random

- collection of un-sorted bollocks
git clone git://git.acid.vegas/random.git

ssh.md (9743B)

# SSH Security
> A full write-up on OpenSSH usage with security in mind.

---

## Table of Contents
* [Generating An SSH Key Pair](#generating-an-ssh-key-pair)
	- [Linux](#linux)
	- [Windows](#windows)
* [Getting Your Client To Use Your SSH Key](#getting-your-client-to-use-your-ssh-key)
	- [Linux](#linux-1)
	- [Windows](#windows-1)
* [Setup Server](#setup-server)
	- [Harden OpenSSH Daemon](#harden-openssh-daemon)
	- [Create A New User On The Server](#create-a-new-user-on-the-server)
	- [Copy Your Public Key To Your Shell](#copy-your-public-key-to-your-shell)
* [Extra Security](#extra-security)
	- [Allow Incoming SSH Connections Through IPTables](#allow-incoming-ssh-connections-through-iptables)
	- [Lock Users In A Chroot Jail Environment](#lock-users-in-a-chroot-jail-environment)
	- [Port Knocking](#port-knocking)
		- [Setup Server](#setup-server-1)
			- [Using IPTables](#using-iptables)
			- [Using Knockd](#using-knockd)
		- [Knocking Your Server](#knocking-your-server)
			- [Using Nmap](#using-nmap)
			- [Using Knockd](#using-knockd-1)
	- [Jump Hosts](#jump-hosts)

**Note:** The port *65150* is used throughout this write-up as an example of a non-standard port.

---

### Generating An SSH Key Pair
#### Linux
Generate a key using the **Ed25519** algorithm with 500 KDF rounds:
* `ssh-keygen -t ed25519 -a 500 -C "$(whoami)@$(hostname)-$(date -I)"`

This will generate two files in your `~/.ssh` directory: a public key *(.pub)* and a private key.

You only need to back up your private key. Public keys can be regenerated from the private key:
* `ssh-keygen -y -f ~/.ssh/acidvegas@pi-2017-01-01`

Copy your public key to the clipboard:
* `cat ~/.ssh/acidvegas@pi-2017-01-01.pub`

#### Windows
Download & run [puttygen](https://the.earth.li/~sgtatham/putty/latest/w32/puttygen.exe).

Once opened, change the key type to **ED25519** under the *Parameters* box, and then click the *Generate* button.

Click the *Save private key* button to save your key.

You only need to back up your private key. Public keys can be regenerated by clicking `File -> Load private key`.

Copy the data in the box labeled *Public key for pasting into OpenSSH authorized_keys file*.

### Getting Your Client To Use Your SSH Key
#### Linux
* `ssh -p 65150 -i ~/.ssh/acidvegas@pi-2017-01-01 acidvegas@192.168.1.10`

or...

* `nano ~/.ssh/config`
```
Host acidbox
	HostName 192.168.1.10
	Port 65150
	User acidvegas
	IdentityFile ~/.ssh/acidvegas@pi-2017-01-01
	IdentitiesOnly yes
```
* `chmod 600 ~/.ssh/config`
* Usage: `ssh acidbox`

#### Windows
Download & run the [putty](https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe) client.

Once opened, select `Connection -> SSH -> Auth` from the *Category* box. Click the *Browse* button and select your private key.

Select *Session* from the *Category* box. Change the *Host Name (or IP address)* and *Port* to your server.

Name the session in the *Saved Sessions* box and click the *Save* button.

SSH into your server by clicking your saved session in the *Saved Sessions* box, and then clicking the *Open* button.

---

### Setup Server
#### Harden OpenSSH Daemon
* `nano /etc/ssh/sshd_config`
```
AddressFamily any
AllowAgentForwarding no
AllowGroups ssh
AllowTcpForwarding no
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
#Banner /etc/issue
ChallengeResponseAuthentication no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
ClientAliveInterval 0
#ClientAliveCountMax 0
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
LoginGraceTime 30
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
MaxAuthTries 2
MaxSessions 1
MaxStartups 3:50:10
PasswordAuthentication no
PermitRootLogin no
Port 65150
PrintLastLog no
PrintMotd no
Protocol 2
```
* `mkdir /etc/ssh/authorized_keys`
* `rm /etc/ssh/ssh_host_*_key`
* `ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key`

**Options**:
* The `AddressFamily` option can be:
	- **inet** for IPv4 only.
	- **inet6** for IPv6 only.
	- **any** for both.
* The `AuthorizedKeysFile` option can be commented out to use the standard `~/.ssh/authorized_keys` file instead.
* The `Banner` option can be un-commented if the `/etc/issue` file exists. This is shown before the user authenticates.
* The `ClientAliveCountMax` option can be un-commented & the `ClientAliveInterval` option can be changed to **1800** to enforce a 15 minute idle timeout.
* The `MaxSessions` option can be increased if there are additional users on the server.
* The `Port` option should be set to a non-standard port *(a high port number is recommended)*.
* The `PrintMotd` option can be changed to **yes** if the file `/etc/motd` exists. This is shown after the user authenticates.

#### Create A New User On The Server
Create a new user on the server with a password:
* `useradd -m -s /bin/bash acidvegas`
* `passwd acidvegas`

Create an **ssh** group and add your user to the group:
* `groupadd ssh`
* `gpasswd -a acidvegas ssh`

#### Copy Your Public Key To Your Shell
* `nano /etc/ssh/authorized_keys/acidvegas` *(Paste your public key data into this file)*

**Note:** This is only required if you are using the `AuthorizedKeysFile /etc/ssh/authorized_keys/%u` line in your `sshd_config` file. To use the standard `~/.ssh/authorized_keys` file instead, do the following:
* `mkdir ~/.ssh`
* `chmod 700 ~/.ssh`
* `chown -R $USER ~/.ssh`
* `nano ~/.ssh/authorized_keys` *(Paste the copied public key data into this file)*
* `chmod 400 ~/.ssh/authorized_keys`
* Optionally, you can set the immutable flag to prevent changes:
	- `chattr +i ~/.ssh`
	- `chattr +i ~/.ssh/authorized_keys`

---

### Extra Security
#### Allow Incoming SSH Connections Through IPTables
```
iptables -A INPUT  -i eth0 -p tcp --dport 65150 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 65150 -m conntrack --ctstate ESTABLISHED     -j ACCEPT
```

You can also allow incoming connections from a specific IP address only, by changing the first line above to:
```
iptables -A INPUT -i eth0 -p tcp -s 192.168.1.99 --dport 65150 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
```

#### Lock Users In A Chroot Jail Environment
See the [mkchroot](https://github.com/acidvegas/mkchroot) repository for details.

#### Port Knocking
The following is an example which uses the port knocking sequence `8881 -> 7777 -> 9991` to open port 65150 for 30 seconds.

##### Setup Server
###### Using IPTables
* `nano /etc/iptables/iptables.rules`
```
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TRAFFIC - [0:0]
:SSH-INPUT - [0:0]
:SSH-INPUTTWO - [0:0]
# TRAFFIC chain for Port Knocking. The correct port sequence in this example is 8881 -> 7777 -> 9991; any other sequence will drop the traffic
-A INPUT -j TRAFFIC
-A TRAFFIC -p icmp --icmp-type any -j ACCEPT
-A TRAFFIC -m state --state ESTABLISHED,RELATED -j ACCEPT
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 65150 -m recent --rcheck --seconds 30 --name SSH2 -j ACCEPT
-A TRAFFIC -m state --state NEW -m tcp -p tcp -m recent --name SSH2 --remove -j DROP
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 9991 -m recent --rcheck --name SSH1 -j SSH-INPUTTWO
-A TRAFFIC -m state --state NEW -m tcp -p tcp -m recent --name SSH1 --remove -j DROP
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 7777 -m recent --rcheck --name SSH0 -j SSH-INPUT
-A TRAFFIC -m state --state NEW -m tcp -p tcp -m recent --name SSH0 --remove -j DROP
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 8881 -m recent --name SSH0 --set -j DROP
-A SSH-INPUT -m recent --name SSH1 --set -j DROP
-A SSH-INPUTTWO -m recent --name SSH2 --set -j DROP
-A TRAFFIC -j DROP
COMMIT
```
* `systemctl daemon-reload`
* `systemctl restart iptables`

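The ruleset above is easier to reason about as a state machine, so here is an added shell model of it (not part of the write-up): each `recent` list (SSH0, SSH1, SSH2) becomes a per-client flag, the rules are tested in the same order as in `iptables.rules`, and the function prints the verdict the last new TCP connection in the list would receive. The 30-second window, ICMP and ESTABLISHED traffic are deliberately left out, and the function name and scenarios are my own.

```shell
#!/bin/sh
# Added example, not part of the write-up: a model of the iptables port-knocking
# ruleset above. Each "recent" list (SSH0, SSH1, SSH2) becomes a 0/1 flag for one
# client; the 30-second window, ICMP and ESTABLISHED traffic are not modelled.
# Usage: knock_verdict PORT [PORT ...]  -> prints the verdict for the LAST port,
# after replaying the earlier ones as new TCP connections in that order.
knock_verdict() {
    ssh0=0 ssh1=0 ssh2=0 verdict=DROP
    for dport in "$@"; do
        verdict=DROP  # every rule below except the first one ends in DROP
        # Rules are tested in the same order as in iptables.rules:
        if [ "$dport" = 65150 ] && [ "$ssh2" = 1 ]; then verdict=ACCEPT; continue; fi
        if [ "$ssh2" = 1 ]; then ssh2=0; continue; fi              # any other port clears SSH2
        if [ "$dport" = 9991 ] && [ "$ssh1" = 1 ]; then ssh2=1; continue; fi
        if [ "$ssh1" = 1 ]; then ssh1=0; continue; fi              # wrong third knock clears SSH1
        if [ "$dport" = 7777 ] && [ "$ssh0" = 1 ]; then ssh1=1; continue; fi
        if [ "$ssh0" = 1 ]; then ssh0=0; continue; fi              # wrong second knock clears SSH0
        if [ "$dport" = 8881 ]; then ssh0=1; fi                    # first knock sets SSH0
        # anything else falls through to the final "-A TRAFFIC -j DROP"
    done
    echo "$verdict"
}

# Constructed scenarios: the documented sequence, a skipped knock, a stray
# connection in the middle, and a second connection after the port opened.
knock_verdict 8881 7777 9991 65150             # ACCEPT
knock_verdict 8881 9991 65150                  # DROP
knock_verdict 8881 7777 1234 9991 65150        # DROP
knock_verdict 8881 7777 9991 65150 2222 65150  # DROP: the stray 2222 cleared SSH2
```

The last scenario shows a property worth knowing when troubleshooting: once the port is open, any other new TCP connection from the same client (a scanner, a second service) closes it again, because the `SSH2 --remove` rule fires before the sequence rules.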
###### Using Knockd
Download & install the [knockd](http://www.zeroflux.org/projects/knock) package.

* `nano /etc/knockd.conf`
```
[options]
	logfile = /var/log/knockd.log
[opencloseSSH]
	sequence      = 8881:tcp,7777:tcp,9991:tcp
	seq_timeout   = 5
	tcpflags      = syn,ack
	start_command = /usr/bin/iptables -A TCP -s %IP% -p tcp --dport 65150 -j ACCEPT
	cmd_timeout   = 10
	stop_command  = /usr/bin/iptables -D TCP -s %IP% -p tcp --dport 65150 -j ACCEPT
```

##### Knocking Your Server
###### Using Nmap
Download & install the [nmap](https://nmap.org/) package.

* `nano knock.sh`
```bash
#!/bin/bash
# Knock on each port given after the host name, in order, with a single
# connection attempt per port and no host discovery.
HOST=$1
shift
for ARG in "$@"
do
	nmap -Pn --host_timeout 100 --max-retries 0 -p "$ARG" "$HOST"
done
```
* Usage: `sh knock.sh example.server.com 8881 7777 9991`

###### Using Knockd
Download & install the [knockd](http://www.zeroflux.org/projects/knock) package.

* `knock -v example.server.com 8881:tcp 7777:tcp 9991:tcp`

#### Jump Hosts
* `ssh -J <jumphost> <host>`

The `<jumphost>` option can be `user@host`, `user@host:port` or a host configured in your `~/.ssh/config`.

Multiple jump hosts can be given as a comma-separated list *(no spaces)*.

The same applies to the `<host>` option, except that to change the port you either use the `-p <port>` option at the end or use a host configured in your `~/.ssh/config`.

or...

* `nano ~/.ssh/config`
```
Host jumpbox
	HostName jump.server.com

Host targetbox
	...
	ProxyJump jumpbox
	...
```

Multiple jump hosts can be used in the `ProxyJump` option as a comma-separated list *(no spaces)*.

Connect to your target host with `ssh targetbox`.

---

### Sources
* https://wiki.archlinux.org/index.php/Port_knocking
* https://wiki.archlinux.org/index.php/SSH_keys
* https://wiki.mozilla.org/Security/Guidelines/OpenSSH
* https://www.openssh.com/manual.html
* https://stribika.github.io/2015/01/04/secure-secure-shell.html