random - collection of un-sorted bollocks
git clone git://git.acid.vegas/random.git |
ssh.md (9743B)
# SSH Security
> A full write-up on OpenSSH usage with security in mind.

---

## Table of Contents
* [Generating An SSH Key Pair](#generating-an-ssh-key-pair)
  - [Linux](#linux)
  - [Windows](#windows)
* [Getting Your Client To Use Your SSH Key](#getting-your-client-to-use-your-ssh-key)
  - [Linux](#linux-1)
  - [Windows](#windows-1)
* [Setup Server](#setup-server)
  - [Harden OpenSSH Daemon](#harden-openssh-daemon)
  - [Create A New User On The Server](#create-a-new-user-on-the-server)
  - [Copy Your Public Key To Your Shell](#copy-your-public-key-to-your-shell)
* [Extra Security](#extra-security)
  - [Allow Incoming SSH Connections Through IPTables](#allow-incoming-ssh-connections-through-iptables)
  - [Lock Users In A Chroot Jail Environment](#lock-users-in-a-chroot-jail-environment)
  - [Port Knocking](#port-knocking)
    - [Server](#server)
      - [Using IPTables](#using-iptables)
      - [Using Knockd](#using-knockd)
    - [Knocking Your Server](#knocking-your-server)
      - [Using Nmap](#using-nmap)
      - [Using Knockd](#using-knockd-1)
  - [Jump Hosts](#jump-hosts)

**Note:** The port *65150* is used in this write-up as an example of a non-standard port.

---

### Generating An SSH Key Pair
#### Linux
Generate a key using the **Ed25519** algorithm with 500 KDF rounds *(the rounds only slow down brute-forcing of the passphrase, so set one when prompted)*:
* `ssh-keygen -t ed25519 -a 500 -C "$(whoami)@$(hostname)-$(date -I)"`

Without `-f` the key is saved as `~/.ssh/id_ed25519`; enter `~/.ssh/<comment>` at the file name prompt (or pass `-f`) to get the paths used below, where the file is named after the comment.

This will generate 2 files in your `~/.ssh` directory: a public key *(.pub)* and a private key.

You only need to back up your private key. Public keys can be regenerated from the private key:
* `ssh-keygen -y -f ~/.ssh/acidvegas@pi-2017-01-01`

Copy your public key to the clipboard:
* `cat ~/.ssh/acidvegas@pi-2017-01-01.pub`

#### Windows
Download & run [puttygen](https://the.earth.li/~sgtatham/putty/latest/w32/puttygen.exe).

Once opened, change the key type to **ED25519** under the *Parameters* box, and then click the *Generate* button.

Click the *Save private key* button to save your key.

You only need to back up your private key. Public keys can be regenerated by clicking `File -> Load private key`.

Copy the data in the box labeled *Public key for pasting into OpenSSH authorized_keys file*.

### Getting Your Client To Use Your SSH Key
#### Linux
* `ssh -p 65150 -i ~/.ssh/acidvegas@pi-2017-01-01 acidvegas@192.168.1.10`

or...

* `nano ~/.ssh/config`
```
Host acidbox
    HostName 192.168.1.10
    Port 65150
    User acidvegas
    IdentityFile ~/.ssh/acidvegas@pi-2017-01-01
    IdentitiesOnly yes
```
* `chmod 600 ~/.ssh/config`
* Usage: `ssh acidbox`

`IdentitiesOnly yes` makes the client offer only the listed key instead of every key loaded in your agent; each rejected key counts against the server's `MaxAuthTries`.

#### Windows
Download & run the [putty](https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe) client.

Once opened, select `Connection -> SSH -> Auth` from the *Category* box. Click the *Browse* button and select your private key.

Select *Session* from the *Category* box. Change the *Host Name (or IP address)* and *Port* to your server.

Name the session in the *Saved Sessions* box and click the *Save* button.

SSH into your server by clicking your saved session in the *Saved Sessions* box, then clicking the *Open* button.
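An added example, not part of the original write-up, that strings the Linux steps of the two sections above together: it generates a throwaway Ed25519 key the same way, checks that a `.pub` file really was derived from a private key (a mismatched pair is a common cause of silent `Permission denied (publickey)`), prints the SHA256 fingerprint that sshd logs on a successful login, and emits the matching `~/.ssh/config` stanza. The function names, the scratch directory and the `acidbox`/`192.168.1.10`/`65150` values are assumptions for illustration; nothing under `~/.ssh` is touched.

```shell
#!/bin/sh
# Generate a client key pair as above, prove the .pub belongs to the private key,
# show the fingerprint the server will log, and print the ~/.ssh/config stanza.
# Works in a scratch directory; nothing under ~/.ssh is touched.

# make_key DIR NAME [PASSPHRASE]: Ed25519, 500 KDF rounds, comment and file = NAME.
# An empty passphrase is used for the throwaway demo key; for a real key omit -N
# so ssh-keygen prompts for one (the -a rounds only matter with a passphrase).
make_key() {
    ssh-keygen -q -t ed25519 -a 500 -C "$2" -N "${3:-}" -f "$1/$2"
}

# keypair_matches PRIV PUB: true only if PUB was derived from PRIV.
# Compares key type and base64 blob; the comment field may legitimately differ.
keypair_matches() {
    derived=$(ssh-keygen -y -f "$1" | awk '{ print $1, $2 }')
    stored=$(awk '{ print $1, $2 }' "$2")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# fingerprint PUB -> SHA256:... (what sshd logs on "Accepted publickey")
fingerprint() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{ print $2 }'
}

# ssh_config_stanza ALIAS HOST PORT USER KEYFILE -> block for ~/.ssh/config
ssh_config_stanza() {
    printf 'Host %s\n    HostName %s\n    Port %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# --- demo with a throwaway key (host, port and user below are made up) ---
if command -v ssh-keygen >/dev/null 2>&1; then
    dir=$(mktemp -d)
    name="$(id -un)@$(uname -n)-$(date +%F)"
    make_key "$dir" "$name"
    if keypair_matches "$dir/$name" "$dir/$name.pub"; then
        echo "public key matches private key, fingerprint $(fingerprint "$dir/$name.pub")"
    fi
    ssh_config_stanza acidbox 192.168.1.10 65150 acidvegas "~/.ssh/$name"
    rm -rf "$dir"
fi
```

Run it as `sh keycheck.sh`; to check a real pair, call `keypair_matches ~/.ssh/<key> ~/.ssh/<key>.pub` and compare the `fingerprint` output with the `Accepted publickey ... SHA256:` line in the server's auth log.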

---

### Setup Server
#### Harden OpenSSH Daemon
* `nano /etc/ssh/sshd_config`
```
AddressFamily any
AllowAgentForwarding no
AllowGroups ssh
AllowTcpForwarding no
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
#Banner /etc/issue
ChallengeResponseAuthentication no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
ClientAliveInterval 0
#ClientAliveCountMax 1
HostKey /etc/ssh/ssh_host_ed25519_key
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
LoginGraceTime 30
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
MaxAuthTries 2
MaxSessions 1
MaxStartups 3:50:10
PasswordAuthentication no
PermitRootLogin no
Port 65150
PrintLastLog no
PrintMotd no
Protocol 2
```
* `mkdir /etc/ssh/authorized_keys`
* `rm /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub`
* `ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key`

Host keys must not have a passphrase (`-N ""`), and the stale `.pub` halves are removed along with the old private keys. Regenerating the host key changes the fingerprint stored in every client's `known_hosts`, so record the new one (`ssh-keygen -l -f /etc/ssh/ssh_host_ed25519_key.pub`) and share it out of band. Check the file with `sshd -t` before restarting sshd, and keep your current session open until a fresh login succeeds; a typo in `sshd_config` otherwise locks you out.

**Options**:
* The `AddressFamily` option can be:
  - **inet** for IPv4 only.
  - **inet6** for IPv6 only.
  - **any** for both.
* The `AuthorizedKeysFile` option can be commented out to use the standard `~/.ssh/authorized_keys` file instead. Keeping the files under a root-owned `/etc/ssh/authorized_keys` means users cannot add keys for themselves. sshd reads each file with that user's privileges, so it must be readable by the user and writable only by root *(mode 644 inside a mode 755 directory)*.
* The `Banner` option can be un-commented if the `/etc/issue` file exists. This is shown before the user authenticates.
* The `ChallengeResponseAuthentication` keyword was renamed `KbdInteractiveAuthentication` in OpenSSH 8.7; the old name is still accepted as an alias.
* The `ClientAliveCountMax` option can be un-commented and the `ClientAliveInterval` option changed to **900** to drop a client that stops answering keepalive probes for 15 minutes *(1800 would be 30 minutes)*. This catches dead or unresponsive connections, not idle users: a connected client answers the probes even when nobody is typing, so use the shell's own idle timeout (`TMOUT` in bash) for that. OpenSSH 8.2 and later treat `ClientAliveCountMax 0` as "never disconnect", which is why **1** is used here instead of the older **0**.
* The `MaxAuthTries` option counts every public key the client offers, so clients should set `IdentitiesOnly yes` or keep spare keys out of their agent.
* The `MaxSessions` option limits sessions *per connection* (multiplexing via `ControlMaster`, or several channels over one login); raise it if clients share connections. It does not limit how many users may log in.
* The `Port` option should be set to a non-standard port; a high-numbered port keeps most automated scanners away. Note that ports above 1023 can be bound by any local user if sshd is ever stopped, so on multi-user systems a free port below 1024 is the safer choice.
* The `PrintMotd` option can be changed to **yes** if the file `/etc/motd` exists. This is shown after the user authenticates.
* The `Protocol` option is ignored by OpenSSH 7.4 and later, which only implement protocol 2; it is harmless to leave in.
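An added example, not from the original write-up, that audits an `sshd_config` against the baseline above. The point it demonstrates is one that bites in practice: sshd keeps the *first* value it sees for a keyword, so a `PasswordAuthentication yes` pulled in by an `Include` drop-in (cloud images ship these) above your own settings silently wins. The script follows the same rule, stops at the first `Match` block, and does not follow `Include` lines; the function names, the `SSHD_BASELINE` subset and the two sample configs are constructed for this example. For the effective, fully merged configuration always compare with `sshd -T`.

```shell
#!/bin/sh
# Audit an sshd_config file against the hardening baseline above.
# sshd keeps the FIRST value it sees for a keyword, so the check does too.
# Assumptions of this example: Include lines are not followed and parsing
# stops at the first Match block; use `sshd -T` for the effective config.

# keyword=expected pairs; everything here defaults to something weaker when
# unset, except PubkeyAuthentication, whose default is already yes
SSHD_BASELINE="
PasswordAuthentication=no
PermitRootLogin=no
ChallengeResponseAuthentication=no
PubkeyAuthentication=yes
AllowTcpForwarding=no
AllowAgentForwarding=no
MaxAuthTries=2
"

# effective_value FILE KEYWORD -> first value set for KEYWORD (empty if unset)
effective_value() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }                   # comments and blank lines
        { gsub(/=/, " ") }                                # sshd also accepts Keyword=value
        tolower($1) == "match" { exit }                   # later lines are conditional
        tolower($1) == tolower(key) { print $2; exit }    # first occurrence wins
    ' "$1"
}

# sshd_config_audit FILE -> prints one finding per line, exit status 1 if any
sshd_config_audit() {
    file=$1; findings=0
    for pair in $SSHD_BASELINE; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$file" "$key")
        # OpenSSH 8.7+ renamed this directive; accept either spelling
        if [ -z "$got" ] && [ "$key" = ChallengeResponseAuthentication ]; then
            got=$(effective_value "$file" KbdInteractiveAuthentication)
        fi
        if [ -z "$got" ]; then
            [ "$key" = PubkeyAuthentication ] && continue
            echo "MISSING $key (want $want; sshd's weaker default applies)"
            findings=$((findings + 1))
        elif [ "$(printf '%s' "$got" | tr '[:upper:]' '[:lower:]')" != "$want" ]; then
            echo "WEAK    $key = $got (want $want)"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# --- demo on two constructed files (made up for this example) ---
weak=$(mktemp)
hardened=$(mktemp)
cat > "$weak" <<'EOF'
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 6
EOF
cat > "$hardened" <<'EOF'
AllowAgentForwarding no
AllowTcpForwarding no
ChallengeResponseAuthentication no
MaxAuthTries 2
PasswordAuthentication no
PermitRootLogin no
EOF
echo "== weak =="; sshd_config_audit "$weak" || echo "(would be rejected)"
echo "== hardened =="; sshd_config_audit "$hardened" && echo "OK"
rm -f "$weak" "$hardened"
```

Run `sshd_config_audit /etc/ssh/sshd_config` on the server; the "weak" sample shows the second `PasswordAuthentication no` never taking effect, which is exactly the drop-in problem described above.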

#### Create A New User On The Server
Create a new user on the server with a password:
* `useradd -m -s /bin/bash acidvegas`
* `passwd acidvegas`

Create an **ssh** group and add your user to it *(`AllowGroups ssh` above means only members of this group may log in)*:
* `groupadd ssh`
* `gpasswd -a acidvegas ssh`

#### Copy Your Public Key To Your Shell
* `nano /etc/ssh/authorized_keys/acidvegas` *(Paste your public key data in this file)*

The file must be readable by the user *(sshd reads it with the user's privileges)* and writable only by root.

**Note:** This is only required if you are using the `AuthorizedKeysFile /etc/ssh/authorized_keys/%u` line in your `sshd_config` file. For the standard `~/.ssh/authorized_keys` file, do the following as that user:
* `mkdir ~/.ssh`
* `chmod 700 ~/.ssh`
* `chown -R $USER ~/.ssh`
* `nano ~/.ssh/authorized_keys` *(Paste the copied public key data into this file)*
* `chmod 400 ~/.ssh/authorized_keys`
* Optionally, set the immutable flag to prevent changes *(an immutable `~/.ssh` also stops the ssh client from writing `known_hosts` or `config` there when that user connects outward; `chattr -i` reverts it)*:
  - `chattr +i ~/.ssh`
  - `chattr +i ~/.ssh/authorized_keys`

---

### Extra Security
#### Allow Incoming SSH Connections Through IPTables
```
iptables -A INPUT -i eth0 -p tcp --dport 65150 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 65150 -m conntrack --ctstate ESTABLISHED -j ACCEPT
```

These rules assume a default `DROP` policy on `INPUT` and `OUTPUT`; replace `eth0` with your interface.

You can also allow incoming connections from a specific IP address only by changing the first line above to:
```
iptables -A INPUT -i eth0 -p tcp -s 192.168.1.99 --dport 65150 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
```

#### Lock Users In A Chroot Jail Environment
See the [mkchroot](https://github.com/acidvegas/mkchroot) repository for details.

#### Port Knocking
The following is an example which uses the port knocking sequence `8881 -> 7777 -> 9991` to open port 65150 for 30 seconds *(in the knockd variant the open window is its `cmd_timeout`)*. Port knocking hides the service from scans, but the knock packets travel in the clear and can be replayed by anyone who observes them; treat it as noise reduction on top of key-only authentication, not as a secret.
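Before the two server-side rule sets, here is an added example (not from the original write-up) that models the knock state machine those rules implement, in POSIX sh and awk, so the sequence, the reset-on-stray-packet rule and the 30 second window can be exercised without a firewall. Each input line is `<seconds> <source-ip> <destination-port>` standing for one NEW TCP packet; the function name and the sample events are constructed for this example. It is a simplification of the iptables version in one respect: here a single stray packet resets a source completely, whereas the `recent` lists below keep the source in the earlier stages until further stray packets clear them one at a time.

```shell
#!/bin/sh
# knock_simulate "KNOCK PORTS" DOOR_PORT WINDOW_SECONDS < events
# Models the port-knock rules: a source must hit the knock ports in order;
# any other packet resets it; after the last knock, DOOR_PORT is accepted
# from that source for WINDOW_SECONDS, and the first stray packet closes it.
knock_simulate() {
    awk -v seq="$1" -v door="$2" -v window="$3" '
    BEGIN { n = split(seq, knock, " ") }
    NF < 3 { next }
    {
        t = $1 + 0; src = $2; port = $3 + 0
        # 1. door open for this source and still inside the window -> ACCEPT
        if (port == door && (src in opened) && t - opened[src] <= window) {
            print t, src, port, "ACCEPT"; next
        }
        # 2. any other packet from a source with an open door closes it
        #    (the "--name SSH2 --remove -j DROP" rule); it is not a knock
        if (src in opened) { delete opened[src]; print t, src, port, "DROP"; next }
        # 3. advance only on the exact next knock port, otherwise start over
        s = (src in stage) ? stage[src] : 0
        if (s < n && port == knock[s + 1] + 0) {
            stage[src] = s + 1
            if (stage[src] == n) { opened[src] = t; delete stage[src] }
        } else {
            delete stage[src]
        }
        print t, src, port, "DROP"
    }'
}

# --- demo on constructed events: one correct sequence, one out-of-order one ---
knock_simulate "8881 7777 9991" 65150 30 <<'EOF'
1 10.0.0.5 8881
2 10.0.0.5 7777
3 10.0.0.5 9991
4 10.0.0.5 65150
50 10.0.0.5 65150
60 10.0.0.9 8881
61 10.0.0.9 9991
62 10.0.0.9 7777
63 10.0.0.9 65150
EOF
```

Only the fourth line is accepted: the connection at second 50 is outside the 30 second window and closes the door, and `10.0.0.9` never opens it because its second knock is out of order. Feed in a wrong sequence of your own to see that a correct sequence has to be started again from the first port.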

##### Server
###### Using IPTables
* `nano /etc/iptables/iptables.rules` *(the file Arch's `iptables.service` loads)*
```
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TRAFFIC - [0:0]
:SSH-INPUT - [0:0]
:SSH-INPUTTWO - [0:0]
# TRAFFIC chain for Port Knocking. The correct port sequence in this example is 8881 -> 7777 -> 9991; any other sequence will drop the traffic
-A INPUT -j TRAFFIC
-A TRAFFIC -p icmp --icmp-type any -j ACCEPT
-A TRAFFIC -m state --state ESTABLISHED,RELATED -j ACCEPT
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 65150 -m recent --rcheck --seconds 30 --name SSH2 -j ACCEPT
-A TRAFFIC -m state --state NEW -m tcp -p tcp -m recent --name SSH2 --remove -j DROP
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 9991 -m recent --rcheck --name SSH1 -j SSH-INPUTTWO
-A TRAFFIC -m state --state NEW -m tcp -p tcp -m recent --name SSH1 --remove -j DROP
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 7777 -m recent --rcheck --name SSH0 -j SSH-INPUT
-A TRAFFIC -m state --state NEW -m tcp -p tcp -m recent --name SSH0 --remove -j DROP
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 8881 -m recent --name SSH0 --set -j DROP
-A SSH-INPUT -m recent --name SSH1 --set -j DROP
-A SSH-INPUTTWO -m recent --name SSH2 --set -j DROP
-A TRAFFIC -j DROP
COMMIT
```
* `systemctl restart iptables`

Rule order matters: for each stage the rule that checks for the next port comes first, and the rule right after it removes the source from that stage's list on any other new packet, so a stray packet resets the sequence. Only the final list (`SSH2`) has a `--seconds 30` window; the earlier lists have no timeout of their own. A `systemctl daemon-reload` is not needed here, since it only re-reads unit files, not the rules file.

###### Using Knockd
Download & install the [knockd](http://www.zeroflux.org/projects/knock) package.

* `nano /etc/knockd.conf`
```
[options]
    logfile = /var/log/knockd.log
[opencloseSSH]
    sequence      = 8881:tcp,7777:tcp,9991:tcp
    seq_timeout   = 5
    tcpflags      = syn
    start_command = /usr/bin/iptables -A TCP -s %IP% -p tcp --dport 65150 -j ACCEPT
    cmd_timeout   = 10
    stop_command  = /usr/bin/iptables -D TCP -s %IP% -p tcp --dport 65150 -j ACCEPT
```

`tcpflags = syn` matches the bare SYN that every knock client below sends; `syn,ack` would require both flags on each knock, which a plain connection attempt never sets, so knockd would ignore the sequence. All three knocks must arrive within `seq_timeout` seconds, and the port then stays open to that IP for `cmd_timeout` seconds (an established session survives the `stop_command` because the state rule keeps accepting it). knockd listens on `eth0` unless `interface = <name>` is set under `[options]`. The `TCP` chain is assumed to exist, as in the Arch wiki's simple stateful firewall; with a different ruleset use `-I INPUT` / `-D INPUT` instead.

#### Knocking Your Server
##### Using Nmap
Download & install the [nmap](https://nmap.org/) package.

* `nano knock.sh`
```bash
#!/bin/sh
# Send one SYN to each port in turn. Neither knockd nor the iptables rules
# ever answer a knock, so skip host discovery, disable retries and give up
# after 100 ms per port.
HOST=$1
shift
for PORT in "$@"; do
    nmap -Pn --host-timeout 100ms --max-retries 0 -p "$PORT" "$HOST" >/dev/null
done
```
* Usage: `sh knock.sh example.server.com 8881 7777 9991`

##### Using Knockd
Download & install the [knockd](http://www.zeroflux.org/projects/knock) package *(it also provides the `knock` client)*.

* `knock -v example.server.com 8881:tcp 7777:tcp 9991:tcp`

#### Jump Hosts
* `ssh -J <jumphost> <host>`

The `<jumphost>` option can be `user@host`, `user@host:port` or a host set up in your `~/.ssh/config`.

Multiple jump hosts can be given as a comma-separated *(no spaces)* list.

The same applies to the `<host>` option, except that to change its port you either use the `-p <port>` option at the end or a host set up in your `~/.ssh/config`.

or...

* `nano ~/.ssh/config`:
```
Host jumpbox
    HostName jump.server.com

Host targetbox
    ...
    ProxyJump jumpbox
    ...
```

`ProxyJump` refers to the `Host` alias (`jumpbox` here), which must match exactly. Multiple jump hosts can be used in the `ProxyJump` option as a comma-separated *(no spaces)* list.

Connect to your target host with `ssh targetbox`. `ProxyJump` only forwards a TCP connection through the jump host, so the session to the target is encrypted end to end and your private key never needs to leave your machine; prefer it over logging into the jump host and hopping on with agent forwarding.

---

### Sources
* https://wiki.archlinux.org/index.php/Port_knocking
* https://wiki.archlinux.org/index.php/SSH_keys
* https://wiki.mozilla.org/Security/Guidelines/OpenSSH
* https://www.openssh.com/manual.html
* https://stribika.github.io/2015/01/04/secure-secure-shell.html