SSH stuff
Monday, 25 April 2005 01:31
Blocking brute force attempts with ssh

There are quite a few tools out there to accomplish the blocking of invalid login attempts using iptables and tcpwrappers. Most are actually written in python...;-D In fact, you can yum install both fail2ban and denyhosts! Making it quite easy to get on your box. However, I'm partial to closing ports all together and using dynamic rules instead of forming ban lists. Ban lists require additional resources and still expose a service to all for undocumented exploits to occur...(buffer overflows). See IPOpener - Block everything and allow to few (The power of dynamic rules). But having said that, there are times when it might be interesting to see who's out there attacking my boxes. I've seen some cool network maps.

Main Page - Fail2ban - Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IPs that make too many password failures. It updates firewall rules to reject the IP address.

Packets Consulting - Ssh-faker - This program is called by /etc/hosts.deny whenever someone connects to port 22. Unless they type in a plaintext password or type the wrong password, they get an ssh-compatible error message, and a syslog message is generated. If they type in the right password, they are added to /etc/hosts.allow, and their next connection will reach the real sshd.

Welcome to DenyHosts - DenyHosts is a Python script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host. Additionally, upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host. An email report can be sent to a system admin.
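The log-scanning step that Fail2ban and DenyHosts automate, as an added example that is not part of the original post: a POSIX shell function that counts sshd "Failed password" lines per source address and emits a hosts.deny entry for every address at or above a threshold. The log lines are constructed samples using documentation addresses; a real run would feed the sshd log file instead of SAMPLE_LOG.

```shell
#!/bin/sh
# Added example (not from the original post): count sshd password failures per
# source IP from log lines on stdin and print a hosts.deny line for each IP that
# reaches the threshold given as $1 (default 5), the way DenyHosts does.
failed_hosts() {
    threshold="${1:-5}"
    awk -v max="$threshold" '
        # Match the sshd failure message and take the address after "from"
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i+1)]++; break }
        }
        END {
            # TCP wrappers hosts.deny syntax: "<daemon>: <client>"
            for (ip in count)
                if (count[ip] >= max) printf "sshd: %s\n", ip
        }' | sort
}

# Constructed sample log (RFC 5737 documentation addresses, not real hosts)
SAMPLE_LOG='Apr 25 01:31:02 box sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Apr 25 01:31:05 box sshd[2203]: Failed password for root from 203.0.113.5 port 41030 ssh2
Apr 25 01:31:09 box sshd[2205]: Failed password for invalid user test from 203.0.113.5 port 41041 ssh2
Apr 25 01:31:12 box sshd[2207]: Accepted publickey for auser from 198.51.100.7 port 51000 ssh2
Apr 25 01:31:20 box sshd[2209]: Failed password for auser from 198.51.100.7 port 51004 ssh2'

# With a threshold of 3 only 203.0.113.5 is listed; a single typo from
# 198.51.100.7 is not enough to ban it
printf '%s\n' "$SAMPLE_LOG" | failed_hosts 3
```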
BlockHosts | A C Zoom - Automatic blocking of abusive IP hosts. Script to record how many times system services are being probed, using configurable pattern matching to recognize failed accesses (such as for "sshd" or "proftpd" or any service), and when a particular IP address exceeds a certain number of failed attempts, that IP address is blocked by using multiple techniques: using /etc/hosts.allow for services that support TCP_WRAPPERS, or by executing ip route commands to set up null-routing for that source host address, or by executing iptables commands to set up packet filtering to drop packets from a source host address.

Preventing Brute Force Attacks With Fail2ban On Debian Etch | HowtoForge - Linux Howtos and Tutorials
Preventing SSH Dictionary Attacks With DenyHosts | HowtoForge - Linux Howtos and Tutorials

Port forwarding with SSH (Also called SSH tunneling)

(a good command is: ssh -N -R remoteport:localhost:22 config-host-name)

Port forwarding allows you to send arbitrary connections through your SSH connection. This provides secure communication over otherwise insecure networks. SSH provides two flavors of port forwarding: LocalForward and RemoteForward.

LocalForward connects a remote server to the local machine. The ssh client machine actually listens for new connections to be tunneled and sends them through the existing ssh connection.

ssh -L 9999:mailserver:110 sshserver

This would establish a LocalForward using sshserver. The forward would be from mailserver:110 to the local machine port 9999.

RemoteForward is a tunnel initiated on the server side that goes back through the client machine.

LocalForwards
RemoteForwards
Auto-closing SSH tunnels

Key based auth setup

Use keys instead of passwords

Ok, before you start banging your head trying to figure out why key auth isn't working...make sure your sshd has the proper settings for it. Check to make sure you have the following settings in your sshd_config.

# Should we allow Identity (SSH version 1) authentication?
# (NOTE: Not necessary if you only want to use version 2, even if you use rsa keys)
RSAAuthentication yes
# Should we allow Pubkey (SSH version 2) authentication?
PubkeyAuthentication yes
# Where do we look for authorized public keys?
# If it doesn't start with a slash, then it is
# relative to the user's home directory
AuthorizedKeysFile .ssh/authorized_keys

NOTE! Sept-10-2005: You also MUST make sure that the .ssh folder in your home directory is rwx (700) for the user only! In addition, your authorized_keys file must be rw (600) for the user only. If the file modes are incorrect, sshd will reject all attempts to auth with the keys. (this info could have saved me a good half hour of pain)

If you had the correct settings, great. If you didn't and you changed the config, restart the sshd process. Now that we have verified the proper settings, let's move on to how to actually add keys!

Move into your ssh directory for the user you are currently logged in as:

localmachine$ cd $HOME/.ssh

Generate a key pair. This will create a private key (one you keep on your local machine) and a public key (one you give to the remote machine).

localmachine$ ssh-keygen -t rsa -f ~/.ssh/remotemachine

The -t option allows you to choose the key type, but I suggest using rsa. The -f option specifies the name of the key; replace remotemachine with the name you'd like.

Copy the public key into the authorized keys on the remote machine:

localmachine$ cat remotemachine.pub | ssh user@remotemachine 'sh -c "cat - >>~/.ssh/authorized_keys;chmod 600 ~/.ssh/authorized_keys;"'

This single line will copy the public key to the remote machine and make sure the permissions are read and write only for the user. Now you can simply login to the remote machine by doing the following:

localmachine$ ssh -i remotemachine user@remotemachine

So maybe you don't like having to specify that you want to use the identity each time. SSH allows you to define config options for hosts in your ~/.ssh/config file. You can simply name a session name and the options associated with it. For example, let's say I connect to remotemachine using the username auser and the identity backup. I can create a config file with:

host remotemachine
    hostname remotemachine.somenetwork.com
    user auser
    identityfile ~/.ssh/backup
    compression yes
    cipher blowfish
    protocol 2

Now I can just use:

localmachine$ ssh remotemachine

to login to the system. SSH will automatically try to find the session name in my config file and use the appropriate settings.

Some extra options:

You can create single use keys by prepending command="<cmd>" to your public key in the authorized_keys file. This specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored.

command="<cmd>"

For added security, you can only allow the key to be used from a certain host using the from option. Example:

from="*.somenetwork.net,!pc.someothernetwork.net"

Other options you might consider turning off include:

no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty

Put together, a restricted line in authorized_keys looks like this:

command="<cmd>",from="some.host.net",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty <public key here>

Here is a single command that adds options to the beginning of the public key and pushes it to the remote machine's authorized_keys.

localmachine$ echo 'command="<cmd>" ' `cat <whatever>.pub` | ssh user@remotemachine 'sh -c "cat - >>~/.ssh/authorized_keys;chmod 600 ~/.ssh/authorized_keys;"'

shfs - mount a filesystem using ssh

SHFS is a kernel module for linux that allows a user to mount a filesystem remotely using only ssh. This is a wonderful module because I love ssh access so much. It is wonderful because it allows you to access your data remotely but securely. Once you've installed it, all you've got to do is:

shfsmount --persistent -s user@host:/tmp /mnt/shfs

This mounts the /tmp directory on user@host to the local /mnt/shfs directory. (-s expands remote symlinks, --persistent makes shfs more tolerant of connection problems)

Embed SSH in Browser

I'm looking into embedding a ssh client in the webbrowser. That would be awesome. Some possible clients are:

Mindterm - SSH java client
Using Mindterm - Cambridge uses it.
SSH for Java
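The remote-side half of the key-based auth setup above (the authorized_keys options and the 700/600 mode requirement from the Sept-10-2005 note), as an added example that is not part of the original post: a POSIX shell function that validates a public key line, appends it with command=, from= and the no-* restrictions, enforces the modes sshd insists on, and a second function that checks those modes. The demonstration runs in a scratch directory with a constructed key; on a real box you would point it at the account's $HOME/.ssh.

```shell
#!/bin/sh
# Added example (not from the original post): append a public key to
# authorized_keys with the restrictive options the post lists, then enforce
# and verify the modes sshd requires (~/.ssh 700, authorized_keys 600).
install_restricted_key() {
    sshdir="$1"   # the account's .ssh directory (normally $HOME/.ssh)
    pubkey="$2"   # one line of a .pub file: "<type> <base64 key> [comment]"
    cmd="$3"      # forced command for this key, e.g. a backup script
    from="$4"     # from= pattern, e.g. "*.somenetwork.net,!pc.someothernetwork.net"

    # Only accept lines that start with a key type sshd understands
    case "$pubkey" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*" "*) ;;
        *) echo "not a public key line: $pubkey" >&2; return 1 ;;
    esac
    # A key line needs at least the type field and the key data field
    [ "$(printf '%s\n' "$pubkey" | awk '{ print NF }')" -ge 2 ] \
        || { echo "public key line has no key data" >&2; return 1; }

    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    printf 'command="%s",from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$cmd" "$from" "$pubkey" >> "$sshdir/authorized_keys" || return 1
    chmod 600 "$sshdir/authorized_keys"
}

# The check the post's note calls for: report any mode sshd would reject
check_ssh_modes() {
    sshdir="$1"; bad=0
    find "$sshdir" -maxdepth 0 -perm 700 2>/dev/null | grep -q . \
        || { echo "$sshdir is not mode 700" >&2; bad=1; }
    find "$sshdir/authorized_keys" -maxdepth 0 -perm 600 2>/dev/null | grep -q . \
        || { echo "$sshdir/authorized_keys is not mode 600" >&2; bad=1; }
    return $bad
}

# Demonstration in a scratch directory with a constructed key (not a real key)
DEMO_DIR="$(mktemp -d)/.ssh"
DEMO_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyDataNotARealKey0000 backup@localmachine"
install_restricted_key "$DEMO_DIR" "$DEMO_KEY" "/usr/local/bin/backup.sh" "*.somenetwork.net" \
    && check_ssh_modes "$DEMO_DIR" && cat "$DEMO_DIR/authorized_keys"
```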
Last Updated on Wednesday, 23 December 2009 23:43

