Difference between revisions of "SSH Client"
Revision as of 14:04, 9 June 2014
Installation
By default, Debian / Ubuntu does not include an SSH server.
apt-get install ssh openssh-server
SSH server configuration
Edit the configuration file:
vim /etc/ssh/sshd_config
X11 forwarding
In the configuration file, uncomment and set (note that these three directives are client-side options, read from ssh_config rather than sshd_config):
ForwardAgent yes
ForwardX11 yes
ForwardX11Trusted yes
Enable or disable X11 forwarding on the server side:
# This server doesn't have an X server, therefore do not forward graphical data.
X11Forwarding no
Port(s) number
You can listen on multiple ports; just repeat the Port directive:
Port 22
Port 2200
Security psycho mode:
# The default SSH port is 22. You may want to change it to another port so your server is more discreet.
# NB: if your server is hosted, the provider might need access for maintenance purposes.
Port XXXXX
Banner
Source: https://help.ubuntu.com/community/StricterDefaults#SSH_Welcome_Banner
> To enable login messages uncomment the following line in "/etc/ssh/sshd_config"
Banner /etc/issue.net
Then, create or update the "/etc/issue.net" file:
vim /etc/issue.net
The following example is taken from the Advanced OpenSSH page:
***************************************************************************
NOTICE TO USERS
This computer system is the private property of its owner, whether
individual, corporate or government. It is for authorized use only.
Users (authorized or unauthorized) have no explicit or implicit
expectation of privacy.
Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and
disclosed to your employer, to authorized site, government, and law
enforcement personnel, as well as authorized officials of government
agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the
discretion of such personnel or officials. Unauthorized or improper use
of this system may result in civil and criminal penalties and
administrative or disciplinary action, as appropriate. By continuing to
use this system you indicate your awareness of and consent to these terms
and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
conditions stated in this warning.
****************************************************************************
Once this is in place, restart sshd and all users will see this warning before they get the login prompt. This will obviously not dissuade automated SSH attacks, and will potentially worsen DoS effects, but it may tip off a human attacker that the system is being looked after closely, and that they should move on to some other system on the network.
Restart SSH server
/etc/init.d/ssh restart
Security
Firewall
See Firewall#SSH
Fail2ban
See Fail2ban#SSH_configuration
SSH server configuration - Authentication by Linux user login / password
Principle
This is the default authentication system.
Each user that has a local account on the server is allowed to access the SSH server with their login / password.
Configuration changes
vim /etc/ssh/sshd_config
Protocol and password enforcement
Protocol 2 # only use SSH v2
PermitRootLogin no # Avoid root connections
PermitEmptyPasswords no # Forbid users with empty passwords (note the plural: "PermitEmptyPassword" is not a valid directive and sshd refuses to start on it)
Login time
# Time allowed (in seconds) to complete the login before the connection is dropped
LoginGraceTime 30
Restart SSH server
/etc/init.d/ssh restart
SSH server configuration - Authentication with RSA keys
Introduction
If you'd like to strengthen the authentication process, you can use authentication by private/public key.
- Generate a new private / public key pair on your own computer
- Put the public key on the remote SSH server
- Only the person holding the private key can authenticate on the server
For instance, this is how hosting companies such as OVH can log on to your system.
Security improvement: remove password authentication
When the key authentication is working you can remove the default access by login / password. Then, only people with a valid private/public key pair can log in.
That way, password brute-force attacks cannot succeed, so your system is more secure.
Declare the public key on the server
You have to:
- log in to your SSH server as the user that is going to use this key
- go to the user's home directory
- create a .ssh folder (if there was none before).
cd ~
mkdir .ssh
cd .ssh
Add the new public key to the list of allowed keys:
vim authorized_keys
Prefix your key with its type:
- RSA: ssh-rsa
- DSA: ssh-dss
Then paste the public key on a single line; the public key mustn't be altered or split across 2 lines!
# Example:
ssh-rsa AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
ssh-dss AAAAB3NzaC1yc2EA[...]Lg5whU0zMuYE5IZu8ZudnP6ds= myname@example.com
Adjust the file permissions: the authorized_keys file must be readable/writable only by that user
chmod 640 authorized_keys
cd ..
chmod 700 .ssh
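As an added example (not part of the original page), here is a Python checker for the two mistakes this section warns about, a wrong type prefix and a key split over two lines, plus the permission rule sshd enforces on ~/.ssh and authorized_keys; the sample key blob is constructed and the helper names are my own.

```python
import base64, struct

# Prefixes: the two the page lists (ssh-rsa, ssh-dss) plus the other types sshd accepts.
KNOWN_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def ssh_string(data):
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + payload."""
    return struct.pack(">I", len(data)) + data

def parse_blob(blob):
    """Split a public-key blob into its wire strings; None if the blob is truncated."""
    parts, pos = [], 0
    while pos + 4 <= len(blob):
        n = struct.unpack(">I", blob[pos:pos + 4])[0]
        if n > len(blob) - pos - 4:
            return None
        parts.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return parts if pos == len(blob) else None

def check_authorized_keys_line(line):
    """Return None if the line is a usable authorized_keys entry, else the reason."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None  # sshd ignores blank lines and comments
    fields = stripped.split()
    if len(fields) < 2 or fields[0] not in KNOWN_TYPES:
        return "missing or unknown key-type prefix (expected e.g. ssh-rsa or ssh-dss)"
    key_type, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:
        return "key material is not valid base64"
    parts = parse_blob(blob)
    if parts is None or len(parts) < 2:
        return "key blob is truncated (was the key split across two lines?)"
    embedded = parts[0].decode("ascii", errors="replace")
    if embedded != key_type:
        return f"prefix {key_type} does not match the type inside the blob ({embedded})"
    return None

def mode_is_safe(mode):
    """StrictModes (sshd default) rejects ~/.ssh and authorized_keys writable by group/others."""
    return (mode & 0o022) == 0

# Constructed sample, not a real key: a tiny well-formed ssh-rsa blob (type, exponent, modulus).
SAMPLE_B64 = base64.b64encode(ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
                              + ssh_string(b"\x00\xab\xcd\xef")).decode()
GOOD_LINE = f"ssh-rsa {SAMPLE_B64} myname@example.com"
```

Run check_authorized_keys_line over each line of the file and mode_is_safe over os.stat(path).st_mode of .ssh and authorized_keys before restarting sshd.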
Configuration changes
vim /etc/ssh/sshd_config
Allow empty password
PermitEmptyPasswords yes # allow empty password in favor of RSA keys
Note: PermitEmptyPasswords only controls whether accounts whose password is blank may log in with that blank password; it plays no part in key authentication, which works with the directive left at "no" as configured above. Keep it at "no" unless you specifically need blank-password logins.
Do not allow password authentication
Once you've checked that the key authentication is working, you can disable the standard password authentication. :) With that option set, all password brute-force attacks will fail.
!! BE CAREFUL !!
Once that setting is enabled there is no rolling back from it: you might get locked out of your own server for good. Keep your current session open and confirm a fresh key-based login from a second terminal before you close it.
PermitEmptyPasswords yes # That must be set to YES
PasswordAuthentication no # Do not allow standard login + password anymore. Only key authentication is allowed.
Restart SSH server
/etc/init.d/ssh restart
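An added example, not from the original page: a small Python audit of sshd_config that reads the file the way sshd does (trailing "#" comments, case-insensitive keywords, first value wins) and checks the settings the sections above ask for, including the PermitEmptyPasswords spelling and the lock-out case where both password and key authentication are off. The function names and the sample configuration are mine.

```python
import re
# The misspelling on this page: sshd aborts on any unknown keyword, so this line alone
# stops the server from coming back after a restart.
TYPOS = {"permitemptypassword": "PermitEmptyPasswords"}
# Values the hardening steps on this page end up with (lower-cased keywords).
WANT = {"protocol": "2", "permitrootlogin": "no",
        "permitemptypasswords": "no", "passwordauthentication": "no"}

def parse_sshd_config(text):
    """(keyword, value) pairs as sshd reads them: '#' starts a comment anywhere,
    keywords are case-insensitive, 'Keyword value' and 'Keyword=value' both work."""
    pairs = []
    for raw in text.splitlines():
        m = re.match(r"^(\S+?)(?:\s*=\s*|\s+)(\S.*)$", raw.split("#", 1)[0].strip())
        if m:
            pairs.append((m.group(1).lower(), m.group(2).strip()))
    return pairs

def effective(pairs):
    """sshd rule: the FIRST value found for a keyword wins; Port may repeat, keep all."""
    eff, ports = {}, []
    for key, value in pairs:
        if key == "port":
            ports.append(value)
        else:
            eff.setdefault(key, value)
    return eff, ports

def audit_sshd_config(text):
    """Return findings; an empty list means the page's hardening is in effect."""
    pairs = parse_sshd_config(text)
    findings = [f"'{k}' is not a directive (did you mean {v}?)"
                for k, v in TYPOS.items() if any(key == k for key, _ in pairs)]
    eff, _ports = effective(pairs)
    for key, want in WANT.items():
        got = eff.get(key)
        if got is None or got.lower() != want:
            findings.append(f"{key}: expected '{want}', effective value is {got!r}")
    pw = eff.get("passwordauthentication", "yes").lower()  # sshd defaults are 'yes'
    pk = eff.get("pubkeyauthentication", "yes").lower()
    if pw == "no" and pk == "no":
        findings.append("password and public-key authentication both off: nobody can log in")
    return findings

# Constructed sample reflecting this page's settings (a real file has more directives).
SAMPLE_HARDENED = """Protocol 2 # only use SSH v2
PermitRootLogin no # Avoid root connections
PermitEmptyPasswords no
PasswordAuthentication no
"""
```

Run audit_sshd_config(open("/etc/ssh/sshd_config").read()) before the restart; an empty list means the settings above are actually in effect.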
SSH server - Authentication using LDAP server
Requirement: LDAP server
Principle
The idea is to use an LDAP server to manage users and groups, to ease maintenance and administration.
- Only 1 group of users is allowed to connect
- Access can be dynamically and easily granted
Configuration
!! TO BE DONE !!
How-to generate private / public keys
Linux
Create key
1. Log in as the user you want to use.
2. Generate a pair of authentication keys.
# Generating public/private rsa key pair
ssh-keygen -t rsa
>> Enter file in which to save the key: /home/user/.ssh/id_rsa
Log sample:
Created directory '/home/a/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/a/.ssh/id_rsa.
Your public key has been saved in /home/a/.ssh/id_rsa.pub.
The key fingerprint is:
3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4
Summary
- id_rsa == private key
- id_rsa.pub == public key
Convert OpenSSH key to Windows Putty
See: http://meinit.nl/using-your-openssh-private-key-in-putty
Windows
You can generate private / public keys with PuTTYgen (the PuTTY key generator).
When the keys are OK, you have to enter a key passphrase. Your passphrase must be:
- long (> 15 characters)
- hard to guess
- with letters + signs + numbers
Reminder on how to choose your passphrase and protect it: http://www.alcf.anl.gov/resource-guides/user-authentication-policies
Then, save your keys!
You should be the only one able to access the save location.
SSH client
Linux
Standard login
# syntax
ssh user@server -p portNumber
# example
ssh root@daxiongmao.eu -p 4422
Using RSA key
Key points:
- The key must belong to the current user
- The key permissions must be "500"
Then you can log-in using the following command:
ssh -i Guillaume_OpenSSH.private -p 2200 guillaume@dev.daxiongmao.eu
Where:
- -i myFile = the private key you have to use
- -p port = specific port number (if not default 22)
Windows
You have to use PuTTY to perform SSH login.
How to add a public / private key in PuTTY?
1. Create profile
2. Auto-login
3. Attach private key
4. Save profile
References
Sources:
- Public / private key theory: http://en.wikipedia.org/wiki/Public_Key_Cryptography
- http://www.howtoforge.com/ssh_key_based_logins_putty
- Windows - PuTTY software: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
- How to use an OpenSSH key in Windows PuTTY: http://meinit.nl/using-your-openssh-private-key-in-putty