SSH, SCP, SFTP, Denyhosts. Süha TUNA Res. Assist.

Transcription

1 SSH, SCP, SFTP, Denyhosts Süha TUNA Res. Assist.

2 Outline 1. What is Secure Shell? 2. ssh (Install and Configuration) 3. scp 4. sftp 5. X11 Forwarding 6. Generating Key Pairs 7. Disabling root Access 8. Denyhosts and Its Utilization

3 SSH (Secure Shell)

4 Why Use Secure Shell? Interception of communication between two systems In this scenario, the attacker can be somewhere on the network between the communicating parties, copying any information passed between them. The attacker may intercept and keep the information, or alter the information and send it on to the intended recipient. Impersonation of a particular host Using this strategy, an attacker's system is configured to pose as the intended recipient of a transmission. If this strategy works, the user's system remains unaware that it is communicating with the wrong host. Both techniques intercept potentially sensitive information and, if the interception is made for hostile reasons, the results can be disastrous. If SSH is used for remote shell login and file copying, these security threats can be greatly diminished. This is because the SSH client and server use digital signatures to verify their identity. Additionally, all communication between the client and server systems is encrypted. Attempts to spoof the identity of either side of a communication does not work, since each packet is encrypted using a key known only by the local and remote systems. 4

5 ssh Versions The SSH protocol allows any client and server programs built to the protocol's specifications to communicate securely and to be used interchangeably. Two varieties of SSH (version 1 and version 2) currently exist. The OpenSSH suite under Red Hat Enterprise Linux uses SSH version 2 which has an enhanced key exchange algorithm not vulnerable to the exploit in version 1. However, the OpenSSH suite does support version 1 connections. 5

6 Event Sequence of an ssh Connection 1 A cryptographic handshake is made so that the client can verify that it is communicating with the correct server. 2 The transport layer of the connection between the client and remote host is encrypted using a symmetric cipher. 3 The client authenticates itself to the server. 4 The remote client interacts with the remote host over the encrypted connection. 6

7 Configuring an openssh Server To run an OpenSSH server, you must first make sure that you have the proper RPM packages installed. The openssh-server package is required and is dependent on the openssh package. Config Files: /etc/ssh/sshd_config Start openssh: /sbin/service sshd start Stop openssh: /sbin/service sshd stop 7

8 A Warning from SSH If you reinstall, the reinstalled system creates a new set of identification keys. Any clients who had connected to the system with any of the OpenSSH tools before the reinstall will see the WARNING: REMOTE HOST IDENTIFICATION IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY Someone could be eavesdropping on you right now (man-in-themiddle attack) It is also possible that the RSA host key has just been changed. Old identifications can be found at: /etc/ssh/ssh_host*key* 8

9 Enhancing Security Please disable the following programs in order to enhance the ssh security Some services to disable include: telnet rsh rlogin vsftpd To disable insecure connection methods to the system, use the command line program chkconfig, the ncurses-based program /usr/sbin/ntsysv, or the Services Configuration Tool (system-config-services) graphical application. All of these tools require root level access. 9

10 OpenSSH Configuration (Server) OpenSSH has two different sets of configuration files: one for client programs (ssh, scp, and sftp) and one for the server daemon (sshd). System-wide SSH configuration information is stored in the /etc/ssh/ directory: moduli Contains Diffie-Hellman groups used for the Diffie-Hellman key exchange which is critical for constructing a secure transport layer. When keys are exchanged at the beginning of an SSH session, a shared, secret value is created which cannot be determined by either party alone. This value is then used to provide host authentication. ssh_config The system-wide default SSH client configuration file. It is overridden if one is also present in the user's home directory (~/.ssh/config). sshd_config The configuration file for the sshd daemon. ssh_host_dsa_key The DSA private key used by the sshd daemon. ssh_host_dsa_key.pub The DSA public key used by the sshd daemon. ssh_host_key The RSA private key used by the sshd daemon for version 1 of the SSH protocol. ssh_host_key.pub The RSA public key used by the sshd daemon for version 1 of the SSH protocol. ssh_host_rsa_key The RSA private key used by the sshd daemon for version 2 of the SSH protocol. ssh_host_rsa_key.pub The RSA public key used by the sshd for version 2 of the SSH protocol. 10

11 OpenSSH Configuration (Server) User-specific SSH configuration information is stored in the user's home directory within the ~/.ssh/ directory: authorized_keys This file holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file. id_dsa Contains the DSA private key of the user. id_dsa.pub The DSA public key of the user. id_rsa The RSA private key used by ssh for version 2 of the SSH protocol. id_rsa.pub The RSA public key used by ssh for version 2 of the SSH protocol identity The RSA private key used by ssh for version 1 of the SSH protocol. identity.pub The RSA public key used by ssh for version 1 of the SSH protocol. known_hosts This file contains DSA host keys of SSH servers accessed by the user. This file is very important for ensuring that the SSH client is connecting the correct SSH server. 11

12 OpenSSH Configuration (Client) To connect to an OpenSSH server from a client machine, you must have the openssh-clients and openssh packages installed on the client machine. 12

13 Using the ssh Command ssh Command ssh penguin.example.net First authentication for a server The authenticity of host 'penguin.example.net' can't be established. DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b: 01:5d:b3:07:38:e2:11:0c. Are you sure you want to continue connecting (yes/no)? Warning: Permanently added 'penguin.example.net' (RSA) to the list of known hosts. 13

14 Using the ssh Command ssh ssh penguin.example.net ls /usr/share/doc ssh penguin.example.net -l username 14

15 Using the scp Command scp scp shadowman scp <newlocalfile> scp -r downloads/* 15

16 Using the sftp command sftp ls = list the current directory on the remote machine cd = change directories on the remote machine mkdir = make a directory in current directory on remote machine lls = list the current directory on the local machine lcd = change directories on the local machine lmkdir = make a directory in current directory on local machine get = get files from the remote machine put = put files on the remote machine mget = get multiple files from the remote machine mput = put multiple files on the remote machine help = display commands available in sftp 16

17 X11 Forwarding To enable to take display from a remote machine: ssh -X <user>@example.com 17

18 Generating Key Pairs First log in on A as user a and generate a pair of authentication keys. Do not enter a passphrase: a@a:~> ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/a/.ssh/id_rsa): Created directory '/home/a/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/a/.ssh/id_rsa. Your public key has been saved in /home/a/.ssh/id_rsa.pub. The key fingerprint is: 3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4 a@a Now use ssh to create a directory ~/.ssh as user b on B. (The directory may already exist, which is fine): a@a:~> ssh b@b mkdir -p.ssh b@b's password: Finally append a's new public key to b@b:.ssh/authorized_keys and enter b's password one last time: a@a:~> cat.ssh/id_rsa.pub ssh b@b 'cat >>.ssh/authorized_keys' b@b's password: From now on you can log into B as b from A as a without password: a@a:~> ssh b@b 18

19 Disabling root Access First, get to the related ssh config file. vi /etc/ssh/sshd_config Find this section in the file, containing the line with PermitRootLogin in it. #LoginGraceTime 2m #PermitRootLogin no #StrictModes yes #MaxAuthTries 6 Make the line look like this to disable logging in through ssh as root. PermitRootLogin no Now you ll need to restart the sshd service: /etc/init.d/sshd restart Now nobody can brute force your root login, at least. 19

20 Denyhosts

21 What is Denyhosts? DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses. DenyHosts is developed by Phil Schwartz. 21

22 Denyhosts Structure IP s to be allowed: /etc/hosts.allow IP s to be denied: /etc/hosts.deny Installation for CentOS # yum --enablerepo=epel install denyhosts OR # yum install denyhosts 22

23 Configuring Denyhosts # vi /etc/hosts.allow # # hosts.allow This file contains access rules which are used to # allow or deny connections to network services that # either use the tcp_wrappers library or that have been # started through a tcp_wrappers-enabled xinetd. # # See 'man 5 hosts_options' and 'man 5 hosts_access' # for information on rule syntax. # See 'man tcpd' for information on tcp_wrappers # sshd: sshd: sshd:

24 What is Denyhosts? # vi /etc/denyhosts.conf ############ DENYHOSTS REQUIRED SETTINGS ############ SECURE_LOG = /var/log/secure HOSTS_DENY = /etc/hosts.deny BLOCK_SERVICE = sshd DENY_THRESHOLD_INVALID = 5 DENY_THRESHOLD_VALID = 10 DENY_THRESHOLD_ROOT = 1 DENY_THRESHOLD_RESTRICTED = 1 WORK_DIR = /var/lib/denyhosts SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES HOSTNAME_LOOKUP=YES LOCK_FILE = /var/lock/subsys/denyhosts ############ DENYHOSTS OPTIONAL SETTINGS ############ ADMIN_ = ravisaive@tecmint.com SMTP_HOST = localhost SMTP_PORT = 25 SMTP_FROM = DenyHosts <tecmint@tecmint.com> SMTP_SUBJECT = DenyHosts Daily Report ############ DENYHOSTS OPTIONAL SETTINGS ############ DAEMON_LOG = /var/log/denyhosts DAEMON_SLEEP = 30s DAEMON_PURGE = 1h 24

25 Restarting Denyhosts Service # chkconfig denyhosts on # service denyhosts start 25

26 Watch the Logs # tail -f /var/log/secure Nov 28 15:01:43 tecmint sshd[25474]: Accepted password for root from port 4339 ssh2 Nov 28 15:01:43 tecmint sshd[25474]: pam_unix(sshd:session): session opened for user root by (uid=0) Nov 28 16:44:09 tecmint sshd[25474]: pam_unix(sshd:session): session closed for user root Nov 29 11:08:56 tecmint sshd[31669]: Accepted password for root from port 2957 ssh2 Nov 29 11:08:56 tecmint sshd[31669]: pam_unix(sshd:session): session opened for user root by (uid=0) Nov 29 11:12:00 tecmint atd[3417]: pam_unix(atd:session): session opened for user root by (uid=0) Nov 29 11:12:00 tecmint atd[3417]: pam_unix(atd:session): session closed for user root Nov 29 11:26:42 tecmint sshd[31669]: pam_unix(sshd:session): session closed for user root Nov 29 12:54:17 tecmint sshd[7480]: Accepted password for root from port 1787 ssh2 26

27 Remove Banned IP from Denyhosts # /etc/init.d/denyhosts stop To remove or delete banned IP address completely. You need to edit the following files and remove the IP address. # vi /etc/hosts.deny # vi /var/lib/denyhosts/hosts # vi /var/lib/denyhosts/hosts-restricted # vi /var/lib/denyhosts/hosts-root # vi /var/lib/denyhosts/hosts-valid # vi /var/lib/denyhosts/users-hosts After removing the banned IP Address, restart the service again. # /etc/init.d/denyhosts start 27

28 Whitelist IP Addresses Permanently in Denyhosts If you ve list of static IP address that you want to whitelist permanently. Open the file /var/lib/denyhosts/allowed-hosts file. Whatever IP address included in this file will not be banned by default (consider this as a whilelist). # vi /var/lib/denyhosts/allowed-hosts And add the each IP address on separate line. Save and close the file. # We mustn't block localhost

29 Questions?