SSH, SCP, SFTP, Denyhosts. Süha TUNA Res. Assist.


Outline
1. What is Secure Shell?
2. ssh (Install and Configuration)
3. scp
4. sftp
5. X11 Forwarding
6. Generating Key Pairs
7. Disabling root Access
8. Denyhosts and Its Utilization

SSH (Secure Shell)

Why Use Secure Shell?

Interception of communication between two systems
In this scenario, the attacker can be somewhere on the network between the communicating parties, copying any information passed between them. The attacker may intercept and keep the information, or alter the information and send it on to the intended recipient.

Impersonation of a particular host
Using this strategy, an attacker's system is configured to pose as the intended recipient of a transmission. If this strategy works, the user's system remains unaware that it is communicating with the wrong host.

Both techniques intercept potentially sensitive information and, if the interception is made for hostile reasons, the results can be disastrous. If SSH is used for remote shell login and file copying, these security threats can be greatly diminished, because the SSH client and server use digital signatures to verify their identity. Additionally, all communication between the client and server systems is encrypted. Attempts to spoof the identity of either side of a communication do not work, since each packet is encrypted using a key known only to the local and remote systems.

ssh Versions

The SSH protocol allows any client and server programs built to the protocol's specifications to communicate securely and to be used interchangeably. Two varieties of SSH (version 1 and version 2) currently exist. The OpenSSH suite under Red Hat Enterprise Linux uses SSH version 2, which has an enhanced key exchange algorithm not vulnerable to the exploit in version 1. However, the OpenSSH suite does support version 1 connections.

Event Sequence of an ssh Connection
1. A cryptographic handshake is made so that the client can verify that it is communicating with the correct server.
2. The transport layer of the connection between the client and remote host is encrypted using a symmetric cipher.
3. The client authenticates itself to the server.
4. The client interacts with the remote host over the encrypted connection.

Configuring an OpenSSH Server

To run an OpenSSH server, you must first make sure that you have the proper RPM packages installed. The openssh-server package is required and depends on the openssh package.

    Config file:    /etc/ssh/sshd_config
    Start OpenSSH:  /sbin/service sshd start
    Stop OpenSSH:   /sbin/service sshd stop

A Warning from SSH

If you reinstall, the reinstalled system creates a new set of identification keys. Any clients who had connected to the system with any of the OpenSSH tools before the reinstall will see the following message:

    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED      @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY
    Someone could be eavesdropping on you right now (man-in-the-middle attack)
    It is also possible that the RSA host key has just been changed.

Old identifications can be found at: /etc/ssh/ssh_host*key*

Enhancing Security

Disable the following insecure programs in order to enhance SSH security. Some services to disable include:

    telnet
    rsh
    rlogin
    vsftpd

To disable insecure connection methods to the system, use the command line program chkconfig, the ncurses-based program /usr/sbin/ntsysv, or the Services Configuration Tool (system-config-services) graphical application. All of these tools require root level access.

OpenSSH Configuration (Server)

OpenSSH has two different sets of configuration files: one for client programs (ssh, scp, and sftp) and one for the server daemon (sshd). System-wide SSH configuration information is stored in the /etc/ssh/ directory:

moduli
    Contains Diffie-Hellman groups used for the Diffie-Hellman key exchange, which is critical for constructing a secure transport layer. When keys are exchanged at the beginning of an SSH session, a shared secret value is created which cannot be determined by either party alone. This value is then used to provide host authentication.
ssh_config
    The system-wide default SSH client configuration file. It is overridden if one is also present in the user's home directory (~/.ssh/config).
sshd_config
    The configuration file for the sshd daemon.
ssh_host_dsa_key
    The DSA private key used by the sshd daemon.
ssh_host_dsa_key.pub
    The DSA public key used by the sshd daemon.
ssh_host_key
    The RSA private key used by the sshd daemon for version 1 of the SSH protocol.
ssh_host_key.pub
    The RSA public key used by the sshd daemon for version 1 of the SSH protocol.
ssh_host_rsa_key
    The RSA private key used by the sshd daemon for version 2 of the SSH protocol.
ssh_host_rsa_key.pub
    The RSA public key used by the sshd daemon for version 2 of the SSH protocol.

OpenSSH Configuration (Server)

User-specific SSH configuration information is stored in the user's home directory within the ~/.ssh/ directory:

authorized_keys
    This file holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the client by checking its signed public key stored within this file.
id_dsa
    Contains the DSA private key of the user.
id_dsa.pub
    The DSA public key of the user.
id_rsa
    The RSA private key used by ssh for version 2 of the SSH protocol.
id_rsa.pub
    The RSA public key used by ssh for version 2 of the SSH protocol.
identity
    The RSA private key used by ssh for version 1 of the SSH protocol.
identity.pub
    The RSA public key used by ssh for version 1 of the SSH protocol.
known_hosts
    This file contains DSA host keys of SSH servers accessed by the user. This file is very important for ensuring that the SSH client is connecting to the correct SSH server.

OpenSSH Configuration (Client)

To connect to an OpenSSH server from a client machine, you must have the openssh-clients and openssh packages installed on the client machine.

Using the ssh Command

    ssh penguin.example.net

First authentication for a server:

    The authenticity of host 'penguin.example.net' can't be established.
    DSA key fingerprint is 94:68:3a:3a:bc:f3:9a:9b:01:5d:b3:07:38:e2:11:0c.
    Are you sure you want to continue connecting (yes/no)?
    Warning: Permanently added 'penguin.example.net' (RSA) to the list of known hosts.
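The first-connection prompt above, the known_hosts file described earlier and the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning are three outcomes of one check: comparing the key the server presents with the key stored for that host. The following added example (not from the slides) reproduces that check over a plain known_hosts line; the ssh-rsa blobs it builds are constructed toy values, not real keys, and hashed known_hosts entries are not handled.

```python
import base64
import hashlib
import struct

def _sshstr(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b              # keep the wire-format integer positive
    return _sshstr(b)

def build_rsa_blob(e: int, n: int) -> bytes:
    """Wire format of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return _sshstr(b"ssh-rsa") + _mpint(e) + _mpint(n)

def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the form shown in the first-connection prompt."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def parse_known_hosts(text: str) -> dict:
    """Map (host, keytype) -> key blob from plain (unhashed) known_hosts lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hosts, keytype, b64 = line.split()[:3]
        for host in hosts.split(","):      # one line may list several names/IPs
            entries[(host, keytype)] = base64.b64decode(b64)
    return entries

def check_host_key(known: dict, host: str, keytype: str, presented: bytes) -> str:
    """The three outcomes an ssh client reaches when it compares a host key."""
    stored = known.get((host, keytype))
    if stored is None:
        return "UNKNOWN"    # first connection: the user must confirm the fingerprint
    if stored == presented:
        return "OK"
    return "CHANGED"        # REMOTE HOST IDENTIFICATION HAS CHANGED: MITM or reinstall

# Constructed toy keys (tiny, not real RSA keys) so the example runs offline
SERVER_KEY = build_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF)
REINSTALLED_KEY = build_rsa_blob(65537, 0xDEADBEEF0123456789)
KNOWN_HOSTS = ("penguin.example.net,192.0.2.10 ssh-rsa "
               + base64.b64encode(SERVER_KEY).decode() + "\n")
```

A "CHANGED" result after a known reinstall is expected; the same result without one is the situation the warning exists for, and the fingerprint should be confirmed out of band before the old entry is replaced.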

Using the ssh Command

    ssh username@penguin.example.net
    ssh penguin.example.net ls /usr/share/doc
    ssh penguin.example.net -l username

Using the scp Command

    scp <localfile> username@tohostname:<remotefile>
    scp shadowman username@penguin.example.net:shadowman
    scp username@tohostname:<remotefile> <newlocalfile>
    scp -r downloads/* username@penguin.example.net:uploads/

Using the sftp Command

    sftp username@penguin.example.net

    ls     = list the current directory on the remote machine
    cd     = change directories on the remote machine
    mkdir  = make a directory in the current directory on the remote machine
    lls    = list the current directory on the local machine
    lcd    = change directories on the local machine
    lmkdir = make a directory in the current directory on the local machine
    get    = get files from the remote machine
    put    = put files on the remote machine
    mget   = get multiple files from the remote machine
    mput   = put multiple files on the remote machine
    help   = display the commands available in sftp

X11 Forwarding

To forward the display of a remote machine's X applications to the local screen:

    ssh -X <user>@example.com

Generating Key Pairs

First log in on A as user a and generate a pair of authentication keys. Do not enter a passphrase:

    a@a:~> ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/a/.ssh/id_rsa):
    Created directory '/home/a/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/a/.ssh/id_rsa.
    Your public key has been saved in /home/a/.ssh/id_rsa.pub.
    The key fingerprint is:
    3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4 a@a

Now use ssh to create a directory ~/.ssh as user b on B. (The directory may already exist, which is fine):

    a@a:~> ssh b@b mkdir -p .ssh
    b@b's password:

Finally append a's new public key to b@b:.ssh/authorized_keys and enter b's password one last time (the pipe into ssh is what sends the key over):

    a@a:~> cat .ssh/id_rsa.pub | ssh b@b 'cat >> .ssh/authorized_keys'
    b@b's password:

From now on you can log into B as b from A as a without a password:

    a@a:~> ssh b@b

Disabling root Access

First, open the related ssh config file:

    vi /etc/ssh/sshd_config

Find this section in the file, containing the line with PermitRootLogin in it:

    #LoginGraceTime 2m
    #PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6

Make the line look like this (uncommented) to disable logging in through ssh as root:

    PermitRootLogin no

Now you'll need to restart the sshd service:

    /etc/init.d/sshd restart

Now nobody can brute force your root login, at least.
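The step that matters in the slide above is uncommenting the line: a commented "#PermitRootLogin no" is only documentation of a default, not a setting, and sshd honours the first uncommented occurrence of a keyword. This added check (not part of the slides) reads an sshd_config text and reports the value sshd will actually use, so a hardening change can be verified before the restart; it is a simplified parser that stops considering global keywords once a Match block starts.

```python
import re

# The snippet exactly as the slide shows it: PermitRootLogin is still commented out
SLIDE_SNIPPET = """\
#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
"""

# The same snippet after the edit the slide asks for
HARDENED_SNIPPET = """\
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
"""

def effective_option(config_text: str, option: str):
    """Value sshd will use for a keyword, or None if it is never set uncommented.
    sshd takes the FIRST uncommented occurrence; later duplicates are ignored.
    Keywords after a Match line apply only to matching connections, so they are
    not treated as the global value here."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments are not settings
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        keyword = parts[0].lower()
        if keyword == "match":
            in_match = True               # everything after Match is conditional
            continue
        if in_match:
            continue
        if keyword == option.lower():
            return parts[1].strip() if len(parts) > 1 else ""
    return None

def root_login_disabled(config_text: str) -> bool:
    """True only when PermitRootLogin is explicitly and globally set to no."""
    return effective_option(config_text, "PermitRootLogin") == "no"
```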

Denyhosts

What is Denyhosts?

DenyHosts is a log-based intrusion prevention security tool for SSH servers written in Python. It is intended to prevent brute-force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses. DenyHosts is developed by Phil Schwartz.

Denyhosts Structure

    IPs to be allowed: /etc/hosts.allow
    IPs to be denied:  /etc/hosts.deny

Installation for CentOS:

    # yum --enablerepo=epel install denyhosts

or

    # yum install denyhosts

Configuring Denyhosts

    # vi /etc/hosts.allow

    #
    # hosts.allow   This file contains access rules which are used to
    #               allow or deny connections to network services that
    #               either use the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    #               See 'man 5 hosts_options' and 'man 5 hosts_access'
    #               for information on rule syntax.
    #               See 'man tcpd' for information on tcp_wrappers
    #
    sshd: 172.16.25.125
    sshd: 172.16.25.126
    sshd: 172.16.25.127

Configuring Denyhosts (/etc/denyhosts.conf)

    # vi /etc/denyhosts.conf

    ############ DENYHOSTS REQUIRED SETTINGS ############
    SECURE_LOG = /var/log/secure
    HOSTS_DENY = /etc/hosts.deny
    BLOCK_SERVICE = sshd
    DENY_THRESHOLD_INVALID = 5
    DENY_THRESHOLD_VALID = 10
    DENY_THRESHOLD_ROOT = 1
    DENY_THRESHOLD_RESTRICTED = 1
    WORK_DIR = /var/lib/denyhosts
    SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
    HOSTNAME_LOOKUP=YES
    LOCK_FILE = /var/lock/subsys/denyhosts

    ############ DENYHOSTS OPTIONAL SETTINGS ############
    ADMIN_EMAIL = ravisaive@tecmint.com
    SMTP_HOST = localhost
    SMTP_PORT = 25
    SMTP_FROM = DenyHosts <tecmint@tecmint.com>
    SMTP_SUBJECT = DenyHosts Daily Report

    ############ DENYHOSTS OPTIONAL SETTINGS ############
    DAEMON_LOG = /var/log/denyhosts
    DAEMON_SLEEP = 30s
    DAEMON_PURGE = 1h

Restarting Denyhosts Service

    # chkconfig denyhosts on
    # service denyhosts start

Watch the Logs

    # tail -f /var/log/secure
    Nov 28 15:01:43 tecmint sshd[25474]: Accepted password for root from 172.16.25.125 port 4339 ssh2
    Nov 28 15:01:43 tecmint sshd[25474]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Nov 28 16:44:09 tecmint sshd[25474]: pam_unix(sshd:session): session closed for user root
    Nov 29 11:08:56 tecmint sshd[31669]: Accepted password for root from 172.16.25.125 port 2957 ssh2
    Nov 29 11:08:56 tecmint sshd[31669]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Nov 29 11:12:00 tecmint atd[3417]: pam_unix(atd:session): session opened for user root by (uid=0)
    Nov 29 11:12:00 tecmint atd[3417]: pam_unix(atd:session): session closed for user root
    Nov 29 11:26:42 tecmint sshd[31669]: pam_unix(sshd:session): session closed for user root
    Nov 29 12:54:17 tecmint sshd[7480]: Accepted password for root from 172.16.25.125 port 1787 ssh2

Remove Banned IP from Denyhosts

    # /etc/init.d/denyhosts stop

To remove or delete a banned IP address completely, you need to edit the following files and remove the IP address:

    # vi /etc/hosts.deny
    # vi /var/lib/denyhosts/hosts
    # vi /var/lib/denyhosts/hosts-restricted
    # vi /var/lib/denyhosts/hosts-root
    # vi /var/lib/denyhosts/hosts-valid
    # vi /var/lib/denyhosts/users-hosts

After removing the banned IP address, start the service again:

    # /etc/init.d/denyhosts start

Whitelist IP Addresses Permanently in Denyhosts

If you have a list of static IP addresses that you want to whitelist permanently, open the file /var/lib/denyhosts/allowed-hosts. Whatever IP address is included in this file will not be banned by default (consider this a whitelist):

    # vi /var/lib/denyhosts/allowed-hosts

Add each IP address on a separate line, then save and close the file:

    # We mustn't block localhost
    127.0.0.1
    172.16.25.125
    172.16.25.126
    172.16.25.127
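The denyhosts.conf thresholds, the /var/log/secure lines and the allowed-hosts whitelist from the last few slides fit together as one decision: count failed sshd logins per source address, in separate buckets for non-existent users, existing users and root, skip whitelisted addresses, and write "sshd: <IP>" into /etc/hosts.deny once a bucket reaches its threshold. The following added example (not DenyHosts' own code) implements that logic over a constructed sample log so the thresholds from the slide can be seen in action.

```python
import re
from collections import defaultdict

DENY_THRESHOLD_INVALID = 5   # from the denyhosts.conf slide: failures for non-existent users
DENY_THRESHOLD_VALID = 10    # failures for existing, non-root users
DENY_THRESHOLD_ROOT = 1      # failures for root
BLOCK_SERVICE = "sshd"

# Matches the "Failed password" lines sshd writes to /var/log/secure
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def classify_failures(log_lines, allowed_hosts):
    """Count failed logins per source IP in DenyHosts' three buckets, skipping whitelisted hosts."""
    counts = defaultdict(lambda: {"invalid": 0, "valid": 0, "root": 0})
    for line in log_lines:
        m = FAILED_RE.search(line)
        if not m or m.group("ip") in allowed_hosts:
            continue                      # not a failure, or host is in allowed-hosts
        if m.group("invalid"):
            bucket = "invalid"            # user name does not exist on this system
        elif m.group("user") == "root":
            bucket = "root"
        else:
            bucket = "valid"
        counts[m.group("ip")][bucket] += 1
    return counts

def hosts_to_deny(counts):
    """Return the lines DenyHosts would append to /etc/hosts.deny."""
    deny = []
    for ip, c in sorted(counts.items()):
        if (c["root"] >= DENY_THRESHOLD_ROOT
                or c["invalid"] >= DENY_THRESHOLD_INVALID
                or c["valid"] >= DENY_THRESHOLD_VALID):
            deny.append(f"{BLOCK_SERVICE}: {ip}")
    return deny

# Constructed sample log in /var/log/secure format (not from the slides)
SAMPLE_LOG = """\
Nov 29 13:00:01 tecmint sshd[8001]: Failed password for root from 198.51.100.7 port 40000 ssh2
Nov 29 13:00:05 tecmint sshd[8003]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Nov 29 13:00:06 tecmint sshd[8004]: Failed password for invalid user oracle from 203.0.113.9 port 40002 ssh2
Nov 29 13:00:07 tecmint sshd[8005]: Failed password for invalid user test from 203.0.113.9 port 40003 ssh2
Nov 29 13:00:08 tecmint sshd[8006]: Failed password for invalid user guest from 203.0.113.9 port 40004 ssh2
Nov 29 13:00:09 tecmint sshd[8007]: Failed password for invalid user ubuntu from 203.0.113.9 port 40005 ssh2
Nov 29 13:00:10 tecmint sshd[8008]: Failed password for suha from 192.0.2.44 port 40006 ssh2
Nov 29 13:00:11 tecmint sshd[8009]: Failed password for root from 172.16.25.126 port 40007 ssh2
""".splitlines()
ALLOWED_HOSTS = {"127.0.0.1", "172.16.25.125", "172.16.25.126", "172.16.25.127"}  # allowed-hosts slide

def deny_lines_for_sample():
    return hosts_to_deny(classify_failures(SAMPLE_LOG, ALLOWED_HOSTS))
```

Note how the single root failure from 198.51.100.7 is enough on its own because DENY_THRESHOLD_ROOT is 1, while the root failure from the whitelisted 172.16.25.126 is never counted.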

Questions?