Some security tips for SSH in CentOS

Preface

I don't think I need to say much about the benefits of ssh. For example, the old rpc commands and telnet can all be replaced by ssh:

 
  - Remote login
        ssh user@remote.machine
  - Remote execution
        ssh user@remote.machine 'command ...'
  - Remote copy
        scp user@remote.machine:/remote/path /local/path
        scp /local/path user@remote.machine:/remote/path
  - X forwarding
        ssh -X user@remote.machine
        xcommand ...
  - Tunnel / port forwarding
        ssh -L 1234:remote.machine:4321 user@remote.machine
        ssh -R 1234:local.machine:4321 user@remote.machine
        ssh -L 1234:other.machine:4321 user@remote.machine

I won't go into detailed usage here; please look that up yourself.

What I want to talk about are some security techniques for the ssh service.

Example

(Take RedHat 9 as an example)

 
On the client:

    $ ssh-keygen -t rsa

  * Just press Enter three times; there is no need to set a passphrase unless you use ssh-agent.

    $ scp ~/.ssh/id_rsa.pub user1@server.machine:id_rsa.pub

  * If the client is Windows, puttygen.exe can generate the public key; after copying it to the server, edit it so that the whole key is on a single line.
  * If the server has already disabled password login, deliver the public key to the server by some other means.

On the server:

  • Disable root login

        # vi /etc/ssh/sshd_config
        PermitRootLogin no

  • Instead of password authentication, force RSA key authentication (assume the ssh login user is user1)

        # vi /etc/ssh/sshd_config
        RSAAuthentication yes
        PubkeyAuthentication yes
        AuthorizedKeysFile .ssh/authorized_keys
        PasswordAuthentication no
        # service sshd restart
        # su - user1
        $ mkdir ~/.ssh 2>/dev/null
        $ chmod 700 ~/.ssh
        $ touch ~/.ssh/authorized_keys
        $ chmod 644 ~/.ssh/authorized_keys
        $ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
        $ rm ~/id_rsa.pub
        $ exit
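The sshd_config edits above only take effect if nothing earlier in the file contradicts them: sshd uses the first occurrence of a keyword, so an earlier "PasswordAuthentication yes" silently wins over a later "no". The following script is an added example and not code from the original article; it reads a config file and reports whether the three settings recommended here (PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes) are actually in effect. The function names and the sample config are made up for the example; on a live host, "sshd -T" prints the effective configuration.

```shell
#!/bin/sh
# Added example (not from the original article): check that an sshd_config
# actually has the settings recommended above in effect.
# Two things a plain "vi sshd_config" edit does not guard against:
#   - sshd uses the FIRST occurrence of a keyword, so an earlier
#     "PasswordAuthentication yes" wins over a later "no";
#   - keywords under a "Match" block only apply conditionally.

# sshd_effective FILE KEYWORD -> prints the effective value of KEYWORD
# (first match, case-insensitive keyword, stops at the first Match block),
# or nothing if the keyword is not set before any Match block.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF == 0 { next }      # comments and blank lines
        tolower($1) == "match" { exit }           # conditional section: stop
        tolower($1) == key     { print $2; exit } # first occurrence wins
    ' "$1"
}

# check_sshd_config FILE -> one "OK"/"FAIL" line per setting; returns 0 only
# when every recommended setting is in effect. Entries are keyword=wanted:default,
# where default is what an old sshd assumes when the keyword is absent
# (newer releases default PermitRootLogin to prohibit-password, also not "no").
check_sshd_config() {
    cfg="$1"; rc=0
    for entry in "permitrootlogin=no:yes" \
                 "passwordauthentication=no:yes" \
                 "pubkeyauthentication=yes:yes"; do
        key="${entry%%=*}"
        want="${entry#*=}"; want="${want%%:*}"
        default="${entry##*:}"
        have="$(sshd_effective "$cfg" "$key" | tr 'A-Z' 'a-z')"
        [ -n "$have" ] || have="$default"
        if [ "$have" = "$want" ]; then
            echo "OK   $key=$have"
        else
            echo "FAIL $key=$have (want $want)"
            rc=1
        fi
    done
    return $rc
}

# sample_sshd_config -> a constructed config with the classic trap: the
# intended "no" comes after an earlier "yes", so the earlier line wins.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample, not a real host's file
PasswordAuthentication yes
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF
}
```

Run it as `check_sshd_config /etc/ssh/sshd_config` after editing; the sample config above produces one FAIL line for PasswordAuthentication even though the file ends with "PasswordAuthentication no".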
  • Restrict who may use su/sudo:

        # vi /etc/pam.d/su
        auth required /lib/security/$ISA/pam_wheel.so use_uid
        # visudo
        %wheel ALL=(ALL) ALL
        # gpasswd -a user1 wheel

  • Restrict which users may log in via ssh:

        # vi /etc/pam.d/sshd
        auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users onerr=fail
        # echo user1 >> /etc/ssh_users
  • Use a web page to control when ssh is opened (ssh stays blocked until a registered client triggers it):

        # iptables -I INPUT -p tcp --dport 22 -j DROP
        # mkdir /var/www/html/ssh_open
        # cat > /var/www/html/ssh_open/.htaccess <<END
        AuthName "ssh_open"
        AuthUserFile /var/www/html/ssh_open/.htpasswd
        AuthType basic
        require valid-user
        END
        # htpasswd -c /var/www/html/ssh_open/.htpasswd user1

(It is better to set up SSL, or to allow this directory only over https. I have set it up with SSL; please refer to those settings. If you need to restrict the source address range, refer to Apache's Allow/Deny directives, or to the author's own setup.)

 
    # cat > /var/www/html/ssh_open/ssh_open.php <<'END'
    <?php
    // Directory that holds the ip list
    $dir_path = ".";
    // Filename of the ip list
    $ip_list = "ssh_open.txt";
    // Client ip as seen by the web server
    $user_ip = $_SERVER['REMOTE_ADDR'];
    // Allow the client to specify an ip explicitly if needed (?myip=...)
    if (!empty($_GET['myip'])) {
        $user_ip = $_GET['myip'];
    }
    // Check the IP format: ip2long() returns false for an invalid address,
    // long2ip() turns that into 0.0.0.0, so the comparison fails
    if ($user_ip == long2ip(ip2long($user_ip))) {
        // Write the client ip to the file, replacing any previous record
        if (!($file = @fopen("$dir_path/$ip_list", "w+"))) {
            echo "Permission denied!!<br>";
            echo "Please check your rights to dir $dir_path or file $ip_list";
        } else {
            fputs($file, "$user_ip");
            fclose($file);
            echo "client ip($user_ip) has been put into $dir_path/$ip_list";
        }
    } else {
        echo "Invalid IP format!!<br>ssh_open.txt was not changed.";
    }
    ?>
    END
    # touch /var/www/html/ssh_open/ssh_open.txt
    # chmod 640 /var/www/html/ssh_open/*
    # chgrp apache /var/www/html/ssh_open/*
    # chmod g+w /var/www/html/ssh_open/ssh_open.txt
    # chmod o+t /var/www/html/ssh_open
    # service httpd restart
    # mkdir /etc/iptables
    # cat > /etc/iptables/sshopen.sh <<'END'
    #!/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    list_dir=/var/www/html/ssh_open
    list_file=$list_dir/ssh_open.txt     # the file written by ssh_open.php
    bad_list=$list_dir/bad_ip.txt
    auth_log=$list_dir/xinetd.log        # log_type of the xinetd service below
    trusted_ip="127.0.0.1 4.3.2.1"
    chain_name=ssh_rules
    mail_to=root
    # clear the chain if it exists, otherwise create it
    if iptables -L -n | grep -q "^Chain $chain_name"; then
        iptables -F $chain_name
    else
        iptables -N $chain_name
        iptables -I INPUT -p tcp --dport 22 -j $chain_name
    fi
    # clear the chain on demand (called from cron)
    if [ "$1" = clear ]; then
        iptables -F $chain_name
        cat /dev/null > $list_file
        exit 0
    fi
    # do nothing while the list is empty
    [ -s $list_file ] || exit 1
    # deny the connection if the triggering host doesn't match the list
    # (xinetd logs "START: sshopen from=1.2.3.4" for each connection)
    host_ip=$(grep 'sshopen from=' $auth_log | tail -1 | awk -F'=' '{print $NF}')
    list_ip=$(cat $list_file)
    if [ -n "$host_ip" ] && [ "$host_ip" != "$list_ip" ]; then
        # -x matches whole lines, so a trusted 4.3.2.1 does not cover 4.3.2.10
        echo -e "${trusted_ip// /\n}" | grep -qx "$host_ip" || {
            iptables-save | egrep -q "INPUT -s $host_ip(/32)? -j DROP$" || {
                iptables -I INPUT -s $host_ip -j DROP
                echo $host_ip >> $bad_list
                echo "$host_ip is blocked by $0 on $(date)" | mail -s "block ip" $mail_to
            }
        }
        exit 2
    fi
    # add the rule
    iptables -A $chain_name -p tcp --dport 22 -s $(< $list_file) -j ACCEPT && \
        echo "ssh opened to $(< $list_file) on $(date)" | mail -s "sshopen" $mail_to
    exit 0
    END
    # chmod +x /etc/iptables/sshopen.sh
    # echo -e 'sshopen\t\t1234/tcp' >> /etc/services
    # cat > /etc/xinetd.d/sshopen <<END
    service sshopen
    {
        log_type        = FILE /var/www/html/ssh_open/xinetd.log
        log_on_success  = HOST
        log_on_failure  = HOST
        disable         = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        server          = /etc/iptables/sshopen.sh
    }
    END
    # service xinetd restart
    # iptables -I INPUT -p tcp --dport 1234 -j ACCEPT
    # cat > /etc/cron.d/sshopen <<END
    */5 * * * * root /etc/iptables/sshopen.sh clear
    END

(The here-documents above use a quoted 'END' so that the $variables and $(...) inside the scripts are written to the files literally instead of being expanded by the shell that creates them.)

On the client:

Open this URL in a browser:

    http://server.machine/ssh_open/ssh_open.php?myip=1.2.3.4

(If ?myip=1.2.3.4 is not specified, the client's IP address at that time is used, which is fine as long as there is no proxy in between.)

This way ssh_open.txt on the server only ever holds a single record, which is overwritten each time.

Then:

    $ telnet server.machine 1234

After that you have at most five minutes to connect to the server with ssh!
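To make the decision taken by sshopen.sh easy to reason about, here is an added example (not code from the original article) that reproduces that decision as a dry-run function: it reads the same two inputs, the single-line list file written by ssh_open.php and the xinetd log, and prints the action the script would take instead of running iptables. The function and sample-file names are assumptions for this example, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): the decision logic of the
# article's sshopen.sh as a dry-run function, so it can be exercised without
# root or iptables. It prints the action instead of executing it.
#
# Caveat for the real setup: the article's initial "--dport 22 -j DROP" rule
# has no ESTABLISHED exception, so once cron flushes the ACCEPT chain the
# packets of an already-open ssh session are dropped too, unless an
# "-m state --state ESTABLISHED,RELATED -j ACCEPT" rule precedes the DROP.

# sshopen_decide LIST_FILE XINETD_LOG "TRUSTED_IPS"
#   LIST_FILE   single-line file written by ssh_open.php (the registered IP)
#   XINETD_LOG  xinetd log; the last "sshopen ... from=IP" line is the trigger
#   TRUSTED_IPS space-separated IPs that are never blocked
# Prints one of: "SKIP empty-list", "ACCEPT IP", "DROP IP", "NOOP trusted IP".
sshopen_decide() {
    list_file="$1"; auth_log="$2"; trusted="$3"

    # Same rule as the article: nothing registered -> do nothing.
    [ -s "$list_file" ] || { echo "SKIP empty-list"; return 1; }

    list_ip="$(tr -d '[:space:]' < "$list_file")"
    # xinetd with log_on_success = HOST writes "START: sshopen from=1.2.3.4"
    host_ip="$(grep 'sshopen .*from=' "$auth_log" | tail -1 | awk -F'=' '{print $NF}')"

    if [ -n "$host_ip" ] && [ "$host_ip" != "$list_ip" ]; then
        # The trigger came from an IP that never registered: block it, unless
        # trusted. grep -x matches whole lines, so 10.0.0.1 is not 10.0.0.10.
        if printf '%s\n' $trusted | grep -qx "$host_ip"; then
            echo "NOOP trusted $host_ip"
        else
            echo "DROP $host_ip"
        fi
        return 2
    fi
    echo "ACCEPT $list_ip"
    return 0
}

# sample_xinetd_log -> constructed log lines in xinetd's FILE log format
sample_xinetd_log() {
    cat <<'EOF'
05/1/3@12:00:00: START: sshopen from=1.2.3.4
05/1/3@12:00:00: EXIT: sshopen status=0 duration=0(sec)
05/1/3@12:01:00: START: sshopen from=10.0.0.10
EOF
}
```

With the registered IP 1.2.3.4 and only the first sample line in the log the function prints "ACCEPT 1.2.3.4"; once the third line arrives, the same list file yields "DROP 10.0.0.10" unless that address is in the trusted list.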

The basic structure of this step is as follows:

  • Block sshd completely at the firewall.
  • Then set up a directory under httpd protected by ssl + htpasswd + allow/deny control, and put a php file there that records the browser's IP address into a text file. Depending on the browser's situation, the php file can pick up the browser's IP itself, or the user can specify the IP in the URL. The text file only ever holds one record, and it is cleared regularly.
  • Modify /etc/services to add a new service (such as sshopen above) on a new port (such as 1234).
  • Use xinetd to listen on that port and run a script that configures iptables: the script takes the IP address from the text file of step 2 and opens ssh to it.
  • Set a crontab to clear the ssh-related iptables rules and the record in the text file every few minutes. This is not meant to affect a session that is already connected; if the window runs out, just repeat the steps above.

  • If the previous step is not set up, there may be people trying their luck against your ssh server:

     
      
        # mkdir -p /etc/firewall
        # cat > /etc/firewall/sshblock.sh <<'END'
        #!/bin/bash
        PATH=/sbin:/bin:/usr/sbin:/usr/bin
        LOG_FILE=/var/log/secure
        KEY_WORD="Illegal user"
        KEY_WORD1="Failed password for root"
        PERM_LIST=/etc/firewall/bad.list.perm
        LIMIT=5
        MAIL_TO=root
        IPT_SAV="$(iptables-save)"
        touch $PERM_LIST
        # "Illegal user xxx from 1.2.3.4": the ip is the last field
        bad_list=$(egrep "$KEY_WORD" $LOG_FILE | awk '{print $NF}' | xargs)
        # "Failed password for root from 1.2.3.4 port N ssh2": the ip is field 11
        bad_list1=$(egrep "$KEY_WORD1" $LOG_FILE | awk '{print $11}' | xargs)
        bad_list="$bad_list $bad_list1"
        for i in $(echo -e "${bad_list// /\n}" | sort -u)
        do
            # count whole-line matches only, so 1.2.3.4 does not count for 1.2.3.40
            hit=$(echo -e "${bad_list// /\n}" | grep -cxF "$i")
            [ "$hit" -ge "$LIMIT" ] && {
                echo "$IPT_SAV" | egrep -q -- "-s $i(/32)? .*-j DROP" || {
                    echo -e "\n$i was dropped on $(date)\n" | mail -s "DROP by ${0##*/}: $i" $MAIL_TO
                    iptables -I INPUT -s $i -j DROP
                }
                grep -qxF "$i" $PERM_LIST || echo $i >> $PERM_LIST
            }
        done
        END
        # chmod +x /etc/firewall/sshblock.sh
        # cat >> /etc/hosts.allow <<END
        sshd: ALL: spawn ( /etc/firewall/sshblock.sh )& : ALLOW
        END

This way, anyone probing ssh gets at most LIMIT (five) attempts before being BLOCKed. In addition, the IP addresses in PERM_LIST can be fed to the iptables startup script to make the blocks permanent:

 
    for i in $(< $PERM_LIST)
    do
        /sbin/iptables -I INPUT -s $i -j DROP
    done
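The blocking script above counts failures with egrep and awk field numbers that depend on the exact log wording. The following is an added example, not part of the original article, that does the same counting in a form that can be tested offline and, going beyond the article, also recognises the "Invalid user" wording of current OpenSSH and failed passwords for any user rather than only root. It prints the iptables commands it would run instead of executing them. The function names and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): the counting logic of the
# article's sshblock.sh, rewritten so it can be tested on a log file without
# root or iptables. It prints the iptables commands it would run instead of
# executing them, and recognises both the old "Illegal user" wording used in
# the article and the "Invalid user" wording of current OpenSSH.

# failed_ips LOGFILE -> prints "COUNT IP" per source IP of failed logins
# (unknown usernames and failed passwords), most frequent first.
failed_ips() {
    awk '
        /(Illegal|Invalid) user .* from / ||
        /Failed password for (invalid user )?[^ ]+ from / {
            # in every variant the source IP is the word after "from",
            # which avoids the fixed field numbers ($11, $NF) of the article
            for (i = 1; i < NF; i++) if ($i == "from") { hits[$(i+1)]++; break }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$1" | sort -rn
}

# block_plan LOGFILE LIMIT -> one "iptables -I INPUT -s IP -j DROP" line per
# IP with at least LIMIT failures (dry run; "block_plan f 5 | sh" as root
# applies it, which is what the article's script does directly).
block_plan() {
    failed_ips "$1" | awk -v limit="$2" \
        '$1 >= limit { print "iptables -I INPUT -s " $2 " -j DROP" }'
}

# sample_secure_log -> constructed /var/log/secure lines (old and new wording)
sample_secure_log() {
    cat <<'EOF'
Jan  3 12:00:01 host sshd[1234]: Failed password for root from 10.0.0.5 port 40000 ssh2
Jan  3 12:00:02 host sshd[1235]: Illegal user oracle from 10.0.0.5
Jan  3 12:00:03 host sshd[1236]: Failed password for invalid user test from 10.0.0.5 port 40001 ssh2
Jan  3 12:00:04 host sshd[1237]: Invalid user admin from 203.0.113.9 port 5555
Jan  3 12:00:05 host sshd[1238]: Accepted publickey for user1 from 192.0.2.1 port 1 ssh2
EOF
}
```

On the sample lines, failed_ips reports three failures for 10.0.0.5 and one for 203.0.113.9 (the successful publickey login is ignored), so block_plan with a limit of 3 emits a single DROP rule for 10.0.0.5 and nothing with a limit of 5.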
  • Also, if you want to know who is doing a full-range port scan against you:

     
      
        # iptables -I INPUT -p tcp --dport 79 -j ACCEPT
        # cat > /etc/xinetd.d/finger <<END
        service finger
        {
            socket_type = stream
            wait        = no
            user        = nobody
            server      = /usr/sbin/in.fingerd
            disable     = no
        }
        END
        # service xinetd restart
        # cat >> /etc/hosts.allow <<'END'
        in.fingerd: ALL : spawn ( echo -e "\nWARNING %a was trying finger.\n$(date)" | mail -s "finger from %a" root ) & : DENY
        END

Here I only have it send mail to root.

In fact, you could modify it so that the firewall is triggered to ban the address in %a.

However, if the other side only scans selected ports and never touches finger, this is useless...
