Linux Security Applications
SSH Access Control
TCP Wrappers Protection
PAM Pluggable Authentication
PAM Authentication Case Practice

What are the security risks of SSH login?
Insecure network environment
Password sniffing
Keystroke logging
Malicious guessing and attacks
Account enumeration
Brute-force password guessing

Improving SSH security
Enable SSH blacklists and whitelists
Allow-only or deny-only policies
Verify client keys
The client stores the private key, the server stores the public key
Other means of control
Firewall, TCP Wrappers, PAM authentication

yum install expect
#!/bin/bash
# Batch password change: log in to every host listed in ip.list with the old
# root password and set a new one. Requires the expect package installed above.
# Both passwords are in clear text in this file; keep it mode 600 and delete it
# after use.
pass=root
newpass=root1

for ip in $(cat /root/bin/ip.list)
do
    expect <<EOF
    spawn ssh root@${ip} "echo $newpass | passwd --stdin root"
    expect "(yes/no)?" {
        send "yes\r"
        expect "password:"
        send "${pass}\r"
    } "password:" { send "${pass}\r" }
    expect eof
EOF
done

sshd basic security configuration
Configuration file: /etc/ssh/sshd_config
Port                      Listening port; defaults to 22, change it
Protocol 2
ListenAddress 192.168.100.100
PermitRootLogin no        Whether the root user may log in
PermitEmptyPasswords no   Refuse accounts with an empty password
StrictModes yes           Check ownership and permissions of the user's home directory and key files before login; deny login if they do not match
MaxAuthTries 6            Maximum number of authentication attempts per connection
MaxSessions               Maximum number of sessions per connection
UseDNS no                 Disable reverse DNS lookups of the client address
LoginGraceTime 2m         Time allowed for entering the password; default 2 minutes

sshd blacklist / whitelist configuration
Configuration file: /etc/ssh/sshd_config
DenyUsers      user1 user2 ...
AllowUsers     user1@host user2 ...       The user@host form allows that user only from that host
DenyGroups     group1 group2 ...
AllowGroups    group1 group2 ...

# Populate /etc/hosts with names for the lab hosts 192.168.100.1 to .254
for i in {1..254}
do
    echo -e "192.168.100.$i\tser$i.test.com" >> /etc/hosts
done

How sshd verifies a login
Password verification
Checks that the password supplied matches the password of the user logging in
Key verification
Checks whether the client's private key matches a public key stored on the server
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys     Public key store: holds the public key text of every authorized client

SSH login without a password
Use the tool ssh-keygen to generate an SSH key pair
The algorithm can be chosen manually with -t rsa or -t dsa
If not specified, RSA is used by default
# ssh-keygen
id_rsa    id_rsa.pub
# ssh-copy-id -i ~/.ssh/id_rsa.pub user@host

vim authorized_keys      Delete the line you added to revoke that client's key
cat .ssh/known_hosts     Host keys of servers this client has already accepted
Improving OpenSSH service security
Basic security policy: no root login, no empty passwords
Configure an allow-only policy for SSH access
Use key authentication exclusively: passwordless (key) login with password authentication disabled
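
As an added example (not part of the original notes), a small POSIX shell audit that checks an sshd_config file against the directives from the basic security configuration and the policy above. It only reads the global section, ignoring everything after the first Match line, and the files it is run on in practice would be real configs; any sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: audit an sshd_config against
# the hardening directives listed in these notes. Prints one line per finding
# and returns the number of findings (0 = nothing to fix).
# Assumption: only the global section counts; everything after the first
# "Match" line is ignored, since sshd applies those settings conditionally.

# Effective value of one directive: sshd uses the first occurrence and matches
# names case-insensitively. Prints nothing if the directive is not set.
sshd_get() {  # sshd_get <config-file> <directive>
    awk -v k="$2" 'tolower($1) == "match" { exit }
                   tolower($1) == tolower(k) { print $2; exit }' "$1"
}

audit_sshd() {  # audit_sshd <config-file>
    cfg=$1; findings=0
    # Keyword directives with their expected values. Protocol is kept because
    # the notes list it, although current OpenSSH only speaks version 2.
    for pair in Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no \
                StrictModes=yes UseDNS=no PubkeyAuthentication=yes \
                PasswordAuthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sshd_get "$cfg" "$key" | tr 'A-Z' 'a-z')
        if [ -z "$have" ]; then
            echo "MISSING: $key not set (want $want)"; findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "WEAK: $key is '$have' (want $want)"; findings=$((findings + 1))
        fi
    done
    # MaxAuthTries is numeric: allow at most the 6 attempts per connection
    # that the notes use.
    tries=$(sshd_get "$cfg" MaxAuthTries)
    case "$tries" in
        ''|*[!0-9]*) echo "MISSING: MaxAuthTries not set (want <= 6)"
                     findings=$((findings + 1)) ;;
        *) if [ "$tries" -gt 6 ]; then
               echo "WEAK: MaxAuthTries is $tries (want <= 6)"
               findings=$((findings + 1))
           fi ;;
    esac
    return $findings
}
```

Run it as `audit_sshd /etc/ssh/sshd_config; echo "findings: $?"` on a host to list the directives still to fix.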

Using a private key protected by a passphrase
Generate the key pair with ssh-keygen, entering a passphrase when prompted
ssh-copy-id -i <IP address>
ssh-agent                 Run it once and execute the commands it prints, which point the shell at the agent
ssh-add                   Loads the private key into the agent; the passphrase is entered once
ssh <IP address>

TCP Wrappers protection
A general-purpose protection mechanism
A unified protection policy
Shared by multiple TCP services, which improves efficiency

How it is applied
Mode one: unified protection through tcpd or the xinetd super-server
Super-server: xinetd
Mode two: each service links the libwrap.so module itself
Typical services: vsftpd, sshd, xinetd
ldd $(which sshd vsftpd) | grep wrap        Shows whether a binary links libwrap

Protection rules are stored in
/etc/hosts.allow
/etc/hosts.deny
Rule application order
Check hosts.allow first; a match allows the connection
Otherwise check hosts.deny; a match rejects the connection
If neither file matches, the default is to allow

Rule format
service list: client list
ALL stands for all services or all clients
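
As an added example (not part of the original notes or of libwrap), a dry-run evaluator in POSIX shell for the lookup order just described, so a hosts.allow / hosts.deny rule set can be checked before deployment. It understands only ALL, exact names or addresses, "192.168.100." network prefixes and ".test.com" domain suffixes; EXCEPT, netmasks, LOCAL/KNOWN and option fields are not modeled, and the rule files in the usage are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes: a dry-run evaluator for the
# hosts.allow / hosts.deny lookup order described above.
# Assumption: only ALL, exact names or addresses, "192.168.100." style
# network prefixes and ".test.com" style domain suffixes are understood;
# libwrap's EXCEPT, netmasks, LOCAL/KNOWN and option fields are not modeled.

# pattern_matches <pattern> <value>: one element of a service or client list
pattern_matches() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # prefix: 192.168.100.
        .*)  case "$2" in *"$1") return 0 ;; esac ;;   # suffix: .test.com
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# list_matches "<list separated by commas or blanks>" <value>
list_matches() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        pattern_matches "$p" "$2" && return 0
    done
    return 1
}

# file_matches <rules-file> <service> <client>: does any
# "service_list : client_list [: options]" line in the file match?
file_matches() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" |
    while IFS=: read -r svcs clients _opts; do
        if list_matches "$svcs" "$2" && list_matches "$clients" "$3"; then
            echo hit; break
        fi
    done | grep -q hit
}

# tcpw_decide <hosts.allow> <hosts.deny> <service> <client>: prints allow|deny
tcpw_decide() {
    if file_matches "$1" "$3" "$4"; then echo allow     # 1. hosts.allow wins
    elif file_matches "$2" "$3" "$4"; then echo deny    # 2. then hosts.deny
    else echo allow; fi                                 # 3. no match: allowed
}
```

Example usage: `tcpw_decide /etc/hosts.allow /etc/hosts.deny sshd 10.0.0.1` prints the decision libwrap would reach for that client under the simplified matching.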

DenyHosts: blocking SSH attacks
For installation and use, see README.txt
denyhosts.cfg configuration essentials
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 2h                    Blocked entries are purged after 2 hours
BLOCK_SERVICE = sshd               Service name written to hosts.deny
DENY_THRESHOLD_INVALID = 3         Failed login attempts allowed for non-existent accounts
DENY_THRESHOLD_VALID = 5           Failed login attempts allowed for existing accounts
DENY_THRESHOLD_ROOT = 2            Failed login attempts allowed for root
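
As an added example (not DenyHosts' own code and not part of the original notes), the three DENY_THRESHOLD_* rules above applied with awk to sshd lines in the /var/log/secure format, printing the entries that would land in hosts.deny. The log lines are constructed sample data, and the classic "Failed password for [invalid user] NAME from IP" message format is assumed.

```shell
#!/bin/sh
# Added example, not DenyHosts itself and not from the original notes: apply
# the DENY_THRESHOLD_INVALID / _VALID / _ROOT rules to sshd log lines and
# print the hosts.deny entries they would produce.
# Assumption: the classic "Failed password for [invalid user] NAME from IP"
# message format. The log below is constructed sample data.
SAMPLE_LOG='Mar  1 10:00:01 srv sshd[2101]: Failed password for invalid user admin from 10.0.0.7 port 4000 ssh2
Mar  1 10:00:02 srv sshd[2102]: Failed password for invalid user test from 10.0.0.7 port 4001 ssh2
Mar  1 10:00:03 srv sshd[2103]: Failed password for invalid user oracle from 10.0.0.7 port 4002 ssh2
Mar  1 10:00:04 srv sshd[2104]: Failed password for root from 10.0.0.9 port 4003 ssh2
Mar  1 10:00:05 srv sshd[2105]: Failed password for root from 10.0.0.9 port 4004 ssh2
Mar  1 10:00:06 srv sshd[2106]: Failed password for jack from 192.168.100.5 port 4005 ssh2
Mar  1 10:00:07 srv sshd[2107]: Failed password for jack from 192.168.100.5 port 4006 ssh2
Mar  1 10:00:08 srv sshd[2108]: Accepted publickey for jack from 192.168.100.5 port 4007 ssh2'

# offending_hosts <invalid-threshold> <valid-threshold> <root-threshold>
# Reads log lines on stdin; prints "sshd: IP" (the hosts.deny form for
# BLOCK_SERVICE=sshd) for every client at or over any threshold, sorted.
offending_hosts() {
    awk -v t_inv="$1" -v t_val="$2" -v t_root="$3" '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = $0; sub(/.* from /, "", ip); sub(/ .*/, "", ip)
            if ($0 ~ /for invalid user /)   inv[ip]++   # account does not exist
            else if ($0 ~ /for root from /) rt[ip]++    # root: the tightest limit
            else                            val[ip]++   # existing non-root user
        }
        END {
            for (h in inv) if (inv[h] >= t_inv)  out[h] = 1
            for (h in val) if (val[h] >= t_val)  out[h] = 1
            for (h in rt)  if (rt[h]  >= t_root) out[h] = 1
            for (h in out) print "sshd: " h
        }' | sort
}

# The thresholds from the notes (3 / 5 / 2) over the sample log
demo() { printf '%s\n' "$SAMPLE_LOG" | offending_hosts 3 5 2; }
```

With the thresholds from the notes, 10.0.0.7 (three invalid accounts) and 10.0.0.9 (two root failures) are listed while 192.168.100.5 (two failures for an existing user, below 5) is not; `offending_hosts 3 5 2 < /var/log/secure` runs the same logic on a real log.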

PAM: Pluggable Authentication Modules
About user authentication
How to identify a genuine user
How to control access to resources by legitimate users
How applications reduce the cost of developing authentication
Pluggable Authentication Modules
First proposed by Sun in 1995
Modules behind a common "interface" that applications call

Three-A authentication
Authentication: identity verification     Who are you?
Authorization: granting rights            What may you do?
Audit: auditing                           What have you done?
Configuration files: /etc/pam.d/
View /etc/pam.d/su
account    required    pam_nologin.so
The first column is the module type; available options are:
account: performs non-authentication account management, for example restricting the user's login times or available system resources
auth: validates the user in two ways: first it authenticates the user as the person they claim to be (for example by password), and second it grants group membership or other credentials
password: required when the user changes a password
session: actions performed before or after a service is given to the user, for example recording the user's access in a log

The second column is the control flag; available options are:
required: if the check fails the stack ultimately fails, but the remaining entries are still checked
requisite: like required, except that a failed check stops further checking immediately
sufficient: a successful check passes immediately and later entries are not checked; a failed check does not by itself make the stack fail
optional: success or failure of this module does not affect the overall result
include: includes the contents of another file

The third column is the module that is called, located in the /lib64/security/ directory

vim /etc/pam.d/su
auth       sufficient   pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth      sufficient   pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth      required     pam_wheel.so use_uid
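
As an added example (not part of the original notes or of Linux-PAM), a POSIX shell simulation of how a stack combines module results under the control flags explained above, applied to the su auth stack with the "required pam_wheel.so use_uid" line uncommented. Only the four classic flags are modeled, optional is treated as having no effect, and Linux-PAM's [value=action] syntax is not covered.

```shell
#!/bin/sh
# Added example, not from the original notes or Linux-PAM: simulates how a
# PAM stack combines module results under the required / requisite /
# sufficient / optional control flags. Each argument is "<flag>:<result>"
# with result ok or fail; prints PASS or FAIL and returns 0 or 1.
# Assumption: the four classic flags only, optional has no effect, and the
# [value=action] syntax is not modeled.
pam_stack() {
    failed=0                          # set once a required/requisite module fails
    for entry in "$@"; do
        flag=${entry%%:*}; res=${entry#*:}
        case "$flag:$res" in
            required:fail)  failed=1 ;;             # final answer is FAIL, keep checking
            requisite:fail) echo FAIL; return 1 ;;  # stop immediately
            sufficient:ok)  if [ "$failed" -eq 0 ]; then echo PASS; return 0; fi ;;
            *) ;;   # required/requisite ok, sufficient fail, optional: continue
        esac
    done
    if [ "$failed" -eq 0 ]; then echo PASS; return 0; fi
    echo FAIL; return 1
}

# The su auth stack from /etc/pam.d/su above with pam_wheel required:
#   auth sufficient pam_rootok.so   -> ok only for uid 0
#   auth required   pam_wheel.so    -> ok only for members of wheel
su_auth() {  # su_auth <uid> <in-wheel: yes|no>
    rootok=fail; if [ "$1" -eq 0 ]; then rootok=ok; fi
    wheel=fail;  if [ "$2" = yes ]; then wheel=ok; fi
    pam_stack "sufficient:$rootok" "required:$wheel"
}
```

With that stack, root passes at pam_rootok without reaching pam_wheel, a wheel member passes at pam_wheel, and anyone else fails; swapping the order to put the required module first shows why a later sufficient success cannot rescue an earlier required failure.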

Restricting the terminals a user may log in from
/etc/security/access.conf
- : jack : tty2                  Deny user jack on tty2
/etc/pam.d/login
account    required    pam_access.so      Note the position of this line in the stack
Restricting access to system resources
Configure login to enable the pam_limits.so module
Configure access policies in limits.conf
Day2 - SSH + TCP Wrappers + PAM