Ensure SSH security on Amazon EC2 Linux host, ec2ssh

Ensure SSH security on Amazon EC2 Linux host, ec2ssh

Friends who once worked in startups must be clear that building customer trust is a key step in business development. Today, users are increasingly familiar with technology and security, and they want suppliers to provide strict data protection while ensuring solid and reliable services. In addition, the customer's mentality is often volatile, and usually will not hesitate to embrace competitors when discovering the security risks of existing solutions. To avoid this situation, we should take the first initiative to start with the AWS-based business process, lock access to Amazon EC2, the AWS service responsible for running business applications.

AWS shared security mode and Amazon EC2

A key component of AWS's shared security model is its ability to securely access Amazon EC2 instances. On a Linux server, remote access usually means creating a connection to the target server through the SSH protocol. The authentication mechanism is mainly divided into two types: either requiring users to provide a combination of user names and passwords, or providing a set of private keys pointing to the public keys on the server for authentication. By default, most Amazon EC2 instances use the following method for user authentication: when you start your EC2 instance for the first time, the system will require you to assign a key pair to it as an optional project. In addition to the user name, AWS also assigns a PEM file to the key pair to verify with the server and enable an SSH session.

In today's article, we will discuss security issues related to accessing Linux servers running on AmazonEC2 through SSH. In addition, we will go into several examples to see how to use the following two solutions to introduce two-factor authentication into an SSH session: TOTP works with Google Authenticator and AWS Virtual MFA, and Duo UNIX from Duo Security.

Using a two-factor verification mechanism to reduce security risks

When the interactive login mechanism is enabled, the servers we operate on always face a certain degree of risks-of course, there are high and low levels of specifics. As long as we can fully protect our PEM files, and the SSH in the EC2 instance is correctly set, the key-based authentication mechanism is often better than the simple user name/password mechanism in terms of security-this is mainly because the former is more vulnerable to brute-force cracking attacks. Unfortunately, PEM files, such as passwords, can be shared and are sometimes accidentally leaked. With this in mind, it is particularly important to add an additional security layer, which is typically represented by two-factor verification. Whether using a user name/key combination or a public key as the preferred verification factor, the existence of an additional security layer can bring the protection level of the business system to another level.

Two-factor authentication, or multi-factor authentication (MFA), requires users to provide multiple identity certificates to access resources. For example, you can configure access to the AWS Management Console and require users to provide the correct verification code from hardware or software MFA devices in addition to the user name and password. These solutions are increasingly used to add additional security layers to servers and workstations. In this solution, in addition to providing a private key or user name/password, the user must enter a verification code from the MFA device before the session is enabled on the operating system.

One of the examples we witnessed at the site is to introduce two-factor verification to the "jump" or "bastion" host to improve the security level of EC2 instances, this ensures that SSH ports that direct to or are relocated to internal services are ideally protected. Another common use case is to use two-factor authentication to configure EC2 instances and assign them to AWS identity and Access Management (aws iam) roles through locking policies. On this basis, the technical support and O & M teams can securely access these EC2 instances and use the aws cli and SDK without having to provide other authentication creden.

Time-based one-time password (TOTP)

Google Authenticator can use RFC 6238 to implement the TOTP algorithm. When you install the Google Authenticator application on your Amazon EC2 instance, AWS automatically generates a key. This key will then be shared to the second device based on your specific selection, for example, through an application running on a smartphone. When we use this mobile app to scan the QR code generated by Google Authenticator, the key exchange process is complete.

Once the key is stored in a mobile app, it uses the encryption hashes function to combine itself with the current timestamp to generate a one-time password (OTP ). This OTP is the second verification factor. You will be asked to enter the user name/password or the PEM file. OTP content is hard to crack, this is because it will automatically change over time-this time period is usually 30 seconds-and is generated by mobile devices (such as smartphones) that are carried with you in most cases.

You can make your own choice from a series of TOTP-compatible mobile apps and use it to save the TOTP key and generate OTP. In today's article, we will show how to use Google Authenticator and AWS Virtual MFA to achieve this goal: the former runs on the server, the latter is used as the mobile app for TOTP compatibility to generate the OTP required for verification. Of course, other popular Mobile apps with TOTP compatibility include Google Authenticator's official Mobile app, Duo Security's Mobile app Duo Mobile and Authy.

How to use Google Authenticator and AWS VirtualMFA to implement two-factor verification for Amazon Linux Environments

1. Install AWS Virtual MFA or any other TOTP compatibility mobile app on our mobile phone

2. Enable an Amazon Linux EC2 instance

3. Install Google Authenticator:

Sudo yuminstall google-authenticator-y

4. enable Google Authenticator

Ec2-user @ ip-10-0-1-205 ~] $ Google-authenticator
Do you want authentication tokens to be time-based (y/n) y

5. When the message "Do you want authentication tokens tobe time-based (y/n)" is displayed, Press y to configure the system to use time-based verification tags.

6. Open the URL generated by Google Authenticator to display the QR code that we can use the mobile app to scan and download the corresponding key content. For example:

Https://www.google.com/chart? Chs = 200x200 & chld = M | 0 & cht = qr & chlorophyll = otpauth: // totp/ec2-user @ ip-10-0-1-205 % 3 Fsecret % 12345 ABCDE

Our new key is 12345 ABCDE.

7. The following describes other options. Because Amazon EC2 instances use reliable NTP servers by default for time synchronization, we do not need to adjust the time difference. Multiple times of use and frequency limit are optional. Of course, we recommend that you enable it because it can further improve the security effect.

8. By default, SSH on an Amazon Linux instance uses the pluggable authentication module (PAM) for verification. Therefore, we need to configure the sshd PAM module to use Google Authenticator normally. You must edit/etc/pam in the Google Authenticator instance. d/sshd, find the "auth substack password-auth" line and add the following command to specify the Google Authenticator PAM module to be used:

Auth required pam_sepermit.so
Auth required pam_google_authenticator.so
# Auth substack password-auth

9. We also need to ensure that Google Authenticator is also called for other verification types, such as "su" and "login ". Run the following command to edit/etc/pam. d/system-auth:

Authrequired pam_env.so
# Auth sufficient pam_unix.so nullok try_first_pass
Auth requisite pam_unix.so nullok try_first_pass
Auth sufficient pam_google_authenticator.so
Auth requisite pam_succeed_if.so uid >=500 quiet
Auth required pam_deny.so

10. Now you need to edit the SSH configuration file so that Google Authenticator will be called correctly as the second verification factor. First, change the following options to "yes ":

ChallengeResponseAuthenticationyes

11. Next, add the following content as a new line at the end of the file:

AuthenticationMethodspublickey, keyboard-interactive

12. Finally, restart the SSH process on the server. To ensure security, we can start a new terminal window to ensure that the current connection is not closed and test whether everything is performed as expected:

Sudo/etc/init. d/sshd restart

Now, Amazon Linux EC2 instances have been strictly protected. Google Authenticator began to become a two-factor authentication solution in the SSH Login Mechanism.

Duo Security

With the continuous development of start-ups, configuring TOTP one by one on numerous Amazon EC2 instances will gradually become a burden. Microsoft Active Directory and Windows Server users may already be familiar with RADIUS servers and learn how to use them to implement and manage the two-factor authentication mechanism. Although this method can also be extended to Linux servers, it is extremely difficult to implement and is difficult to be widely applied to other systems that require a two-factor verification solution.

In view of this, the Duo Mobile solution naturally emerged. DuoMobile is a mobile verification application developed by Duo Security. By the way, Duo Security is also a startup under the support of AWS services. It is mainly responsible for providing two-factor verification solutions for a variety of system platforms, including VPN, UNIX devices, and customized software applications. This product allows enterprise users to unify their MFA management systems and provide reports for various systems, including VPN, OWA, SSH, RDP, SSO, aws api, and AWS Management Console. Duo Mobile also supports different verification methods, such as text message verification, notification push through Duo Mobile app, telephone call or token information. It is worth mentioning that the token information is applicable to a remote environment that does not meet the cellular network or Internet connection conditions.

As a two-factor verification application for Linux instances, Duo UNIX has two deployment options: "login_duo" and "pam_duo ". Although login_duo is easier to set up, it cannot provide you with excellent flexibility comparable to the PAM-based deployment method. For example:

· If you want to use SSH for port tunneling or forwarding, you will not be able to use "login_duo" because OpenSSH will complete the configuration before Duo's two-factor mechanism gets involved. In other words, if "login_duo" is used and the tunnel and port forwarding functions are not disabled in your SSH configuration, attackers can bypass the two-factor authentication mechanism.

· In addition to initial logon, PAM also allows you to apply two-factor verification to other processes, especially "sudo" and "su ".

· The above capabilities are extremely useful in certain situations. For example, MFA is expected to allow unauthorized access to internal hosts, but it does not want to use any permission to escalate commands for forcible execution.

· Similarly, you can use Duo's Integrated PAM to provide servers for MFA and use other common protocols such as FTP.

Two-factor verification in combination with Amazon Linux and Duo UNIX

1. log on to the Duo account at the https://signup.duosecurity.com web site.

2. Create a new UNIX integration to obtain the Integration Key, secret key, and API host name.

3. download the latest duo to an Amazon EC2 instance at https://dl.duosecurity.com/duo_unix-latest.tar.gz.

4. Use the "-starts with-pam" option to configure and install the latest Duo version:

./Configure -- with-pam -- prefix =/usr & make & sudo make install

5. If your EC2 instance uses a key-based authentication mechanism, modify the/etc/ssh/sshd_config file as follows:

PubkeyAuthenticationyes
PasswordAuthentication no
AuthenticationMethods publickey, keyboard-interactive

6. edit/etc/duo/pam_duo.conf and add our ikey (integrated key), skey (Secret Key), and host (API host name. In addition, you may want to add the "autopush = yes" option to ensure that two-factor authentication requests are automatically sent to the login session, at the same time, "prompts = 1" is used to give a prompt after the verification is successful. The specific content is as follows:

[Duo]
Ikey = ABCDEFGHIJKLMNO1P234
Skey = mYSeCreTkEy
Host = api-ab12c3d4.duosecurity.com
Autopush = yes
Prompts = 1

7. Use the following content to replace the parts starting with "auth" in the/etc/pam. d/system-auth PAM system configuration file:

Auth required pam_env.so
Auth requisite pam_unix.so nullok try_first_pass
Auth sufficient pam_duo.so
Auth requisite pam_succeed_if.so uid >=500 quiet
Auth required pam_deny.so

8. if your EC2 instance uses a key-based authentication mechanism for SSH access, replace/etc/pam with the following content. the parts starting with "auth" in the d/sshd PAM sshd configuration file:

Auth required pam_sepermit.so
Auth required pam_duo.so

9. You can use other commands to adjust the pam Configuration File under/etc/PAM. d/in the same way as needed, such as "su" or "sudo ".

Now, with the help of Duo, the SSH Login Mechanism in your Amazon Linux EC2 instance has the two-factor authentication capability. If you need more detailed details and the latest updates, click here to view Duo UNIX instructions.

Summary

By deploying a correct two-factor authentication mechanism for your Amazon EC2 Linux host, you can reduce risks and improve security. There are many ways to implement two-factor verification. However, Google Authenticator and Duo UNIX and PAM have the advantages of easy deployment and high security, therefore, it is very suitable for startups who want to control access requests directed to their own AmazonEC2 instances.

Original article:

Https://medium.com/aws-activate-startup-blog/securing-ssh-to-amazon-ec2-linux-hosts-18e9b72319d4

Nuclear cola Translation