[Reprinted] SSH security tips

SSH security tips

----------------------------------------------------

I. Preface

I don't need to talk about the advantages of SSH?
For example, the previous RPC command and Telnet can all be replaced by SSH.
For example, the following common functions:
-Login on the terminal
SSH user@remote.machine
-Producer-side upload row
SSH user@remote.machine 'COMMAND ...'
-Producer terminal Licensing
SCP user@remote.machine:/remote/path/local/path
SCP/local/path user@remote.machine:/remote/path
-X forward
Ssh-x user@remote.machine
Xcommand...
-Tunnel/portforward
Ssh-l 1234: Remote. Machine: 4321 user@remote.machine
Ssh-r 1234: Local. Machine: 4321 user@remote.machine
Ssh-l 1234: Other. Machine: 4321 user@remote.machine

As for the usage of linear regression, I will not talk about it. Please study it on your own.
What I want to talk about here is to introduce some security skills to the SSH server and hope you can feel at ease.

II. Implementation

(RedHat 9 is used as an example)

1) prohibit Root Login
# Vi/etc/ssh/sshd_config
Permitrootlogin No

2) In addition to password authentication, the token forces the use of the RSA certificate (false SSH authentication as user1)
# Vi/etc/ssh/sshd_config
Rsaauthentication Yes
Pubkeyauthentication Yes
Authorizedkeysfile. Ssh/authorized_keys
Passwordauthentication No
# Service sshd restart
# Su-user1
$ Mkdir ~ /. Ssh 2>/dev/null
$ Chmod 700 ~ /. SSH
$ Touch ~ /. Ssh/authorized_keys
$ Chmod 644 ~ /. Ssh/authorized_keys

--------------------------------------------------
Publish to client:
$ Ssh-keygen-T RSA
(Password authentication is not required when you press enter three times, unless you use SSH-agent .)
$ SCP ~ /. Ssh/id_rsa.pub user1@server.machine: id_rsa.pub
(For Windows client, puttygen.exe can generate public key,
Then modify it after writing the code to the server to make the content a single line .)
---------------------------------------------------

Return to the server:
$ Cat ~ /Id_rsa.pub> ~ /. Ssh/authorized_keys
$ RM ~ /Id_rsa.pub
$ Exit

3) restrict SU/sudo names:
# Vi/etc/PAM. d/su
Auth required/lib/security/$ ISA/pam_wheel.so use_uid
# Mongodo
% Wheel all = (all) All
# Gpasswd-A user1 Wheel

4) restrict SSH user names
# Vi/etc/PAM. d/sshd
Auth required pam_listfile.so item = user sense = allow file =/etc/ssh_users onerr = fail
# Echo user1>/etc/ssh_users

5) use the Web Console to clear the login SSH token.
# Iptables-I input-p -- dport 22-J Drop
# Mkdir/var/www/html/ssh_open
# Cat>/var/www/html/ssh_open/. htaccess <End
Authname "ssh_open"
Authuserfile/var/www/html/ssh_open/. htpasswd
Authtype basic
Require valid-user
End
# Htpasswd-C/var/www/html/ssh_open/. htpasswd user1
(It is better to set up SSL, or set it only for HTTPS protocol. I have set it for SSL. Please refer to the setting here .)
(If you need to control the source region, please refer to the allow/deny category, or the author's self-contained .)
# Cat>/var/www/html/ssh_open/ssh_open.php <End
<?
// Set dir path for IP list
$ Dir_path = ".";

// Set filename for IP list
$ Ip_list = "ssh_open.txt ";

// Get Client IP
$ User_ip = $ _ server ['remote _ ADDR '];

// Allow specifying IP if needed
If (@ $ _ Get ['myip']) {
$ User_ip = $ _ Get ['myip'];
}

// Checking IP Format
If ($ user_ip = long2ip (ip2long ($ user_ip ))){

// Put Client IP to a file
If (@! ($ File = fopen ("$ dir_path/$ ip_list", "W + ")))
{
Echo "Permission denied !! <Br> ";
Echo "PLS check your rights to Dir $ dir_path or file $ ip_list ";
}
Else
{
Fputs ($ file, "$ user_ip ");
Fclose ($ file );
Echo "Client IP ($ user_ip) has put into $ dir_path/$ ip_list ";
}
} Else {
Echo "invalid IP Format !! <Br> ssh_open.txt was not changed .";
}
?>
End
# Touch/var/www/html/ssh_open/ssh_open.txt
# Chmod 640/var/www/html/ssh_open /*
# Chgrp Apache/var/www/html/ssh_open /*
# Chmod g + w/var/www/html/ssh_open/ssh_open.txt
# Chmod o + T/var/www/html/ssh_open
# Service httpd restart
# Mkdir/etc/iptables
# Cat>/etc/iptables/sshopen. Sh <End
#! /Bin/bash

Path =/sbin:/bin:/usr/sbin:/usr/bin

List_dir =/var/www/html/ssh_open
List_file = $ list_dir/ssh_open.txt
Chain_name = ssh_rules
Mail_to = root

# Clear chain if exits, or create chain.
Iptables-l-N |/bin/grep-Q "^ chain $ chain_name "&&{
Iptables-F $ chain_name
True
} | {
Iptables-N $ chain_name
Iptables-I input-P TCP -- dport 22-J $ chain_name
}

# Clear chain when needed
["$1" = clear] & {
Iptables-F $ chain_name
Exit 0
}

# Do nothing while list is empty
[-S $ list_file] | Exit 1

# Add rule
Iptables-A $ chain_name-p tcp -- dport 22-S $ (<$ list_file)-J accept &&\
Echo "ssh opened to $ (<$ list_file) on $ (date)" | mail-s "sshopen" $ mail_to
End
# Chmod + x/etc/iptables/sshopen. Sh
# Echo-e 'sshopen \ t \ t1234/tcp '>/etc/services
# Cat>/etc/xinetd. d/sshopen <End
Service sshopen
{
Disable = No
Socket_type = stream
Protocol = TCP
Wait = No
User = root
Server =/etc/iptables/sshopen. Sh
}
# Iptables-I input-P TCP -- dport 1234-J accept
# Cat>/etc/cron. d/sshopen <End
*/5 * root/etc/iptables/sshopen. Sh clear
End

---------------------------
Publish to client
In browser URL merge:
Http://server.machine/ssh_open/ssh_open.php? Myip = 1.2.3.4
(If not specified? Myip = 1.2.3.4 is based on the client's IP address at that time. If no proxy is available .)
In this case, the ssh_open.txt file on the server only has a single record.
Then you will have a maximum of five minutes using SSH to connect to the server!
---------------------------

The basic structure of this step is as follows:
1) block all firewall blocks of sshd.
2) then, set a directory in httpd, and set SSL + htpasswd + allow/deny control,
Then, a PHP file in the target file records the browser IP address in A. TXT text file.
Depending on your browser capabilities, you can manually capture the IP address of the browser, or allow the browser terminal to import data to specify.
Only one record of text is displayed.
3) Modify/etc/services, add a new category (such as XXX), and specify a new port (such as 1234)
4) use the xinetd tool to listen to the port, trigger a script, set iptables, get the IP address from the checklist in step 2, and open SSH authentication.
5) set the crontab to clear iptables rules related to SSH route entries in each score. This does not affect the existing route entries. If the limit is reached, repeat the preceding steps.

6) if the previous step is not set, you may be tempted to try the SSH server by many people:
# Cat>/etc/iptables/sshblock. Sh <End
#! /Bin/bash

Path =/sbin:/bin:/usr/sbin:/usr/bin

LOG_FILE =/var/log/secure
Key_word = "illegal user"
Key_word1 = "Failed password for root"
Perm_list =/etc/Firewall/bad. List. perm
Limit = 5
Mail_to = root
Ipt_sav = "$ (iptables-save )"
Bad_list = $ (egrep "$ key_word" $ LOG_FILE | awk '{print $ NF}' | xargs)
Bad_list1 = $ (egrep "$ key_word1" $ LOG_FILE | awk '{print $11}' | xargs)
Bad_list = "$ bad_list $ bad_list1"

For I in $ (echo-e "$ {bad_list // \ n}" | sort-U)
Do
Hit = $ (echo $ bad_list | egrep-o "$ I" | WC-l)
["$ Hit"-ge "$ limit"] & {
Echo "$ ipt_sav" | grep-Q "$ I. *-J Drop" | {
Echo-e "\ N $ I was dropped on $ (date) \ n" | mail-s "drop by ${0 # */}: $ I" $ mail_to
Iptables-I input-S $ I-j drop
}
Egrep-Q "^ $ I $" $ perm_list | echo $ I >>$ perm_list
}
Done
End
# Chmod + x/etc/Firewall/sshblock. Sh
# Cat>/etc/hosts. Allow <End
Sshd: All: spawn (/etc/Firewall/sshblock. Sh) &: Allow
End

In this way, the guys who try SSH can initiate a maximum of five limit requests, and then block the requests.
In addition, the IP address in perm_list can also be provided to the initial script of iptables to generate a permanent token:
For I in $ (<$ perm_list)
Do
/Sbin/iptables-I input-S $ I-j drop
Done

7) also, if you want to know who is doing full range Port Scan for you:

# Iptables-I input-P TCP -- dport 79-J accept
Cat>/etc/xinetd. d/finger <End
Service finger
{
Socket_type = stream
Wait = No
User = nobody
Server =/usr/sbin/in. fingerd
Disable = No
}
End
# Cat>/etc/hosts. Allow <End
In. fingerD: All: spawn (echo-e "\ nwarning % A was trying finger. \ N $ (date) "| mail-s" finger from % A "root) &: deny
End

Here, I just set it to send to root.
In fact, you can modify it to trigger firewall to return the value of % A to ban.
However, if the peer has a selective port scan and does not reach finger, then it is useless...

3. Conclusion

Security has a lot of fun tips. I will share it with you later... ^_^

I wish you all the following:
Mid-Autumn Festival!

Netman
2005/09/16 in Tainan