Three locks for protecting SSH (increasing the difficulty of hacker intrusion)

Source: Internet
Author: User
Tags: root access, ssh access

Introduction

If you need to access your computer remotely and enable Secure Shell (SSH) connections, hackers will try to break through your defenses and take control of it. You must accept this fact. Although no one can guarantee that the computer will never be compromised, some simple measures help to protect SSH and make attacks harder. This article discusses three techniques:

Change the standard SSH port to an uncommon value and harden the SSH configuration to block the simplest attacks.
Define a limited list of users and allow only those users to log on.
Hide entirely the fact that SSH access is available, and require valid users to identify themselves with a special port "knocking" sequence.
To apply these techniques you must have access to the root account, and you may have to install some packages. You also need to configure your firewall and router (if you have one) so that specific ports are opened and closed and packets are forwarded to your computer.

Enhanced Protection

The idea of "security through obscurity" is well known and widely ridiculed: it is wishful thinking to assume that nobody will discover your method just because you hide it. In some situations, however, obscurity can help. Simple measures will not stop a determined hacker, but they will at least block the "script kiddies", whose skills are usually limited to running someone else's scripts.

Everyone knows that the standard port for SSH is 22, so the first measure to make the computer more secure is to change it to an uncommon, non-standard port number, such as 22960. In general any number above 1024 can be used, but check the references to avoid clashing with a port that is already in use. The only effect on you is that you now connect to the computer with the following command:

ssh -p 22960 your.machine.url

To achieve this, you need only a simple modification to the /etc/ssh/sshd_config file. Edit the file (as root), search for Port 22, and change the port number to the one you selected (if the line starts with a pound sign, it is commented out, so remove the comment mark). Save the file and restart SSH with /etc/init.d/sshd restart. Open the chosen port on your firewall and close port 22.

You can go further, however. Edit the configuration file so that it contains the lines shown in Listing 1. Note that some of these lines may already exist, but commented out.

Listing 1. Easily enhancing security by modifying the SSH configuration file

Port 22960
LoginGraceTime 30
MaxAuthTries 3
Protocol 2
PermitRootLogin no

LoginGraceTime gives a user 30 seconds to complete the logon; if it takes longer, the connection is dropped and the user must start again. MaxAuthTries limits the number of failed attempts to 3; further attempts are rejected. Protocol 2 refuses the weaker protocol version 1. The last line forbids anyone from logging on directly as root, which makes a hacker's work harder. You can also use the DenyUsers, AllowUsers, DenyGroups and AllowGroups options to impose further restrictions. These changes do not greatly strengthen the computer's security; they only ensure that brute-force attempts against the standard port 22 fail and do no damage. Still, they are a first step in the right direction. Later in this article we will use a safer method that not only changes the port number but hides it completely.
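The following script is an added example, not part of the original article: it applies the Listing 1 directives to a copy of sshd_config and audits the result. It handles the case the article warns about, a directive that is present but commented out (such as "#Port 22"), by rewriting that line rather than appending a duplicate. The file path is an argument you supply; the port 22960 is the article's example value. On current OpenSSH releases protocol 1 support has been removed, so the Protocol line is redundant there, but it is kept to match the listing.

```shell
#!/bin/sh
# Added example (not from the article): apply the Listing 1 settings to a
# sshd_config file and audit the result. Work on a copy first; check the edited
# file with "sshd -t -f <file>" before installing it and restarting sshd.

# The directives from Listing 1. Port 22960 is the article's example value.
REQUIRED='Port 22960
LoginGraceTime 30
MaxAuthTries 3
Protocol 2
PermitRootLogin no'

# Print the effective value of a directive: sshd uses the first uncommented
# occurrence, and keywords are case-insensitive.
get_directive() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Set one directive. A commented-out line such as "#Port 22" is rewritten in
# place; if no line for the keyword exists at all, one is appended.
set_directive() {
    file=$1 key=$2 value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$file"; then
        tmp=$(mktemp)
        sed -E "s|^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$|$key $value|" "$file" > "$tmp" \
            && mv "$tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Apply every Listing 1 directive to the file given as $1.
harden_sshd_config() {
    printf '%s\n' "$REQUIRED" | while read -r key value; do
        set_directive "$1" "$key" "$value"
    done
}

# Report every directive whose effective value differs from Listing 1;
# return 1 if anything is non-compliant, 0 otherwise.
audit_sshd_config() {
    rc=0
    while read -r key value; do
        actual=$(get_directive "$1" "$key")
        if [ "$actual" != "$value" ]; then
            printf 'NONCOMPLIANT %-16s want %-6s have %s\n' \
                "$key" "$value" "${actual:-<unset>}"
            rc=1
        fi
    done <<EOF
$REQUIRED
EOF
    return $rc
}

# Usage: sh harden_sshd.sh /path/to/sshd_config.copy
if [ -n "${1:-}" ]; then
    harden_sshd_config "$1"
    audit_sshd_config "$1" && echo "$1 matches Listing 1"
fi
```

The audit function is useful on its own: run it against the live file periodically to detect a package upgrade or a hand edit that has silently re-enabled root logins or moved the port back to 22.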

Who can access?

For most people, PAM is a brand of cooking spray. It is also, however, a UNIX® security term: PAM stands for Pluggable Authentication Modules. These modules provide additional authentication rules that protect access to the computer.

First, a basic question: why use PAM at all? If every program had to define its own authentication logic, the result would be chaos. How would you make sure that all applications perform the same tests and checks? What if additional controls were needed; would you rewrite every program? In computer science an extra layer of indirection solves almost every problem, and that is certainly true for security. A program that needs to verify a user's identity simply calls the PAM API, which performs every check specified in the PAM configuration file. This also makes authentication rules easy to change: every PAM-aware program picks up the new rules automatically, with no change to its code. If you want to use a biometric check (an iris scanner or fingerprint reader, say) and the manufacturer provides a PAM module, setting it up is easy: once the configuration file calls the module, every application can use the device.

Configure PAM

PAM provides functionality in four security domains, although an application is unlikely to need all of them at once. For example, the passwd command needs only the third of the following:

account handles account restrictions: what may a valid user do?
auth handles user identification, for example by entering a user name and password.
password handles only password-related matters, such as setting a new password.
session handles connection management, including logging.
In the /etc/pam.d directory, create a configuration file for each application that uses PAM, with the same name as the application. For example, the configuration file for the login command is /etc/pam.d/login.

You must define which modules are applied, building a "stack" of actions. PAM runs the modules in the stack and allows or denies the user's request according to their results. You must also define how much weight each check carries. Finally, the file named other provides default rules for every application that has no rules of its own.

An optional module may succeed or fail; PAM returns success or failure according to whether the module succeeded.
A required module must succeed. If it fails, PAM returns failure, but only after running the other modules in the stack.
A requisite module must also succeed, but if it fails PAM returns failure immediately and runs no further modules.
When a sufficient module succeeds, PAM returns success immediately and runs no further modules.
The structure of the configuration file is very simple. Comments start with a hash character (#). A long line can be split across several lines by putting a backslash (\) before the line break. Each line has three fields: the domain (account, auth, password or session), the control flag (optional, required, requisite or sufficient), and the path and parameters of the module to run. Note that the second field can take a more complex form; see the references for details. You can also use the include rule to pull in rules from another file, as in auth include common-account.
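To make the four control flags concrete, here is an added example (not from the article) that models how PAM walks a stack. The stack is a constructed input, one rule per line in the form "control module outcome", where outcome is the result the module would return (ok or fail). The function prints the overall verdict and how many modules actually ran, which is what distinguishes required (keeps going) from requisite (stops at once). The model goes one step beyond the article's summary in one place: a sufficient module's success does not rescue a stack in which an earlier required module already failed, which is how Linux-PAM actually behaves.

```shell
#!/bin/sh
# Added example (not from the article): a simplified model of PAM's stack walk
# under the optional/required/requisite/sufficient control flags.
# pam_eval STACK -> prints "<ok|fail> <number-of-modules-run>"

pam_eval() {
    required_failed=0   # a failed required module poisons the final result
    decisive=0          # did a required or requisite module take part?
    optional_result=fail
    ran=0
    while read -r ctl mod outcome; do
        [ -z "$ctl" ] && continue           # skip blank lines
        ran=$((ran + 1))
        case "$ctl" in
            required)
                decisive=1
                # Failure is remembered, but the rest of the stack still runs,
                # so the user cannot tell which module rejected them.
                [ "$outcome" = fail ] && required_failed=1
                ;;
            requisite)
                decisive=1
                # Failure ends the walk immediately.
                if [ "$outcome" = fail ]; then echo "fail $ran"; return 0; fi
                ;;
            sufficient)
                # Success ends the walk with success, unless an earlier
                # required module has already failed (Linux-PAM behaviour;
                # the article's summary omits this caveat).
                if [ "$outcome" = ok ] && [ "$required_failed" -eq 0 ]; then
                    echo "ok $ran"; return 0
                fi
                ;;
            optional)
                # Only matters when no required/requisite rule decides.
                optional_result=$outcome
                ;;
            *)
                echo "bad control flag: $ctl" >&2; return 0
                ;;
        esac
    done <<EOF
$1
EOF
    if [ "$required_failed" -eq 1 ]; then echo "fail $ran"; return 0; fi
    if [ "$decisive" -eq 1 ]; then echo "ok $ran"; return 0; fi
    # Nothing decisive ran: a lone sufficient module that failed, or only
    # optional modules. PAM denies unless an optional module succeeded.
    echo "$optional_result $ran"
}

# Listing 2's auth stack: pam_deny fails, yet pam_warn still runs afterwards.
demo_listing2() {
    pam_eval "$(printf 'required pam_deny.so fail\nrequired pam_warn.so ok')"
}
```

Run demo_listing2 and you get "fail 2": both modules ran, which is exactly why the default other file can deny the request and still log a warning for the administrator.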

The special file /etc/pam.d/other is the "default" configuration (see Listing 2): its rules apply automatically to every application that has no configuration file of its own. For safety, quickly check the /etc/pam.d directory and rename the configuration files of any applications you do not use (so that the other configuration applies to them). If it turns out that you really need one of those applications, just rename its configuration file back. The default configuration usually rejects all requests (with the pam_deny.so module) and warns the administrator (with the pam_warn.so module) that something needs attention.

The standard other file provides secure default rules (deny all requests) for all applications that have no configuration file of their own.

Listing 2. Standard "other" configuration file

account  required pam_deny.so
auth     required pam_deny.so
auth     required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session  required pam_deny.so

If you replace pam_deny.so with pam_unix.so, the standard authentication method (enter a user name and password) is applied. If you do not care about security at all, use pam_permit.so, which allows every request!

Some available methods

Although there is no standard list of modules, all distributions include most of the following. Look in the /lib/security or /usr/lib/security directory for the modules installed on your system (on 64-bit systems, replace lib with lib64). For more information, run man the.name.of.the.module; do not try to execute the module directly, because PAM modules are not executable binaries.

pam_access allows or denies access according to the /etc/security/access.conf file. We will use this module later to decide which users may log on.
pam_cracklib and pam_pwcheck check the strength of a new password.
pam_deny and pam_permit are basic modules that deny or allow access, respectively.
pam_echo shows the contents of a specified file to the user.
pam_lastlog shows the user the date and time of their last logon.
pam_ldap allows authentication against an LDAP server, providing centralized authentication across a network.
pam_limits lets you impose system resource limits, defined in the /etc/security/limits.conf file.
pam_listfile provides another way to allow or deny a service based on the contents of a file.
pam_mail checks whether the user has unread mail.
pam_motd displays the "message of the day" file to the user.
pam_nologin stops all logins if the /etc/nologin file exists.
pam_rootok allows the root user access without further checks. /etc/pam.d/su usually contains this module; the required line is auth sufficient pam_rootok.so, so that root can become any user without a password.
pam_succeed_if checks specific attributes of an account, such as membership of a group.
pam_time can restrict access to a service according to the rules in /etc/security/time.conf.
pam_unix (or pam_unix2) provides traditional UNIX® authentication based on the /etc/passwd and /etc/shadow files.
pam_userdb performs authentication against a Berkeley DB database.
pam_warn records information in the system log.
pam_wheel grants root access only to members of the wheel group. The required line is auth required pam_wheel.so.
For more information about other modules, and about writing your own, see the references. Now let us use PAM to decide who may log on to your computer.

Restrict access with PAM

Now we will use PAM to limit who can connect to your server. Edit the /etc/pam.d/sshd file so that it looks like Listing 3.

Listing 3. Add pam_access.so to the sshd PAM File

#%PAM-1.0
account  include  common-account
account  required pam_access.so
auth     include  common-auth
auth     required pam_nologin.so
password include  common-password
session  include  common-session

Adding pam_access.so to the sshd PAM file makes it easy to define who may connect to your computer over SSH. The pam_access.so module applies the access control rules in the /etc/security/access.conf file, as shown in Listing 4.

Listing 4. Using pam_access.so to define who can or cannot use SSH

+ : ALL : 192.168.1.
+ : jack : ALL
+ : jill : ALL
- : ALL : ALL

The first line allows any user (ALL) to log on from the internal network. The next two lines allow jack and jill to log on from anywhere, and the final line denies everyone else.
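Because pam_access applies the first rule that matches, the order of the lines in Listing 4 matters: a deny-all line placed first would lock everyone out. The following added example (not from the article, and not pam_access's own code) models enough of access.conf to check a (user, origin) pair against the listing. It supports only what Listing 4 uses: "+" and "-" permissions, ALL, plain user names, and network prefixes written with a trailing dot such as 192.168.1.; groups, EXCEPT, LOCAL, netgroups and tty matching are deliberately out of scope. The rule set embedded below is a constructed copy of Listing 4 with the third field written explicitly on the deny line, which access.conf requires.

```shell
#!/bin/sh
# Added example (not from the article): a simplified model of how pam_access
# evaluates /etc/security/access.conf. First matching rule wins; if no rule
# matches at all, pam_access grants access.

# Constructed copy of Listing 4; every line needs all three fields.
RULES='# permission : users : origins
+ : ALL : 192.168.1.
+ : jack : ALL
+ : jill : ALL
- : ALL : ALL'

# Does the space-separated pattern list $1 match the value $2?
# ALL matches anything; a pattern ending in "." is a network prefix.
field_matches() {
    for pat in $1; do
        case "$pat" in
            ALL) return 0 ;;
            *.)  case "$2" in "$pat"*) return 0 ;; esac ;;
            *)   [ "$pat" = "$2" ] && return 0 ;;
        esac
    done
    return 1
}

# access_check RULES USER ORIGIN -> prints "allow" or "deny"
access_check() {
    who=$2 from=$3
    while IFS=: read -r perm users origins; do
        perm=$(printf '%s' "$perm" | tr -d '[:space:]')
        case "$perm" in ''|'#'*) continue ;; esac      # blank line or comment
        if field_matches "$users" "$who" && field_matches "$origins" "$from"; then
            if [ "$perm" = '+' ]; then echo allow; else echo deny; fi
            return 0
        fi
    done <<EOF
$1
EOF
    echo allow    # no rule matched: pam_access's default is to permit
}

# Show the effect of Listing 4 on a few constructed logon attempts.
demo_listing4() {
    for pair in jack@10.0.0.5 eve@10.0.0.5 eve@192.168.1.77 eve@192.168.10.1; do
        printf '%-18s %s\n' "$pair" "$(access_check "$RULES" "${pair%@*}" "${pair#*@}")"
    done
}
```

The last case in demo_listing4 is worth noting: 192.168.10.1 is not matched by the prefix 192.168.1., because the trailing dot is part of the match, so the internal-network rule does not accidentally cover neighbouring subnets.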
