OpenSSH

From wiki.techunit.org

Secure SSH

Use Public Key Based Authentication

  • On client

Different key format

RSA - Portability

"RSA keys will give you the greatest portability"

Ed25519 - Security

"Ed25519 will give you the best security but requires recent versions of client & server"

DSA - Deprecated

"OpenSSH 7.0 deprecated and disabled support for DSA keys due to discovered vulnerabilities, therefore the choice of cryptosystem lies within RSA or one of the two types of ECC."

ECDSA - NSA Backdoor

"ECDSA is likely more compatible than Ed25519 (though still less than RSA), but suspicions exist about its security"

wiki.archlinux.org - Choosing_the_type_of_encryption

Generate key pair

ssh-keygen -b 4096 -t rsa

Copy public key to server

ssh-copy-id -i ~/.ssh/id_rsa.pub user@<server>

SSHD config

  • On server: edit /etc/ssh/sshd_config

Only Use SSH Protocol 2

Protocol 2

Disable root Login via SSH

PermitRootLogin no

Limit user and group SSH access

AllowUsers user1 user2
# OR
AllowGroups group1 group2

Configure idle logout timeout interval

ClientAliveInterval 300 # 5 minutes
ClientAliveCountMax 0
# Caveat: since OpenSSH 8.2, ClientAliveCountMax 0 disables connection
# termination entirely; on such versions use a value of 1 or more.

Change SSH Port

Port 300

Limit IP Binding

ListenAddress <your private IP>
ListenAddress <your public IP>

Disable password

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
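To check that a server's configuration actually matches the directives above, here is an added audit script (not code from the original page). It assumes POSIX sh, awk and mktemp, mirrors sshd's parsing rules (first occurrence of a keyword wins, keywords are case-insensitive, directives after a Match line are conditional), and runs itself on a constructed sample file.

```shell
# Added example, not code from the original page: audit an sshd_config against
# the hardening directives listed above. Assumes POSIX sh, awk and mktemp.
# Print the effective value of KEYWORD in FILE (empty if unset). Mirrors sshd's
# parsing rules: keywords are case-insensitive, '#' starts a comment, the FIRST
# occurrence of a keyword wins, and directives under a Match block are
# conditional, so the scan stops at the first Match line.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }
        NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}
# Print one "Keyword expected=X got=Y" line per directive that deviates from the
# values this page recommends. Unset counts as a failure, except for
# PubkeyAuthentication, whose compiled-in default is already yes.
sshd_audit() {
    printf '%s\n' \
        'PermitRootLogin|no' \
        'PasswordAuthentication|no' \
        'ChallengeResponseAuthentication|no' \
        'PubkeyAuthentication|yes' |
    while IFS='|' read -r key want; do
        got=$(sshd_get "$1" "$key")
        if [ -z "$got" ] && [ "$key" = PubkeyAuthentication ]; then got=yes; fi
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
            printf '%s expected=%s got=%s\n' "$key" "$want" "${got:-<unset>}"
        fi
    done
}
# Stand-alone demo on a constructed sample file (not a real server's config).
# sshd keeps the first PasswordAuthentication value, so the audit must report
# "yes", and the PermitRootLogin under Match must not mask the global "no".
sshd_audit_demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
Match User backup
    PermitRootLogin yes
EOF
    sshd_audit "$sample"
    rm -f "$sample"
}
sshd_audit_demo
```

On a real host, run the audit against the output of `sshd -T` rather than the raw file when you also want compiled-in defaults and Match blocks resolved.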

Optimize security

Use Fail2Ban

Use Firewall to filter incoming

Add Port Knocking to SSH for Extra Security

SSH tips and tricks

SSH config

  • You can create a config file in ~/.ssh/config
Host alias
    HostName example.com
    Port 223
    User youruser
    IdentityFile ~/.ssh/id_example
    IdentitiesOnly yes

Host anotheralias
    HostName 192.168.0.10
    User anotheruser
    PubkeyAuthentication no

Connection chaining

Forward Authentication Agent

  • If your public key is present on both servers, you can connect without a password
# Start the agent in this shell and load your key
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_rsa
# Connect to the first server, forwarding the agent (-A)
ssh -A ktr@public.example.com
# Connect to the second server from the first; the forwarded agent answers the key challenge
ssh root@private.server
# Caveat: while the agent is forwarded, root on the first server can use your agent socket

Chain connections

  • Connect to private.server through public.example.com
ssh -A -t user@public.example.com ssh root@private.server

SSH Tunneling

Local Port Forwarding

  • Bind local port 8080 to srv2 web port through srv1
ssh -nNT username@srv1.example.com -L 8080:srv2.int.example.com:80
#OR bind local port 3307 to remote mysql port
ssh -L 3307:localhost:3306 username@remote
  • -n Redirects stdin from /dev/null
  • -N Do not execute a remote command
  • -T Disable pseudo-tty allocation
  • -L localport:host:hostport

Remote Port Forwarding

  • Bind remote port (9000) to local web port
ssh -R 9000:localhost:80 username@remote
  • -R Using remote port forwarding

Web proxy

  • Start a SOCKS proxy on local port 8080 that tunnels through remote
ssh -nNT -D 8080 username@remote
  • -D Specifies a local “dynamic” application-level port forwarding

Edit your preferences in Firefox, in Advanced/Network/Connection/Settings

  • SOCKS Host : localhost Port 8080
  • SOCKS V5

SSHFS

  • Mount remote directories over SSH
sudo aptitude install sshfs -y
mkdir remote
sshfs user@remote:/path/to/dir remote

SSH config

  • Edit ~/.ssh/config
# Note: StrictHostKeyChecking no (and UserKnownHostsFile /dev/null) disables
# host key verification, so a man-in-the-middle server is not detected.
# ForwardAgent yes hands the agent socket to every matching host.
Host mail
    HostName mail.example.com
    User user1
    StrictHostKeyChecking no
    Port 2222

Host server1
    HostName server1.example.com
    User toto
    StrictHostKeyChecking no
    ForwardAgent yes

Host *.example.com
    User ktr
    StrictHostKeyChecking no
    ForwardAgent yes

Host *
    User root
    StrictHostKeyChecking no
    ForwardAgent yes
    UserKnownHostsFile /dev/null

SSH Forward X

Incoming

Elliot
techUnit's cofounder