 |
| Descriptions |
|
• Basic • Full |
| Installation |
|
• Packages • Mac OS X • Automated Script • Manual |
| Configuration |
|
• MSS Graphical Tool • Manual • Tags |
| Use |
|
• Samples • Clients |
| Download |
|
• Files • History |
| Support |
|
• Faq • Forum |
| Extras |
|
• Security • Personalize • Translations • Pubs |
1 - Can we block intrusion after a number of attempts? (avoid SSH Brute Force)
2 - Blocking by the authentication module
3 - Blocking by Firewall
4 - Blocking by the authentication module
5 - How to limit the number of simultaneous unauthenticated connections?
6 - Using authentication keys instead of passwords?
7 - Creating and loading keys under Unix
8 - Creating and loading keys under Windows
| 1 - Can we block intrusion after a number of attempts? (avoid SSH Brute Force) |
MySecureShell The software does not manage this, but we'll see how to block with an authentication module with a firewall or with fail2ban.
| Return to the synopsis |
| 2 - Blocking by the authentication module |
It is possible to block these intrusions using the authentication module called "pam_tally". To see if you have, type the command locate pam_tally" :
locate pam_tally
/lib/security/pam_tally.so
/usr/sbin/pam_tally
There are systems where it is not installed by default. On the Mac, for example where there is not. Indeed porting "pam_tally" on some systems is quite tedious, so it does not necessarily exist.
- Next distributions, the file may have another name. That is what must be done on a distribution of type Debian (Ubuntu, Knoppix ...), for others, watching a few lines later.
- In file "/etc/pam.d/common-auth", must add the line:
auth required pam_tally.so onerr=fail no_magic_root
then in the file "/etc/pam.d/common-account", must add the line:
account required pam_tally.so onerr=fail deny=3 reset no_magic_root
- Turning now to other distributions of type Fedora Core (Red Hat ...):
- In file "/etc/pam.d/system-auth", must add the line :
auth required /lib/security/pam_tally.so onerr=fail no_magic_root
account required /lib/security/pam_tally.so deny=3 no_magic_root reset
Here are the options that you can change:
- deny=3 : blocks the account from 3 failed identifications.
- magic_root : allows "root" to a "su" about the user even if the account is "banned".
To view users blacklisted, type "faillog -a".
faillog -a
guest
Now, to remove that person from the "blacklist", type "faillog -r -u username".
faillog -r -u guest
| Return to the synopsis |
| 3 - Blocking by Firewall |
The other way is blocked by firewall. Here we see with Iptables how to block attacks. You must also have installed Ulog for logs.
Before you begin, you must ensure that the module ipt_recent is that is compiled or built into your kernel (kernel ). Otherwise it will rebuild it.
For whether it is present on your system, type "cat /boot/config-xxx-x | grep-i recent":
cat /boot/config-x.x.x-x | grep -i recent
CONFIG_IP_NF_MATCH_RECENT=m
- x.x.x-x : matches your kernel version.
The response "CONFIG_IP_NF_MATCH_RECENT" can be:
- "=m" : which means compiled as a module.
- "=y" : integrated into the kernel.
Once you have verified the existence on your system, fill in these lines in your configuration iptables:
You must first create a custom channel :
iptables -N SSH_WHITELIST
And then add a "Whilelist" for guests.
iptables -A SSH_WHITELIST -s $TRUSTED_HOST -m recent --remove --name SSH -j ACCEPT
Now add these lines will enable set the blocking and logs against the Brute Force SSH:
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP
- seconds 60 : it's time that someone is "banned".
- hitcount 4 : is the number of tests before being banished.
- --ulog-prefix SSH_brute_force : it's 'header for logs.
The following line is optional if you already have an identical or equivalent.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
You can now test it! To see the logs, they are in "/var/log/ulog/syslogemu.log". Type the following to see:
cat /var/log/ulog/syslogemu.log | grep SSH_brute_force
If you have guests who appear "blacklists" and you want them to belong to the "Whitelist", you can use this:
iptables -A SSH_WHITELIST -s x.x.x.x -m recent --remove --name SSH -j ACCEPT
- x.x.x.x : put the IP address to whitelist.
You can also check list by doing:
iptables -L SSH_WHITELIST
| Return to the synopsis |
| 4 - Blocking by the authentication module |
About fail2ban, the official website of the project is Fail2ban.
The software can be downloaded from SourceForge as Sources, RPMs or DEB. Ipcop and Gentoo are not far behind.
The default configuration is sufficient to protect against brute force attacks and indeed the strength of fail2ban. At its launch, the daemon is responsible for informing the Iptables rules adopted in case of attack. Fail2ban has chosen to extend its protection services ftp and apache which shows three paragraphs entitled vsftp, apache and ssh in the configuration file.
A administrator therefore define how it will protect service by informing the line enabled = true (enable) or false (not enabled) in the paragraph in the server.
Here we see an example for protecting its server MySecureShell. It edits the configuration file:
sudo vi /etc/fail2ban.conf
# Then, in paragraph :
[SSH]
# To activate protection.
enabled = true
# To save logs
logfile = /var/log/auth.log
The protection settings by default are in:
[DEFAULT]
# It allows 3 connections fail for remote IP address
maxfailures = 3
# The time of banishment will be 900s
bantime = 900
# Delay between each connection attempt
findtime = 600s
Here, one can verify that fail2ban is running:
/etc/init.d/fail2ban status
Satus of fail2ban: fail2ban is running
To stop / start the daemon after a change in the configuration:
/etc/init.d/fail2ban stop
Stopping fail2ban: .done
/etc/init.d/fail2ban start
Starting fail2ban: .done
For those who want more documentation on this project, here are some links:
- The official website Fail2ban
- http://www.the-art-of-web.com/system/fail2ban
And finally, if you want to see other ways to counter attacks SSH (as tcp_wrappers example), I suggest you have a look at this site:
http://la-samhna.de/library/brutessh.html
| Return to the synopsis |
| 5 - How to limit the number of simultaneous unauthenticated connections? |
It is possible to limit by editing the file "sshd_config" being generally "/etc/ssh" and insert this line:
MaxStartups 5
- MaxStartups 5 : Not more than 5 unauthenticated connections in parallel on your server.
| Return to the synopsis |
| 6 - Using authentication keys instead of passwords? |
It is possible to connect by key rather than using passwords. The advantage is that it dramatically improves security!
We'll start with configure the SSH server via the file "/etc/ssh/sshd_config". Edit it and change the lines like this:
PubkeyAuthentication yes
PermitEmptyPasswords no
Then, the user accounts you want the authentication key, will be configured NOT passwords. To do this, edit the file "/etc/shadow" and replace the field containing the password by "*" like this:
guest:crypted_password:13031:0:99999:7:::
Replace by:
guest:*:13031:0:99999:7:::
In the configuration of SSH just prohibit authentication password blank. In this case, the user calls no longer has a password because it is empty. The only way now for him is to authenticate a key.
We will see 2 ways to create and load the keys:
1 - Under a Unix-like system (Linux, Mac OS X. ..)
2 - Under Windows
| Return to the synopsis |
| 7 - Creating and loading keys under Unix |
We will create a public key and private key. To do this, use the following command:
ssh-keygen -t dsa
You can add the "-b" followed by the number of bits that you want to increase or decrease the encryption.
Then enter the place where the key will be stored (leave default) and then type a passphrase (type a sentence).
Then it must send the key just created to the server.
cat .ssh/id_dsa.pub | ssh user@host "cat >> .ssh/authorized_keys"
If it worked, when you connect, it asks you for a passphrase rather than a password.
ssh user@host
Enter passphrase for key '.ssh/clients':
He will now have to start SSH agent. He will look after you ask the passphrase once and for all.
ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-SOX10636/agent.10636; export SSH_AUTH_SOCK;
SSH_AGENT_PID=10636; export SSH_AGENT_PID;
echo Agent pid 10636;
The 3 lines after your order is to execute. Use copy/paste for example.
To start the agent while exporting variables, you should run this command:
eval `ssh-agent`
Now the agent is started and the environment exported! It only remains to add the key:
ssh-add ~/.ssh/id_dsa
That's finished. Now if you try to connect, you will no more demand.
To check if an agent running on the system requires a software error "keychain". It will check if an agent runs, if it is not the case, it will launch one. On Mac, there is software that serves as a "keychain" called sshLogin. Simply download and install (no configuration to do, just restart).
If you're not running Mac OS X, then you must install "keychain". Then following your "shell", you must insert 2 lines in your shell configuration:
.bash_profile (bash), .zprofile (zsh) ou .cshrc (compatible csh)
keychain ~/.ssh/id_dsa
source ~/.ssh-agent-csh-${HOSTNAME}
If you use another compatible "bash" shell you need to insert these lines
keychain ~/.ssh/id_dsa
. ~/.ssh-agent-${HOSTNAME}
This time it's finished!
| Return to the synopsis |
| 8 - Creating and loading keys under Windows |
To create a key, you must use PuTTyGen.
Once downloaded and launched, click on "Generate". You will then move the mouse to create a random code.
Where is written: "Public key for pasting into OpenSSH authorized_keys file:", is that you copy the whole key if below, on the server, following the file "autorized_keys". Then enter a passphrase. Save public key and private key by clicking the "Save public key" and "Save private key".
Now we have load the key. Download Pageant and run it.
Once launched, it is in the bottom right. Double click it to open and click Add key". Then load the private key that you exported and enter the passphrase previously generated.
For Pageant automatically load at startup put a shortcut in "Start/Programs/Startup". Then edit the shortcut and place it at the end of the line, the full path of the private key (in double quotes).
"C:\Program Files\PuTTY\pageant.exe" "C:\privatekey.ppk"
Note: You can convert keys made on a system with Unix Pageant utility PuTTYgen. Just convert the key like this: "Conversion/Import key. It'll just save the private key and loaded into Pageant.
| Return to the synopsis |
