Shashikant shah

Wednesday, 13 April 2016

SSH Service Hardening :-



PAM offers very powerful authentication control. You need to use the pam_access PAM module, which is mainly for access management. It provides login access control based on
§  Login names
§  Host or domain names
§  Internet addresses or network IP numbers
§  Terminal line names etc
2. Why pam_access matters?
On a production server, authorized login can come from any networked computer. Therefore, it is important to have tight control over users who are allowed to connect server via OpenSSH server.

3. How do I configure pam_access?
You need to edit following files:
1.    /etc/pam.d/sshd – Linux PAM configuration file.
2.    /etc/security/access.conf – By default rules for access management are taken from configuration this file. When someone logs in, the entry in this scanned and matched against rule. You can specify whether the login will be accepted or refused to user. General syntax is as follows:
permission : username: origins
Where,
§  permission : Permission field should be a “+” (access granted) or “-” (access denied) character.
§  username : Linux system username/login name such as root, shashi etc. You can also specify group names. You can also use special keywod ALL (to match all username).
§  origins : It is a list of one ore more tty names, host name, IP address, domain names that begin with . or special key words ALL or LOCAL

Open /etc/pam.d/sshd file :-
# vim /etc/pam.d/sshd
account    required     pam_access.so
auth       required     pam_sepermit.so


root and shashi user only login in ssh and only one IP allow 192.168.1.150

4.Open file /etc/security/access.conf

# vi /etc/security/access.conf

Append following line:

+: ALL EXCEPT root shashi:192.168.1.150

5. Restart SSH Services.
#/etc/init.d/sshd restart

Check ssh services.
Other IP not able to login ssh server.

Some RULE PAM :-

1.      Block All network with user :-
-:ALL  :  ALL

2.      Only user allow on network :-
+:shashi:192.168.1.0/24
            OR
+:shashi:192.168.1.150

3.      Normal user not able to access root su – command.

/etc/pam.d/su
# Uncomment the following line to require a user to be in the "wheel" group.
auth       required    pam_wheel.so use_uid

Some Normal user use su root access :-
               # usermod -G wheel user1
               
               # cat /etc/group | grep user1
               Wheel:x:10:user1
               User1:x:501:
               # tail  –f   /var/log/secure
 
 
2. Use of X11Forwarding
The display server on the client might have a higher exposure to be attacked, when enabling this option. If forwarding of X11 traffic is not needed, disable it by setting this value to “no”.
 
X11Forwarding no
 
3. Disable rhosts
While not common anymore, rhosts were a weak way to authenticate systems. By default the use of rhosts is already disabled. Make sure to check if it really is.
 
IgnoreRhosts yes
 
4. DNS hostname checking
By default the SSH server can check if the client connecting maps back to the same combination of hostname and IP address. Use this option to perform this basic check.
 
UseDNS yes
 
5. Disable Empty Passwords
You need to explicitly disallow remote login from accounts with empty passwords, update sshd_config with the following line:
 
PermitEmptyPasswords no
 
6. Disable root Login via SSH
Uncomment it and change the value to “no”:
PermitRootLogin no
 
7. Change Port no 22 in file /etc/ssh/sshd_config
 #Port 22
Port 8022
netstat -anp |grep 8022
 
8.Configure Idle user Log Out Timeout Interval
ClientAliveInterval 300
ClientAliveCountMax 0
You are setting an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user will be automatically kicked out (read as logged out).
 
9.Only allow root, vivek and jerry user to use the system via SSH, add the following to sshd_config:
AllowUsers root vivek jerry
DenyUsers saroj anjali foo
 
10. Only use SSH Protocol 2
Since SSH protocol 1 is insecure we need to force SSH server to always use protocol 2
i)                    Strong cryptographic integrity check
ii)                  Separate transport, authentication, and connection protocols
 
Protocol 2
 
11.Change SSH Server Listen Address
By default SSH Server listens on all available interfaces which is in some cases not OK. It is always best, to limit SSH server to listen only on interfaces we want and use for to connect to.
(we can access ssh this two ip)
 
ListenAddress 192.168.1.5 # System IP
ListenAddress 202.54.1.5  #VIP
 
         # netstat -anp |grep 22
 
12.Max Authentication Tries
MaxAuthTries 4
 
13. Log All Information
LogLevel INFO
 
14.Message Of The Day
Banner /etc/motd
 
How to block ssh users after 3 failed login attempts using pam_tally2.so

3.      Edit /etc/pam.d/sshd

auth required pam_tally2.so deny=3 onerr=fail unlock_time=300 

4.      pam_tally2.so uses the file /var/log/tallylog as a counter for the failed logis, if you wish to check the counter you can use the command pam_tally2

[root@nuke]# pam_tally2
5.      If you wish to reset the counter for a user, before the 5 minutes ban 
# pam_tally2 -r -u hacker1

No comments:

Post a Comment