Hi all.

When I was setting up my server while back I have noticed 100’s of entries in my:

/var/log/auth.log

about failed log in attempts from various IP’s with various logins. I wondered what it was until I saw this:

Cracking SSH Logins Video

Conclusions? There is at least one (wishful thinking…) bot out there which will scan the entire range of IP’s for opened port 22 and will use some brute-force tool trying to crack it. Now that’s not a very positive conclusion for all the SSH users…

What can be done about this? There are 3 thing You can do.

A) Forbid the root’s log in – that’s a default option in PCLinuxOS.
B) Install fail2ban via synaptic
C) Change the SSH port from 22 to something above the 10100

I use all of them.

Forbidding the root’s log in is a must. Root is the only 100% sure login on every Linux based system. Attacker don’t have to guess it. It’s there for sure. Now all he has to do is to guess the password. Blocking root’s log in will make him to guess Your user login and password. This is more difficult for them and that’s the whole point.

PCLinuxOS uses interesting settings in its config files. If You look at the file:

/etc/ssh/denyusers

You will see that it contains a word root.

This setting is blocking all the attempts of root log in to Your SSH server and yet allows You to use su command for Your convenience. Why? Even if attacker knows root password he will not be able to log in. However user who is logged into the system via SSH can raise its privileges using su command. This is secured and comfortable in the same time. Sometimes root’s privileges are necessary so PCLinuxOS does allows You to gain root and yet You have to log in as user and know the root’s password to gain full control over the machine.

Another method – Fail2ban – (You will find it in our repositories) will add a firewall rule to block all the attempts of connecting to the SSH port for a machine that unsuccessfully tried to log in X amount of times in Y time period. Example – xxx.yyy.zzz.uuu machine tried to log in with logins jack, ann, mark 3 times in 20 minutes period so it got banned for an hour.

You can set X and Y in the fail2ban config file:

/etc/fail2ban/jail.conf

and if You have local e-mail server configured – fail2ban will send You a message with notifications about new events.

Fail2ban will protect not only SSH but also FTP, SFTP, and other protocols that are using authentication. Very cool tool.

Another thing that You can do is to change the port of the SSH server. Here is how its done.

Changing Port For SSH Server Video

Why changing the port and why above 10100? Default port for SSH is 22. All the script kiddies aka skiddies will use that port in their bots. Even if script kiddie is smart and will scan Your IP with port scanner like nmap – by default he will scan first 10000 ports only. Setting up SSH above that will cause the port scanner to find ZIP, ZERO, NADA, BIG BOBKAS. Even if skiddy is smarter then that and he will scan all the 65k ports the open port will be shown as unknown service. He would have to add few more switches to the nmap to find out that its a SSH server. Skiddies are mostly lazy and they are going after the easy prey. Making it just that little bit more difficult can be a blessing for Your security.

So far those three steps are what I have learned about securing SSH server. Maybe in the future if I will learn something new I will add it in a new post.

Remember that even the weakest protection is better then no protection at all.

Regards.

Andy

Hi all.

It would drive me bananas if I would have to remember password for each and every of my shell accounts… leaving the account with no password is unacceptable however from the security point of view. Solution? Use authentication keys – public and private.

How to get them? Its very easy.

Open terminal on Your local machine.

Use command:

ssh-keygen -t rsa

When asked for:

Enter file in which to save the key (/home/mylogin/.ssh/id_rsa):

Press [ENTER].

Enter passphrase (empty for no passphrase)

Press [ENTER].

Enter same passphrase again:

Press [ENTER].

[mylogin@myhostname ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/mylogin/.ssh/id_rsa):
Created directory '/home/mylogin/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mylogin/.ssh/id_rsa.
Your public key has been saved in /home/mylogin/.ssh/id_rsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:7b mylogin@myhostname.local
The key's randomart image is:
+--[ RSA 2048]----+

RANDOM ART

BLAH

BLAH

+-----------------+
[mylogin@myhostname ~]$

SO what You did so far? You have generated a pair of authenticating keys. Private – which is for Your eyes only and public which can be shown to anyone.

Keys are placed in those two files:

Your identification has been saved in /home/mylogin/.ssh/id_rsa. <<< PRIVATE KEY

Your public key has been saved in /home/mylogin/.ssh/id_rsa.pub. <<< PUBLIC KEY

Run this command:

cat /home/mylogin/.ssh/id_rsa.pub

Lets say it spits out this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwMplVCQ+Y33n4kTVAy0nQReGD1GXmM28/D4STzNwdEthSY9UGIBduS1dGIVLWZYnphZglNFHE0Z0eIqgo0o0GDdtxqqsV20Zq/KV2nN+E8axlin4mRNuc/HgczxXkOtqkS9/yENOq8XN7XPD57kC+v+017GGNh139WiHbw+Myn9/mamjhmjywcnReiIbrYZnlgWJjpCXJCEoQZczypUyzB6x7aUMlenGdZwtfXCEPP709VSP9lUzanosY6bq1XoF6ravL2fulAvuNQVyxL7nfqJsio0JCI400WEJYm1et8Eg2vVEtIgIEKS7DZou/DR++/QgXpQas6yxaaHQ6Q0wt mylogin@myhostname.local

Now copy this ^^^ ENTIRE line.

Now that You have generated authentication keys and copied the public one – You have to place the public key in a file on the remote machine. Not just any file. Its a specific file in a specific folder both with a specific permissions.

Open new terminal. Ssh Yourself to the remotemachine.net

ssh -l mylogin remotemachine.net

Create directory in .ssh in Your home folder

mkdir ~/.ssh

Give it correct permissions:

chmod 700 ~/.ssh

Create file authorized_keys in the newly created directory

touch ~/.ssh/authorized_keys

Give it correct permissions:

chmod 600 ~/.ssh/authorized_keys

Paste the content previously copied from the cat /home/mylogin/.ssh/id_rsa.pub command combined with

echo "PASTE" > ~/.ssh/authorized_keys

Example:

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCwMplVCQ+Y33n4kTVAy0nQReGD1GXmM28/D4STzNwdEthSY9UGIBduS1dGIVLWZYnphZglNFHE0Z0eIqgo0o0GDdtxqqsV20Zq/KV2nN+E8axlin4mRNuc/HgczxXkOtqkS9/yENOq8XN7XPD57kC+v+017GGNh139WiHbw+Myn9/mamjhmjywcnReiIbrYZnlgWJjpCXJCEoQZczypUyzB6x7aUMlenGdZwtfXCEPP709VSP9lUzanosY6bq1XoF6ravL2fulAvuNQVyxL7nfqJsio0JCI400WEJYm1et8Eg2vVEtIgIEKS7DZou/DR++/QgXpQas6yxaaHQ6Q0wt mylogin@myhostname.local" > ~/.ssh/authorized_keys

Logout from the remote machine:

exit

Log back in.

ssh -l mylogin remotemachine.net

Remote ssh server shouldn’t ask for a password. If it does – You messed up and You are reading it all tagged as FAIL! 😉

You can use 1 private key to connect to multiple servers. Just copy the public key to all of them like I explained above. Permissions are crucial. 700 for the .ssh folder and 600 for the authorized_keys file. 99% of errors are connected to the wrong permissions of the folder / file or due to the wrong file name.

Regards.

Andy