From 59397fd1009a42d24dc101eb4a6b1ea4b9ff4101 Mon Sep 17 00:00:00 2001 From: Michele Cereda Date: Mon, 30 Sep 2024 19:08:16 +0200 Subject: [PATCH] fix(ssh): define useful ways for hardening --- knowledge base/set up port knocking.md | 6 +- knowledge base/ssh.md | 116 +++++++++++++++++++++---- knowledge base/turris os.md | 9 +- 3 files changed, 105 insertions(+), 26 deletions(-) diff --git a/knowledge base/set up port knocking.md b/knowledge base/set up port knocking.md index 6f44a0b..6050377 100644 --- a/knowledge base/set up port knocking.md +++ b/knowledge base/set up port knocking.md @@ -1,14 +1,16 @@ # Set up port knocking Technique where a daemon keeps listening on specific ports for a specific sequence of connections.
-When the correct sequence is used, the daemon issues a configured command, usually to open a defined port for the client only. +When the correct sequence is used, the daemon issues a configured command, usually to open a defined port for the client +only. This is frequently used to open the SSH port in a server for a specific client. See [Knockd]. diff --git a/knowledge base/ssh.md b/knowledge base/ssh.md index 90c4fbb..c709524 100644 --- a/knowledge base/ssh.md +++ b/knowledge base/ssh.md @@ -8,10 +8,9 @@ 1. [Optimize connection handling](#optimize-connection-handling) 1. [Integrate with GnuPG](#integrate-with-gnupg) 1. [Server configuration](#server-configuration) - 1. [Change port](#change-port) - 1. [Disable password authentication](#disable-password-authentication) - 1. [Permit root login](#permit-root-login) + 1. [Change listening port](#change-listening-port) 1. [Conditional blocks](#conditional-blocks) + 1. [Hardening](#hardening) 1. [SSHFS](#sshfs) 1. [Installation](#installation) 1. [Troubleshooting](#troubleshooting) @@ -293,35 +292,108 @@ Include /usr/etc/ssh/sshd_config.d/*.conf This avoids issues from updates overwriting the default file and allows user configurations to override defaults in a cleaner way. -### Change port +### Change listening port ```ssh-config Port 2222 ``` -### Disable password authentication - -```ssh-config -PasswordAuthentication no -ChallengeResponseAuthentication no -``` - -### Permit root login - -```ssh-config -PermitRootLogin yes -``` - ### Conditional blocks -> Only a subset of keywords may be used in a _Match_ block. Check the [`SSHD_CONFIG(5)`][sshd_config man page] man page. +> Only a subset of keywords may be used in a _Match_ block.
+> Check the [`SSHD_CONFIG(5)`][sshd_config man page] man page for more information. ```ssh-config Match Address 192.168.111.0/24 PasswordAuthentication no PermitRootLogin no +Match User ashley + AllowUsers ashley@203.0.113.1 ``` +### Hardening + +Don't bother changing the SSH port from the default `22` value unless you require it for other purposes.
+Security through obscurity is utterly ineffective and can create issues with tools expecting standard usage + +[1][Why I don't change SSH from port 22], +[2][Security Through Obscurity (STO): History, Criticism & Risks] +. + +Suggestions: + +- Disable `root` login: + + ```ssh-config + PermitRootLogin no + ``` + + Or limit it to keys: + + ```ssh-config + PermitRootLogin prohibit-password + ``` + +- Limit the maximum number of authentication attempts for any login session: + + ```ssh-config + MaxAuthTries 3 + ``` + +- Limit the amount of time user have to complete authentication after the initial connection: + + ```ssh-config + LoginGraceTime 20 + ``` + +- Disable authentication with empty passwords: + + ```sh + PermitEmptyPasswords no + ``` + +- Disable password authentication altogether: + + ```ssh-config + PasswordAuthentication no + ``` + +- Restrict authentication options to keys: + + ```ssh-config + ChallengeResponseAuthentication no + ``` + +- Disable other authentication methods if not used: + + ```ssh-config + ChallengeResponseAuthentication no + KerberosAuthentication no + GSSAPIAuthentication no + ``` + +- Disable other features if not used: + + ```ssh-config + AllowAgentForwarding no + AllowTcpForwarding no + PermitTunnel no + X11Forwarding no + ``` + +- Restrict login to specific IP addresses: + + ```ssh-config + AllowUsers*@203.0.113.1 *@203.0.113.2 *@192.0.2.0/24 *@172.16.*.1 sammy@203.0.113.1 alex@203.0.113.2 + Match User ashley + AllowUsers ashley@203.0.113.1 + ``` + +- Temporarily block IPs after repeated authentication failures.
+ See [fail2ban]. + +- [Set up port knocking]. + ## SSHFS Notable options: @@ -388,6 +460,7 @@ Solution: update the SSH server. - [`sshd_config` example][sshd_config example] - [ssh-agent] - [Use GPG keys for SSH authentication] +- [Security Through Obscurity (STO): History, Criticism & Risks] ### Sources @@ -402,6 +475,8 @@ Solution: update the SSH server. - [Restrict SSH login to a specific IP or host] - [Stick with security: YubiKey, SSH, GnuPG, macOS] - [How to check if an RSA public / private key pair match] +- [Why I don't change SSH from port 22] +- [How To Harden OpenSSH on Ubuntu 20.04] [use gpg keys for ssh authentication]: gnupg.md#use-gpg-keys-for-ssh-authentication +[set up port knocking]: set%20up%20port%20knocking.md [ssh_config example]: ../examples/ssh/ssh_config 
@@ -422,14 +498,18 @@ Solution: update the SSH server. [sshd_config man page]: https://man.openbsd.org/sshd_config +[fail2ban]: https://github.com/fail2ban/fail2ban [get started with openssh for windows]: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse?tabs=gui [how to check if an rsa public / private key pair match]: https://serverfault.com/questions/426394/how-to-check-if-an-rsa-public-private-key-pair-match#426429 [how to enable ssh access using a gpg key for authentication]: https://opensource.com/article/19/4/gpg-subkeys-ssh +[how to harden openssh on ubuntu 20.04]: https://www.digitalocean.com/community/tutorials/how-to-harden-openssh-on-ubuntu-20-04 [how to list keys added to ssh-agent with ssh-add?]: https://unix.stackexchange.com/questions/58969/how-to-list-keys-added-to-ssh-agent-with-ssh-add [how to perform hostname canonicalization]: https://sleeplessbeastie.eu/2020/08/24/how-to-perform-hostname-canonicalization/ [how to reuse ssh connection to speed up remote login process using multiplexing]: https://www.cyberciti.biz/faq/linux-unix-reuse-openssh-connection/ [multiple similar entries in ssh config]: https://unix.stackexchange.com/questions/61655/multiple-similar-entries-in-ssh-config [restrict ssh login to a specific ip or host]: https://docs.rackspace.com/support/how-to/restrict-ssh-login-to-a-specific-ip-or-host/ +[security through obscurity (sto): history, criticism & risks]: https://www.okta.com/uk/identity-101/security-through-obscurity/ [stick with security: yubikey, ssh, gnupg, macos]: https://evilmartians.com/chronicles/stick-with-security-yubikey-ssh-gnupg-macos [use sshfs to mount a remote directory as a volume on osx]: https://benohead.com/mac-os-x-use-sshfs-to-mount-a-remote-directory-as-a-volume/ [using the ssh config file]: https://linuxize.com/post/using-the-ssh-config-file/ +[why i don't change ssh from port 22]: https://www.youtube.com/watch?v=Fzt5dqaIMYc 
diff --git a/knowledge base/turris os.md b/knowledge base/turris os.md index 7f59f8f..67ffd29 100644 --- a/knowledge base/turris os.md +++ b/knowledge base/turris os.md @@ -464,12 +464,9 @@ uci commit 'dhcp' && reload_config && luci-reload ## Hardening -Suggestions: +See: -- [SSH]: - - Change the SSH port from the default `22` value. - - Restrict login to specific IP addresses. - - Restrict authentication options to keys. +- [SSH hardening]. ## The SFP+ caged module @@ -577,7 +574,7 @@ All the references in the [further readings] section, plus the following: [openwrt]: openwrt.md [opkg]: opkg.md [pi-hole]: pi-hole.md -[ssh]: ssh.md +[ssh hardening]: ssh.md#hardening [uci]: uci.md
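Review bot: in the `knowledge base/ssh.md` hunk at `@@ -293,35 +292,108 @@`, the "Restrict login to specific IP addresses" block is missing the space between the keyword and its first pattern: `AllowUsers*@203.0.113.1 *@203.0.113.2 *@192.0.2.0/24 *@172.16.*.1 sammy@203.0.113.1 alex@203.0.113.2` is not a recognisable `AllowUsers` directive as written and should read `AllowUsers *@203.0.113.1 *@203.0.113.2 *@192.0.2.0/24 *@172.16.*.1 sammy@203.0.113.1 alex@203.0.113.2`. In that same list, `sammy@203.0.113.1` and `alex@203.0.113.2` are already matched by the `*@203.0.113.1` and `*@203.0.113.2` wildcards, so either the named entries or the wildcards are redundant and the example should show one intent or the other. Smaller points in the same hunk: `ChallengeResponseAuthentication no` appears both in the "Restrict authentication options to keys" bullet and in the "Disable other authentication methods if not used" bullet directly below it, and that single directive does not by itself restrict logins to keys, so fold the first bullet into the second; the "Disable authentication with empty passwords" block is fenced as `sh` while every other block in the section uses `ssh-config`; "the amount of time user have" should read "users have"; the sentence "Security through obscurity is utterly ineffective and can create issues with tools expecting standard usage" has no full stop and its two citations sit on separate lines followed by a lone `.`, so join them into one sentence; and the `Match User ashley` / `AllowUsers ashley@203.0.113.1` snippet now appears verbatim both under "Conditional blocks" and in the "Restrict login" bullet, so keep it in one place and link from the other.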