SSH Guide


Post by tanmay.01 » Tue Jul 09, 2013 4:25 am

SSH is one of the protocols of the TCP/IP protocol suite found at the application layer (Layer 7) of the Open Systems Interconnection (OSI) network model. Officially specified in RFC 4251 (and later, several other RFCs), SSH functions in a way that is similar to telnet but is far more robust and capable. SSH lets you log in to other hosts, get a shell and execute commands on them (for more details, read up on the concept of the OS shell), and transfer files between hosts. The major difference between SSH and telnet as terminal emulation protocols is that SSH utilizes encryption and strong authentication while telnet transmits data (including passwords) in clear text, making it vulnerable to packet sniffing. SSH, in contrast, provides secure, reliable authentication and communication over data channels that might not be so trustworthy (such as the public Internet). Because the SSH protocol encrypts the communications between network devices, it decreases the chance of an attacker (possibly an internal user) sniffing traffic and obtaining sensitive data such as authentication credentials.

What is commonly called ‘SSH’ is actually a collection of utilities such as ssh, scp, slogin, and sftp. SSH can be used to effectively replace telnet in a manner almost invisible to users. However, in the background SSH sessions involve authentication, key exchange, encryption, and passphrase generation and storing, making SSH a complex protocol.

SSH versions
SSH version 1 was released in 1995; however, a few years later it was determined to be unreliable. SSHv1 is vulnerable to a well-known exploit that allows an attacker to insert data into the communication stream, making it vulnerable to man-in-the-middle (MITM) attacks. In short, versions of SSH prior to v2.0 are not completely cryptographically safe, so they should not be used. Therefore, this article will focus only on SSHv2. Bear in mind that if you see SSH version 1.99 installed, this means that the host supports both SSH v1.5 and v2.

SSH encryption
SSH uses the public key (asymmetric) cryptographic model which means that data encryption between hosts utilizes two keys: a public key to encrypt the data, and a private key to decrypt it. The asymmetric keys are used to authenticate the SSH server and client and then to negotiate a symmetric key. This symmetric key is utilized for data encryption.

SSH utilizes the following symmetric encryption algorithms: AES (aka Rijndael; default if supported), 3DES, Blowfish, Twofish, Arcfour/RC4, and Cast128-cbc. For asymmetric authentication it uses Diffie-Hellman or the Digital Signature Algorithm (DSA), and for hashing it uses SHA or MD5. AES, 3DES, SHA-*, and DSA are all FIPS-validated. Note that SSH does not utilize any Public Key Infrastructure (PKI) like SSL does.

Install SSH server and client on Ubuntu:

    sudo apt-get install openssh-server openssh-client


Configure the OpenSSH server:

    sudo nano /etc/ssh/sshd_config


Disable password authentication:

To disable password authentication, look for the following line in your sshd_config file:

#PasswordAuthentication yes

replace it with a line that looks like this:

PasswordAuthentication no


Disable direct root login:
To access the server remotely as root, you would need to log in as a non-root user and then switch to root with the su - command.
To disable direct root logins via SSH, you need to find the line
#PermitRootLogin yes
and set it to
PermitRootLogin no


Don't configure this if you want VNC over SSH; if you want only a terminal, do the following:

To disable forwarding, look for the following lines in your sshd_config:

AllowTcpForwarding yes

X11Forwarding yes

and replace them with:

AllowTcpForwarding no

X11Forwarding no


Log more info:

To increase the level, find the following line in your sshd_config:

LogLevel INFO

and change it to this:

LogLevel VERBOSE


Generate a key on the SSH client (PC):

    mkdir -p ~/.ssh
    chmod 700 ~/.ssh
    ssh-keygen -t rsa -b 4096


When prompted, enter a name and path for your key if you have multiple clients and want to recognise them; otherwise your public key will be saved in encrypted format as /home/you/.ssh/id_rsa.pub and your private key will go in /home/you/.ssh/id_rsa.
Then enter a long passphrase.

Note: The default is a 2048 bit key. You can increase this to 4096 bits with the -b flag (Increasing the bits makes it harder to crack the key by brute force methods).


The procedure is the same in the case of a rooted Android phone; if your phone is not rooted, use a client that can generate a key, like ConnectBot.
I'll be using JuiceSSH on Android as it also supports 2-factor authenticators like Google's.


Now, copy the public key to the SSH server you want to connect to with the command:

    $ scp ~/.ssh/id_rsa.pub username@ssh_server.domain.com:.ssh/authorized_keys   # note: this replaces any existing authorized_keys on the server


Alternatively, you could add the contents of id_rsa.pub to the end of authorized_keys on the remote SSH server with the command:

    $ cat .ssh/id_rsa.pub | ssh [host] 'cat >> ~/.ssh/authorized_keys'


If the public key is still on your local host, then the command would be:

    $ cat ~/.ssh/id_rsa.pub | ssh ssh_server.domain.com 'cat - >> ~/.ssh/authorized_keys'


Key-based encryption is an effective means of stopping brute-force password attacks because, unless the potential intruder has possession of your public key, he's not going to get in.


First connection on SSH:

When you attempt to log in to a remote host for the first time via SSH, you will see a message like this:

    $ ssh ssh_server.domain.com
    The authenticity of host 'ssh_server.domain.com' can't be established.
    DSA key fingerprint is 85:68:4b:3a:bc:f3:7c:9b:01:5d:b8:03:38:e2:14:9c.
    Are you sure you want to continue connecting (yes/no)?

When you continue, the server ssh_server.domain.com will be added to your list of known hosts, located in /home/you/.ssh/known_hosts.

Secure SSH servers

Here are some basic steps to secure your SSH servers. For more detailed guides, see the 'Securing SSH' links in the Further Reference section of this page.
    1. Disable SSH logins as the root user (described above).
    2. Run the SSH service on a non-standard port (described above).
    3. Require SSH users to have passwords that are both complex and long (at least eight characters).
    4. Ensure that file permissions are set properly to prevent SSH users from accessing files which they are not supposed to. For example, you could put each user in his own group. Don't grant that group access to any other files or directories (be aware that they will be able to access anything set to 777). Then you can set the appropriate permissions on all the files you want them to have access to using the chgrp command.
    5. Add known source IP addresses to a whitelist to lock down access control. See: /etc/hosts.deny and /etc/hosts.allow.
    6. Consider installing sshblack and Fail2ban for IPS functionality.
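An added example, not part of tanmay.01's post: a small POSIX shell audit of an sshd_config against the five settings the post changes (PasswordAuthentication, PermitRootLogin, AllowTcpForwarding, X11Forwarding, LogLevel). It reads the file the way sshd does, so the first occurrence of a keyword wins, comments are skipped, and nothing inside a Match block counts, which means a still-commented "#PasswordAuthentication yes" is reported as unset rather than mistaken for a live setting. The function names and the two sample configs are my own constructions; on a real host point the functions at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config against
# the hardening settings the post recommends.
# Assumptions: plain "Directive value" lines separated by whitespace (no '='
# form), and anything after the first "Match" block is ignored because those
# settings apply only conditionally.

# Print the effective value of DIRECTIVE ($2) in FILE ($1). Mirrors sshd:
# comments and blank lines are skipped, keywords are case-insensitive, the
# FIRST occurrence wins, and nothing after a Match block is considered.
sshd_effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"  { exit }
        tolower($1) == want     { print $2; exit }
    ' "$1"
}

# Print one finding per line for every directive that is not explicitly set
# to the hardened value. An unset directive is a finding too: the point of
# the checklist is to pin each value rather than rely on the sshd default.
sshd_audit() {
    cfg=$1
    for pair in PasswordAuthentication=no PermitRootLogin=no \
                AllowTcpForwarding=no X11Forwarding=no LogLevel=VERBOSE
    do
        directive=${pair%%=*}
        expected=${pair#*=}
        actual=$(sshd_effective_value "$cfg" "$directive")
        if [ -z "$actual" ]; then
            printf '%s: %s is not set (sshd default applies), expected "%s"\n' \
                "$cfg" "$directive" "$expected"
        elif [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" != \
               "$(printf '%s' "$expected" | tr 'A-Z' 'a-z')" ]; then
            printf '%s: %s is "%s", expected "%s"\n' \
                "$cfg" "$directive" "$actual" "$expected"
        fi
    done
}

# Number of findings, so a cron job or CI step can treat "0" as clean.
sshd_audit_count() {
    sshd_audit "$1" | wc -l | tr -d ' '
}

# Constructed sample configs standing in for /etc/ssh/sshd_config.
weak_cfg=$(mktemp)
hard_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hard_cfg"' EXIT

cat > "$weak_cfg" <<'EOF'
# as shipped: the lines the post tells you to look for, still commented out
#PasswordAuthentication yes
#PermitRootLogin yes
AllowTcpForwarding yes
X11Forwarding yes
LogLevel INFO
EOF

cat > "$hard_cfg" <<'EOF'
# after following the post; the Match block re-enables forwarding for one user
PasswordAuthentication no
PermitRootLogin no
AllowTcpForwarding no
X11Forwarding no
LogLevel VERBOSE
Match User vncuser
    AllowTcpForwarding yes
EOF

sshd_audit "$weak_cfg"
echo "findings in weak config: $(sshd_audit_count "$weak_cfg")"
echo "findings in hardened config: $(sshd_audit_count "$hard_cfg")"
```

Run against the weak sample it lists five findings; against the hardened one it lists none, and AllowTcpForwarding still reads as "no" because the per-user override inside the Match block is conditional and does not change the global value.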

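An added example, not from the original post: an idempotent version of the key-install step. The scp form in the post overwrites whatever authorized_keys already holds, and the "cat >>" form appends the same key again on every run and leaves the permissions of ~/.ssh and authorized_keys to chance (with the default StrictModes, sshd ignores the file if the directory or file is group- or world-writable). The function names, the home directory and the key material below are constructed for the demonstration; on a real host you would run the function as the remote user, for instance by piping the script over ssh in place of the one-liner.

```shell
#!/bin/sh
# Added example, not code from the original post: install a public key into
# a user's authorized_keys without overwriting or duplicating anything.
# Assumptions: the key file holds one OpenSSH public-key line ("type blob
# comment"), and existing authorized_keys entries carry no option prefix.

# Print "type blob" of the first line, dropping the comment, so the same key
# with a different comment is still recognised as already present.
key_identity() {
    awk 'NR == 1 { print $1, $2; exit }' "$1"
}

# Succeed only if the first line of FILE looks like an OpenSSH public key.
is_public_key() {
    awk 'NR == 1 { ok = ($1 ~ /^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp(256|384|521))$/ && $2 ~ /^AAAA/) }
         END { exit !ok }' "$1"
}

# install_authorized_key PUBKEY_FILE HOME_DIR
# Creates HOME_DIR/.ssh (700) and authorized_keys (600) if missing and
# appends the key only when it is not already there. Prints "added",
# "present" or "rejected"; returns non-zero only for a rejected key.
install_authorized_key() {
    pub=$1
    ssh_dir=$2/.ssh
    auth=$ssh_dir/authorized_keys
    if ! is_public_key "$pub"; then
        echo rejected
        return 1
    fi
    umask 077                      # new files are private from the start
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"                  # never truncates an existing file
    chmod 600 "$auth"
    ident=$(key_identity "$pub")
    if awk -v want="$ident" '($1 " " $2) == want { found = 1 } END { exit !found }' "$auth"; then
        echo present
    else
        head -n 1 "$pub" >> "$auth"
        echo added
    fi
}

# Constructed sample input: a fake home directory and made-up key material.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedNotARealKey0123456789 you@laptop' \
    > "$work/id_rsa.pub"
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedNotARealKey0123456789 you@phone' \
    > "$work/same_key_other_comment.pub"
printf '%s\n' 'this is not a key' > "$work/bogus.pub"

install_authorized_key "$work/id_rsa.pub" "$work/home"                 # added
install_authorized_key "$work/id_rsa.pub" "$work/home"                 # present
install_authorized_key "$work/same_key_other_comment.pub" "$work/home" # present
install_authorized_key "$work/bogus.pub" "$work/home" || true          # rejected
```

After the four calls the file holds exactly one line: the repeat and the same key with a different comment are both reported as present, and the garbage file is refused before anything is written.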


Re: SSH Guide

Post by kfrngaqea » Mon Aug 05, 2013 12:16 am

tanmay.01 wrote:
    The procedure is the same in the case of a rooted Android phone; if your phone is not rooted, use a client that can generate a key, like ConnectBot.
    I'll be using JuiceSSH on Android as it also supports 2-factor authenticators like Google's.


Thank you for your share; it's very useful to me.

