SCAR-iT/LWM-Linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
LWM-Linux/09 - Linux Security Concepts/Network Security (OpenSSH).md

147 lines
3.7 KiB
Markdown
Raw Permalink Blame History

# Network Security (OpenSSH)
## 1. Introduction to OpenSSH
OpenSSH (Open Secure Shell) is a suite of secure networking utilities based on the SSH (Secure Shell) protocol. It provides encrypted communication sessions over a computer network, allowing secure remote access, file transfers, and command execution.
## 2. Key Features of OpenSSH
- Encrypted communication
- Public key authentication
- Port forwarding
- X11 forwarding
- SFTP (Secure File Transfer Protocol) subsystem
## 3. Installation
Most Unix-like systems come with OpenSSH pre-installed. For other systems:
- Ubuntu/Debian: `sudo apt-get install openssh-server`
- CentOS/RHEL: `sudo yum install openssh-server`
- macOS: Comes pre-installed
- Windows: Use OpenSSH or third-party implementations like PuTTY
## 4. Basic Configuration
The main configuration file is `/etc/ssh/sshd_config`. Key settings include:
- Port: Change default port (22) to reduce automated attacks
- PermitRootLogin: Disable direct root login
- PasswordAuthentication: Disable password authentication
- PubkeyAuthentication: Enable public key authentication
Example:
```ini
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
```
## 5. Public Key Authentication
Generate a key pair:
```bash
ssh-keygen -t rsa -b 4096
```
Transfer the public key to the server:
```bash
ssh-copy-id user@server
```
## 6. Firewall Configuration
Restrict SSH access using a firewall. For example, with UFW:
```bash
sudo ufw allow 2222/tcp
sudo ufw enable
```
## 7. Fail2Ban
Install and configure Fail2Ban to protect against brute-force attacks:
```bash
sudo apt-get install fail2ban
```
Configure in `/etc/fail2ban/jail.local`:
```ini
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
```
## 8. Two-Factor Authentication (2FA)
Install Google Authenticator:
```bash
sudo apt-get install libpam-google-authenticator
```
Run the initialization:
```bash
google-authenticator
```
Modify `/etc/pam.d/sshd`:
```ini
auth required pam_google_authenticator.so
```
Update `/etc/ssh/sshd_config`:
```ini
ChallengeResponseAuthentication yes
```
## 9. SSH Keys Management
- Use ssh-agent for convenient key management
- Implement SSH certificates for larger deployments
## 10. Port Forwarding
Local port forwarding:
```bash
ssh -L 8080:localhost:80 user@server
```
Remote port forwarding:
```bash
ssh -R 8080:localhost:80 user@server
```
## 11. SFTP Configuration
Configure SFTP-only access for certain users:
```ini
Match Group sftponly
ChrootDirectory /home/%u
ForceCommand internal-sftp
AllowTcpForwarding no
X11Forwarding no
```
## 12. Logging and Monitoring
- Enable verbose logging in sshd_config
- Use tools like Logwatch or OSSEC for log analysis
- Implement centralized logging with solutions like ELK stack
## 13. Regular Updates
Keep your OpenSSH installation and the host system up-to-date:
```bash
sudo apt-get update && sudo apt-get upgrade
```
## 14. Security Auditing
Regularly audit your SSH configuration using tools like:
- ssh-audit
- Lynis
## 15. Best Practices
- Use strong, unique passwords for each account
- Implement the principle of least privilege
- Regularly rotate SSH keys
- Use SSH protocol version 2 only
- Disable unused features and remove unnecessary user accounts
## 16. Troubleshooting
- Check logs in `/var/log/auth.log` or `/var/log/secure`
- Use `ssh -v` for verbose output during connection attempts
- Verify file permissions (e.g., `~/.ssh` should be 700, `~/.ssh/authorized_keys` should be 600)
## Conclusion:
Implementing these measures will significantly enhance the security of your SSH setup. However, security is an ongoing process. Stay informed about the latest vulnerabilities and best practices, and regularly review and update your configuration.
Reference in New Issue View Git Blame Copy Permalink