SCAR-iT/LWM-Linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
LWM-Linux/09 - Linux Security Concepts/Network Security (OpenSSH).md

3.7 KiB
Raw Blame History

Network Security (OpenSSH)

1. Introduction to OpenSSH

OpenSSH (Open Secure Shell) is a suite of secure networking utilities based on the SSH (Secure Shell) protocol. It provides encrypted communication sessions over a computer network, allowing secure remote access, file transfers, and command execution.

2. Key Features of OpenSSH

  • Encrypted communication
  • Public key authentication
  • Port forwarding
  • X11 forwarding
  • SFTP (Secure File Transfer Protocol) subsystem

3. Installation

Most Unix-like systems come with OpenSSH pre-installed. For other systems:

  • Ubuntu/Debian: sudo apt-get install openssh-server
  • CentOS/RHEL: sudo yum install openssh-server
  • macOS: Comes pre-installed
  • Windows: Use OpenSSH or third-party implementations like PuTTY

4. Basic Configuration

The main configuration file is /etc/ssh/sshd_config. Key settings include:

  • Port: Change default port (22) to reduce automated attacks
  • PermitRootLogin: Disable direct root login
  • PasswordAuthentication: Disable password authentication
  • PubkeyAuthentication: Enable public key authentication

Example:

Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes

5. Public Key Authentication

Generate a key pair:

ssh-keygen -t rsa -b 4096

Transfer the public key to the server:

ssh-copy-id user@server

6. Firewall Configuration

Restrict SSH access using a firewall. For example, with UFW:

sudo ufw allow 2222/tcp
sudo ufw enable

7. Fail2Ban

Install and configure Fail2Ban to protect against brute-force attacks:

sudo apt-get install fail2ban

Configure in /etc/fail2ban/jail.local:

[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3

8. Two-Factor Authentication (2FA)

Install Google Authenticator:

sudo apt-get install libpam-google-authenticator

Run the initialization:

google-authenticator

Modify /etc/pam.d/sshd:

auth required pam_google_authenticator.so

Update /etc/ssh/sshd_config:

ChallengeResponseAuthentication yes

9. SSH Keys Management

  • Use ssh-agent for convenient key management
  • Implement SSH certificates for larger deployments

10. Port Forwarding

Local port forwarding:

ssh -L 8080:localhost:80 user@server

Remote port forwarding:

ssh -R 8080:localhost:80 user@server

11. SFTP Configuration

Configure SFTP-only access for certain users:

Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

12. Logging and Monitoring

  • Enable verbose logging in sshd_config
  • Use tools like Logwatch or OSSEC for log analysis
  • Implement centralized logging with solutions like ELK stack

13. Regular Updates

Keep your OpenSSH installation and the host system up-to-date:

sudo apt-get update && sudo apt-get upgrade

14. Security Auditing

Regularly audit your SSH configuration using tools like:

  • ssh-audit
  • Lynis

15. Best Practices

  • Use strong, unique passwords for each account
  • Implement the principle of least privilege
  • Regularly rotate SSH keys
  • Use SSH protocol version 2 only
  • Disable unused features and remove unnecessary user accounts

16. Troubleshooting

  • Check logs in /var/log/auth.log or /var/log/secure
  • Use ssh -v for verbose output during connection attempts
  • Verify file permissions (e.g., ~/.ssh should be 700, ~/.ssh/authorized_keys should be 600)

Conclusion:

Implementing these measures will significantly enhance the security of your SSH setup. However, security is an ongoing process. Stay informed about the latest vulnerabilities and best practices, and regularly review and update your configuration.