SSH
Contents:
- SSH Authentication
- iptables
- Xinetd
- X over SSH
- sshguard (SSH brute force)
- DenyHosts (SSH)
- Port Knocking

www.linuxac.org
B!n@ry
SSH
SSH ... Secure SHell
telnet
... Clear Text
SNIFFING ... Wireshark SSH
AES (Advanced Encryption Standard), Triple DES, Blowfish ...
(1) telnet
(2) ssh
SSH Authentication:
Host-Key Authentication:
binary
Host-Key
Public-Key Authentication:
Passphrase, Public, Private
Passphrase-Less Authentication:
Passphrase
Automated, cron
SSH 2002
CentOS, Fedora, Debian, Ubuntu, Slackware
CentOS / Fedora:
/etc/init.d/sshd start
/etc/init.d/sshd {start|stop|restart|reload|condrestart|status}
Debian / Ubuntu:
/etc/init.d/ssh start
/etc/init.d/ssh {start|stop|reload|force-reload|restart|try-restart}
restart
reload
ssh username@ip/domain
ssh binary@5.5.5.5
~/.ssh/known_hosts
binary
binary:
ssh 5.5.5.5
binary
mohamed:
ssh 5.5.5.5
mohamed
Host-Key Authentication
Public-Key Authentication
binary (CLIENT):
ssh-keygen -t rsa
ssh-keygen -t dsa
2048bit / 1024bit
RSA, ENTER:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/binary/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/binary/.ssh/id_rsa.
Your public key has been saved in /home/binary/.ssh/id_rsa.pub.
The key fingerprint is:
02:09:09:09:ee:cc:dd:4d:3d:3a:66:ff:ab:df:34:11 binary@binary-zone.com
fingerprint
binary mohamed
/home/mohamed/.ssh/id_rsa
passphrase
binary:
scp ~/.ssh/id_rsa.pub binary@5.5.5.5:.ssh/authorized_keys
authorized_keys
/home/binary/.ssh/
chmod 600 /home/binary/.ssh/id_rsa.pub
chmod 400 /home/binary/.ssh/id_rsa
binary id_rsa.pub id_rsa
B!n@ry
vim /etc/ssh/sshd_config
PasswordAuthentication:
PasswordAuthentication no
IP 6.6.6.6:
ssh-keygen -t rsa -f id_server2
/home/binary/.ssh
id_server2 id_rsa
ssh -i id_server2 binary@6.6.6.6
6.6.6.6 passphrase
B!n@ry:
id_rsa:
ssh-keygen -p -f /home/binary/.ssh/id_rsa
id_server2:
ssh-keygen -p -f /home/binary/.ssh/id_server2
fingerprint
Hardening SSH
iptables
xinetd
iptables:
/sbin/iptables -A INPUT -p tcp -s 5.5.5.5 --dport 22 -j ACCEPT
IP 5.5.5.5 ssh
xinetd:
vim /etc/hosts.allow
sshd: 5.5.5.5: ALLOW
vim /etc/hosts.deny
sshd: ALL : DENY
IP 5.5.5.5 (spoof IP)
vim /etc/ssh/sshd_config
:
ListenAddress 5.5.5.5
PermitRootLogin no
Protocol 2
AllowUsers binary mohamed
AllowGroups admins
Port 5858
5.5.5.5
IP
- SSH-2, not SSH-1
- binary mohamed
- admins
`which sshd` -t
Harden
Port-Knocking / SPA / DenyHosts
Google
Host-Key Authentication
Public-Key Authentication ...
/etc/hosts.allow
/etc/hosts.deny
IP SSH
ssh_exchange_identification: Connection closed by remote host
:
mohamed
binary serv1 IP 5.5.5.5
serv2 IP 6.6.6.6 port 22
2222
22
.ssh:
~/.ssh/
22 binary serv1
~/.ssh/serv1
serv1:
vim ~/.ssh/serv1
IdentityFile ~/.ssh/serv1
Port 22
User binary
mohamed:
vim ~/.ssh/serv2
IdentityFile ~/.ssh/serv2
Port 2222
User mohamed
binary :
ssh -F serv1 5.5.5.5
ssh serv1 ...
mohamed :
ssh -F serv2 6.6.6.6
ssh serv2 ...
2222
netstat:
netstat -a --tcp -p | grep ssh
.ssh
/etc/ssh/ssh_config
B!n@ry: ... Client
/etc/ssh/sshd_config ... SSH
(backup)
OpenSSH:
ssh binary@5.5.5.5 sudo /etc/init.d/httpd restart
httpd ...
ssh binary@5.5.5.5 tar cvf binary-backup.tar /home/binary
binary ... binary-backup.tar
comment:
ssh-keygen -t rsa -C "binary on serv1"
binary on serv1
B!n@ry:
X SSH
mount filesystem:
mount
serv1:
mkdir /mnt/serv1
binary mount:
sshfs binary@5.5.5.5: /mnt/serv1
sshfs binary@5.5.5.5:/home/binary/ /mnt/serv1
/mnt/serv1/
umount:
sudo umount /mnt/serv1
X SSH
... remotely rdesktop vnc rlogin telnet ... ssh
rdesktop vnc ...
... SSH Tunneling:
B!n@ry: SSH ...
ssh -X user@domain.com
domain.com ... user
X Forwarding:
gedit &
gedit
ssh -X user@IP-Address
IP Address ...
gcalctool &
gcalctool ...
... SysAdmin
syslog-ng
sshguard syslog-ng LOGS:
vim /etc/syslog-ng/syslog-ng.conf
# pass only entries with auth+authpriv facilities that contain sshd
filter sshlogs { facility(auth, authpriv) and match("sshd"); };
# pass to this process with this template (avoids <ID> prefixes)
destination sshguardproc {
program("/usr/local/sbin/sshguard"
template("$DATE $FULLHOST $MESSAGE\n"));
};
log { source(src); filter(sshlogs); destination(sshguardproc); };
syslog-ng:
killall -HUP syslog-ng
sudo /etc/init.d/syslog-ng reload
sshguard:
ps ax | grep sshguard
netfilter / iptables
sshguard SSH CHAIN ...:
iptables -N sshguard
SSH Port 22 CHAIN sshguard:
iptables -A INPUT -p tcp --dport 22 -j sshguard
DROP ACCEPT
sshguard SSH BLOCK
SSH DenyHosts
SSH
SSH DenyHosts
Online (BOX)
SSH
Access
SSH CentOS Fedora RHEL:
/var/log/secure
Debian / Ubuntu:
/var/log/auth.log
sudo tail -f /var/log/secure
Python:
python -V
mv /path2/DenyHosts-2.6.tar.gz /usr/share/
cd /usr/share/
tar xvfz DenyHosts-2.6.tar.gz
cd DenyHosts-2.6/
mv denyhosts.cfg-dist denyhosts.cfg
denyhosts.cfg:
vim denyhosts.cfg
WORK_DIR = /usr/share/denyhosts/
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE = sshd
SECURE_LOG = /var/log/secure
DENY_THRESHOLD_INVALID = 2
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 2
LOCK_FILE = /var/lock/subsys/denyhosts
HOSTNAME_LOOKUP=YES
AGE_RESET_VALID=5d
AGE_RESET_INVALID=
AGE_RESET_ROOT=10d
DAEMON_PURGE = 10d
DAEMON_SLEEP = 10m
DAEMON_LOG = /var/log/denyhosts
DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
ADMIN_EMAIL = root@localhost
DenyHosts /usr/share/denyhosts/
hosts.deny IP's
IP 2
BOX 5
BOX
Lock File
Hostname Lookups
- IP's
IP's hosts.deny
10 10 BOX
(root):
python setup.py install
site-packages
IP ssh
hosts.allow:
echo "sshd: 5.5.5.5" >> /etc/hosts.allow
5.5.5.5:
python denyhosts.py
hosts.deny
DenyHosts:
mv daemon-control-dist denyhosts
ln -s /usr/share/denyhosts/denyhosts /etc/init.d/denyhosts
denyhosts:
vim /usr/share/denyhosts/denyhosts
DENYHOSTS_BIN = "/usr/share/denyhosts/denyhosts.py"
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
Port Knocking:
Admin
packets
BLOCK / DROP IP
Port Knock daemon
GW LOG
SCAN rule iptables
7000 5000 3000 LOG
Port Knock (PK)
SSH 22 Knockd
Server
Client
Debug
apt-get install knockd
:
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -F
iptables -t nat -X
iptables -L -n
vi /etc/knockd.conf
[options]
UseSyslog
[opencloseSSH]
sequence = 2222:tcp,3333:tcp,4444:tcp
seq_timeout = 15
tcpflags = syn,ack
start_command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport ssh -j ACCEPT
cmd_timeout = 10
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
vi /etc/default/knockd
START_KNOCKD (0 to 1):
START_KNOCKD=1
Knockd:
/etc/init.d/knockd start
SSH:
/etc/init.d/sshd start
SSH:
ssh 192.168.0.44
SSH ... Client:
knock -v 192.168.0.44 2222 3333 4444
2222 3333 4444 ... knockd
SSH:
ssh 192.168.0.44
iptables -L -n
tcp dpt:22
syslog-ng
iptables
Documentation
Knockd
PortKnocking.org
B!n@ry