
SSH


Contents: SSH Authentication; iptables; Xinetd; X over SSH; sshguard (SSH Brute Force); DenyHosts (SSH); Port Knocking

www.linuxac.org
B!n@ry



SSH (Secure SHell) replaces telnet: telnet sends everything in Clear Text, so a session can be captured by SNIFFING with a tool such as Wireshark, while SSH encrypts the connection with algorithms such as AES (Advanced Encryption Scheme), Triple DES, Blowfish ...
(1) telnet
(2) ssh

SSH Authentication:
Host-Key Authentication: the default, based on the server's Host-Key.
Public-Key Authentication: a Public / Private key pair, the Private key protected by a Passphrase.
Passphrase-Less Authentication: a key with no Passphrase, used for Automated jobs such as cron.
SSH 2002
CentOS Fedora Debian Ubuntu Slackware .
Starting the service on CentOS / Fedora:
/etc/init.d/sshd start
Usage:
/etc/init.d/sshd {start|stop|restart|reload|condrestart|status}
On Debian / Ubuntu:
/etc/init.d/ssh start
Usage:
/etc/init.d/ssh {start|stop|reload|force-reload|restart|try-restart}
restart stops and starts the daemon; reload only re-reads the configuration.

Connecting to a server:
ssh username@ip/domain
For example:
ssh binary@5.5.5.5
On the first connection the server's host key is saved in:
~/.ssh/known_hosts
If the local username is the same as the remote one (binary on both sides), the username can be dropped:
ssh 5.5.5.5
logs in as binary. If the local user is mohamed:
ssh 5.5.5.5
tries to log in as mohamed.
That was Host-Key Authentication. Setting up Public-Key Authentication:
On the CLIENT, as user binary, generate a key pair:
ssh-keygen -t rsa
or:
ssh-keygen -t dsa
Key sizes: 2048bit or 1024bit. For RSA, answer the prompts (ENTER accepts the defaults):
Generating public/private rsa key pair.
Enter file in which to save the key (/home/binary/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/binary/.ssh/id_rsa.
Your public key has been saved in /home/binary/.ssh/id_rsa.pub.
The key fingerprint is:
02:09:09:09:ee:cc:dd:4d:3d:3a:66:ff:ab:df:34:11 binary@binary-zone.com
The fingerprint identifies the key. For user mohamed the key would be stored as /home/mohamed/.ssh/id_rsa. The passphrase protects the private key.
Copy the public key to the server, user binary:
scp ~/.ssh/id_rsa.pub binary@5.5.5.5:.ssh/authorized_keys
On the server it is stored as authorized_keys under /home/binary/.ssh/. Set the permissions on the key files:
chmod 600 /home/binary/.ssh/id_rsa.pub
and:
chmod 400 /home/binary/.ssh/id_rsa
binary now has id_rsa.pub (public) and id_rsa (private).

To accept only Public-Key Authentication, disable password logins in sshd_config on the server:
vim /etc/ssh/sshd_config
Find PasswordAuthentication and set:
PasswordAuthentication no
(save and leave vim with Escape, then :x)
Then restart the service. CentOS / Fedora:
/etc/init.d/sshd restart
Debian / Ubuntu:
/etc/init.d/ssh restart
or just reload. CentOS / Fedora:
/etc/init.d/sshd reload
Debian / Ubuntu:
/etc/init.d/ssh reload
Now connect with the key:
ssh binary@5.5.5.5
The prompt is:
Enter passphrase for key 'id_rsa':
Type the passphrase and press enter.
Passphrase-Less Authentication:
Leave the passphrase empty when generating the key; the login then asks for no passphrase at all.

A second server, IP 6.6.6.6: generate a separate key for it:
ssh-keygen -t rsa -f id_server2
In /home/binary/.ssh there is now id_server2 next to id_rsa. Connect with that key:
ssh -i id_server2 binary@6.6.6.6
and give the passphrase of the key for 6.6.6.6.
To change the passphrase of id_rsa:
ssh-keygen -p -f /home/binary/.ssh/id_rsa
and of id_server2:
ssh-keygen -p -f /home/binary/.ssh/id_server2
Hardening SSH: limit who can reach the daemon at all, either with iptables or with xinetd (hosts.allow / hosts.deny).

iptables:
/sbin/iptables -A INPUT -p tcp -s 5.5.5.5 --dport 22 -j ACCEPT
accepts ssh only from IP 5.5.5.5 (this only restricts anything when the rest of INPUT is dropped).
xinetd:
vim /etc/hosts.allow
add:
sshd: 5.5.5.5: ALLOW
then:
vim /etc/hosts.deny
add:
sshd: ALL : DENY
Only IP 5.5.5.5 may connect. Keep in mind that a source IP can be spoofed, so this is a filter, not a replacement for authentication.


vim /etc/ssh/sshd_config
:
ListenAddress 5.5.5.5
PermitRootLogin no
Protocol 2
AllowUsers binary mohamed
AllowGroups admins
Port 5858
Meaning of each directive:
ListenAddress 5.5.5.5: the daemon listens only on that IP.
PermitRootLogin no: root cannot log in over SSH directly (log in as a normal user, then switch to root).
Protocol 2: accept only SSH-2, not SSH-1.
AllowUsers binary mohamed: only these users may log in.
AllowGroups admins: only members of group admins may log in.
Port 5858: move SSH from 22 to 5858 (update the iptables rule from 22 to 5858 as well).
Before restarting, test the configuration:
`which sshd` -t
No output means the file is valid. This is the basic Hardening of the daemon.
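As an added example (not part of the original guide), a Python check for the hardening directives above. It reads the file the way sshd does: the first occurrence of a directive wins, so a stray earlier PermitRootLogin yes is caught, and directives inside a Match block are not counted as global. The sample config is constructed.

```python
import re

# Hardening values from the sshd_config fragment above, keyed by the
# lower-cased directive name (sshd matches directive names case-insensitively).
EXPECTED = {"permitrootlogin": "no", "passwordauthentication": "no",
            "protocol": "2"}

def parse_sshd_config(text):
    """Return {directive: value} the way sshd reads the file: comments and
    blank lines skipped, 'Key value' or 'Key=value' accepted, the FIRST
    occurrence of a directive wins, and lines inside a Match block are
    ignored here because they apply only conditionally."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = re.split(r"[\s=]+", line, maxsplit=1)
        key = key.lower()
        if key == "match":
            in_match = True
            continue
        if in_match or key in settings:
            continue
        settings[key] = rest[0].strip() if rest else ""
    return settings

def audit_sshd_config(text):
    """List the hardening directives that are missing or weak."""
    settings = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set (sshd default applies)")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', want '{want}'")
    return findings

# Constructed config: a leftover 'PermitRootLogin yes' sits above the hardened
# line, so sshd keeps 'yes'; PasswordAuthentication is only commented out, and
# the copy inside the Match block does not apply globally.
SAMPLE_CONFIG = """\
ListenAddress 5.5.5.5
PermitRootLogin yes   # left over from a test
Protocol 2
AllowUsers binary mohamed
Port 5858
#PasswordAuthentication no
PermitRootLogin no
Match User mohamed
    PasswordAuthentication no
"""
```

Run the audit on /etc/ssh/sshd_config before restarting; `which sshd` -t only checks syntax, not whether the values are the hardened ones.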
Further options, covered later: Port-Knocking (SPA) and DenyHosts. Search (Google) for more on Host-Key Authentication and Public-Key Authentication ...


A client blocked through /etc/hosts.allow and /etc/hosts.deny gets, when it tries SSH:
ssh_exchange_identification: Connection closed by remote host


Per-server client configuration:
Scenario: user binary on serv1 (IP 5.5.5.5, port 22) and user mohamed on serv2 (IP 6.6.6.6, SSH moved from port 22 to 2222). Instead of typing the options each time, keep one config file per server in ~/.ssh/.
For serv1 (key ~/.ssh/serv1, port 22, user binary):
vim ~/.ssh/serv1
contents:
IdentityFile ~/.ssh/serv1
Port 22
User binary
For serv2 (user mohamed):
vim ~/.ssh/serv2
contents:
IdentityFile ~/.ssh/serv2
Port 2222
User mohamed
Connect to serv1 as binary:
ssh -F serv1 5.5.5.5
rather than spelling out the options in ssh serv1 ... Connect to serv2 as mohamed:
ssh -F serv2 6.6.6.6
rather than ssh serv2 ...
On serv2 confirm that the daemon listens on 2222 with netstat:
netstat -a --tcp -p | grep ssh
which lists the ssh listener.
Note: /etc/ssh/ssh_config is the Client configuration; /etc/ssh/sshd_config is the SSH server (daemon) configuration ...

Running a command on the remote host (for example restarting a service, or a backup) with OpenSSH:
ssh binary@5.5.5.5 sudo /etc/init.d/httpd restart
restarts httpd on the server ...
ssh binary@5.5.5.5 tar cvf binary-backup.tar /home/binary
archives /home/binary into binary-backup.tar on the server, in binary's home ...

Adding a comment to a key (to tell keys apart):
ssh-keygen -t rsa -C "binary on serv1"
The public key then ends with the comment:
binary on serv1

Mounting a remote filesystem over SSH (sshfs):
The remote directory is mounted locally like any other filesystem. Create a mount point for serv1:
mkdir /mnt/serv1
sshfs needs fuse-utils and sshfs; install them:
sudo apt-get install fuse-utils sshfs


Check that the fuse module is loaded:
lsmod | grep fuse
If it is not:
modprobe fuse

Mount as user binary (the home directory by default):
sshfs binary@5.5.5.5: /mnt/serv1
or give the remote path explicitly:
sshfs binary@5.5.5.5:/home/binary/ /mnt/serv1
The remote files are now under:
/mnt/serv1/
To unmount:
sudo umount /mnt/serv1

X over SSH
Remote graphical access is usually done with rdesktop, vnc, rlogin or telnet ... with ssh the X application is tunnelled through the encrypted connection (SSH Tunneling / X Forwarding):
ssh -X user@domain.com
logs in as user on domain.com with X Forwarding on. Then:
gedit &
starts gedit on the remote host, displayed locally. Likewise:
ssh -X user@IP-Address
with an IP Address, then:
gcalctool &
runs gcalctool ... very handy for a SysAdmin.

sshguard: blocking SSH Brute Force
sshguard reads the SSH LOG, spots IPs making repeated failed logins, and BLOCKs those IPs in the firewall ... Install:
sudo apt-get install sshguard
The LOGS have to reach sshguard; with syslog-ng, add to its configuration:
vim /etc/syslog-ng/syslog-ng.conf
the following:
# pass only entries with auth+authpriv facilities that contain sshd
filter sshlogs { facility(auth, authpriv) and match("sshd"); };
# pass to this process with this template (avoids <ID> prefixes)
destination sshguardproc {
program("/usr/local/sbin/sshguard"
template("$DATE $FULLHOST $MESSAGE\n"));
};
log { source(src); filter(sshlogs); destination(sshguardproc); };
(check that the program path matches where your package installed sshguard). Make syslog-ng re-read its configuration:
killall -HUP syslog-ng
or:
sudo /etc/init.d/syslog-ng reload
Check that sshguard has been started:
ps ax | grep sshguard
sshguard blocks through netfilter / iptables. Create a CHAIN for it:
iptables -N sshguard
and send the SSH traffic (Port 22) through that CHAIN:
iptables -A INPUT -p tcp --dport 22 -j sshguard
sshguard adds DROP rules for the BLOCKed IPs to that chain; everything else falls through to the rest of your rules (ACCEPT).

DenyHosts for SSH
Any BOX that is Online with SSH reachable gets login attempts ... DenyHosts watches the SSH log and blocks the sources. The SSH log on CentOS / Fedora / RHEL:
/var/log/secure
on Debian / Ubuntu:
/var/log/auth.log
Follow it live:
sudo tail -f /var/log/secure
or:
sudo tail -f /var/log/auth.log
You will see failed logins from many IP's, often a whole IP Range: an Automated Brute Force Attack. DenyHosts deals with that automatically:
DenyHosts can be installed with rpm / yum / apt-get / dpkg or from source; it is written in Python. Here from the source tarball DenyHosts-2.6.tar.gz. Check that Python is available:
python -V
Then move, unpack and prepare the configuration:
mv /path2/DenyHosts-2.6.tar.gz /usr/share/
cd /usr/share/
tar xvfz DenyHosts-2.6.tar.gz
cd DenyHosts-2.6/
mv denyhosts.cfg-dist denyhosts.cfg

Edit denyhosts.cfg and set the important options:
vim denyhosts.cfg
(the rest can stay at the defaults):

WORK_DIR = /usr/share/denyhosts/
HOSTS_DENY = /etc/hosts.deny
BLOCK_SERVICE = sshd
SECURE_LOG = /var/log/secure
DENY_THRESHOLD_INVALID = 2
DENY_THRESHOLD_VALID = 5
DENY_THRESHOLD_ROOT = 2
LOCK_FILE = /var/lock/subsys/denyhosts
HOSTNAME_LOOKUP=YES
AGE_RESET_VALID=5d
AGE_RESET_INVALID=
AGE_RESET_ROOT=10d
DAEMON_PURGE = 10d
DAEMON_SLEEP = 10m
DAEMON_LOG = /var/log/denyhosts
DAEMON_LOG_TIME_FORMAT = %b %d %H:%M:%S
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
ADMIN_EMAIL = root@localhost


What the settings mean:
WORK_DIR: the directory DenyHosts works in, /usr/share/denyhosts/.
HOSTS_DENY: the file blocked IP's are written to, hosts.deny.
BLOCK_SERVICE: the service to block, sshd. SECURE_LOG: the SSH log, /var/log/secure on RHEL, Fedora, CentOS (auth.log on Debian / Ubuntu, see above).
DENY_THRESHOLD_INVALID: an IP is blocked after 2 failed attempts with a user that does not exist on the BOX.
DENY_THRESHOLD_VALID: 5 failed attempts with a user that does exist on the BOX.
DENY_THRESHOLD_ROOT: 2 failed attempts as root (root should not be logging in over SSH anyway, see PermitRootLogin above).
LOCK_FILE: the Lock File that keeps a second copy from running.
HOSTNAME_LOOKUP: look up the hostname of each blocked IP.
AGE_RESET_VALID / AGE_RESET_INVALID / AGE_RESET_ROOT: after how long an IP's failure count is reset (10 days for root).
DAEMON_PURGE: entries older than 10 days are purged from hosts.deny.
DAEMON_SLEEP: the daemon re-reads the log every 10 minutes.
DAEMON_LOG / DAEMON_LOG_TIME_FORMAT: the daemon's own log and its time format.
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS / ADMIN_EMAIL: report suspicious logins from allowed hosts to root@localhost.
Install it (as root):
python setup.py install
which places the modules in site-packages. Before the first run, whitelist your own IP for ssh in hosts.allow so DenyHosts can never lock you out:
echo "sshd: 5.5.5.5" >> /etc/hosts.allow
with 5.5.5.5 being your own address. Run it once:
python denyhosts.py
and check hosts.deny for the blocked entries.
Running DenyHosts as a daemon:
mv daemon-control-dist denyhosts
Link it into the init scripts:
ln -s /usr/share/denyhosts/denyhosts /etc/init.d/denyhosts
Edit the denyhosts script:
vim /usr/share/denyhosts/denyhosts
and set the paths:
DENYHOSTS_BIN = "/usr/share/denyhosts/denyhosts.py"
DENYHOSTS_LOCK = "/var/lock/subsys/denyhosts"
DENYHOSTS_CFG = "/usr/share/denyhosts/denyhosts.cfg"
DENYHOSTS_LOCK must match the Lock File (LOCK_FILE) in denyhosts.cfg. Enable it at boot (RHEL, Fedora, CentOS):
chkconfig denyhosts --add
then:
chkconfig denyhosts on
(on Debian / Ubuntu use update-rc.d; see Exp1r3d's HowTo: Control Startup Services). Start it:
/etc/init.d/denyhosts start
From now on DenyHosts checks the log every 10 minutes and blocks the IPs hammering the BOX over SSH.

Port Knocking
The idea ... from the outside every port is closed (DROP), so a SCAN of the machine shows nothing and BLOCKed IPs get no answer at all ... The Admin who wants in sends packets to a secret sequence of closed ports (say 3000, 5000, 7000); an iptables LOG rule on the gateway (GW) writes each attempt to the LOG; a Port Knock daemon (PK) watching the LOG recognises the sequence and opens SSH (port 22) for that IP only ... Knockd is one such daemon; the setup below uses it with SSH on 22.

Three parts: Server, Client, Debug.
Install:
apt-get install knockd
Reset iptables and drop everything by default (do this from the console, not over SSH, since it cuts off the SSH session):
iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -F
iptables -t nat -X
Check:
iptables -L -n
Configure knockd:
vi /etc/knockd.conf
[options]
UseSyslog
[opencloseSSH]
sequence = 2222:tcp,3333:tcp,4444:tcp
seq_timeout = 15
tcpflags = syn,ack
start_command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport ssh -j ACCEPT
cmd_timeout = 10
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
sequence: knock tcp ports 2222, 3333, 4444 in that order within seq_timeout (15 seconds); start_command inserts an ACCEPT rule for the knocking %IP% on the ssh port; after cmd_timeout (10 seconds) stop_command removes it again. Enable the daemon:
vi /etc/default/knockd
and change START_KNOCKD from 0 to 1:
START_KNOCKD=1
Start Knockd:
/etc/init.d/knockd start
and SSH:
/etc/init.d/sshd start

Test from the client ... at first SSH is refused:
ssh 192.168.0.44
Now knock from the Client (knock is the client from the knockd package):
knock -v 192.168.0.44 2222 3333 4444
knockd sees the sequence 2222 3333 4444 and opens SSH for this client:
ssh 192.168.0.44
now works ... On the server:
iptables -L -n
shows:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.44         0.0.0.0/0            tcp dpt:22

the rule that opens port 22 for the knocking IP ... SSH is open only for it.
To close it again, knock in reverse:
knock -v 192.168.0.44 4444 3333 2222
and knockd removes the rule ... (with the configuration above no separate closing sequence is defined, so it is the cmd_timeout that takes the rule away again) ...

References:
syslog-ng
iptables
Knockd Documentation
PortKnocking.org
... B!n@ry
