Title: Linux Security: OS & Service Level Security in Linux Part-1

SSH Server security

About SSH Server:

An SSH server is a program that uses the Secure Shell protocol to accept connections from remote computers. SFTP/SCP file transfers and remote terminal sessions are the most common uses of an SSH server.
Embedded Security With SSH
Service: sshd
Port : 22
Config File: /etc/ssh/sshd_config
———————————————————————-
Changing default port
Everybody knows that ssh works on port 22 and that the root user is able to log in by default. To change the port, open the config file:
# vi /etc/ssh/sshd_config
#Port 22 <– default port; leave it commented and add the new value below
Port 6987
ListenAddress 192.168.1.254:6987  <— binds sshd to port 6987 on IP 192.168.1.254 only (the keyword is ListenAddress, not Listen Port)

Disable root login
With this setting root cannot log in over ssh directly; we connect as another user and then switch to root. Search for
PermitRootLogin
in the config file and modify it:
#PermitRootLogin yes
PermitRootLogin no   <— modify here, then allow only certain users to log in through ssh
AllowUsers vikas prabhat   <— add this line
UsePAM  yes
Banner /etc/issue.net    <– always set a banner; Banner takes the path of a file whose text is shown before login to warn users against unauthorised use
#LoginGraceTime 2m   <— the login grace time is 2 minutes by default; we can reduce it
#MaxAuthTries 6   <– maximum password retries; 6 is the default, 3 is ideal
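Before restarting sshd it is worth checking that every setting above actually took effect, since a typo or a leftover commented line silently leaves the default in place. The script below is an added example written for this article, not code from the original post: it audits an sshd_config text for the settings discussed above (Port, PermitRootLogin, AllowUsers, Banner, MaxAuthTries, LoginGraceTime) using plain POSIX sh and awk. The two sample configs are constructed, and the thresholds of 3 tries and 60 seconds are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config text for the
# hardening settings discussed above. First uncommented occurrence of a keyword
# wins, as in sshd itself. Thresholds (3 tries, 60 s) are this example's choice.

# Constructed sample configs (not real server files).
SAMPLE_HARDENED='Port 6987
ListenAddress 192.168.1.254:6987
PermitRootLogin no
AllowUsers vikas prabhat
UsePAM yes
Banner /etc/issue.net
LoginGraceTime 30
MaxAuthTries 3'

SAMPLE_DEFAULT='#Port 22
#PermitRootLogin yes
#LoginGraceTime 2m
#MaxAuthTries 6
UsePAM yes'

# sshd_value CONFIG_TEXT KEYWORD -> effective value of KEYWORD (case-insensitive);
# commented lines are skipped; prints nothing when the keyword is unset.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" \
        'tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# seconds_of 2m -> 120; accepts the s/m/h suffixes sshd understands.
seconds_of() {
    case $1 in
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}

# audit_sshd_config CONFIG_TEXT -> one line per finding, nothing when all pass.
audit_sshd_config() {
    cfg=$1
    port=$(sshd_value "$cfg" Port)
    [ -n "$port" ] && [ "$port" != 22 ] || echo "Port: still the default 22"

    root=$(sshd_value "$cfg" PermitRootLogin)
    [ "$root" = no ] || echo "PermitRootLogin: '${root:-unset}' (expected no)"

    [ -n "$(sshd_value "$cfg" AllowUsers)" ] || echo "AllowUsers: no user allow-list"

    banner=$(sshd_value "$cfg" Banner)
    [ -n "$banner" ] && [ "$banner" != none ] || echo "Banner: no banner file"

    tries=$(sshd_value "$cfg" MaxAuthTries)
    case $tries in
        ''|*[!0-9]*) echo "MaxAuthTries: unset (default 6); set it to 3" ;;
        *) [ "$tries" -le 3 ] || echo "MaxAuthTries: $tries is above 3" ;;
    esac

    grace=$(sshd_value "$cfg" LoginGraceTime)
    if [ -z "$grace" ]; then
        echo "LoginGraceTime: unset (default 2m); lower it"
    elif [ "$(seconds_of "$grace")" -gt 60 ]; then
        echo "LoginGraceTime: $grace is above 60s"
    fi
    return 0
}

# sshd_finding_count CONFIG_TEXT -> number of findings (0 means clean).
sshd_finding_count() {
    audit_sshd_config "$1" | awk 'END { print NR }'
}

# Stand-alone demonstration on the constructed configs.
echo "Findings for the default-style config:"
audit_sshd_config "$SAMPLE_DEFAULT"
echo "Hardened config findings: $(sshd_finding_count "$SAMPLE_HARDENED")"
```

To run it against a live file, pass the file's contents: `audit_sshd_config "$(cat /etc/ssh/sshd_config)"`. Settings inside `Match` blocks are not handled here; those apply only to the matched users or addresses.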

/etc/nologin

Create this file to disallow user logins and to notify users when a system will be unavailable for an extended period because of a shutdown or routine maintenance.
If a user attempts to log in to a system where this file exists, the contents of the nologin file are displayed and the login is terminated. Superuser logins are not affected.
This file does not exist by default; we have to create it. A blank file is enough to stop all non-root users from logging in. It does not affect non-root users who are already logged in.

Secure terminal in Linux : /etc/securetty

# vi /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
#tty5   <—-modified  line 
tty6
tty7
tty8
tty9
tty10
tty11
root can log in on every terminal by default; if we comment out a line in /etc/securetty, #tty5 for example, root can no longer log in on that terminal.
Note: /etc/securetty and /etc/nologin are enforced by PAM. If the /etc/nologin file is created, the pam_nologin module denies local login to all non-root users. As you can see in the third line of /etc/pam.d/login, the pam_securetty module checks /etc/securetty for the terminals on which root may log in; if a terminal is not listed in this file, pam_securetty denies root login on that terminal.
# vi /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session optional pam_ck_connector.so
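The two modules interact in a way that is easy to get wrong: pam_securetty restricts only root, pam_nologin restricts only non-root users, and they run in the order the listing shows (auth first, then account). The script below is an added example written for this article, not the PAM modules' code or anything from the original post; it reproduces both decisions on constructed files so the behaviour of /etc/nologin and /etc/securetty (sections above) can be tried without touching the host's own files. The file paths are parameters, which is the assumption that makes it safe to run anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce, on constructed files,
# the decisions pam_securetty and pam_nologin make for a local login, in the
# order /etc/pam.d/login calls them (auth: securetty, then account: nologin).
# The real modules read /etc/securetty and /etc/nologin; here the paths are
# parameters so nothing on the host is touched.

# tty_in_securetty TTY FILE -> true when TTY is an uncommented line of FILE
tty_in_securetty() {
    grep -v '^#' "$2" | grep -qx "$1"
}

# login_decision USER TTY SECURETTY_FILE NOLOGIN_FILE
# prints ALLOW, DENY:pam_securetty or DENY:pam_nologin
login_decision() {
    user=$1 tty=$2 securetty=$3 nologin=$4
    # pam_securetty restricts root only, and only when the file exists
    if [ "$user" = root ] && [ -f "$securetty" ] && ! tty_in_securetty "$tty" "$securetty"; then
        echo "DENY:pam_securetty"
        return 0
    fi
    # pam_nologin turns every non-root user away while the file exists and
    # shows the file's text (sent to stderr here) before ending the login
    if [ "$user" != root ] && [ -e "$nologin" ]; then
        cat "$nologin" >&2
        echo "DENY:pam_nologin"
        return 0
    fi
    echo ALLOW
}

# Stand-alone demonstration with a constructed securetty (tty5 commented out)
# and a constructed nologin notice.
demo_dir=$(mktemp -d)
printf 'console\nvc/1\ntty1\n#tty5\ntty6\n' > "$demo_dir/securetty"
printf 'System down for maintenance until 18:00\n' > "$demo_dir/nologin"
for who in root vikas; do
    for term in tty1 tty5; do
        printf '%-6s on %-5s: %s\n' "$who" "$term" \
            "$(login_decision "$who" "$term" "$demo_dir/securetty" "$demo_dir/nologin")"
    done
done
rm -rf "$demo_dir"
```

The demonstration prints four combinations: root is allowed on tty1 and denied on tty5 regardless of the nologin file, while vikas is denied on both terminals only because the nologin file exists.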

VSFTPD Server Security

About vsftpd server:
vsftpd, (or very secure FTP daemon), is an FTP server for Unix-like systems, including Linux.
Service:  vsftpd
Port: 20/21
Config File: /etc/vsftpd/vsftpd.conf
————————————————–
Embedded Security with vsftpd server
The security options are already present in the config file:
pam_service_name=vsftpd
userlist_enable=YES <– controlled by /etc/vsftpd/userlist
tcp_wrappers=YES  <– controlled by /etc/hosts.allow and /etc/hosts.deny
Go to /etc/vsftpd and open the user list:
# vi /etc/vsftpd/userlist
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
———————————————————-
Modify /etc/vsftpd/vsftpd.conf at the bottom of the file:
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO  <— place this line here
tcp_wrappers=YES
Note: userlist_deny=NO here means that only the users listed in /etc/vsftpd/userlist are allowed, so we modify the list like this:
# vi /etc/vsftpd/userlist
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
#root
#bin
#daemon
#adm
#lp
#sync
#shutdown
#halt
#mail
#news
#uucp
#operator
#games
#nobody
vikas    <—– comment out all the existing entries and add these two lines
prabhat
This means that only users prabhat and vikas can use the ftp service now; all other users are denied. (By default all users are allowed except root.)
Other security options
anonymous_enable=YES
local_enable=YES
anon_mkdir_write_enable=YES
We can control ftp with these lines, for example enabling or disabling anonymous ftp (ftp access without a username and password) and whether anonymous users may create directories.
——————————————————————————-

Disable Linux FTP User Account

If you have a vsftpd server, add the user to the /etc/vsftpd/ftpusers file:
# /etc/vsftpd/ftpusers
gopal
shahzad
This will prevent users gopal and shahzad from using the ftp service.
————————————————————————–
Deny uploading files to ftp share
deny_file={*.mp3,*.wma,*.rpm,*.private,*.text}
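The userlist_deny switch inverts the meaning of the same file, and the PAM ftpusers check applies on top of it, which is the usual source of "why can this user still log in" surprises. The script below is an added example written for this article, not vsftpd's own code or anything from the original post; it reproduces the login decision for userlist_enable / userlist_deny / ftpusers on constructed list files (covering the userlist section and the ftpusers section above) and also matches file names against the deny_file value given above. The list file paths are parameters, so nothing on the host is read.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce, on constructed files,
# the login decision vsftpd makes from userlist_enable / userlist_deny and the
# ftpusers file refused by its PAM service, plus the deny_file pattern match.
# The userlist and ftpusers paths are parameters; nothing on the host is read.

# listed USER FILE -> true when USER is an uncommented line of FILE
listed() {
    [ -f "$2" ] && grep -v '^#' "$2" | grep -qx "$1"
}

# ftp_login_decision USER USERLIST_ENABLE USERLIST_DENY USERLIST_FILE FTPUSERS_FILE
ftp_login_decision() {
    user=$1 enable=$2 deny=$3 userlist=$4 ftpusers=$5
    # userlist_enable=YES: the list is consulted before any password prompt
    if [ "$enable" = YES ]; then
        if [ "$deny" = NO ]; then
            # allow-list: only names in the file may continue
            listed "$user" "$userlist" || { echo "DENY:userlist (not in allow list)"; return 0; }
        elif listed "$user" "$userlist"; then
            # deny-list (the default): names in the file are refused outright
            echo "DENY:userlist (in deny list, no password prompt)"
            return 0
        fi
    fi
    # pam_service_name=vsftpd: the stock PAM config also refuses anyone in ftpusers
    if listed "$user" "$ftpusers"; then
        echo "DENY:ftpusers"
        return 0
    fi
    echo ALLOW
}

# deny_file value exactly as given in the post
DENY_FILE='{*.mp3,*.wma,*.rpm,*.private,*.text}'

# upload_denied NAME [DENY_FILE_VALUE] -> true when NAME matches any pattern.
# Braces and commas are split by hand, so no bash brace expansion is needed.
upload_denied() {
    name=$1
    patterns=$(printf '%s\n' "${2:-$DENY_FILE}" | tr -d '{}')
    old_ifs=$IFS
    IFS=,
    set -f                       # no globbing while the patterns are split
    for pat in $patterns; do
        case $name in
            $pat) IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs
    set +f
    return 1
}

# Stand-alone demonstration with constructed list files
demo_dir=$(mktemp -d)
printf 'root\nbin\ndaemon\n' > "$demo_dir/ftpusers"
printf '# vsftpd userlist\nvikas\nprabhat\n' > "$demo_dir/userlist"
for who in vikas gopal root; do
    printf 'userlist_deny=NO  %-6s: %s\n' "$who" \
        "$(ftp_login_decision "$who" YES NO "$demo_dir/userlist" "$demo_dir/ftpusers")"
    printf 'userlist_deny=YES %-6s: %s\n' "$who" \
        "$(ftp_login_decision "$who" YES YES "$demo_dir/userlist" "$demo_dir/ftpusers")"
done
for f in song.mp3 notes.private report.pdf; do
    if upload_denied "$f"; then echo "$f: upload denied"; else echo "$f: upload allowed"; fi
done
rm -rf "$demo_dir"
```

Note that root is refused in both modes: with userlist_deny=NO it is absent from the allow list, and with userlist_deny=YES the ftpusers file still catches it, which is why the post says all users are allowed by default except root.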
—————————————————————————
Bind vsftpd to a specific interface IP for FTP requests
listen_address=192.168.0.254   <— vsftpd binds to one IP address per instance; to serve 192.168.0.251 as well, run a second instance with its own config file
—————————————————————————–
Change the default port (20, 21) to a specific port like 2121
listen_port=2121
——————————————————————————-
Place the FTP Directory on its Own Partition
Separating the operating system files from the FTP users' files results in a better and more secure system, and the growth of the FTP file system can then be limited with the usual techniques. For example, use a /ftp partition to store all ftp home directories and mount it with the nosuid, nodev and noexec options. A sample /etc/fstab entry:
/dev/sda5  /ftp          ext3    defaults,nosuid,nodev,noexec,usrquota 1 2
—————————————————————————
To lock down local users to their home directories:
chroot_local_user=YES   <— YES confines each local user to their home directory; the default NO lets them browse the whole filesystem
——————————————————————
You can show a warning banner to all FTP users by defining the path to a banner file:
banner_file=/etc/vsftpd/banner
and writing your own banner text in that file.
