SSH Server security
About SSH Server:
An SSH server is a program that uses the Secure Shell protocol to accept connections from remote computers. Remote terminal sessions and SFTP/SCP file transfers are the usual reasons to run one. This page covers hardening the OpenSSH daemon (sshd) that ships with most Linux distributions.
Embedded Security With SSH
Service: sshd
Port : 22 (TCP)
Config File: /etc/ssh/sshd_config
———————————————————————-
Changing default port
Everybody knows that ssh listens on port 22 and that root can log in by default, so those are the first two things an automated scanner tries. To change the port, open the config file
# vi /etc/ssh/sshd_config
#Port 22 <– default, change it
Port 6987
ListenAddress 192.168.1.254:6987 <– bind only to IP 192.168.1.254 on port 6987 (the keyword is ListenAddress, not "Listen Port"; without it sshd listens on every interface)
After editing, restart sshd and open the new port in the firewall (and, where SELinux is enforcing, label it with semanage port -a -t ssh_port_t -p tcp 6987), otherwise you lock yourself out. Moving the port only cuts the log noise from scanners; it is not a substitute for the settings below.
Disable root login
With this set, root cannot log in over ssh at all; administrators log in as an ordinary user and then switch to root with su or sudo, which leaves an audit trail naming the real person. Search for
PermitRootLogin
in the config file and modify
#PermitRootLogin yes
PermitRootLogin no <– modify here, then allow only specific users to log in through ssh
AllowUsers vikas prabhat <– add this line (space-separated list; anyone not listed is refused even with a valid password)
UsePAM yes
Banner /etc/issue.net <– always show a banner warning users against unauthorised use; Banner takes the path of a text file, not the text itself
#LoginGraceTime 2m <– time allowed to finish authenticating, 2 minutes by default; reduce it (for example to 30) so half-open connections are dropped sooner
#MaxAuthTries 6 <– maximum authentication attempts per connection, 6 is the default; 3 is a sensible value
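The settings above are usually applied by hand with vi. The script below is an added example, not part of the original page: it applies the same settings to a copy of sshd_config idempotently (replacing a commented or active line instead of appending a duplicate), reads back the effective value of each keyword the way sshd does (first active occurrence wins), and runs sshd -t on the result when sshd is installed. The port, address and user names are the page's own; the sample config it writes and the banner path /etc/issue.net are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): idempotently apply the sshd_config
# settings discussed above to a copy of the file, then read back the effective
# values. Port, ListenAddress and AllowUsers values are the page's own; the
# sample config and the Banner path /etc/issue.net are assumptions.
#
# Caveat: this rewriter does not understand "Match" blocks; a keyword that
# appears after a Match line applies only to that block, so keep these global
# settings above any Match section.

set -eu

# Replace the first active or commented "Key value" line, drop any later
# duplicates, and append the setting if the keyword is absent.
sshd_set_option() {
    conf=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        {
            k = $0
            sub(/^[ \t]*#?[ \t]*/, "", k)        # strip leading "#" and spaces
            split(k, parts, /[ \t=]+/)           # keyword is the first token
            if (tolower(parts[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"        # keep the original inode and permissions
    rm -f "$tmp"
}

# Print the effective value of a keyword: sshd uses the first active
# occurrence, so that is what we report.
sshd_get_option() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        NF > 0 && tolower($1) == tolower(key) { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

harden_sshd_config() {
    conf=$1
    sshd_set_option "$conf" Port 6987
    sshd_set_option "$conf" ListenAddress 192.168.1.254:6987
    sshd_set_option "$conf" PermitRootLogin no
    sshd_set_option "$conf" AllowUsers "vikas prabhat"
    sshd_set_option "$conf" UsePAM yes
    sshd_set_option "$conf" Banner /etc/issue.net
    sshd_set_option "$conf" LoginGraceTime 30
    sshd_set_option "$conf" MaxAuthTries 3
}

# Syntax-check with sshd itself when it is installed; never reload a broken config.
validate_sshd_config() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping syntax check" >&2
    fi
}

# Constructed stock-style sshd_config used as sample input.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# Sample sshd_config (constructed for this example)
#Port 22
#ListenAddress 0.0.0.0
#PermitRootLogin yes
#LoginGraceTime 2m
#MaxAuthTries 6
UsePAM yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Demo run on a scratch copy; on a real host use /etc/ssh/sshd_config, then
# restart sshd and open port 6987 in the firewall / SELinux port labels.
sample=$(mktemp)
write_sample_sshd_config "$sample"
harden_sshd_config "$sample"
validate_sshd_config "$sample" || true
cat "$sample"
rm -f "$sample"
```

Running it twice produces a byte-identical file, which is what makes it safe to re-run from configuration management; the commented stock lines such as "#Port 22" are replaced in place, so the resulting file still reads like the original.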
/etc/nologin
Create this file to disallow user logins and notify users when the system will be unavailable for an extended period because of a shutdown or routine maintenance.
If a user attempts to log in while this file exists, its contents are displayed and the login is refused. Root is not affected.
The file does not exist by default; create it (it may be empty, but a one-line message telling users when to come back is more useful). It blocks every non-root user from logging in, locally and over ssh, but does not affect non-root users who are already logged in. Remember to delete it when maintenance is over.
Secure terminal in Linux : /etc/securetty
# vi /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
#tty5 <—-modified line
tty6
tty7
tty8
tty9
tty10
tty11
By default root can log in on every terminal listed here. Commenting out an entry, #tty5 in the example, stops root from logging in on that terminal (an ordinary user can still log in there and then use su). Deleting the file altogether does not tighten anything: recent versions of pam_securetty simply succeed when /etc/securetty is absent.
Note: /etc/securetty and /etc/nologin are both enforced by PAM (the files under /etc/pam.d). When /etc/nologin exists, the pam_nologin module denies every non-root user a local login. The first auth line of /etc/pam.d/login loads pam_securetty, which reads /etc/securetty to find out on which terminals root may log in; if the terminal is not listed, root is refused on it. The account line loads pam_nologin.
# vi /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session optional pam_ck_connector.so
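The two mechanisms above (/etc/nologin and /etc/securetty) only work if the PAM service file still loads pam_nologin and pam_securetty, so it is worth checking all three together. The script below is an added example, not from the original page: it audits a securetty file, a nologin file and a PAM login file, can comment a terminal out of securetty, and puts the system into and out of maintenance mode. The paths are parameters so it runs here against constructed scratch copies that mirror the listings above; on a real host pass /etc/securetty, /etc/nologin and /etc/pam.d/login (as root).

```shell
#!/bin/sh
# Added example (not from the original page): audit and adjust the local
# console-login controls described above: /etc/nologin, /etc/securetty and the
# PAM modules that enforce them. File paths are parameters so it can be run
# against scratch copies; on a real host point them at /etc/securetty,
# /etc/nologin and /etc/pam.d/login.

set -eu

# 0 if TTY is listed (uncommented) in the securetty file, i.e. root may log in there.
securetty_allows() {
    grep -qx "$2" "$1"
}

# Comment out TTY so root can no longer log in on it (no-op if already absent).
securetty_disallow() {
    tmp=$(mktemp)
    awk -v tty="$2" '$0 == tty { print "#" $0; next } { print }' "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# 0 if the PAM service file has an active (non-comment) line loading MODULE.
pam_uses_module() {
    grep -v '^[[:space:]]*#' "$1" | grep -q "[[:space:]]$2"
}

# Maintenance mode: non-root logins are refused and shown MESSAGE. Sessions that
# already exist are not affected; root still gets in on a listed terminal.
nologin_begin()  { printf '%s\n' "$2" > "$1"; }
nologin_end()    { rm -f "$1"; }
nologin_active() { [ -e "$1" ]; }

# Constructed samples mirroring the listings on this page (tty5 commented out).
write_sample_securetty() {
    { echo console
      i=1; while [ $i -le 11 ]; do echo "vc/$i"; i=$((i+1)); done
      i=1; while [ $i -le 11 ]; do echo "tty$i"; i=$((i+1)); done; } > "$1"
    securetty_disallow "$1" tty5
}
write_sample_pam_login() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
EOF
}

# Report whether the PAM hooks are present, where root may log in, and
# whether non-root logins are currently blocked.
audit_local_login() {
    securetty=$1; nologin=$2; pamlogin=$3
    pam_uses_module "$pamlogin" pam_securetty.so \
        && echo "pam_securetty active: root limited to terminals in $securetty" \
        || echo "WARNING: pam_securetty not in $pamlogin; securetty is not enforced"
    pam_uses_module "$pamlogin" pam_nologin.so \
        && echo "pam_nologin active: $nologin will block non-root logins" \
        || echo "WARNING: pam_nologin not in $pamlogin; $nologin is ignored"
    for t in tty1 tty5 tty6; do
        securetty_allows "$securetty" "$t" && echo "root login on $t: allowed" \
                                          || echo "root login on $t: denied"
    done
    nologin_active "$nologin" && echo "non-root logins: blocked ($(cat "$nologin"))" \
                              || echo "non-root logins: allowed"
}

dir=$(mktemp -d)
write_sample_securetty "$dir/securetty"
write_sample_pam_login "$dir/login"
nologin_begin "$dir/nologin" "System down for maintenance until 06:00, do not log in."
audit_local_login "$dir/securetty" "$dir/nologin" "$dir/login"
nologin_end "$dir/nologin"
rm -rf "$dir"
```

The WARNING branches are the interesting ones: a securetty file that nobody reads because pam_securetty was dropped from the login stack gives a false sense of control, and that is exactly what an audit should catch.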
VSFTPD Server Security
About vsftpd server:
vsftpd (very secure FTP daemon) is an FTP server for Unix-like systems, including Linux.
Service: vsftpd
Port: 21 (control) and 20 (active-mode data), TCP
Config File: /etc/vsftpd/vsftpd.conf
————————————————–
Embedded Security with vsftpd server
The security options are already present in the config file:
pam_service_name=vsftpd <– PAM service file /etc/pam.d/vsftpd, which also checks /etc/vsftpd/ftpusers
userlist_enable=YES <– controlled by /etc/vsftpd/user_list
tcp_wrappers=YES <– controlled by /etc/hosts.allow and /etc/hosts.deny (only if vsftpd was built with tcp_wrappers support; recent distributions have dropped it)
go to /etc/vsftpd
# vi /etc/vsftpd/user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
root
bin
daemon
adm
lp
sync
shutdown
halt
mail
news
uucp
operator
games
nobody
———————————————————-
modify /etc/vsftpd/vsftpd.conf at the bottom of the file
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO <– add this line here
tcp_wrappers=YES
Note: userlist_deny=NO means that only users named in /etc/vsftpd/user_list may log in, so the file has to be turned from a deny list into an allow list, like this
# vi /etc/vsftpd/user_list
# vsftpd userlist
# If userlist_deny=NO, only allow users in this file
# If userlist_deny=YES (default), never allow users in this file, and
# do not even prompt for a password.
# Note that the default vsftpd pam config also checks /etc/vsftpd/ftpusers
# for users that are denied.
#root
#bin
#daemon
#adm
#lp
#sync
#shutdown
#halt
#mail
#news
#uucp
#operator
#games
#nobody
vikas <– comment out all the system accounts and add these two lines
prabhat
This means that only users vikas and prabhat can use the FTP service now; every other user is denied. (With the stock settings, userlist_deny=YES, the file works the other way round: the accounts listed in it, root and the system accounts, are refused before a password is even asked for, and everyone else is allowed.)
Other Securities
anonymous_enable=YES
local_enable=YES
anon_mkdir_write_enable=YES
These lines control anonymous FTP (logins as "anonymous" or "ftp" with no real password) and logins by local accounts. Unless an anonymous download area is genuinely required, set anonymous_enable=NO; if it is required, keep anon_mkdir_write_enable=NO and anon_upload_enable=NO so anonymous clients cannot write anything to the server.
——————————————————————————-
Disable Linux FTP User Account
If you run vsftpd, add the user to /etc/vsftpd/ftpusers, the deny file that the vsftpd PAM service checks with pam_listfile:
# vi /etc/vsftpd/ftpusers
gopal
shahzad
This prevents users gopal and shahzad from using the FTP service, regardless of what user_list says.
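Because user_list (with userlist_deny) and ftpusers (via PAM) are consulted at different stages, it is easy to misjudge who can actually log in. The script below is an added example, not from the original page or the vsftpd project: it models vsftpd's decision order for a given user against a vsftpd.conf, a user_list and an ftpusers file, using constructed copies of the files shown on this page. The tcp_wrappers layer (hosts.allow / hosts.deny) is not modelled.

```shell
#!/bin/sh
# Added example (not from the original page): model the login decision vsftpd
# makes from userlist_enable / userlist_deny, /etc/vsftpd/user_list and the
# /etc/vsftpd/ftpusers deny file that the stock PAM service applies via
# pam_listfile. Sample files are constructed below; the user names are the
# page's own. Paths are parameters so it runs against scratch copies.

set -eu

# Value of KEY in a key=value vsftpd.conf (last active occurrence wins, as in vsftpd).
vsftpd_get_option() {
    awk -F= -v key="$2" '/^[ \t]*#/ { next } $1 == key { v = $2 } END { print v }' "$1"
}

# Apply vsftpd's rules in order and print the verdict: "allowed" or "denied: <why>".
# Usage: vsftpd_user_verdict CONF USER_LIST FTPUSERS USER
vsftpd_user_verdict() {
    conf=$1; user_list=$2; ftpusers=$3; user=$4
    if [ "$user" = anonymous ] || [ "$user" = ftp ]; then
        [ "$(vsftpd_get_option "$conf" anonymous_enable)" = YES ] \
            && echo allowed || echo "denied: anonymous_enable is not YES"
        return
    fi
    if [ "$(vsftpd_get_option "$conf" userlist_enable)" = YES ]; then
        in_list=no; grep -qx "$user" "$user_list" && in_list=yes
        if [ "$(vsftpd_get_option "$conf" userlist_deny)" = NO ]; then
            # allow-list mode: only names in user_list get as far as a password prompt
            [ $in_list = yes ] || { echo "denied: not in user_list (userlist_deny=NO)"; return; }
        else
            # stock deny-list mode: names in user_list are refused before any password
            [ $in_list = no ] || { echo "denied: listed in user_list (userlist_deny=YES)"; return; }
        fi
    fi
    # PAM stage: pam_listfile refuses anyone named in ftpusers
    grep -qx "$user" "$ftpusers" && { echo "denied: listed in ftpusers (pam_listfile)"; return; }
    [ "$(vsftpd_get_option "$conf" local_enable)" = YES ] \
        && echo allowed || echo "denied: local_enable is not YES"
}

# Constructed samples: the allow-list setup this page ends up with.
write_samples() {
    sd=$1
    cat > "$sd/vsftpd.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
pam_service_name=vsftpd
userlist_enable=YES
userlist_deny=NO
tcp_wrappers=YES
EOF
    printf '%s\n' vikas prabhat > "$sd/user_list"   # allow-list, as configured above
    printf '%s\n' gopal shahzad > "$sd/ftpusers"    # PAM deny file
}

dir=$(mktemp -d)
write_samples "$dir"
for u in vikas prabhat gopal root anonymous; do
    printf '%-10s %s\n' "$u" \
        "$(vsftpd_user_verdict "$dir/vsftpd.conf" "$dir/user_list" "$dir/ftpusers" "$u")"
done
rm -rf "$dir"
```

The verdict strings name the layer that refused the user, which is the detail you need when a colleague reports "FTP says login incorrect" and the password is fine: a user_list refusal happens before the password is read, an ftpusers refusal after it.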
————————————————————————–
Deny access to certain files on the FTP share
deny_file={*.mp3,*.wma,*.rpm,*.private,*.text}
Any attempt to download, upload or otherwise touch a file whose name matches one of these patterns is refused. The files are not hidden (hide_file does that), and the vsftpd manual itself warns that this is a simple name match, not real access control; rely on filesystem permissions first. To forbid all uploads by local users, set write_enable=NO instead.
—————————————————————————
Bind the FTP service to one interface IP
listen_address=192.168.0.254
listen_address accepts exactly one address; with two on the line vsftpd refuses to start. To serve a second interface, run a second vsftpd instance with its own config file. Without this line vsftpd listens on every interface.
—————————————————————————–
Change the default port (21) to a specific port like 2121
listen_port=2121
This moves only the control connection. In active mode the data connection still originates from port 20 (connect_from_port_20=YES, ftp_data_port), and in passive mode the client connects to a port between pasv_min_port and pasv_max_port, which is what the firewall must allow.
——————————————————————————-
Place the FTP Directory on its Own Partition
Keeping the FTP users' files apart from the operating system files gives a safer system: a full FTP partition cannot fill / and stop logging, and the mount options stop uploaded files from doing harm. For example, use a /ftp partition to hold all FTP home directories and mount it with nosuid, nodev and noexec, so an uploaded setuid binary, device node or executable is useless there. A sample /etc/fstab entry:
/dev/sda5 /ftp ext3 defaults,nosuid,nodev,noexec,usrquota 1 2
—————————————————————————
To lock down users to their home directories:
chroot_local_user=YES
NO is the default and leaves users free to browse the whole filesystem; YES chroots each local user into their home directory after login. Newer vsftpd versions refuse the login if that directory is writable by the user ("vsftpd: refusing to run with writable root inside chroot()"), so make the home directory owned by root and give the user a writable subdirectory for uploads.
——————————————————————
You can show a warning banner to all FTP users by pointing banner_file at a text file you write yourself:
banner_file=/etc/vsftpd/banner
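The settings in this part of the page are the ones most often got wrong (anonymous_enable left at YES, chroot_local_user=NO, two addresses on listen_address). The checker below is an added example, not from the original page: it reads a vsftpd.conf and an fstab, prints one line per weak or mistaken setting, and is run here against two constructed configs, one written the way the weak values appear above and a corrected one, plus an fstab with and without the nosuid,nodev,noexec options on /ftp.

```shell
#!/bin/sh
# Added example (not from the original page): a small checker for the vsftpd
# settings covered above. It reads a vsftpd.conf and an fstab, reports each
# weak or mistaken setting, and is run against two constructed configs, one
# with the weak values shown on this page and a corrected one. The mount
# point /ftp and the fstab line are the page's own.

set -eu

# Value of KEY in a key=value file (last active occurrence wins, as in vsftpd).
conf_get() {
    awk -F= -v key="$2" '/^[ \t]*#/ { next } $1 == key { v = $2 } END { print v }' "$1"
}

# One finding per line; prints nothing for a clean config.
vsftpd_lint() {
    c=$1
    [ "$(conf_get "$c" anonymous_enable)" = NO ] \
        || echo "anonymous_enable should be NO unless anonymous FTP is really wanted"
    [ "$(conf_get "$c" anon_mkdir_write_enable)" != YES ] \
        || echo "anon_mkdir_write_enable=YES lets anonymous clients create directories"
    [ "$(conf_get "$c" chroot_local_user)" = YES ] \
        || echo "chroot_local_user should be YES to confine users to their home directories"
    [ "$(conf_get "$c" userlist_enable)" = YES ] \
        || echo "userlist_enable should be YES so user_list is consulted"
    addr=$(conf_get "$c" listen_address)
    [ -n "$addr" ] || echo "listen_address unset: vsftpd listens on every interface"
    case $addr in *" "*|*,*) echo "listen_address takes exactly one address, got: $addr" ;; esac
    [ -n "$(conf_get "$c" banner_file)" ] || echo "banner_file unset: no warning banner shown"
}

lint_count() { vsftpd_lint "$1" | awk 'END { print NR }'; }

# Names the hardening mount options missing from MOUNTPOINT's fstab entry.
fstab_missing_opts() {
    opts=$(awk -v mp="$2" '$2 == mp { print $4 }' "$1")
    for o in nosuid nodev noexec; do
        case ",$opts," in *,"$o",*) ;; *) echo "$o" ;; esac
    done
}

# Constructed samples: the weak values as they appear above, and a corrected config.
write_weak_conf() { cat > "$1" <<'EOF'
anonymous_enable=YES
local_enable=YES
anon_mkdir_write_enable=YES
chroot_local_user=NO
listen_address=192.168.0.254 192.168.0.251
listen_port=2121
EOF
}
write_hardened_conf() { cat > "$1" <<'EOF'
anonymous_enable=NO
local_enable=YES
chroot_local_user=YES
userlist_enable=YES
userlist_deny=NO
listen_address=192.168.0.254
listen_port=2121
deny_file={*.mp3,*.wma,*.rpm,*.private,*.text}
banner_file=/etc/vsftpd/banner
EOF
}
write_sample_fstab() { cat > "$1" <<'EOF'
/dev/sda1 /    ext3 defaults          1 1
/dev/sda5 /ftp ext3 defaults,usrquota 1 2
EOF
}

d=$(mktemp -d)
write_weak_conf "$d/weak.conf"; write_hardened_conf "$d/hard.conf"; write_sample_fstab "$d/fstab"
echo "== weak.conf";  vsftpd_lint "$d/weak.conf"
echo "== hard.conf";  vsftpd_lint "$d/hard.conf"
echo "== mount options missing on /ftp:"; fstab_missing_opts "$d/fstab" /ftp
rm -rf "$d"
```

The lint deliberately treats an unset option as its vsftpd default (userlist_enable off, no listen_address, no banner), since a hardening setting that was never written is the same as one that was written wrong.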