Archive

Archive for the ‘Uncategorized’ Category

Writing Better Shell Scripts – Part 3

December 25, 2011

The Innovations Technology Solutions Blog, where you can get information, how-tos, tips, tricks, and stay on top of what’s going on at Innovations

via Writing Better Shell Scripts – Part 3.

Categories: Uncategorized

Writing Better Shell Scripts – Part 2

December 25, 2011

The Innovations Technology Solutions Blog, where you can get information, how-tos, tips, tricks, and stay on top of what’s going on at Innovations

via Writing Better Shell Scripts – Part 2.

Categories: Uncategorized

Writing Better Shell Scripts – Part 1

December 25, 2011

The Innovations Technology Solutions Blog, where you can get information, how-tos, tips, tricks, and stay on top of what’s going on at Innovations

via Writing Better Shell Scripts – Part 1.

Categories: Uncategorized

OpenSSH Server Best Security Practices

January 12, 2011

Default Config Files and SSH Port

  • /etc/ssh/sshd_config – OpenSSH server configuration file.
  • /etc/ssh/ssh_config – OpenSSH client configuration file.
  • ~/.ssh/ – The user’s ssh configuration directory.
  • ~/.ssh/authorized_keys – Lists the public keys (RSA or DSA) that can be used to log into the user’s account.
  • /etc/nologin – If this file exists, sshd refuses to let anyone except root log in.
  • /etc/hosts.allow and /etc/hosts.deny – Access control lists enforced by tcp-wrappers are defined here.
  • SSH default port: TCP 22

Only Use SSH Protocol 2

SSH protocol version 1 (SSH-1) is vulnerable to man-in-the-middle attacks and has other security weaknesses. SSH-1 is obsolete and should be avoided at all costs. Open the sshd_config file and make sure the following line exists:

Protocol 2

Limit Users’ SSH Access

By default all system users can log in via SSH using their password or public key. Sometimes you create a UNIX / Linux user account for ftp or email purposes. However, those users can log in to the system using ssh. They will have full access to system tools including compilers and scripting languages such as Perl and Python, which can open network ports and do many other fancy things. One of my clients had a really outdated php script and an attacker was able to create a new account on the system via a php script. However, the attacker failed to get into the box via ssh because the account wasn’t in AllowUsers.

To allow only the root, sunny and sumi users to use the system via SSH, add the following to sshd_config:

AllowUsers root sumi sunny

Alternatively, you can allow all users to log in via SSH but deny only a few users, with the following line:

DenyUsers suraj anuja foo

Configure Idle Log Out Timeout Interval

Users can log in to the server via ssh, and you can set an idle timeout interval to avoid unattended ssh sessions. Open sshd_config and make sure the following values are configured:

ClientAliveInterval 300

ClientAliveCountMax 0

You are setting an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user will be automatically kicked out (read as logged out).

Disable Host-Based Authentication

To disable host-based authentication, update sshd_config with the following option:

HostbasedAuthentication no

Disable root Login via SSH

There is no need to log in as root via ssh over a network. Normal users can use su or sudo (recommended) to gain root-level access. This also makes sure you get full auditing information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line:

PermitRootLogin no

Firewall SSH Port # 22

You need to firewall ssh port # 22 by updating your iptables or pf firewall configuration. Usually, the OpenSSH server should only accept connections from your LAN or from other remote WAN sites.

Netfilter (Iptables) Configuration

Update /etc/sysconfig/iptables (Redhat and friends specific file) to accept connections only from 192.168.1.0/24 and 202.54.1.5/29, enter:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 202.54.1.5/29 -m state --state NEW -p tcp --dport 22 -j ACCEPT

If you’ve dual stacked sshd with IPv6, edit /etc/sysconfig/ip6tables (Redhat and friends specific file), enter:

-A RH-Firewall-1-INPUT -s ipv6network::/ipv6mask -m tcp -p tcp --dport 22 -j ACCEPT

Replace ipv6network::/ipv6mask with actual IPv6 ranges.

*BSD PF Firewall Configuration

If you are using the PF firewall, update /etc/pf.conf as follows:

pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state

Change SSH Port and Limit IP Binding

By default SSH listens on all available interfaces and IP addresses on the system. Limit the ssh port binding and change the ssh port (by default brute forcing scripts only try to connect to port # 22). To bind to the 192.168.1.5 and 202.54.1.5 IPs and to port 300, add or correct the following lines:

Port 300
ListenAddress 192.168.1.5
ListenAddress 202.54.1.5

Use Public Key Based Authentication

Use a public/private key pair with password protection for the private key. See how to use RSA and DSA key based authentication. Never ever use a passphrase-free (passphrase-less) key for login.

Use Keychain Based Authentication

keychain is a special bash script designed to make key-based authentication incredibly convenient and flexible. It offers various security benefits over passphrase-free keys. See how to set up and use the keychain software.

Chroot SSHD (Lock Down Users To Their Home Directories)

http://www.debian-administration.org/articles/590

Use TCP Wrappers

TCP Wrapper is a host-based networking ACL system, used to filter network access to Internet services. OpenSSH supports TCP wrappers. Just update your /etc/hosts.allow file as follows to allow SSH only from 192.168.1.2 and 172.16.23.12:

sshd : 192.168.1.2 172.16.23.12

Disable Empty Passwords

You need to explicitly disallow remote login from accounts with empty passwords; update sshd_config with the following line:

PermitEmptyPasswords no

Thwart SSH Crackers (Brute Force Attack)

Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities using a single computer or a distributed computer network. To prevent brute force attacks against SSH, use one of the following tools:

  • DenyHosts is a Python based security tool for SSH servers. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
  • See how to set up DenyHosts under RHEL / Fedora and CentOS Linux.
  • Fail2ban is a similar program that prevents brute force attacks against SSH.
  • security/sshguard-pf protects hosts from brute force attacks against ssh and other services using pf.
  • security/sshguard-ipfw protects hosts from brute force attacks against ssh and other services using ipfw.
  • security/sshguard-ipfilter protects hosts from brute force attacks against ssh and other services using ipfilter.
  • security/sshblock blocks abusive SSH login attempts.
  • security/sshit checks for SSH/FTP brute force attempts and blocks the given IPs.
  • BlockHosts – automatic blocking of abusive IP hosts.
  • Blacklist – get rid of those brute force attempts.
  • Brute Force Detection – a modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application-specific options are stored, including regular expressions for each unique auth format.
  • IPQ BDB filter – may be considered a fail2ban lite.
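As an added example (not part of the original post), the following shell script shows the core of what DenyHosts and fail2ban do: count "Failed password" lines per source address in the sshd authentication log and report the sources that cross a threshold, also in the /etc/hosts.deny syntax used in the TCP Wrappers section. The log lines are constructed for the example; on a real host you would feed it /var/log/auth.log or /var/log/secure.

```shell
#!/bin/bash
# Constructed sshd log lines for the example (not from a real host).
SAMPLE_LOG='Jan 12 10:01:02 host sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jan 12 10:01:05 host sshd[2002]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Jan 12 10:01:09 host sshd[2003]: Failed password for root from 203.0.113.7 port 51251 ssh2
Jan 12 10:01:12 host sshd[2004]: Failed password for invalid user oracle from 203.0.113.7 port 51260 ssh2
Jan 12 10:01:15 host sshd[2005]: Failed password for invalid user guest from 203.0.113.7 port 51270 ssh2
Jan 12 10:02:30 host sshd[2010]: Failed password for sunny from 192.168.1.20 port 40210 ssh2
Jan 12 10:02:41 host sshd[2011]: Accepted publickey for sunny from 192.168.1.20 port 40211 ssh2
Jan 12 10:03:00 host sshd[2012]: Invalid user ftpuser from 198.51.100.9
Jan 12 10:03:01 host sshd[2012]: Failed password for invalid user ftpuser from 198.51.100.9 port 33001 ssh2'

# Read sshd log lines on stdin and print "<failures> <ip>" for every source
# with at least $1 (default 5) failed password attempts, busiest first.
# The source is the word after "from", which holds for both "invalid user"
# and valid-user failures; successful logins are not counted.
abusive_sources() {
  awk -v thr="${1:-5}" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
    }
    END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
  ' | sort -rn
}

# Turn the offenders into /etc/hosts.deny entries in the tcp-wrappers
# syntax shown in the TCP Wrappers section.
deny_lines() {
  abusive_sources "$1" | awk '{ print "sshd : " $2 }'
}

# Demo: only 203.0.113.7 crosses the threshold of 5; the single failures
# from the LAN user and from 198.51.100.9 are ignored at that threshold.
printf '%s\n' "$SAMPLE_LOG" | abusive_sources 5
printf '%s\n' "$SAMPLE_LOG" | deny_lines 5
```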

Rate-limit Incoming Port # 22 Connections

Both netfilter and pf provide a rate-limit option to perform simple throttling of incoming connections to port # 22.

Iptables Example

The following example will drop incoming connections from a source which makes more than 5 connection attempts to port 22 within 60 seconds:

#!/bin/bash
# Path to the iptables binary, the Internet-facing interface and the ssh port
IPT=/sbin/iptables
inet_if=eth1
ssh_port=22

# Remember every new connection attempt to the ssh port in the "recent" list
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --set

# Drop a source that already has 5 attempts recorded within the last 60 seconds
# (inserted with -I, so this rule is checked before the --set rule above)
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP

Call the above script from your iptables scripts. Another config option:

# Accept at most 3 new ssh connections per minute (burst of 3); new connections
# beyond the limit fall through to the chain's default policy, which should be DROP
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT

# another one line example
# $IPT -A INPUT -i ${inet_if} -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 5 -j ACCEPT

See iptables man page for more details.

*BSD PF Example

The following will limit the maximum number of connections per source to 20 and rate limit the number of connections to 15 in a 5 second span. If anyone breaks our rules, add them to our abusive_ips table and block them from making any further connections. Finally, the flush keyword kills all states created by the matching rule which originate from the host that exceeds these limits.

sshd_server_ip="202.54.1.5"
table <abusive_ips> persist
block in quick from <abusive_ips>
pass in on $ext_if proto tcp to $sshd_server_ip port ssh flags S/SA keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <abusive_ips> flush)

Use Port Knocking

Port knocking is a method of externally opening ports on a firewall by generating connection attempts on a set of prespecified closed ports. Once the correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A sample port knocking example for ssh using iptables (the knock sequence is 1234, 3456, 2345, each within 5 seconds of the previous one):

# stage1: the first knock (port 1234) was seen; a hit on 3456 advances to knock2
$IPT -N stage1
$IPT -A stage1 -m recent --remove --name knock
$IPT -A stage1 -p tcp --dport 3456 -m recent --set --name knock2

# stage2: the second knock was seen; a hit on 2345 unlocks ssh ("heaven")
$IPT -N stage2
$IPT -A stage2 -m recent --remove --name knock2
$IPT -A stage2 -p tcp --dport 2345 -m recent --set --name heaven

# door: send each SYN to the stage matching the knocks seen in the last 5 seconds,
# otherwise treat a hit on 1234 as the first knock
$IPT -N door
$IPT -A door -m recent --rcheck --seconds 5 --name knock2 -j stage2
$IPT -A door -m recent --rcheck --seconds 5 --name knock -j stage1
$IPT -A door -p tcp --dport 1234 -m recent --set --name knock

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ssh is only accepted from a host that completed the sequence within the last 5 seconds
$IPT -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name heaven -j ACCEPT
$IPT -A INPUT -p tcp --syn -j door

  • fwknop is an implementation that combines port knocking and passive OS fingerprinting.
  • Multiple-port knocking Netfilter/IPtables only implementation.

Use Log Analyzer

Read your logs using logwatch or logcheck. These tools make your log reading life easier. They will go through your logs for a given period of time and make a report on the areas that you wish with the detail that you wish. Make sure LogLevel is set to INFO or DEBUG in sshd_config:

LogLevel INFO
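As an added example, not from the original post, this shell audit checks an sshd_config against the directives recommended in the sections above (Protocol, PermitRootLogin, PermitEmptyPasswords, HostbasedAuthentication, ClientAliveInterval, LogLevel). It applies sshd's own rule that the first occurrence of a keyword wins, so a hardening line appended below an earlier permissive one is flagged rather than trusted. The config file is constructed for the example.

```shell
#!/bin/bash
# Constructed sshd_config for the example (not a real host's file). It has two
# deliberate problems: PermitRootLogin is set twice, and PermitEmptyPasswords
# is missing entirely.
SAMPLE_SSHD_CONFIG='# hypothetical sshd_config
Port 300
ListenAddress 192.168.1.5
Protocol 2
PermitRootLogin yes
permitrootlogin no
HostbasedAuthentication no
ClientAliveInterval 300
ClientAliveCountMax 0
AllowUsers root sumi sunny
LogLevel INFO'

# Print the value sshd uses for keyword $1 in file $2. Keywords are
# case-insensitive and sshd takes the FIRST occurrence, so the later
# "permitrootlogin no" above does not override "PermitRootLogin yes".
effective_value() {
  awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
    tolower($1) == key { print $2; exit }
  ' "$2"
}

# Compare file $1 with the recommended settings. Prints one OK/BAD/MISSING
# line per directive and returns 1 if any directive is off.
audit_sshd_config() {
  rc=0
  for pair in Protocol=2 PermitRootLogin=no PermitEmptyPasswords=no \
              HostbasedAuthentication=no ClientAliveInterval=300 LogLevel=INFO; do
    key="${pair%%=*}"; want="${pair#*=}"
    got="$(effective_value "$key" "$1")"
    if [ -z "$got" ]; then
      echo "MISSING $key (want $want)"; rc=1
    elif [ "$got" != "$want" ]; then
      echo "BAD $key=$got (want $want)"; rc=1
    else
      echo "OK $key=$got"
    fi
  done
  return "$rc"
}

# Demo on the constructed file; on a real host pass /etc/ssh/sshd_config.
tmp="$(mktemp)"
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$tmp"
audit_sshd_config "$tmp" || echo "sshd_config needs attention"
rm -f "$tmp"
```

sshd also accepts the Keyword=value spelling and Match blocks, which this simple check does not parse.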

Patch OpenSSH and Operating Systems

It is recommended that you use tools such as yum, apt-get, freebsd-update and others to keep systems up to date with the latest security patches.

Limit Users’ SSH Access

You can also configure Linux PAM to allow or deny login via the sshd server. You can allow a list of group names to access ssh, or deny them access.

Categories: Linux, Uncategorized

Install Nginx with Cpanel Apache in proxy mode

November 26, 2010

It’s hard to optimize websites with a high number of connections. Let’s think of having 2 web servers running at a time: one to serve static content and the other in the background for serving dynamic content.

This will considerably reduce the server load and increase performance, and thereby the website should start loading smoothly. We can have nginx and apache for serving static and dynamic content respectively.

The installations:

cd /usr/src
wget http://sysoev.ru/nginx/nginx-0.7.63.tar.gz
wget http://stderr.net/apache/rpaf/download/mod_rpaf-0.6.tar.gz
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-7.9.tar.gz
tar xvzf mod_rpaf-0.6.tar.gz
cd mod_rpaf-0.6
/usr/local/apache/bin/apxs -i -c -n mod_rpaf-2.0.so mod_rpaf-2.0.c
cd /usr/src
tar xvzf pcre-7.9.tar.gz
cd pcre-7.9
./configure
make
make install
cd /usr/src
tar xvzf nginx-0.7.63.tar.gz
cd nginx-0.7.63
./configure --with-http_ssl_module --with-http_realip_module --with-http_dav_module --with-http_flv_module --with-http_gzip_static_module
make
make install

Login to WHM and look for :
Main >> Service Configuration >> Apache Setup > Include Editor > Pre Main Include

Add the following configuration and save, changing LIST_OF_YOUR_IPS to the IPs you use for your site. Only the addresses that actually proxy requests to Apache belong in RPAFproxy_ips: mod_rpaf trusts the X-Real-IP header from those addresses, so listing others lets a client forge the source address Apache logs and uses for access control:

LoadModule rpaf_module modules/mod_rpaf-2.0.so
RPAFenable On
# Enable reverse proxy add forward
RPAFproxy_ips 127.0.0.1 LIST_OF_YOUR_IPS
# which ips are forwarding requests to us
RPAFsethostname On
# let rpaf update vhost settings
# allows to have the same hostnames as in the "real"
# configuration for the forwarding Apache
RPAFheader X-Real-IP
# Allows you to change which header mod_rpaf looks
# for when trying to find the ip the that is forwarding
# our requests

– Change the apache port to 81 (tweak settings)
Open WHM – Tweak Settings, find 0.0.0.0:80 and change it to 0.0.0.0:81

Run SSH console

/usr/local/cpanel/whostmgr/bin/whostmgr2 --updatetweaksettings
/scripts/rebuildhttpdconf
httpd restart

– wget the automated nginx virtual host creator

wget http://www.hikaro.com/files/nginx.sh

– chmod the file and run it

chmod 755 nginx.sh
./nginx.sh

-Check the configuration

/usr/local/nginx/sbin/nginx -t

-Start nginx

/usr/local/nginx/sbin/nginx

Up to now nginx is only accepting the connections and proxying them to apache, but it is not serving static content. For the latter you must edit the following file:

/usr/local/nginx/conf/vhost.conf

-Remove the 3 # signs from the following lines:

#location ~* \.(gif|jpg|jpeg|png|wmv|avi|mpg|mpeg|mp4|js|css)$ {
# root   /home/myweb/public_html;
#}

so the final configuration will look like:

location ~* \.(gif|jpg|jpeg|png|wmv|avi|mpg|mpeg|mp4|js|css)$ {
root   /home/myweb/public_html;
}

–Restart nginx in SSH

/usr/local/nginx/sbin/nginx -s reload

Categories: Uncategorized

Hello world!

August 20, 2010

Welcome to WordPress.com. This is your first post. Edit or delete it and start blogging!

Categories: Uncategorized