SECURE SSH CONFIGURATION

We want to configure our SSH server in a more secure manner. A few minor changes will substantially increase the security of our SSH server.

NOTE: The following will be conducted on your NAMESERVER machine (your NOC box should already have this configuration!)

1. Connect to your NAMESERVER machine (192.168.10X.10)

2. Edit your /etc/ssh/sshd_config file (SSH Server Configuration File)

   NS1-TLDX> sudo pico /etc/ssh/sshd_config

   * Uncomment the "AllowUsers" entry
   * Change the "AllowUsers" entry to include all authorized users:

     AllowUsers root trtiadmin tldadmin

   * Change "PasswordAuthentication yes" to "PasswordAuthentication no"
   * Change "PubkeyAuthentication no" to "PubkeyAuthentication yes"
   * Make sure "PermitEmptyPasswords" is set to "no"

3. Restart your SSH server

   NS1-TLDX> sudo /etc/init.d/ssh restart

4. Try logging into your NameServer's SSH server with just a password

   NS1-TLDX> ssh tldadmin@127.0.0.1

   ** You should get an error message: Permission denied (publickey). **

5. Try logging into your SSH server with your tldadmin key

   NS1-TLDX> ssh -i /home/tldadmin/.ssh/tldadmin tldadmin@127.0.0.1

   ** This should work **

   Note: the password you are prompted for is the IDENTITY KEY passphrase and NOT the account password - but in this lab the two are the same...

   Note:
   * Do not change the "PermitRootLogin" entry. Doing so would make your configuration more secure, but it would break our ability to remotely assist you!

Other Interesting Settings

   * "PermitEmptyPasswords" should be set to "no"
   * "Port" can be any port - you should change this to something other than port 22 to avoid automated SSH attacks
   * "LoginGraceTime" - set this to a short time (say 30 seconds) so that the server closes connections that have not authenticated within that period, to avoid keeping unproductive connections open
   * Restrict "Banner" such that it doesn't provide any identifying information
   * Set "MaxAuthTries" to a low number (say 3) so that a user gets only three attempts to enter a password before the connection is closed

6. Find and delete the weak user account that caused your server to be compromised

   Examine the /var/log/auth.log file for successful ssh logins

   NS1-TLDX> sudo deluser

7. Restrict access to your network via ssh at the router

   - Please include the management subnet here so we can get back into the router!
   - Remember Dr. Evil is on the 130.X subnet, so he will be blocked by this!

   Login to your router:

   NS1-TLDX> ssh tldadmin@192.168.10X.1

   Update the Access List 100 that you set up in a previous exercise:

   TLDX-RTR> en
   TLDX-RTR# config terminal
   TLDX-RTR(config)# no access-list 100
   TLDX-RTR(config)# no access-list 101
   TLDX-RTR(config)# access-list 100 permit tcp 192.168.128.0 0.0.0.255 any eq 22 log
   TLDX-RTR(config)# access-list 100 deny tcp any any eq 22 log
   TLDX-RTR(config)# access-list 100 permit tcp any any eq telnet syn log
   TLDX-RTR(config)# access-list 100 permit tcp any any eq smtp syn log
   TLDX-RTR(config)# access-list 100 permit tcp any any eq pop3 syn log
   TLDX-RTR(config)# access-list 100 permit tcp any any eq 143 syn log
   TLDX-RTR(config)# access-list 100 permit ip any any
   TLDX-RTR(config)# interface FastEthernet 0/1
   TLDX-RTR(config)# ip access-group 100 in
   TLDX-RTR(config)# CTRL-Z
   TLDX-RTR(config)# copy run start
   #exit
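The following audit script is an added example, not part of this exercise: it checks an sshd_config for the settings required in step 2 above (AllowUsers including tldadmin, PasswordAuthentication no, PubkeyAuthentication yes, PermitEmptyPasswords no). It honours the sshd rule that the first uncommented value of a keyword wins, which is how a freshly uncommented line placed below an earlier setting silently fails to take effect; the sample config it runs on is constructed for the demonstration.

```shell
#!/bin/sh
# Added audit script (not part of the exercise): checks an sshd_config for the
# settings required above. Sample config below is constructed for the demo.

# sshd uses the FIRST uncommented value of a keyword; later duplicates are
# ignored, so we report the first match. Lines after a "Match" block are not
# examined, and the "Keyword=value" spelling is not handled.
effective_value() {  # $1 = keyword, $2 = config file
    awk -v key="$1" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$2"
}

check_sshd_config() {  # $1 = config file; prints findings, returns 1 on any FAIL
    rc=0
    for pair in PasswordAuthentication=no PubkeyAuthentication=yes PermitEmptyPasswords=no
    do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$key" "$1")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-<unset>}', expected '$want'"; rc=1
        fi
    done
    # AllowUsers must be present and include the tldadmin account
    users=$(effective_value AllowUsers "$1")
    case " $users " in
        *" tldadmin "*) echo "OK   AllowUsers $users" ;;
        *) echo "FAIL AllowUsers is '${users:-<unset>}', must include tldadmin"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample with a typical slip: "PasswordAuthentication no" was added
# below an earlier "yes", so sshd keeps "yes" and the check must flag it.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# comment lines are ignored
AllowUsers root trtiadmin tldadmin
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
EOF
if check_sshd_config "$SAMPLE"; then SAMPLE_RESULT=0; else SAMPLE_RESULT=1; fi
rm -f "$SAMPLE"
```

Run it against the real file with `check_sshd_config /etc/ssh/sshd_config` after editing and before restarting sshd, so a rejected login in step 4 is a deliberate result rather than a surprise.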