Monday, December 27, 2010

How to deal with SSH ?

SSH (Secure SHell) work on port number 22, which uses encryption to send data to remote host. Now a days we use it in place of Telnet.

Files related to SSH configuration;

  • /etc/ssh/sshd_config - OpenSSH server configuration file.
  • /etc/ssh/ssh_config - OpenSSH client configuration file.
  • ~/.ssh/ - Users ssh configuration directory.
  • ~/.ssh/authorized_keys or ~/.ssh/authorized_keys - Lists the public keys (RSA or DSA) that can be used to log into the user’s account
  • /etc/nologin - If this file exists, sshd refuses to let anyone except root log in.
  • /etc/hosts.allow and /etc/hosts.deny : Access controls lists that should be enforced by tcp-wrappers are defined here.
  • SSH default port : TCP 22

NOTE : After editing "sshd_config" file, please verify configuration and restart "sshd" service to come up with the enabled option.


Verify your sshd_config file before restarting / reloading changes:
#/usr/sbin/sshd -t




#service sshd restart OR
#/etc/init.d/sshd restart



Enabling / Disabling root login access in ssh :

Edit file "/etc/ssh/sshd_config", search for "PermitRootLogin" & make it "yes" Or if commented uncomment it.

#vi /etc/ssh/sshd_config

PermitRootLogin yes



Save & exit.

Next restart "sshd" service,

#service sshd restart OR
#/etc/init.d/sshd restart



How to change ssh port to random port number from port 22 :

#vi /etc/ssh/sshd_config

Search for "Port 22", uncomment it & edit entry "22" as per your requirement. Like "989"

Port 989



Save & exit.

Next restart "sshd" service.


How to connect from ssh to another host if random port number used instead of "22":

#ssh -p <SSH Port> <SSH Server IP>

e.g.

#ssh -p 989 10.10.10.1


How to forward X Session from SSH from remote host :

On Host 1;

#ssh -X root@Host2

Now whenever you open any you open GUI application on HOST 2 it'll be shown to you on HOST 1 to manage through SSH.

Please keep in mind that to forward a X session from SSH from other host to your host first you need to configure X11 forwarding on remote host as given below;

In the "/etc/ssh/sshd_config" file uncomment below lines;


AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes



How to limit user's access on SSH :


To allow only root, mac and  tom users as well as groups like HR, Sales to use the system via SSH, add the following to sshd_config:

AllowUsers root mac tom
AllowGroups HR Sales

Alternatively, you can allow all users and groups to login via SSH but deny only a few users, groups with the following line:

DenyUsers lycan max tim
DenyGroups ISS CMS PreSales



How to configure idle log out timeout interval:


User can login to server via ssh and you can set an idel timeout interval to avoid unattended ssh session. Open sshd_config and make sure following values are configured:

ClientAliveInterval 300
ClientAliveCountMax 0

You are setting an idle timeout interval in seconds (300 secs = 5 minutes). After this interval has passed, the idle user will be automatically kicked out (read as logged out).


How to ignore .rhosts file:

Don't read the user's ~/.rhosts and ~/.shosts files. Update sshd_config with the following settings:

IgnoreRhosts yes

SSH can emulate the behavior of the obsolete rsh command, just disable insecure access via RSH.


How to Enable a Warning Banner

Set a warning banner by updating sshd_config with the following line:

Banner /etc/banner.txt

Sample /etc/banner.txt file:

----------------------------------------------------------------------------------------------
You are accessing a Government Information System that is provided for authorized use only.
----------------------------------------------------------------------------------------------

Above is standard sample, consult your legal team for exact user agreement and legal notice details.


How to bind SSH access to particular IP's:

By default SSH listen to all available interfaces and IP address on the system. To bind to 10.31.10.1 and 10.31.20.2 IPs add the following lines:

ListenAddress 10.31.10.1
ListenAddress 10.31.20.2


How to use TCP Wrappers for SSH:

TCP Wrapper is a host-based Networking ACL system, used to filter network access to Internet. OpenSSH does supports TCP wrappers. Just update your /etc/hosts.allow file as follows to allow SSH only from 10.31.10.1, 10.31.20.2 IP's and 10.31.30.0 Network:

sshd : 10.31.10.1 10.31.20.2 10.31.30.0 


How to disable empty passwords in SSH:

You need to explicitly disallow remote login from accounts with empty passwords, update sshd_config with the following line:

PermitEmptyPasswords no


References :



_Enjoy :)

1 comment:

  1. Thanks for taking the time to discuss this, I feel strongly about it and love learning more on this topic. If possible, as you gain expertise, would you mind updating your blog with extra information? It is extremely useful for me.
    kansas city data recovery

    ReplyDelete