Perform the following steps to secure your web site

    • Red Hat/CentOS:
      • yum check-update (Print list of packages to be updated.)
      • yum update

      Note that this can be automated using the /etc/init.d/yum-updatesd service (RHEL/CentOS 5) or by creating a cron job /etc/cron.daily/yum.cron:

          #!/bin/sh
          /usr/bin/yum -R 120 -e 0 -d 0 -y update yum
          /usr/bin/yum -R 10 -e 0 -d 0 -y update

    • Ubuntu/Debian:
      • apt-get update (Update package list to the latest version associated with that release of the OS.)
      • apt-get upgrade
  • Reduce the number of network services exposed. These are started by scripts in the /etc/rc.d/rc*.d/ directories (see the full list of services in /etc/init.d/). There may be no need to run sendmail (mail server), portmap (RPC listener required by NFS), lpd (line printer server daemon. Hackers probe my system for this service all the time.), innd (news server), linuxconf etc. For example, sendmail can be removed from the boot process using the command chkconfig --del sendmail or by using the configuration tool ntsysv. The running service can be terminated with the command /etc/rc.d/init.d/sendmail stop. At the very least one should run the command chkconfig --list to see which services are configured to start after boot-up. See the YoLinux init process tutorial.
  • Verify your configuration. List the open ports and processes which hold them: netstat -punta (Also try netstat -nlp)
  • List RPC services: [root]# rpcinfo -p localhost. Ideally you would NOT be running portmapper, so no RPC services would be available. Turn off portmapper: service portmap stop (or /etc/init.d/portmap stop) and remove it from the system boot sequence: chkconfig --del portmap (Portmap is required by NFS.)
  • Anonymous FTP (using wu_ftpd, last shipped with RH 8.0; RH 9 and FC use vsftpd): By default Red Hat comes configured for anonymous FTP. This allows users to ftp to your server, log in with the login anonymous and use an email address as the password. If you wish to turn off this feature, edit the file /etc/ftpaccess and change the line class all real,guest,anonymous * to class all real,guest *. For more on FTP configuration see: YoLinux Web server FTP configuration tutorial
  • Use the find command to locate vulnerabilities: find setuid and setgid files (which execute with the privileges of the file's owner or group, often root) as well as world writable files and directories. For example:
    • find / -xdev \( -perm -4000 -o -perm -2000 \) -type f -print (find setuid/setgid files). Remove the setuid/setgid bits from an executable with the command: chmod -s filename
    • find / -xdev \( -nouser -o -nogroup \) -print (find files not owned by a valid user or group).
  • Use the commands chattr and lsattr to make a sensitive security file unmodifiable over and above the usual permissions.
    • Make a file unmodifiable: chattr +i /bin/ls
    • Make directories unmodifiable: chattr -R +i /bin /sbin /boot /lib
    • Make a file append only: chattr +a /var/log/messages
  • Use “tripwire” [sourceforge: tripwire] for security monitoring of your system for signs of unauthorized file changes. Tripwire is offered as part of the base Red Hat and Ubuntu distributions. Tripwire configuration is covered below.
  • Watch your log files especially /var/log/messages and /var/log/secure.
  • Avoid generic account names such as guest.
  • Use PAM network wrapper configurations to disallow passwords which can be found easily by crack or other hacking programs. PAM authentication can also disallow root network login access. (Default Red Hat configuration. You must log in as a regular user and su - to obtain root access. This is NOT the default for ssh and must be changed as noted below.) See YoLinux Network Admin Tutorial on using PAM
  • Remote access should NOT be done with clear text telnet but with an encrypted connection using ssh. (Later in this tutorial)
  • Proc file settings for defense against attacks. This includes protective measures against IP spoofing, SYN flood or syncookie attacks.
  • DDoS (Distributed Denial of Service) attacks: The only thing you can do is have gobs of bandwidth and processing power/firewall. Lots of processing power or a firewall are useless without gobs of bandwidth, as the network can get so overloaded from a distributed attack. Also see:
    • Turn off ICMP (look invisible to network scans)
    • Monitor the attack with tcpdump

    Unfortunately the packets are usually spoofed and in my case the FBI didn't care. If the server is a remote server, have a dial-up modem or a second IP address and route for access, because the attacked route is blocked by the flood of network attacks. You can also request that your ISP drop ICMP traffic to the IP addresses of your servers (and UDP if all you are running is a web server. DNS name servers use UDP.) For very interesting reading see "The Strange Tale" of the GRC.com DDoS attack. (Very interesting read about the anatomy of the hacker bot networks.)

  • User access can be restricted with the following configuration files:
    • /etc/security/limits.conf
    • /etc/security/group.conf
    • /etc/security/time.conf

    See YoLinux SysAdmin tutorial – restrict users

  • Remove un-needed users from the system. See /etc/passwd. By default Red Hat installations have many user accounts created to support various processes. If you do not intend to run these processes, remove the users, i.e. remove the user ids games, uucp, rpc, rpcd, …

 

xinetd:

  • It is best for security reasons that you reduce the number of inetd network services exposed. The more services exposed, the greater your vulnerability. Reduce the number of network services accessible through the xinetd or inetd daemon by:
    • inetd: (Red Hat 7.0 and earlier) Comment out un-needed services in the /etc/inetd.conf file. Sample (FTP is the only service I run):

          ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a

      Restart the daemon to apply changes: /etc/rc.d/init.d/inetd restart
    • xinetd: (Red Hat 7.1 and later) All network services are turned off by default during an upgrade. Sample file /etc/xinetd.d/wu-ftpd:

          service ftp
          {
                  disable         = yes    # Default is off. This line controls whether xinetd enables the service
                  socket_type     = stream
                  wait            = no
                  user            = root
                  server          = /usr/sbin/in.ftpd
                  server_args     = -l -a
                  log_on_success  += DURATION USERID
                  log_on_failure  += USERID
                  nice            = 10
          }

      Turning on/off an xinetd service:
      • Edit the file /etc/xinetd.d/service-name. Changing the line to disable = yes turns off an xinetd service; changing it to disable = no turns the service on. This must be done for each file in the directory /etc/xinetd.d/ in order to configure each network service. Restart the daemon to apply changes: /etc/rc.d/init.d/xinetd restart
      • You may also use the command: chkconfig wu-ftpd on OR chkconfig wu-ftpd off

        This will edit the appropriate file (/etc/xinetd.d/wu-ftpd) and restart the xinetd process.

      Tip:

      • List init settings including all xinetd controlled services: chkconfig --list
      • List status of services (Red Hat/Fedora Core based systems): service --status-all

 

Kernel Configuration:

  • Use Linux firewall rules to protect against attacks. (iptables: kernel 2.4 and 2.6; ipchains: kernel 2.2) Access denial rules can also be implemented on the fly by portsentry. (Place at the end of /etc/rc.d/rc.local to be executed upon system boot, or in some other appropriate script.)
    • iptables script:

          # Allow loopback access. This rule must come before the rules denying port access!!
          iptables -A INPUT  -i lo -p all -j ACCEPT     # This rule is essential if you want your own computer
          iptables -A OUTPUT -o lo -p all -j ACCEPT     # to be able to access itself through the loopback interface
          iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP        # Block NFS
          iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP        # Block NFS
          iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP   # Block X-Windows
          iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 7100 -j DROP        # Block X-Windows font server
          iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP         # Block printer port
          iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP         # Block printer port
          iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 111 -j DROP         # Block Sun rpc/NFS
          iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 111 -j DROP         # Block Sun rpc/NFS
          iptables -A INPUT -p all -s localhost -i eth0 -j DROP              # Deny outside packets from the internet which claim to be from your loopback interface

    • ipchains script:

          ipchains -A input -p tcp -s 0/0 -d 0/0 2049 -y -j REJECT       # Block NFS
          ipchains -A input -p udp -s 0/0 -d 0/0 2049 -j REJECT          # Block NFS
          ipchains -A input -p tcp -s 0/0 -d 0/0 6000:6009 -y -j REJECT  # Block X-Windows
          ipchains -A input -p tcp -s 0/0 -d 0/0 7100 -y -j REJECT       # Block X-Windows font server
          ipchains -A input -p tcp -s 0/0 -d 0/0 515 -y -j REJECT        # Block printer port
          ipchains -A input -p udp -s 0/0 -d 0/0 515 -j REJECT           # Block printer port
          ipchains -A input -p tcp -s 0/0 -d 0/0 111 -y -j REJECT        # Block Sun rpc/NFS
          ipchains -A input -p udp -s 0/0 -d 0/0 111 -j REJECT           # Block Sun rpc/NFS
          ipchains -A input -j REJECT -p all -s localhost -i eth0 -l     # Deny and log ("-l") outside packets from the internet which claim to be from your loopback interface

    Note:

    • iptables uses the chain rule “INPUT” and ipchains uses the lower case descriptor “input”.
    • View rules with iptables -L or ipchains -L command.
    • iptables man page
    • When running an internet web server it is best, from a security point of view, NOT to run printing, X-Window, NFS or any other services which may be exploited if a vulnerability is discovered or if they are misconfigured, regardless of firewall rules.

    Also see:

    • YoLinux Internet Gateway Tutorial
    • Red Hat 7.1 firewall GUI configuration tool /usr/sbin/gnome-lokkit
  • Use portsentry to monitor network hacker attacks and dynamically assign firewall rules to thwart attackers. (Later in this tutorial)
  • A monolithic and minimal kernel might also provide a small bit of protection (avoid trojan modules), as might running on less common hardware (MIPS, Alpha, etc., so that x86 buffer overflow instructions will not run).
  • Kernel Security Enhancements:
    • Red Hat/CentOS SELinux: National Security Agency (NSA): Security-Enhanced Linux – Altered for increased security. For more see the YoLinux.com Systems Admin and Web site configuration tutorials.
    • Ubuntu Apparmor community wiki
  • Enable ExecShield: this is enabled by default on Red Hat EL 5/CentOS 5. ExecShield is a Linux kernel feature which protects the system against buffer overflow exploits. It does this by randomizing the placement of stack memory, preventing execution of memory used to hold data, and text buffer handling. ExecShield can be enabled in the Red Hat/CentOS configuration file /etc/sysctl.conf by adding the following two lines:

        kernel.exec-shield = 1
        kernel.randomize_va_space = 1

    The current system configuration can be checked:
    • cat /proc/sys/kernel/exec-shield
    • cat /proc/sys/kernel/randomize_va_space

    Both should be "1" (system default).

    Note: Intel XD/AMD NX on 32 bit x86 processors only (not x86_64, which can address more than 4 GB): Enable AMD NX or Intel XD support by use of the PAE (Physical Address Extension) kernel. The PAE memory extension is required to access the XD/NX bit. To see if your processor supports PAE and NX/XD, use the command cat /proc/cpuinfo | grep flags and look for the fields "pae" and "nx". Install a Linux kernel (2.6.8+) with PAE support with the command yum install kernel-PAE. The boot loader will also have to specify the PAE kernel for boot, and the BIOS will have to be configured to support it as well. This kernel should only be installed on a system with a 32 bit x86 processor which offers this support. The 64 bit x86_64 processors, which can natively use the XD/NX bit, do not need the PAE kernel.

 

Firewall Rules to Block Bad IP Blocks:

It is well known that there are various blocks of IP addresses where nefarious hackers and spam bots reside. These IP blocks were often once owned by legitimate corporations and organizations but have fallen into an unsupervised realm or have been hijacked and sold to criminal spammers. These IP blocks should be blocked by firewall rules.

There are various friendly services which seek and discover these IP blocks to firewall and deny and they share this information with us. Thanks!

The Spamhaus drop list: This is a script to download the total drop list and generate an iptables filter script to block these very IP addresses:

    #!/bin/bash
    # Blacklist of hacker zones and bad domains from spamhaus.org
    FILE=drop.lasso
    /bin/rm -f $FILE
    wget http://www.spamhaus.org/drop/drop.lasso
    blocks=$(cat $FILE | egrep -v '^;' | awk '{ print $1 }')
    echo "#!/bin/bash" > Spamhaus-drop.lasso.sh
    for ipblock in $blocks
    do
        echo "iptables -I INPUT -s $ipblock -j DROP" >> Spamhaus-drop.lasso.sh
    done
    chmod ugo+x Spamhaus-drop.lasso.sh
    echo "...Done"

To block the IP addresses just execute the script on each of your servers: ./Spamhaus-drop.lasso.sh

At the very minimum, these blocks of IP addresses should be denied by all servers.

Block or allow by country: One can deny access by certain countries or the inverse, allow only certain countries to access your server.

See these sites to generate lists:

  • IpInfoDb.com – generates Apache htaccess or iptables rules
  • Country IP block list generator
  • IpDeny.com: CIDR lists

Block forum and comment list spammers: Use the list generated from honeypots operated by StopForumSpam.com

    #!/bin/bash
    # Big list of IP addresses to block
    # IPs gathered from the last 30 days
    # Over 100k IP addresses
    rm -f listed_ip_30.zip
    wget http://www.stopforumspam.com/downloads/listed_ip_30.zip
    rm -f listed_ip_30.txt
    unzip listed_ip_30.zip
    echo "#!/bin/bash" > Stopforumspam-listed_ip_30.sh
    cat ./listed_ip_30.txt | awk '{print "/sbin/iptables -I INPUT -s " $1 " -j DROP"}' >> Stopforumspam-listed_ip_30.sh
    chmod ugo+x Stopforumspam-listed_ip_30.sh

To block the IP addresses just execute the script: ./Stopforumspam-listed_ip_30.sh

Be aware that this is an extremely long list and can take hours to run. It is also a rapidly changing list which is updated constantly.

[Potential Pitfall]: You may get the following error:

    iptables: Unknown error 18446744073709551615

I found that by slowing down the execution of the script, I can avoid this error. I added a bash echo to write each line to the screen and it behaved much better although also much slower.

    #!/bin/bash
    set -x verbose
    /sbin/iptables -I INPUT -s XX.XX.XX.XX -j DROP
    ...
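Both generated scripts above run one iptables -I INPUT command per address, which is why the StopForumSpam list takes hours and, per the pitfall, is sensitive to how fast the rules are inserted. The following is an added example, not part of the tutorial: it validates the downloaded entries and writes a single iptables-restore fragment for a dedicated BLOCKLIST chain that can be reloaded atomically. The input formats assumed are the Spamhaus DROP layout (";"-comment lines, "a.b.c.d/nn ; SBLnnn") and StopForumSpam's one-address-per-line text; the sample list is constructed.

```shell
#!/bin/bash
# Added example (not from the tutorial): turn a downloaded blocklist into one
# iptables-restore fragment instead of running "iptables -I INPUT" per entry.
# Assumed formats: Spamhaus DROP ("a.b.c.d/nn ; SBLnnn" plus ";" comment lines)
# and StopForumSpam listed_ip_30.txt (one bare IPv4 address per line).

# Keep only syntactically valid IPv4 addresses or CIDR blocks: strip ";"/"#"
# comments, trailing fields and CRs; reject octets > 255 and prefixes > 32;
# normalise bare addresses to /32 and remove duplicates.
valid_ipv4_entries() {
    tr -d '\r' | sed -e 's/[;#].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]].*$//' |
    awk -F'/' '
        $1 == "" || NF > 2 { next }
        {
            if (split($1, o, ".") != 4) next
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) next
            if (NF == 2 && ($2 !~ /^[0-9]+$/ || $2 + 0 > 32)) next
            entry = (NF == 2) ? $1 "/" $2 : $1 "/32"
            print entry
        }' | sort -u
}

# Write an iptables-restore fragment that (re)fills a dedicated BLOCKLIST chain.
# $1 = downloaded list, $2 = output rules file.  Prints the number of entries.
gen_blocklist_rules() {
    local chain=BLOCKLIST entries
    entries=$(valid_ipv4_entries < "$1")
    {
        echo '*filter'
        echo ":$chain - [0:0]"   # with --noflush: created if missing, flushed if present
        [ -n "$entries" ] && printf '%s\n' "$entries" |
            awk -v c="$chain" '{ print "-A " c " -s " $1 " -j DROP" }'
        echo 'COMMIT'
    } > "$2"
    if [ -n "$entries" ]; then printf '%s\n' "$entries" | wc -l | tr -d ' '; else echo 0; fi
}

# Constructed sample mixing both formats, with junk lines the filter must drop.
SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
; Spamhaus DROP List header (constructed sample, not real data)
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
203.0.113.7
203.0.113.7
999.1.1.1
192.0.2.0/33
not-an-address
EOF

RULES="$SAMPLE_LIST.rules"
echo "$(gen_blocklist_rules "$SAMPLE_LIST" "$RULES") entries written to $RULES"
cat "$RULES"
# Load on the server as root without touching the rest of the filter table, then
# hook the chain into INPUT once (re-running the restore never duplicates rules):
#   iptables-restore --noflush "$RULES"
#   iptables -C INPUT -j BLOCKLIST 2>/dev/null || iptables -I INPUT -j BLOCKLIST
```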

 

Apache web server:

  • Apache modules: Turn off modules you are not going to use. With past ssl exploits, those using this philosophy did not get burned.
    • Red Hat EL 5/CentOS 5 Apache 2.2: The configuration file /etc/httpd/conf.d/ssl.conf enables SSL by default. This file is picked up by the line Include conf.d/*.conf in the file /etc/httpd/conf/httpd.conf. Rename the file /etc/httpd/conf.d/ssl.conf to ssl.conf_OFF to turn off SSL (any file ending with ".conf" is included in the web server configuration).
    • Ubuntu 8.04: a2dismod ssl This will disable the loading of SSL. The Ubuntu distribution has a fairly frugal use of modules by default. The default configuration has SSL turned off.
    • Apache 1.3.x config file /etc/httpd/conf/httpd.conf:

          #<IfDefine HAVE_SSL>
          #LoadModule ssl_module modules/libssl.so
          #</IfDefine>
          ...
          #<IfDefine HAVE_SSL>
          #AddModule mod_ssl.c
          #</IfDefine>
          ...
          <IfDefine HAVE_SSL>
          Listen 80
          #Listen 443
          </IfDefine>
          ...
          #<IfModule mod_ssl.c>
          #...
          #...
          ...
          #<VirtualHost _default_:443>
          #...
          #...
          ...

      Comment out the use of the ssl module by placing a "#" in the first column.
    • One can also block the https port 443 using firewall rules:

          iptables -A INPUT -p tcp -s 0/0 -d 0/0 --dport 443 -j DROP
          iptables -A INPUT -p udp -s 0/0 -d 0/0 --dport 443 -j DROP

  • Apache version exposure: (Version 1.3+) Don't allow hackers to learn which version of the web server software you are running by inducing an error and thus an automated server response. Attacks are often version specific. Spammers also trigger errors to find email addresses.

        ...
        ServerAdmin webmaster at megacorp dot com
        ServerSignature Off
        ...

    The response may be meaningless anyway if you are using the web server as a proxy to another.
  • Block hackers and countries which will never use your website. Use the Apache directive Deny from to block access.

        <Directory /home/projectx/public_html>
            ...
            Order allow,deny
            # Block form bots
            Deny from 88.191.0.0/16 193.200.193.0/24 194.8.74.0/23
            Allow from all
        </Directory>

    For extensive lists of IP addresses to block, see the Wizcrafts.net block list.

 

SSH: (Secure Shell)

The SSH protocol suite of network connectivity tools is used to encrypt connections across the internet. SSH encrypts all traffic including logins and passwords to effectively eliminate network sniffing, connection hijacking, and other network-level attacks. In a regular telnet session the password is transmitted across the Internet unencrypted.

SSH is a commercial product but available freely for non-commercial use from SSH Communications Security at http://www.ssh.com/. Two versions are available, SSH1 and SSH2. The newer SSH2 supports FTP and has more options than SSH1. SSH2 can be purchased and/or downloaded from their web site. Note that SSH1 has a major vulnerability. The "woot-project" web site cracking and defacing gang uses this vulnerability. DO NOT USE SSH1 PROTOCOL!!!!! ("woot-project" exploit/attack description/recovery)

OpenSSH was developed by the OpenBSD Project and is freely available. OpenSSH is compatible with SSH1 and SSH2. OpenSSH relies on the OpenSSL project for the encrypted communications layer. Current releases of Linux come with OpenSSH/OpenSSL. (Comes with Red Hat Linux 7.x+)

Links:

  • OpenSSH.org – Shell. Supports SSH1 and SSH2 protocols.
    • OpenSSL.org – Encrypted network layer
    • FreeSSH.org – SSH for other platforms
  • SSH:
    • SSH.com – Secure shell
    • FreeSSH.org – SSH for other platforms
  • Secure Shell IETF working group – (Internet Engineering Task Force)

OpenSSH:

  • Download:
    • Download OpenSSH RPM’s (sourceforge) – statically linked with OpenSSL 0.9.5 – Pick this one for an easy complete RPM install
    • Download OpenSSH source (tgz)
    • Red Hat Linux 6.x Open SSL RPM downloads (redhat.com) (SSL only)

    Note: SSH and SSL are included with Red Hat Linux 7.0+

  • Installation:
    • Common to Client and Server:
      • Red Hat/Fedora/CentOS: rpm -ivh openssh-2.9p2-8.7.i386.rpm
      • Ubuntu/Debian: apt-get install ssh
    • Client:
      • Red Hat/Fedora/CentOS:
            rpm -ivh openssh-askpass-2.9p2-8.7.i386.rpm
            rpm -ivh openssh-clients-2.9p2-8.7.i386.rpm
            rpm -ivh openssh-askpass-gnome-2.9p2-8.7.i386.rpm    (Gnome desktop users)
      • Ubuntu/Debian: apt-get install openssh-client ssh-askpass-gnome
    • Server:
      • Red Hat/Fedora/CentOS: rpm -ivh openssh-server-2.9p2-8.7.i386.rpm
      • Ubuntu/Debian: apt-get install openssh-server

    If upgrading from SSH1 you may have to use the RPM option --force. The RPM will install the appropriate binaries and configuration files, and openssh-server will install the init script /etc/rc.d/init.d/sshd so that sshd will start upon system boot.

  • Configuration:
    • Client configuration file /etc/ssh/ssh_config (default):

          # $OpenBSD: ssh_config,v 1.9 2001/03/10 12:53:51 deraadt Exp $

          # This is ssh client systemwide configuration file.  See ssh(1) for more
          # information.  This file provides defaults for users, and the values can
          # be changed in per-user configuration files or on the command line.

          # Configuration data is parsed as follows:
          #  1. command line options
          #  2. user-specific file
          #  3. system-wide file
          # Any configuration value is only changed the first time it is set.
          # Thus, host-specific definitions should be at the beginning of the
          # configuration file, and defaults at the end.

          # Site-wide defaults for various options

          # Host *
          #   ForwardAgent no
          #   ForwardX11 no
          #   RhostsAuthentication no
          #   RhostsRSAAuthentication yes
          #   RSAAuthentication yes
          #   PasswordAuthentication yes
          #   FallBackToRsh no
          #   UseRsh no
          #   BatchMode no
          #   CheckHostIP yes
          #   StrictHostKeyChecking yes
          #   IdentityFile ~/.ssh/identity
          #   IdentityFile ~/.ssh/id_rsa
          #   IdentityFile ~/.ssh/id_dsa
          #   Port 22
          #   Protocol 2,1                      <-- Change this line to: Protocol 2
          #   Cipher 3des
          #   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
          #   EscapeChar ~

          Host *
                  ForwardX11 yes

      Change the line "# Protocol 2,1" to "Protocol 2". This will eliminate use of the SSH1 protocol. Uncomment the options required or accept the hard-coded defaults. The hard-coded defaults for the OpenSSH client are compatible with SSH1 client files and the sshd server. An upgrade to the OpenSSH client will not require any changes to the files in $HOME/.ssh/.
    • Server configuration file /etc/ssh/sshd_config (default):

          # $OpenBSD: sshd_config,v 1.38 2001/04/15 21:41:29 deraadt Exp $

          # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

          # This is the sshd server system-wide configuration file.  See sshd(8)
          # for more information.

          Port 22
          #Protocol 2,1                        <-- Change to: Protocol 2
          #ListenAddress 0.0.0.0
          #ListenAddress ::
          HostKey /etc/ssh/ssh_host_key
          HostKey /etc/ssh/ssh_host_rsa_key
          HostKey /etc/ssh/ssh_host_dsa_key
          ServerKeyBits 768
          LoginGraceTime 600                   <-- Change to: LoginGraceTime 120
          KeyRegenerationInterval 3600
          PermitRootLogin yes                  <-- Change to: PermitRootLogin no
          #
          # Don't read ~/.rhosts and ~/.shosts files
          IgnoreRhosts yes
          # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
          #IgnoreUserKnownHosts yes
          StrictModes yes
          X11Forwarding yes
          X11DisplayOffset 10
          PrintMotd yes
          #PrintLastLog no
          KeepAlive yes

          # Logging
          SyslogFacility AUTHPRIV
          LogLevel INFO
          #obsoletes QuietMode and FascistLogging

          RhostsAuthentication no
          #
          # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
          RhostsRSAAuthentication no
          # similar for protocol version 2
          HostbasedAuthentication no
          #
          RSAAuthentication yes

          # To disable tunneled clear text passwords, change to no here!
          PasswordAuthentication yes
          PermitEmptyPasswords no

          # Uncomment to disable s/key passwords
          #ChallengeResponseAuthentication no

          # Uncomment to enable PAM keyboard-interactive authentication
          # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
          #PAMAuthenticationViaKbdInt yes

          # To change Kerberos options
          #KerberosAuthentication no
          #KerberosOrLocalPasswd yes
          #AFSTokenPassing no
          #KerberosTicketCleanup no

          # Kerberos TGT Passing does only work with the AFS kaserver
          #KerberosTgtPassing yes

          #CheckMail yes
          #UseLogin no

          #MaxStartups 10:30:60
          #Banner /etc/issue.net
          #ReverseMappingCheck yes

          Subsystem sftp /usr/libexec/openssh/sftp-server
      • If changes are made to the configuration file, restart the "sshd" daemon to pick up the new configuration:
        • Ubuntu: /etc/init.d/ssh restart
        • Red Hat: /etc/init.d/sshd restart or service sshd restart
      • SSH protocol version 1 is not as secure; it should not take 10 minutes to type your password; and if someone logs in as root without first logging in as a particular user, traceability is lost when there are multiple admins. Hence the changes suggested above.
      • Setting "PermitRootLogin no" forces remote logins to use a regular user login, which an attacker first has to guess. This removes root, a login known to exist on all Linux systems, from the list of accounts available to dictionary attacks.
      • It is a good idea to change the "Banner" so that a login greeting and legal disclaimer is presented to the user, i.e. change the contents of the file /etc/issue.net to:     Access is granted to this server only to authorized personnel of Mega Corp.

        By default, the /etc/issue.net message presents to the hacker the OS name, kernel release and information which can be used to determine potential vulnerabilities.

      • [Potential Pitfall]: Slow ssh logins. If you get the "login" prompt quickly but the "password" prompt takes 30 seconds to a minute, then you have a DNS lookup delay. Set UseDNS no in the config file /etc/ssh/sshd_config and then restart sshd. The IP address of eth0 (or the NIC used) should also map to your own hostname in /etc/hosts.
  • Generate system keys: /etc/ssh/
    • ssh-keygen -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
    • ssh-keygen -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N ''
    • Private keys generated: chmod 600 /etc/ssh/ssh_host_dsa_key /etc/ssh/ssh_host_rsa_key
    • Public keys generated: chmod 644 /etc/ssh/ssh_host_dsa_key.pub /etc/ssh/ssh_host_rsa_key.pub
    • For SELinux:
      • /sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
      • /sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
  • Generate user keys:
    • Client: Use the command /usr/bin/ssh-keygen -t rsa

          Generating public/private rsa key pair.
          Enter file in which to save the key (/home/user-id/.ssh/id_rsa):
          Enter passphrase (empty for no passphrase):
          Enter same passphrase again:
          Your identification has been saved in /home/user-id/.ssh/id_rsa.
          Your public key has been saved in /home/user-id/.ssh/id_rsa.pub.
          The key fingerprint is:
          XXXblablablaXXXaf:90:8f:dc:65:0d:XXXXXXXXXXXXXX user-id@node-name

      Files generated:
      • $HOME/.ssh/id_rsa: binary (private key)
      • $HOME/.ssh/id_rsa.pub: ssh-rsa ...223564257432 email address (multiple keys/lines allowed)
    • Server:
      • FTP the file $HOME/.ssh/id_rsa.pub to the server
      • cd $HOME/.ssh/
      • cat id_rsa.pub >> authorized_keys
  • Using ssh: On the client use the following command and log in as you normally would with a telnet session: ssh name-of-server. The first time you use ssh it will issue the following message:

        The authenticity of host 'node.your-domain.com (XXX.XXX.XXX.XXX)' can't be established.
        RSA key fingerprint is XXXXblablablaXXX1:81:29:00:3a:c5:fb:XXXXXXXXXXX.
        Are you sure you want to continue connecting (yes/no)? yes
        Warning: Permanently added 'node.your-domain.com,XXX.XXX.XXX.XXX' (RSA) to the list of known hosts.
        user@node.your-domain.com's password:

    Answer yes. It won't ask again. To use a different user name for the login, state it on the command line: ssh -l username name-of-server
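An added check for the sshd_config changes recommended above (example code, not part of the tutorial): it resolves each keyword the way sshd does, where the first uncommented occurrence wins, and flags a Protocol setting that still allows SSH1, PermitRootLogin other than no, LoginGraceTime above 120, UseDNS not set to no, and a missing Banner. The two sample configuration files are constructed, the defaults assumed for unset keywords are the ones shown in the sample file above, and the file is assumed to contain no Match blocks.

```shell
#!/bin/bash
# Added example (not from the tutorial): audit an sshd_config against the
# changes recommended in this section.  Assumes the file has no "Match" blocks.
# sshd(8) uses the FIRST uncommented occurrence of a keyword, so a "grep |
# tail -1" style check gives the wrong answer; this implements the real rule.

# Print the effective value of keyword $2 in config file $1 (empty if unset).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }             # comments and blank lines
        {
            sub(/^[[:space:]]+/, "")
            n = split($0, f, /[[:space:]=]+/)     # "Key value" or "Key=value"
            if (n >= 2 && tolower(f[1]) == key) { print f[2]; exit }
        }' "$1"
}

# Check the items this section changes from the shipped defaults.  Prints one
# FAIL/WARN line per finding; the return status is the number of findings.
audit_sshd_config() {
    local cfg="$1" v findings=0

    v=$(sshd_effective "$cfg" Protocol); : "${v:=2,1}"   # default in the page's sample file
    case ",$v," in *,1,*) echo "FAIL Protocol=$v: SSH1 enabled, set 'Protocol 2'"; findings=$((findings+1));; esac

    v=$(sshd_effective "$cfg" PermitRootLogin); : "${v:=yes}"
    [ "$v" = no ] || { echo "FAIL PermitRootLogin=$v: set 'PermitRootLogin no'"; findings=$((findings+1)); }

    v=$(sshd_effective "$cfg" LoginGraceTime); : "${v:=600}"
    case "$v" in *[!0-9]*) v=999999;; esac     # time-format values (e.g. 2m) are flagged; use plain seconds
    [ "$v" -le 120 ] || { echo "FAIL LoginGraceTime=$v: set 'LoginGraceTime 120'"; findings=$((findings+1)); }

    v=$(sshd_effective "$cfg" UseDNS); : "${v:=yes}"   # assume the old default (yes) when unset
    [ "$v" = no ] || { echo "WARN UseDNS=$v: slow logins when reverse DNS is broken"; findings=$((findings+1)); }

    v=$(sshd_effective "$cfg" Banner)
    [ -n "$v" ] && [ "$v" != none ] || { echo "WARN Banner unset: no legal notice shown before login"; findings=$((findings+1)); }

    return "$findings"
}

# Constructed samples: the shipped defaults quoted in this section, and a
# hardened file that also shows first-occurrence-wins (the trailing
# "PermitRootLogin yes" is ignored by sshd).
SHIPPED=$(mktemp); HARDENED=$(mktemp)
cat > "$SHIPPED" <<'EOF'
Port 22
#Protocol 2,1
LoginGraceTime 600
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARDENED" <<'EOF'
Port 22
Protocol 2
LoginGraceTime 120
PermitRootLogin no
UseDNS no
Banner /etc/issue.net
PermitRootLogin yes
EOF

for f in "$SHIPPED" "$HARDENED"; do
    echo "== $f"
    audit_sshd_config "$f" && echo "clean"
done
```

Run it as `audit_sshd_config /etc/ssh/sshd_config` on the server after editing; a non-zero exit status means at least one of the recommended changes is still missing.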

Note: You can now also use the command sftp for secure ftp file transfers using ssh.

OpenSSH Man Pages:

  • ssh – OpenSSH SSH client (remote login program)
  • sshd – OpenSSH ssh daemon
  • ssh-keygen – Used to create RSA keys (host keys and user authentication keys)
  • ssh_config – OpenSSH SSH client configuration file
  • sshd_config – OpenSSH SSH daemon configuration file
  • ssh-add – adds RSA or DSA identities for the authentication agent. Used to register new keys with the agent.
  • scp – secure copy (remote file copy program)
  • ssh-agent – authentication agent. This can be used to hold RSA keys for authentication.
  • sftp – Secure file transfer program
  • sftp-server – SFTP server subsystem

Other OpenSSH Links:

  • Red Hat Open SSH Guide – Also scp, sftp, Gnome ssh-agent
  • Linux Journal: OpenSSH Part I

SSH for MS/Windows Links:

  • PuTTY. Also see PuTTY configuration
  • Tera Term

SSH Notes:

  • The sshd should not be started using xinetd/inetd due to the time necessary to perform calculations when it is initialized.
  • The ssh client is installed setuid root. sshd on the server runs as root. Root privileges are required to communicate on ports lower than 1024. The -p option may be used to run SSH on a different port.
  • RSA is used for key exchange, and a conventional cipher (default Blowfish) is used for encrypting the session.
  • Encryption is started before authentication, and no passwords or other information is transmitted in the clear.
  • Authentication:
    • Login is invoked by the user. The client tells the server which public key the user wishes to use for authentication.
    • The server then checks whether this public key is admissible. If so, it generates a random number, encrypts it with the public key and sends the value to the client.
    • The client then decrypts the number with its private key and computes a checksum. The checksum is sent back to the server.
    • The server computes a checksum from the same data and compares the checksums.
    • Authentication is accepted if the checksums match.
  • SSH will use $HOME/.rhosts (or $HOME/.shosts)
  • To establish a secure network connection on another TCP port, use “tunneling” options with the ssh command:
    • Forward TCP local port to hostport on the remote-host: ssh remote-host -L port:localhost:hostport command

    Specifying ports lower than 1024 will require root access. FTP opens various ports and thus is not a good candidate. Port 21 is only used to establish the connection.
