By Kurt Seifried Rev 0.1
Securing specific services - SSHD (S07.C03)
SSH is an inherently secure protocol (well, a hell of a lot more than telnet anyway). It was designed from the beginning to offer a maximum of security, and is designed for remote access of servers in a secure manner. SSH can be used to secure any network-based traffic by setting it up as a 'pipe', i.e. binding it to a certain port at both ends. This is quite kludgy but good for such things as using X across the Internet (yikes). In addition to this, the server component runs on most unices and NT, and the client component runs on pretty much anything.
There aren't any 'problems' with SSH per se like there are with telnet, so I'll skip right into the securing it section. SSH typically runs as a daemon, and can easily be locked down by using the sshd_config file. You can also run sshd out of inetd, and thus use tcp_wrappers, however I do not think this is worth the effort, and the payoff is negligible. I have never ever heard of anyone actually being hacked via ssh (either sniffing the data, or a problem with the ssh server/etc); however, it is best to run the latest version as there are a few problems with older versions.
The firewalling rules for ssh are pretty much identical to telnet, and there is of course no tcp_wrappers unless you decide to run sshd out of inetd, or compile it with support for tcp_wrappers (tcp_wrappers offers a few more features than just using directives in sshd_config). The following is an example of allowing people to ssh from internal machines, and a certain C class on the Internet (say the C class your ISP uses for its dial-up pool of modems).
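# allow ssh from the internal network
ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 22
# allow ssh from the ISP's dial-up pool
ipfwadm -I -a accept -P tcp -S isp.dial.up.pool/24 -D 0.0.0.0/0 22
# deny ssh from everywhere else
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 22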
In addition to this, ssh has a wonderful configuration file, in /etc/sshd/sshd_config by default in the RPMs available on ftp.replay.com. You can easily restrict who is allowed to log in, from which hosts, and what type of authentication they are allowed to use. The default configuration file is relatively safe, but following is a more secure one with explanations. Please note all this info can be obtained by a 'man sshd', which is one of the few well-written man pages out there.
Port 22                       # runs on port 22, the standard
ListenAddress 0.0.0.0         # listens on all interfaces, you might only want to bind a firewall
                              # internally, etc
HostKey /etc/ssh/ssh_host_key # where the host key is
RandomSeed /etc/ssh/ssh_random_seed # where the random seed is
ServerKeyBits 768             # how long the server key is
LoginGraceTime 300            # how long they get to punch their credentials in
KeyRegenerationInterval 3600  # how often the server key gets regenerated
PermitRootLogin no            # permit root to login? hell no
IgnoreRhosts yes              # ignore .rhosts files in users dir? hell yes
StrictModes yes               # ensures users don't do silly things
QuietMode no                  # if yes it doesn't log anything. yikes. we wanna log logins/etc.
X11Forwarding no              # forward X11? shouldn't have to on a server
FascistLogging no             # maybe we don't wanna log too much.
PrintMotd yes                 # print the message of the day? always nice
KeepAlive yes                 # ensures sessions will be properly disconnected
SyslogFacility DAEMON         # who's doing the logging?
RhostsAuthentication no       # allow rhosts to be used for authentication? the default is no
                              # but nice to say it anyways
RhostsRSAAuthentication no    # is authentication using rhosts or /etc/hosts.equiv sufficient?
                              # not in my mind. the default is yes so let's turn it off.
RSAAuthentication yes         # allow pure RSA authentication? this one is pretty safe
PasswordAuthentication yes    # allow users to use their normal login/passwd? why not.
PermitEmptyPasswords no       # permit accounts with empty password to log in? hell no
Other useful sshd_config directives include:
AllowGroups - explicitly allows groups (/etc/group) to log in using ssh
DenyGroups - explicitly disallows groups (/etc/group) from logging in
AllowUsers - explicitly allows users to log in using ssh
DenyUsers - explicitly blocks users from logging in
AllowHosts - allows certain hosts, the rest will be denied
DenyHosts - blocks certain hosts, the rest will be allowed
IdleTimeout time - time in minutes/hours/days/etc, forces a logout by SIGHUP'ing the process.
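One way to check an existing sshd_config against the security-relevant settings in the example file above (an added example, not part of the original guide or of ssh itself). It assumes keywords are matched case-insensitively and that '#' starts a comment; the sample config is constructed, and a missing directive is reported because the server default then applies.

```python
# Security-relevant values from the example sshd_config in this section.
EXPECTED = {
    "permitrootlogin": "no",
    "ignorerhosts": "yes",
    "strictmodes": "yes",
    "quietmode": "no",
    "rhostsauthentication": "no",
    "rhostsrsaauthentication": "no",
    "permitemptypasswords": "no",
}

# Constructed sample config (not from a real host): root login is enabled
# and RhostsRSAAuthentication is never set.
SAMPLE = """\
Port 22
PermitRootLogin yes   # weak
IgnoreRhosts yes
StrictModes yes
QuietMode no
RhostsAuthentication no
PermitEmptyPasswords no
"""

def parse_sshd_config(text):
    """Return {lowercased keyword: [values]}, skipping comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), []).append(value)
    return settings

def audit(text):
    """Return a sorted list of (keyword, problem) findings."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, wanted in EXPECTED.items():
        values = settings.get(keyword)
        if values is None:
            findings.append((keyword, "not set, server default applies"))
        else:
            for v in values:  # check every occurrence; duplicates may conflict
                if v.lower() != wanted:
                    findings.append((keyword, f"set to {v!r}, expected {wanted!r}"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```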
Contact Kurt Seifried, All rights reserved Kurt Seifried 1998, content and information may not be reposted physically or electronically without the express permission of the author, this includes but is not limited to www mirror sites, email, usenet news, etc.