Security
See also
- Where to install ssh-agent?
- A search for the right place on my system to install ssh-agent
Journal
20170722
- Self-Encrypting Disks pose Self-Decrypting Risks
- Investigation of hardware-based full disk encryption (FDE) drives (2012)
20060514
One day after allowing ssh, I can see brute-force login attempts in /var/log/messages:
...
May 2 22:17:16 mybox sshd[24451]: Did not receive identification string from 210.178.224.71
May 2 22:17:43 mybox sshd[24454]: Invalid user postgres from 210.178.224.71
May 2 22:17:46 mybox sshd[24456]: Invalid user accept from 210.178.224.71
May 2 22:17:48 mybox sshd[24458]: Invalid user leo from 210.178.224.71
May 2 22:17:51 mybox sshd[24460]: Invalid user zeppelin from 210.178.224.71
May 2 22:17:53 mybox sshd[24462]: Invalid user hacker from 210.178.224.71
May 2 22:17:56 mybox sshd[24464]: Invalid user olga from 210.178.224.71
May 2 22:17:59 mybox sshd[24466]: Invalid user boris from 210.178.224.71
May 2 22:18:01 mybox sshd[24468]: Invalid user mathew from 210.178.224.71
May 2 22:18:04 mybox sshd[24475]: Invalid user testing from 210.178.224.71
May 2 22:18:06 mybox sshd[24477]: Invalid user galaxy from 210.178.224.71
May 2 22:18:11 mybox sshd[24481]: Invalid user venice from 210.178.224.71
...
Installed chkrootkit and rkhunter.
Rkhunter gives me this warning:
* Check: SSH
Searching for sshd_config...
Found /etc/ssh/sshd_config
Checking for allowed root login... Watch out Root login possible. Possible risk!
info:
Hint: See logfile for more information about this issue
Checking for allowed protocols... [ Warning (SSH v1 allowed) ]
20060515
Fail2ban should hold off some of the brute-force attacks by modifying firewall rules on the fly.
Used the page "rootkit warnings - they serious? - LinuxQuestions.org" to secure my ssh (/etc/ssh/sshd_config). Also changed the port to a less obvious one:
PermitRootLogin no
# Don't forget to open this port in firewall
Port xx
Protocol 2
Tips to Secure Linux Workstation | Ayman Hourieh's Blog:
20060517
Looking for sshd AllowUser/DenyUser, the message "SecurityFocus Secure Shell: Re: AllowUser/DenyUser" directs me to PAM.
20060604
Whitedust: Recent SSH Brute-Force Attacks
20060610
SSH: Pluggable Authentication Module (PAM) Submethod
20060611
SuSE Help | SUSE Linux Documentation (en) | Reference (en) | System | Authentication with PAM
20060612
It seems I can restrict SSH access in multiple places: firewall, sshd, pam, lids on my box and the firewall on my router.
+-----firewall-------+
|+----sshd----------+|
||+---pam----------+||
|||+--lids--------+|||
||||+-filesystem-+||||      +--firewall--+       _---------_
|||||+----------+|||||      |+----------+|      (           )
||||||  mybox   ++++++------++ myrouter ++------( INTERNET  )
|||||+----------+|||||      |+----------+|      (_         _)
||||+------------+||||      +------------+        ---------
|||+--------------+|||
||+----------------+||
|+------------------+|
+--------------------+
From PenguinSecurity dot Net - SSH User Identities:
- "The goal of using Identity/Pubkey authentication is to remove the need for static passwords. Instead of providing a password, which could be captured by a keystroke logger or witnessed as you type it, you have a key pair on your disk that you use to authenticate. Your account on the SSH server has a list of Identities/Pubkeys that it trusts, and if you can prove you have the public and private key then you are granted access without supplying a password."
How do I disable keyboard authentication?
From man sshd_config:
- PasswordAuthentication
- Specifies whether password authentication is allowed. The default is “yes”.
I can still log in by keyboard... The answer is in this thread: "Google Groups: comp.security.ssh - openssh-2.5.2p2 takes passwords with PasswordAuthentican no?"
20061008
Reset /etc/sshd_config:
#X11Forwarding no
See also: Where to install ssh-agent?