completes the sshd doc

This commit is contained in:
waldek 2021-07-13 21:12:02 +02:00
parent 211cedccb6
commit c025fd0e46
1 changed files with 162 additions and 9 deletions

View File

@ -403,13 +403,38 @@ This might look a bit intimidating but I'll break down the command line options
* `--ssh-cmd -i student` is needed to specify our specific private key (not needed if you use `~/.ssh/id_rsa.pub`) * `--ssh-cmd -i student` is needed to specify our specific private key (not needed if you use `~/.ssh/id_rsa.pub`)
* `-D` will daemonize the VPN so you can continue to use the shell * `-D` will daemonize the VPN so you can continue to use the shell
A more basic way of creating a VPN over ssh, if you use your main `~/.ssh/id_rsa` file is identity, would be as follows.
You can't execute this command because your public key is not present on this server but it's to give you a more bare bones idea of a valid sshuttle.
Note that here I connect not to the standard port 22 but to a custom port 4040.
This command won't daemonize so you would need to open a second terminal to execute other commands.
```
➜ ~ git:(master) ✗ sshuttle -r pi@home.86thumbs.net:4040 -x home.86thumbs.net 0.0.0.0/0
```
**Can you explain me why you need you're prompted for your `sudo` password?**
## Tweaking the sshd configuration file ## Tweaking the sshd configuration file
All server configuration is done in the `/etc/ssh/sshd_config` file. All server configuration is done in the `/etc/ssh/sshd_config` file.
Starting version TO_CHECK you can use the modern `/etc/ssh/sshd_config.d/` folder system to override default system configuration. Starting version TO_CHECK you can use the modern `/etc/ssh/sshd_config.d/` folder system to override default system configuration.
This way any changes to the standard configuration made by the package maintainers won't mess with your custom preferences and tweaks. This way any changes to the standard configuration made by the package maintainers won't mess with your custom preferences and tweaks.
I highly recommend to read through the `man sshd_config` pages for a detailed explanation of all possible settings.
The Debian configuration is quite secure but we can improve it a bit.
Below are some standard security improvements you'll find on lot's of servers.
### Version **A word of caution.**
You can lock yourself out of your server!
Try out some options now on your virtual machines so you get a firm understanding of what they all do.
If you lock yourself out of a remote server you'll have to either gain physical access or reboot the VPS in rescue mode.
For OVH, the VPS provider I tend to use, the rescue mode is detailed [here](https://support.us.ovhcloud.com/hc/en-us/articles/360010553920-How-to-Recover-Your-VPS-in-Rescue-Mode).
With other providers it will be different but similar.
### Some classic security enhancements
There are more options available but these are some of the most used one.
#### Version
A modern sshd configuration will only allow version 2 but you can check or specify this in the configuration file. A modern sshd configuration will only allow version 2 but you can check or specify this in the configuration file.
You'll probably never have to set this yourself but do keep it in mind when you're confronted with old installations. You'll probably never have to set this yourself but do keep it in mind when you're confronted with old installations.
@ -426,7 +451,135 @@ Protocol
“2,1” is identical to “1,2”. “2,1” is identical to “1,2”.
``` ```
### Some classic security enhancements #### Root login
Most systems we install, and the ones you'll deploy later, perform system management via `sudo` so there is no point in even allowing the `root` user to log in.
We can deny any attempt to log in as root with the following option.
I would advise to always set this option to no.
```
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password,
forced-commands-only, or no. The default is prohibit-password.
If this option is set to prohibit-password (or its deprecated alias, without-password), password and key
board-interactive authentication are disabled for root.
If this option is set to forced-commands-only, root login with public key authentication will be allowed,
but only if the command option has been specified (which may be useful for taking remote backups even if
root login is normally not allowed). All other authentication methods are disabled for root.
If this option is set to no, root is not allowed to log in.
```
#### Key only login
Once you properly understand how to do key based login it's wise to disable password login all together for internet facing servers.
This protects you for [bruteforce](https://en.wikipedia.org/wiki/Brute-force_attack) attacks and script kiddies.
On a LAN you can get away with leaving them but I would still advise to keep it key only as we'll later see how an attacker can forward your ssh server to an off-site remote server.
Here I would put no to override the default.
```
PasswordAuthentication
Specifies whether password authentication is allowed. The default is yes.
```
#### Allow only specific users and groups
On systems with lot's of users and groups it might be wise to only permit certain groups and/or users.
Messing with this setting is a common way of locking oneself out of a server so think before you restart sshd.
It's worth noting that upon a restart of your sshd service, your active connection is **not** interrupted so keep it upen en try a login in a different terminal.
If you would happen to have locked yourself out you can still use the previous connection to rectify the problem.
For VPS servers I often create a group `ssh_allowed` and add myself and other administrators to this group.
Then I set the `AllowGroups ssh_allowed` to block all users not in that group from connecting to the server.
I often use the `AllowUsers` setting together with `Match` blocks to allow TCP forwarding for one special user but more on that later.
```
AllowGroups
This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login
is allowed only for users whose primary group or supplementary group list matches one of the patterns.
Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all
groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers,
DenyGroups, and finally AllowGroups.
See PATTERNS in ssh_config(5) for more information on patterns.
AllowUsers
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login
is allowed only for user names that match one of the patterns. Only user names are valid; a numerical
user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form
USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particu
lar hosts. HOST criteria may additionally contain addresses to match in CIDR address/masklen format.
The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and
finally AllowGroups.
See PATTERNS in ssh_config(5) for more information on patterns.
```
#### Forwarding
Unless you need, and we'll need it later, port forwarding it's best to set the `DisableForwarding` option to yes.
It is be a bit of an extreme measure but fully understandable.
Why enable it if you don't need it?
```
DisableForwarding
Disables all forwarding features, including X11, ssh-agent(1), TCP and StreamLocal. This option over
rides all other forwarding-related options and may simplify restricted configurations.
```
#### Multiple network interfaces
If you have multiple network interfaces such as an ethernet and a wireless interface you can restrict the server to only listen on one of them.
I rarely use this option but it's good to know it exists.
Do note that similar behavior can be achieved with `iptables`.
```
ListenAddress
Specifies the local addresses sshd(8) should listen on. The following forms may be used:
ListenAddress hostname|address [rdomain domain]
ListenAddress hostname:port [rdomain domain]
ListenAddress IPv4_address:port [rdomain domain]
ListenAddress [hostname|address]:port [rdomain domain]
The optional rdomain qualifier requests sshd(8) listen in an explicit routing domain. If port is not
specified, sshd will listen on the address and all Port options specified. The default is to listen on
all local addresses on the current default routing domain. Multiple ListenAddress options are permitted.
For more information on routing domains, see rdomain(4).
```
#### Maximum of authentication tries
You can limit the amount of tries a user has before the connection is canceled by the server but **watch out with this one**.
It acts differently from how you think it does!
When a user presents himself to the server, every key in their `~/.ssh/` is presented one by one to the server and each key is a try.
So if you set this value too low you might lock yourself out in the future without realizing why.
Imagine you only have one key, then everything is fine with a low value but if later down the line you create more keys this could become a problem and I guarantee you it will take you a while to figure it out.
```
MaxAuthTries
Specifies the maximum number of authentication attempts permitted per connection. Once the number of
failures reaches half this value, additional failures are logged. The default is 6.
```
Have a look at [this](https://unix.stackexchange.com/questions/418582/in-sshd-config-maxauthtries-limits-the-number-of-auth-failures-per-connection) for a more detailed explanation of **what** counts as a **try**.
### Some *fun* stuff
You can set banner and motd (message of the day) files that will be shown to the user upon login.
This is what bandit uses to draw their ASCII banner when you log in.
```
Banner
The contents of the specified file are sent to the remote user before authentication is allowed. If the
argument is none then no banner is displayed. By default, no banner is displayed.
PrintMotd
Specifies whether sshd(8) should print /etc/motd when a user logs in interactively. (On some systems it
is also printed by the shell, /etc/profile, or equivalent.) The default is yes.
```
### Tunneling and X forward ### Tunneling and X forward