Linux Training : Section 7 (Part-5)

Configure and Secure SSH

SSH-

  • Stands for Secure Shell » Provides you with an interface to the Linux system. It takes in your commands and translates them for the kernel, which manages the hardware.

    • ($) » Normal user

    • (#) » Logged in as root

  • OpenSSH is the package/software that provides it

  • Its service daemon is sshd

  • SSH uses port 22 by default

  • SSH itself is secure, meaning communication through SSH is always encrypted, but there is additional configuration that should be done to make it more secure.

Following are the most common configuration steps an administrator should take to secure SSH:

  1. Configure Idle Timeout Interval

    • To avoid leaving an unattended SSH session open, set an idle timeout interval

    • Become root

    • Edit your /etc/ssh/sshd_config file and add the following lines:

      • ClientAliveInterval 600

      • ClientAliveCountMax 0

    • systemctl restart sshd

      The timeout interval you are setting is in seconds (600 secs = 10 minutes). Once the interval has passed, the idle user is automatically logged out.

  2. Disable root login

    • Disabling root login should be one of the first measures you take when setting up a system. It prevents anyone from logging in over SSH with the root account directly

    • Steps-

      • Become root

      • Edit your /etc/ssh/sshd_config file and change PermitRootLogin yes to no

      • PermitRootLogin no

      • systemctl restart sshd

  3. Disable Empty Passwords

    • You need to prevent remote logins from accounts with empty passwords for added security.

    • Steps-

      • Become root

      • Edit your /etc/ssh/sshd_config file and remove the # from (uncomment) the following line

      • PermitEmptyPasswords no

      • systemctl restart sshd

  4. Limit Users’ SSH Access

    • To provide another layer of security, limit SSH logins to only those users who need remote access

    • Steps-

      • Become root

      • Edit your /etc/ssh/sshd_config file and add the following line (a space-separated list of the allowed users)

      • AllowUsers user1 user2

      • systemctl restart sshd

  5. Use a different port

    • By default SSH runs on port 22. Most hackers looking for open SSH servers will look for port 22, so changing it can make the system much more secure

    • Steps-

      • Become root

      • Edit your /etc/ssh/sshd_config file, remove the # from the following line and change the port number

      • Port 22

      • systemctl restart sshd

  6. SSH Keys- Access a Remote Server without a Password

    • Two reasons to access a remote machine without a password

      • Repetitive logins

      • Automation through scripts

    • Keys are generated at user level, e.g. for

      • aditya

      • root

    • Let’s say we have a server machine “LinuxCentOS10“ and a client machine “MyFirstLinuxVM“. Every time we try to access the server from the client it asks for a password, but after copying the client's key over to the server it will not ask any more. It is the same as giving a duplicate of our house key to a tenant.

    • Steps:

      The password prompt on every login is what we want to avoid

      • Generate the key on the client machine » ssh-keygen

      • Copy the key to the server » ssh-copy-id root@192.168.1.x

      • Log in from the client to the server » ssh root@192.168.1.x OR ssh -l root 192.168.1.x

This is how we can log in from the client machine to the server without being asked for a password.
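The sshd_config edits from the hardening steps above, written as an added example (not code from the original notes) that rewrites each directive idempotently so re-running it never duplicates a line, then shows how to verify the result before restarting sshd. The file path, port 2222 and the user list are assumptions; the demo runs on a constructed sample file, not the live config.

```shell
# Added example (not part of the notes): apply the sshd_config hardening
# steps to a file idempotently and check the effective values afterwards.

# set_directive FILE KEY VALUE: rewrite an existing line for KEY (even a
# commented-out "#KEY ..." line) or append it if it is absent.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}([[:space:]]|$)" "$file"; then
        sed -E "s|^[#[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$file" > "$file.tmp" &&
            mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_sshd FILE PORT "USER1 USER2": the idle timeout, root login,
# empty password, AllowUsers and Port settings from the section above.
harden_sshd() {
    file=$1; port=$2; users=$3
    set_directive "$file" ClientAliveInterval 600     # 600 s = 10 min idle
    # OpenSSH 8.2+ treats ClientAliveCountMax 0 as "never disconnect";
    # use 1 on those versions to keep the idle logout working.
    set_directive "$file" ClientAliveCountMax 0
    set_directive "$file" PermitRootLogin no
    set_directive "$file" PermitEmptyPasswords no
    set_directive "$file" AllowUsers "$users"        # plain user list, no trailing "no"
    # A non-default port only cuts scanner noise; it does not replace the rest.
    set_directive "$file" Port "$port"
}

# get_directive FILE KEY: print the effective (uncommented) value of KEY.
get_directive() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Demo on a constructed sample file, never on the live /etc/ssh/sshd_config.
demo() {
    tmp=$(mktemp)
    printf '#PermitRootLogin yes\nPermitEmptyPasswords yes\n#Port 22\nX11Forwarding no\n' > "$tmp"
    harden_sshd "$tmp" 2222 "aditya deploy"
    cat "$tmp"
    # On a real host, validate with "sshd -t" before "systemctl restart sshd".
    rm -f "$tmp"
}
demo
```

Run it twice on the same file and the directive count stays at one per key, which is the property a hand edit with a text editor does not give you.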

Cockpit

  • Cockpit is a server administration tool sponsored by Red Hat, focused on providing a modern-looking and user-friendly interface to manage and administer servers.

  • Cockpit is an easy-to-use, integrated, glanceable and open web-based interface for your servers.

  • The application is available in most Linux distributions, such as CentOS, Red Hat, Ubuntu and Fedora.

  • It is installed in Redhat 2 by default.

  • It can monitor system resources, add or remove accounts, monitor system usage, shut down the system and perform quite a few other tasks, all through a very accessible web connection.

LAB-

  1. Install the package as root on both machines.

  2. Enable the service

    systemctl start/enable cockpit

  3. Access the web interface

    https://192.168.1.10:9090

    Simply log in as root.

    Now you can just browse the options and go through them.

Firewall

Firewall Intro-

  • A wall that prevents the spread of fire.

  • When data moves in and out of a server, its packet information is tested against the firewall rules to see whether it should be allowed or not.

  • In simple words, a firewall is like a watchman, a bouncer or a shield that has a set of rules and, based on those rules, decides who can enter and leave.

  • There are 2 types of firewalls in IT-

    • Software = Runs on the OS

    • Hardware = A dedicated appliance with firewall software

  • There are 2 tools to manage the firewall in most Linux distributions-

    • iptables » For older Linux versions but still widely used

    • firewalld » For newer versions (e.g. CentOS/RHEL 7 and up)


iptables Tool-

  • You can run only one of the two (iptables or firewalld)

    • We will work on iptables

    • Before working with iptables make sure firewalld is not running, and disable it

      • systemctl stop firewalld » To stop the service

      • systemctl disable firewalld » To prevent it from starting at boot time

      • systemctl mask firewalld » To prevent other programs/units from starting it

    • Now check that the package iptables-services is installed

    • Start the service

      • systemctl start iptables

      • systemctl enable iptables

    • To check the iptables rules

      • iptables -L

    • To flush the iptables rules

      • iptables -F


iptables- tables, chains and targets-

  • The function of the iptables tool is packet filtering

The packet filtering mechanism is organized into 3 different kinds of structures: tables, chains and targets.

  1. tables = A table is something that allows you to process packets in specific ways. There are 4 different types of tables: filter, mangle, nat and raw.

  2. chains = Chains are attached to tables. They allow you to inspect traffic at various points. There are 3 main chains used in iptables-

    a. INPUT- incoming traffic

    b. FORWARD- traffic being routed through this host, from one device to another

    c. OUTPUT- outgoing traffic

    Chains allow you to filter traffic by adding rules to them. Rules are checked top to bottom and the first match decides.

    RULE- if traffic is coming from 192.168.1.10 then go to the defined target.

  3. targets = A target decides the fate of a packet, such as allowing or rejecting it. There are 3 main types of target

    1. ACCEPT= connection accepted

    2. REJECT= send a reject response

    3. DROP= drop the packet without sending any response
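An INPUT chain built from the RULE above, as an added example (not from the original notes) showing chain order, the three targets and the default policy together. The `ipt` wrapper is an assumption: with IPT_DRYRUN=1 it prints the commands instead of running them, so the script can be read and tested without root; the addresses and port are constructed.

```shell
# Added example (not part of the notes): the filter table's INPUT chain
# written out rule by rule. Rules are evaluated top to bottom; the first
# match picks the target, and the chain policy applies when nothing matches.
ipt() {
    if [ "${IPT_DRYRUN:-0}" = "1" ]; then
        echo "iptables $*"         # dry run: show what would be executed
    else
        iptables "$@"
    fi
}

build_input_chain() {
    ipt -F INPUT                                        # start from an empty chain
    ipt -A INPUT -i lo -j ACCEPT                        # loopback traffic is always fine
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -s 192.168.1.10 -j DROP                # the page's RULE: this source -> DROP
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT            # SSH (use the Port you configured)
    ipt -A INPUT -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-prohibited
    ipt -P INPUT DROP                                   # policy: everything else is silently dropped
}

# Order matters: the DROP for 192.168.1.10 sits before the SSH ACCEPT, so that
# host cannot reach port 22 even though SSH is open to everyone else.
build_input_chain
# With the iptables-services package, "service iptables save" writes the live
# rules to /etc/sysconfig/iptables so they survive a reboot.
```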


Firewall (firewalld)

  • firewalld works the same way as iptables but of course it has its own command

    • firewall-cmd

  • It has a few pre-defined service rules that are very easy to turn on and off

    • Services such as NFS, NTP, HTTPD, etc.

  • firewalld also has the following:

    • Tables

    • Chains

    • Rules

    • Targets

  • You can run only one of the two » iptables or firewalld

  • Make sure iptables is stopped, disabled and masked

    • systemctl stop iptables

    • systemctl disable iptables

    • systemctl mask iptables

  • Now check that the package is installed

    • rpm -qa | grep firewalld

  • Start the firewall

    • systemctl start firewalld

  • Check the rules of firewalld

    • firewall-cmd --list-all

  • Get a listing of all services firewalld is aware of:

    • firewall-cmd --get-services

  • To make firewalld re-read the configuration you added

    • firewall-cmd --reload


firewalld - Practical Examples

  1. firewalld has multiple zones; to get a list of all zones

  2. To get a list of active zones

  3. To get the firewall rules for the public zone

  4. To add a service (http)

  5. To remove a service (http)

  6. To reload the firewalld configuration

  7. To add or remove a service permanently

    1. firewall-cmd --add-service=http --permanent

    2. firewall-cmd --remove-service=http --permanent

  8. To add a port

  9. To remove a port

  10. To reject incoming traffic from an IP address

  11. To block and unblock ICMP incoming traffic

  12. To block outgoing traffic to a specific website/IP address
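The practical list above as working firewall-cmd calls, an added example that is not part of the original notes. The `fwc` wrapper (dry run when FW_DRYRUN=1), the port 2222 and the addresses 192.168.1.10 and 203.0.113.5 are constructed assumptions; the commands themselves are standard firewall-cmd options.

```shell
# Added example (not part of the notes): the 12 practical items as shell
# functions. Runtime changes disappear on reload or reboot; --permanent
# changes are stored but only become live after --reload.
fwc() {
    if [ "${FW_DRYRUN:-0}" = "1" ]; then echo "firewall-cmd $*"; else firewall-cmd "$@"; fi
}

# 1-3: zones, the active ones (bound to an interface or source), and public
show_zones() {
    fwc --get-zones
    fwc --get-active-zones
    fwc --zone=public --list-all
}

# 4, 5, 7: allow or remove a predefined service, runtime and permanent
allow_http() { fwc --add-service=http;    fwc --add-service=http --permanent; }
deny_http()  { fwc --remove-service=http; fwc --remove-service=http --permanent; }

# 8-9: a custom port; the protocol is mandatory (e.g. the sshd Port chosen above)
open_port()  { fwc --add-port="$1/tcp" --permanent; }
close_port() { fwc --remove-port="$1/tcp" --permanent; }

# 10: reject traffic (with a response) from one source address via a rich rule
reject_source() {
    fwc --add-rich-rule="rule family=\"ipv4\" source address=\"$1\" reject" --permanent
}

# 11: block / unblock incoming ping (ICMP echo-request)
block_ping()   { fwc --add-icmp-block=echo-request --permanent; }
unblock_ping() { fwc --remove-icmp-block=echo-request --permanent; }

# 12: zones filter incoming traffic only, so outgoing blocks need a direct
# rule in the OUTPUT chain of the filter table (iptables syntax after the priority)
block_outgoing() {
    fwc --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d "$1" -j DROP
}

# 6: make the permanent changes live
reload_rules() { fwc --reload; }

# Dry-run walkthrough with constructed values
FW_DRYRUN=1
show_zones; allow_http; open_port 2222; reject_source 192.168.1.10
block_ping; block_outgoing 203.0.113.5; reload_rules
```

Check the result with `firewall-cmd --list-all` after the reload; rich rules and ICMP blocks appear in their own lines of that output.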


Thanks for going through this blog, Happy Learning !! 😁

Written by

Aditya Dev Shrivastava