[轉貼]SSH 的一些安全小技巧

原文

SSH 的一些安全小技巧

作者:網中人 <netman@study-area.org>

版本:v0.03

日期:2007-11-26

* 版本歷程:

1) 2005-09-16 v0.01

- 初版

2) 2006-06-02 v0.02

- 修改 sshopen.sh

3) 2007-11-26 v0.03

- deny unmatched ip

---------------------------------------------------------------------

一, 前言

關於 ssh 的好處, 相信不用我多說了吧?

簡而言之, 之前的 rpc command 與 telnet 都全可用 ssh 代替.

比方如下的這些常見功能:

- 遠端登錄

ssh user@remote.machine

- 遠端執行

ssh user@remote.machine 'command ...'

- 遠端複制

scp user@remote.machine:/remote/path /local/path

scp /local/path user@remote.machine:/remote/path

- X forward

ssh -X user@remote.machine

xcommand ...

- Tunnel / Portforward

ssh -L 1234:remote.machine:4321 user@remote.machine

ssh -R 1234:local.machine:4321 user@remote.machine

ssh -L 1234:other.machine:4321 user@remote.machine

至於詳細的用法, 我這就不說了. 請讀者自行研究吧.

我這裡要說的, 是針對 ssh 服務為大家介紹一些安全技巧, 希望大家用得更安心些.

二, 實作

(實作以 RedHat 9 為範例)

--------------------------------------------------

轉往 client 端:

ssh-keygen -t rsa

* 按三下 enter 完成;不需設密碼,除非您會用 ssh-agent .

scp /.ssh/id_rsa.pub user1@server.machine:id_rsa.pub

* 若是 windows client, 可用 puttygen.exe 產生 public key,

然後複制到 server 端後修改之, 使其內容成為單一一行.

* 如果 server 端已經禁止密碼登入, 那請用其它放法復製 publick key.

---------------------------------------------------

登入 server 端:

1) 禁止 root 登錄

# vi /etc/ssh/sshd_config

PermitRootLogin no

2) 廢除密碼登錄, 強迫使用 RSA 驗證(假設 ssh 帳戶為 user1 )

# vi /etc/ssh/sshd_config

RSAAuthentication yes

PubkeyAuthentication yes

AuthorizedKeysFile .ssh/authorized_keys

PasswordAuthentication no

# service sshd restart

# su - user1

mkdir /.ssh 2>/dev/null

chmod 700 /.ssh

touch /.ssh/authorized_keys

chmod 644 /.ssh/authorized_keys

cat /id_rsa.pub >> /.ssh/authorized_keys

rm /id_rsa.pub

exit

3) 限制 su / sudo 名單:

# vi /etc/pam.d/su

auth required /lib/security/ISA/pam_wheel.so use_uid

# visudo

%wheel ALL=(ALL) ALL

# gpasswd -a user1 wheel

4) 限制 ssh 使用者名單

# vi /etc/pam.d/sshd

auth required pam_listfile.so item=user sense=allow file=/etc/ssh_users

# echo user1 >> /etc/ssh_users

5) 封鎖 ssh 連線並改用 web 控管清單

# iptables -I INPUT -p tcp --dport 22 -j DROP

# mkdir /var/www/html/ssh_open

# cat > /var/www/html/ssh_open/.htaccess <<END

AuthName "ssh_open"

AuthUserFile /var/www/html/ssh_open/.htpasswd

AuthType basic

require valid-user

END

# htpasswd -c /var/www/html/ssh_open/.htpasswd user1

(最好還將 SSL 設起來, 或只限 https 連線更佳, 我這裡略過 SSL 設定, 請讀者自補.)

(如需控制連線來源, 那請再補 Allow/Deny 項目, 也請讀者自補.)

# cat > /var/www/html/ssh_open/ssh_open.php <<END

//Set dir path for ip list

dir_path=".";

//Set filename for ip list

ip_list="ssh_open.txt";

//Get client ip

user_ip=_SERVER['REMOTE_ADDR'];

//allow specifying ip if needed

if (@_GET['myip']) {

user_ip=_GET['myip'];

}

//checking IP format

if (user_ip==long2ip(ip2long(user_ip))) {

//Put client ip to a file

if(@!(file = fopen("dir_path/ip_list","w+")))

{

echo "Permission denied!!<br>";

echo "Pls Check your rights to dir dir_path or file ip_list";

}

else

{

fputs(file,"user_ip");

fclose(file);

echo "client ip(user_ip) has put into dir_path/ip_list";

}

} else {

echo "Invalid IP format!!<br>ssh_open.txt was not changed.";

}

END

# touch /var/www/html/ssh_open/ssh_open.txt

# chmod 640 /var/www/html/ssh_open/*

# chgrp apache /var/www/html/ssh_open/*

# chmod g+w /var/www/html/ssh_open/ssh_open.txt

# chmod o+t /var/www/html/ssh_open

# service httpd restart

# mkdir /etc/iptables

# cat > /etc/iptables/sshopen.sh <<END

#!/bin/bash

PATH=/sbin:/bin:/usr/sbin:/usr/bin

list_dir=/var/www/html/ssh_open

list_file=list_dir/allow_ssh.txt

bad_list=list_dir/bad_ip.txt

auth_log=list_dir/xinetd.log

trusted_ip="127.0.0.1 4.3.2.1"

chain_name=ssh_rules

mail_to=root

# clear chain if exits, or create chain.

iptables -L -n /bin/grep -q "Chain chain_name" && {

iptables -F chain_name

true

} {

iptables -N chain_name

iptables -I INPUT -p tcp --dport 22 -j chain_name

}

# clear chain on demand

[ "1" = clear ] && {

iptables -F chain_name

cat /dev/null > list_file

exit 0

}

# do nothing while list is empty

[ -s list_file ] exit 1

# deny connection if host dosn't math to list

host_ip=(grep 'myssh from=' auth_log tail -1 awk -F'=' '{print NF}')

list_ip=(cat list_file)

if [ -n "host_ip" -a "host_ip" != "list_ip" ]; then

echo -e "{trusted_ip/ /\n}" grep -q "host_ip" {

/sbin/iptables-save grep -q "INPUT -s host_IP -j DROP" {

/sbin/iptables -I INPUT -s host_ip -j DROP

echo host_ip >> bad_list

echo "host_ip is blocked by 0 on (date)" mail -s "block

ip" mail_to

}

exit 2

# add rule

iptables -A chain_name -p tcp --dport 22 -s (< list_file) -j ACCEPT && \

echo "ssh opened to (< list_file) on (date)" \

mail -s "sshopen" mail_to

exit 0

END

# chmod +x /etc/iptables/sshopen.sh

# echo -e 'sshopen\t\t1234/tcp' >> /etc/services

# cat > /etc/xinetd.d/sshopen <<END

service sshopen

{

log_type = FILE /studyarea/www/phorum/xinetd.log

log_on_success = HOST

log_on_failure = HOST

disable = no

socket_type = stream

protocol = tcp

wait = no

user = root

server = /etc/iptables/sshopen.sh

}

# iptables -I INPUT -p tcp --dport 1234 -j ACCEPT

# cat > /etc/cron.d/sshopen <<END

*/5 * * * * root /etc/iptables/sshopen.sh clear

END

---------------------------

轉往 client 端

在 browser URL 輸入:

http://server.machine/ssh_open/ssh_open.php?myip=1.2.3.4

(若不指定 ?myip=1.2.3.4 則以 client 當時 IP 為準, 若沒經 proxy 的話.)

如此, server 端的 ssh_open.txt 只有單一記錄, 每次蓋寫.

接著:

telnet server.machine 1234

然後你有最多 5 分鐘時間用 ssh 連線 server !

---------------------------

此步驟的基本構思如下:

5.1) 將 sshd 的 firewall 連線全部 block 掉.

5.2) 然後在 httpd 那設一個 directory, 可設 ssl+htpasswd+allow/deny control,

然後在目錄內寫一個 php 將 browser ip 記錄於一份 .txt 文字檔裡.

視你的轉寫能力, 你可自動抓取 browser 端的 IP, 也可讓 browser 端傳入參數來指定.

文字檔只有單一記錄, 每次蓋寫, 定期清空.

5.3) 修改 /etc/services , 增加一個新項目(如 xxx), 並指定一個新 port(如 1234)

5.4) 再用 xinetd 監聽該 port , 並啟動令一隻 script,

設定 iptables , 從 step2 的清單裡取得 IP, 為之打開 ssh 連線.

5.5) 設 crontab 每數分中清理 iptables 關於 ssh 連線的規則及清空記錄.

這並不影響既有連線, 若逾時再連, 則重複上述.

6) 要是上一步驟沒設定, 你或許會擔心過多的人來 try 你的 ssh 服務的話:

# cat > /etc/iptables/sshblock.sh <<END

#!/bin/bash

PATH=/sbin:/bin:/usr/sbin:/usr/bin

LOG_FILE=/var/log/secure

KEY_WORD="Illegal user"

KEY_WORD1="Failed password for root"

PERM_LIST=/etc/firewall/bad.list.perm

LIMIT=5

MAIL_TO=root

IPT_SAV="(iptables-save)"

bad_list=(egrep "KEY_WORD" LOG_FILE awk '{print NF}' xargs)

bad_list1=(egrep "KEY_WORD1" LOG_FILE awk '{print 11}' xargs)

bad_list="bad_list bad_list1"

for i in (echo -e "{bad_list// /\n}" sort -u)

hit=(echo bad_list egrep -o "i" wc -l)

[ "hit" -ge "LIMIT" ] && {

echo "IPT_SAV" grep -q "i .*-j DROP" {

echo -e "\ni was dropped on (date)\n" mail -s "DROP by {0##*/}: i" MAIL_TO

iptables -I INPUT -s i -j DROP

}

egrep -q "i" PERM_LIST echo i >> PERM_LIST

}

done

END

# chmod +x /etc/firewall/sshblock.sh

# cat >> /etc/hosts.allow <<END

sshd: ALL: spawn ( /etc/firewall/sshblock.sh )& : ALLOW

END

這樣, 那些亂 try SSH 的家夥, 頂多能試 5 次(LIMIT 可調整), 然後就給 BLOCK 掉了.

此外, 在 PERM_LIST 的 ip, 也可提供給 iptables 的初始 script , 來個永久性封閉:

for i in (< PERM_LIST)

/sbin/iptables -I INPUT -s i -j DROP

done

7) 還有, 你想知道有哪些人對你做 full range port scan 的話:

# iptables -I INPUT -p tcp --dport 79 -j ACCEPT

cat > /etc/xinetd.d/finger <<END

service finger

{

socket_type = stream

wait = no

user = nobody

server = /usr/sbin/in.fingerd

disable = no

}

END

# cat >> /etc/hosts.allow <<END

in.fingerd: ALL : spawn ( echo -e "\nWARNING %a was trying finger.\n(date)" mail -s "finger from %a" root ) & : DENY

END

這裡, 我只是設為發信給 root.

事實上, 你可修改為起動 firewall 將 %a 這個傳回值給 ban 掉也行.

不過, 對方要是有選擇性的做 port scan , 沒掃到 finger 的話, 那當然就沒用了...

三, 結語

security 有蠻多挺好玩的小技巧, 有空再跟大家做分享... _

天兒啊

天兒啊-學習筆記

天兒啊發表在痞客邦留言(0) 人氣(221)

天兒啊-學習筆記

歡迎光臨天兒啊在痞客邦的小天地