Welcome the company of trees

Secure communication with the server using OpenSSH

2010-08-20

Revision History
Revision 0.1  2010-08-20  FU
Initial version

Blocking brute force attempts

After installing the server with the basic operating system we need a way to reach it securely from a remote location. This is where SSH comes in. We want to configure SSH so that the chance of anyone else logging in is as small as possible. On the Internet, brute force login attempts via SSH are common: a script tries one user name and password after another. You can see these attempts in /var/log/auth.log. To stop them we install the Debian package fail2ban. With its standard settings we already have a working basic protection.

Next step is to harden the SSH login.

Setting up SSH host keys

We want to make sure that we are talking to our own machine. Following SSH Host Key Protection we set up a proper ssh_known_hosts file on our working computer. To get the server's fingerprint and settings we first need to get its host keys.

First we log into the machine, ideally locally. If this is not possible we have to hope that no cracker has taken over the machine yet. When we log in via SSH we are asked to add the host and are shown a key fingerprint. We can then check this fingerprint with

ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

That should give the same result as the SSH login process suggested.

Next we need to get the public key:

scp user@example.org:/etc/ssh/ssh_host_rsa_key.pub example.org-host_rsa_key.pub

To create an ssh_known_hosts entry for this machine we need to know by what names this machine goes: example.org, example.com and example.net. We edit example.org-host_rsa_key.pub by removing the user name at the end (root@example.org) and adding the server names, comma-separated, in front of ssh-rsa, e.g. example.org,example.com,example.net ssh-rsa XXX. Then we hash the file (see Protecting SSH from known_hosts Address Harvesting) with this command:

ssh-keygen -H -f example.org-host_rsa_key.pub

This leaves a backup of the unhashed file with the .old suffix, which we remove:

rm example.org-host_rsa_key.pub.old

Then we append the hashed file to /etc/ssh/ssh_known_hosts:

cat example.org-host_rsa_key.pub >> /etc/ssh/ssh_known_hosts
Now we can connect to the machine by any of these names without being asked to add the host to known_hosts.
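As an added example (not part of the original page or of OpenSSH), the following Python models what the steps above do to the key file: strip the user@host comment, turn the comma-separated name list into hashed entries in the |1|salt|hash format that ssh-keygen -H writes, and look a name up the way ssh does on connect. The host key blob and the host names are constructed placeholders.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for /etc/ssh/ssh_host_rsa_key.pub; the blob is not a real key.
HOST_KEY_LINE = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedBlobForIllustrationOnly root@example.org"
HOST_NAMES = ["example.org", "example.com", "example.net"]


def strip_comment(pub_key_line):
    """Keep only '<type> <base64 blob>', dropping the trailing root@example.org comment."""
    key_type, blob = pub_key_line.split()[:2]
    return f"{key_type} {blob}"


def hash_hostname(name, salt):
    """OpenSSH hashed-host token: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name))."""
    digest = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(digest).decode()


def hashed_known_hosts_entries(pub_key_line, names, salt_source=os.urandom):
    """Equivalent of ssh-keygen -H on 'name1,name2,... ssh-rsa BLOB'.
    One line per name, because a hashed token can only stand for a single host name,
    so the names can no longer be harvested from the file."""
    key = strip_comment(pub_key_line)
    return [f"{hash_hostname(n, salt_source(20))} {key}" for n in names]


def matches(entry, name):
    """What ssh does on connect: recompute the HMAC with the entry's salt and compare."""
    token = entry.split(" ", 1)[0]
    if not token.startswith("|1|"):
        return False
    _, _, salt_b64, digest_b64 = token.split("|")
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(digest_b64))


def lookup(entries, name):
    """Like ssh-keygen -F <name>: return the key for a host name, or None if unknown."""
    for entry in entries:
        if matches(entry, name):
            return entry.split(" ", 1)[1]
    return None
```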

Setting up a SSH keypair and configuring keychain