Secure communication with the server using OpenSSH
2010-08-20
Revision History

Revision | Date | Author | Description
---|---|---|---
0.1 | 2010-08-20 | FU | Initial version
Blocking brute force attempts
After installing the server with the basic operating system we need a way to reach it securely from a remote location. This is where SSH comes in. We want to configure SSH so that the chance of anyone else logging in is as small as possible. On the Internet, brute-force login attempts over SSH are common: scripts try different user names and passwords against the server. These attempts show up in /var/log/auth.log. To stop them we install the Debian package fail2ban, which watches the log and blocks addresses after repeated failed logins. With the standard settings we have working basic protection.

The next step is to harden the SSH login.
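To make visible what fail2ban's sshd jail does with /var/log/auth.log, here is an added example (not part of the original page and not fail2ban's own code) that runs the same idea over a few constructed log lines: count "Failed password" lines per source address and flag an address once it has maxretry failures inside a sliding findtime window. The log lines, host name, addresses and the maxretry/findtime values are constructed for the demonstration, not taken from a real system or from fail2ban's defaults.

```python
"""Sketch of the decision logic behind fail2ban's sshd jail, run on constructed lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The sshd failure line that fail2ban's sshd filter reacts to (syslog prefix included).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed stand-in for /var/log/auth.log (documentation addresses, not real data).
SAMPLE_LOG = """\
Aug 20 10:15:32 server sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 20 10:15:35 server sshd[1236]: Failed password for invalid user oracle from 203.0.113.5 port 51236 ssh2
Aug 20 10:15:40 server sshd[1240]: Failed password for root from 203.0.113.5 port 51240 ssh2
Aug 20 10:16:01 server sshd[1250]: Accepted publickey for fu from 192.0.2.10 port 40000 ssh2
Aug 20 10:20:12 server sshd[1260]: Failed password for fu from 192.0.2.10 port 40010 ssh2
Aug 20 10:20:20 server sshd[1262]: Accepted password for fu from 192.0.2.10 port 40012 ssh2
Aug 20 11:05:00 server sshd[1300]: Failed password for root from 198.51.100.7 port 33000 ssh2
Aug 20 11:30:00 server sshd[1310]: Failed password for root from 198.51.100.7 port 33001 ssh2
Aug 20 11:55:00 server sshd[1320]: Failed password for root from 198.51.100.7 port 33002 ssh2
"""


def parse_timestamp(ts: str, year: int = 2010) -> datetime:
    """Syslog timestamps carry no year; one is assumed (2010 matches the page's date)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_offenders(log_text: str, maxretry: int = 3, findtime: int = 600) -> dict:
    """Return {ip: timestamp of the failure that would trigger a ban}.

    An address is flagged once it has `maxretry` failures within a sliding
    window of `findtime` seconds, which is how fail2ban decides to ban.
    Failures that are spread out more thinly than the window never add up.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m or m.group("ip") in banned:
            continue
        ip = m.group("ip")
        ts = parse_timestamp(m.group("ts"))
        q = recent[ip]
        q.append(ts)
        # Forget failures that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} would be banned at {when:%H:%M:%S}")
```

In the sample, 203.0.113.5 fails three times within a few seconds and is flagged, while 198.51.100.7 also fails three times but 25 minutes apart, so with a 600-second window it is never flagged; widening findtime changes that, which is exactly the trade-off the fail2ban jail settings control.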
Setting up SSH host keys
We want to make sure that we are talking to our own machine. Following "SSH Host Key Protection" we set up a proper ssh_known_hosts file on our working computer. To get the server's fingerprint and settings we first need its keys.

First we log into the machine, ideally locally. If that is not possible we have to hope that no cracker has taken over the machine yet. When we log in via SSH we are asked to accept the host and are shown a key fingerprint. We can check this fingerprint on the server with

    ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub

That should give the same result as the fingerprint the SSH login process showed.
First we fetch the public key from the server:

    scp user@example.org:/etc/ssh/ssh_host_rsa_key.pub example.org-host_rsa_key.pub

To create a ssh_known_hosts entry for this machine we need to know the names this machine goes by: example.org, example.com and example.net. We edit example.org-host_rsa_key.pub, removing the user name at the end (root@example.org) and adding the server names, comma-separated, in front of ssh-rsa, e.g.

    example.org,example.com,example.net ssh-rsa XXX

Then we hash the file, as described in "Protecting SSH from known_hosts Address Harvesting", with this command:

    ssh-keygen -H -f example.org-host_rsa_key.pub

ssh-keygen keeps a copy of the unhashed file with the suffix .old, which we remove:

    rm example.org-host_rsa_key.pub.old

Then we append the hashed file to /etc/ssh/ssh_known_hosts:

    cat example.org-host_rsa_key.pub >> /etc/ssh/ssh_known_hosts

Now we can connect to the machine under any of its names without being asked to add the host to known_hosts.
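The two checks in this section, comparing the fingerprint from ssh-keygen -l and hashing the host names with ssh-keygen -H, are simple enough to redo by hand, which makes it clear what one is trusting. The following is an added example (not part of the original page, and not OpenSSH's code) that reproduces both with only the Python standard library: it computes the colon-separated MD5 fingerprint that ssh-keygen printed in 2010 and the SHA256 form OpenSSH 6.8 and later print, writes one hashed ssh_known_hosts line per name in the |1|salt|hmac format, and checks whether a hashed line belongs to a given host name, which is the test ssh itself performs on connect. The public key used here is a constructed blob with a tiny modulus in the correct wire format, not a real host key, and the fixed salt exists only to make the output reproducible (ssh-keygen draws a random one per line).

```python
"""Host key fingerprints and hashed ssh_known_hosts lines with hashlib/hmac only."""
import base64
import hashlib
import hmac
import os
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n: int) -> bytes:
    """SSH wire-format multiple-precision integer (positive values only here)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:        # keep the sign bit clear
        raw = b"\x00" + raw
    return ssh_string(raw)


# Constructed stand-in for /etc/ssh/ssh_host_rsa_key.pub: right format, but the
# modulus is far too small to be a usable key (assumed demo values only).
DEMO_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xC0FFEE1234567891)
DEMO_PUBKEY_LINE = "ssh-rsa " + base64.b64encode(DEMO_BLOB).decode() + " root@example.org"


def parse_pubkey_line(line: str):
    """Split 'ssh-rsa AAAA... comment' into (key type, raw key blob)."""
    keytype, b64 = line.split()[:2]      # the trailing comment is ignored
    blob = base64.b64decode(b64)
    # The blob names its own type; make sure the text label agrees with it.
    declared_len = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + declared_len] != keytype.encode():
        raise ValueError("key type label does not match key blob")
    return keytype, blob


def fingerprint_md5(line: str) -> str:
    """Colon-separated MD5 fingerprint, the form `ssh-keygen -l` printed in 2010."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(line: str) -> str:
    """SHA256:<base64 without padding>, the form OpenSSH 6.8 and later print."""
    _, blob = parse_pubkey_line(line)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def hashed_known_hosts_lines(names, line: str, salt: bytes = None) -> list:
    """One hashed ssh_known_hosts line per host name, as `ssh-keygen -H` writes.

    Format: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=name)) <type> <key>.
    ssh-keygen draws a fresh 20-byte salt per line; a fixed salt may be passed
    so that the output is reproducible.
    """
    keytype, blob = parse_pubkey_line(line)
    keytext = base64.b64encode(blob).decode()
    out = []
    for name in names:
        s = salt if salt is not None else os.urandom(20)
        mac = hmac.new(s, name.encode(), hashlib.sha1).digest()
        out.append(f"|1|{base64.b64encode(s).decode()}|{base64.b64encode(mac).decode()} {keytype} {keytext}")
    return out


def hashed_entry_matches(entry: str, name: str) -> bool:
    """Is this known_hosts entry the one for `name`?

    The hashed form cannot be listed, which is the point of hashing, but ssh can
    recompute the HMAC for the one host it is about to contact and compare.
    """
    hostpart = entry.split(" ", 1)[0]
    if not hostpart.startswith("|1|"):
        return name in hostpart.split(",")     # plain, unhashed entry
    _, _, salt_b64, mac_b64 = hostpart.split("|")
    salt = base64.b64decode(salt_b64)
    expected = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(expected, base64.b64decode(mac_b64))


if __name__ == "__main__":
    print(fingerprint_md5(DEMO_PUBKEY_LINE))
    print(fingerprint_sha256(DEMO_PUBKEY_LINE))
    for entry in hashed_known_hosts_lines(["example.org", "example.com", "example.net"], DEMO_PUBKEY_LINE):
        print(entry)
```

Note that the fingerprint covers only the key blob, not the comment or the host names in front of it, so the value computed from example.org-host_rsa_key.pub after editing is the same one ssh-keygen -l showed on the server; and since each hashed line carries its own salt, the three lines for the three names share nothing that would let a reader recover the names from the file.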
Setting up a SSH keypair and configuring keychain