Secure OpenSSH with Key based authentication and TCP Wrappers

SSH (Secure Shell) was created to provide a secure mechanism for transferring data between source and destination hosts on an IP-based network. SSH uses encryption and digital signatures to protect the confidentiality and integrity of the data being transferred.
OpenSSH is a free and open-source implementation of SSH. It also supports additional features such as tunnelling, TCP port forwarding and X11 forwarding.



In this article we will use private/public key-based authentication together with TCP Wrappers. In this deployment the user on the client holds the private key and the server stores the corresponding public key.


Configure Private/Public Key-Based Authentication

1. We need to make sure the user “sam” (or any other user you want to use) exists on both the server and the client.

2. We will now generate an RSA private/public key pair for user “sam” on the client. Enter a passphrase when prompted.

<pre>
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sam/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/sam/.ssh/id_rsa.
Your public key has been saved in /home/sam/.ssh/id_rsa.pub.
The key fingerprint is:
78:58:97:3d:0e:26:aa:5b:17:2f:f9:dd:3d:ce:4c:8e boris@sampc
The key's randomart image is:
+--[ RSA 2048]----+
|      . +++.     |
|     . =oooo     |
|      o .oo..    |
|       +  .o . ..|
|      o S   . .oo|
|       .      B .|
|             E = |
|                 |
|                 |
+-----------------+
</pre>

Now if you look at the ~/.ssh directory, you should see the following:

<pre>
$ ls
id_rsa  id_rsa.pub  known_hosts
</pre>

where id_rsa is your private key and id_rsa.pub is your public key. There is also a file called known_hosts, which stores the hostname, IP address and a copy of the public host key of each system we have connected to.

We must make sure that the system on which you set up key-based authentication is physically secured and that access is limited to the specified user only.

3. Our next step is to copy the public key from the client to the server.

<pre>
$ cd ~/.ssh
$ ssh-copy-id -i id_rsa.pub server
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
sam@server's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'server'"
and check to make sure that only the key(s) you wanted were added.
</pre>

You can now log in to your server with just the key passphrase. In some cases you may skip creating a passphrase, in which case you can log in without typing anything, but this is not recommended.
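Once ssh-copy-id has run, it is worth checking what actually landed in the server's ~/.ssh/authorized_keys and whether sshd will accept the file at all. The script below is an added example, not part of the original article: it decodes the OpenSSH wire format of each ssh-rsa entry to report the modulus size (the randomart above shows a 2048-bit key; anything smaller is flagged as weak), and it checks the file modes that sshd enforces with its default StrictModes setting (a ~/.ssh directory or authorized_keys file writable by group or others makes sshd ignore the keys, which is a common reason key logins silently fall back to passwords). All keys in the sample are constructed from fixed numbers and are not real keys; the temporary directory stands in for /home/sam/.ssh.

```python
"""Added example (not from the article): inspect what ssh-copy-id installed.
Parses authorized_keys entries, reports RSA modulus sizes from the OpenSSH
wire format, and checks the file modes sshd (StrictModes yes) insists on."""
import base64
import os
import stat
import struct
import tempfile


def wire_string(data):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def wire_mpint(n):
    """SSH mpint: big-endian magnitude with a leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return wire_string(raw)


def read_string(blob, offset):
    """Decode one wire-format string; returns (bytes, offset_after)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rsa_bits(blob):
    """Modulus size in bits of a decoded ssh-rsa blob (layout: name, e, n), else None."""
    algo, off = read_string(blob, 0)
    if algo != b"ssh-rsa":
        return None
    _e, off = read_string(blob, off)
    n, _ = read_string(blob, off)
    return int.from_bytes(n, "big").bit_length()


def parse_authorized_keys(text):
    """One dict per key line: type, RSA bits (None for other types), comment, weak flag."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # An options prefix such as from="10.10.10.1" is optional; the key type follows it.
        idx = next((i for i, f in enumerate(fields) if f.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(fields):
            continue
        key_type, b64 = fields[idx], fields[idx + 1]
        bits = rsa_bits(base64.b64decode(b64)) if key_type == "ssh-rsa" else None
        entries.append({
            "type": key_type,
            "bits": bits,
            "comment": " ".join(fields[idx + 2:]),
            "weak": key_type == "ssh-rsa" and bits < 2048,
        })
    return entries


def audit_ssh_dir(ssh_dir):
    """sshd refuses the key file when ~/.ssh or authorized_keys is group/other writable."""
    findings = []
    for path in (ssh_dir, os.path.join(ssh_dir, "authorized_keys")):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o022:
            findings.append(f"{path}: mode {mode:04o} is group/other writable")
    return findings


# Constructed sample keys: the "moduli" are just fixed 2048-bit and 1024-bit numbers.
STRONG_RSA = base64.b64encode(
    wire_string(b"ssh-rsa") + wire_mpint(65537) + wire_mpint((1 << 2047) | 1)).decode()
WEAK_RSA = base64.b64encode(
    wire_string(b"ssh-rsa") + wire_mpint(65537) + wire_mpint((1 << 1023) | 1)).decode()
ED25519 = base64.b64encode(wire_string(b"ssh-ed25519") + wire_string(bytes(32))).decode()

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample, not real keys
ssh-rsa {STRONG_RSA} sam@sampc
from="10.10.10.1" ssh-rsa {WEAK_RSA} old-laptop
ssh-ed25519 {ED25519} sam@sampc
"""


def demo():
    """Write the sample into a temporary stand-in for /home/sam/.ssh and audit it twice."""
    ssh_dir = tempfile.mkdtemp()                     # created with mode 0700
    ak_path = os.path.join(ssh_dir, "authorized_keys")
    with open(ak_path, "w") as fh:
        fh.write(SAMPLE_AUTHORIZED_KEYS)
    os.chmod(ak_path, 0o664)                         # deliberately too loose
    before = audit_ssh_dir(ssh_dir)
    os.chmod(ak_path, 0o600)                         # what the file should be left as
    after = audit_ssh_dir(ssh_dir)
    return parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS), before, after
```

Run `demo()` to see the three parsed entries, one finding while authorized_keys is mode 664, and none after it is set to 600. On a real server point `parse_authorized_keys` at the contents of ~/.ssh/authorized_keys and `audit_ssh_dir` at ~/.ssh itself.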

<pre>
$ ssh sam@server
</pre>

All login attempts are logged to /var/log/secure. You will need the appropriate (root) permissions to view this file.

Examples of using ssh

Copy files with scp
In this example we will copy demo.txt to sam's docs directory on the server. User sam will need read/write permissions on the remote directory.

<pre>
$ scp demo.txt sam@server:/home/sam/docs
demo.txt                                           100%    0     0.0KB/s   00:00
</pre>

Using sftp
In this example we will use sftp to create the directory demo on the remote server, then log in with ssh to confirm it is there.

<pre>
$ sftp server
Connected to server.
sftp> mkdir demo
sftp> quit
sam@sampc ~ $ ssh sam@server
Last login: Tue Mar 29 11:27:51 2016 from 192.168.1.3
[sam@sampc ~]$ ls
demo
</pre>

SSH Security

SSH security is very important, and your biggest threat will probably be automated scripts. The best form of protection is restricting port access to only certain IP addresses; if this is not possible, tools like fail2ban exist to limit the risk of unauthorised access. Also, whenever possible, use protocol version 2, as it has many enhancements and improvements over the older version 1. Once SSH is implemented and secured you can disable services like telnetd, rlogind, rshd, rexec and ftpd. Disabling these services and any other unused services will make your Linux system more secure.
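The two points above, that every attempt ends up in /var/log/secure and that automated scripts are the main threat, come together when you read the log the way fail2ban's sshd filter does. The following is an added example, not code from the article or from fail2ban: it parses the `Accepted`/`Failed` lines sshd writes, flags any source that fails `maxretry` times within a `findtime`-second sliding window, lists the non-existent usernames that were tried (a signature of scanning), and counts successful logins by method so that password logins after keys are deployed stand out. The log lines are constructed; the outside addresses use the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges, and 192.168.1.3 is the client from the sftp session above. Syslog timestamps carry no year, so one is supplied as a parameter.

```python
"""Added example (not from the article): detection over constructed /var/log/secure
lines.  A source with `maxretry` failures inside `findtime` seconds is flagged."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: a burst from 203.0.113.7, three slow failures from 198.51.100.9
# spread 20 minutes apart, and the legitimate user sam from 192.168.1.3.
SAMPLE_SECURE_LOG = """\
Mar 29 11:00:00 server sshd[2001]: Failed password for root from 198.51.100.9 port 40001 ssh2
Mar 29 11:20:00 server sshd[2050]: Failed password for root from 198.51.100.9 port 40002 ssh2
Mar 29 11:25:01 server sshd[2110]: Failed password for invalid user admin from 203.0.113.7 port 51812 ssh2
Mar 29 11:25:03 server sshd[2112]: Failed password for root from 203.0.113.7 port 51820 ssh2
Mar 29 11:25:05 server sshd[2114]: Failed password for root from 203.0.113.7 port 51830 ssh2
Mar 29 11:25:07 server sshd[2116]: Failed password for invalid user oracle from 203.0.113.7 port 51840 ssh2
Mar 29 11:27:51 server sshd[2130]: Accepted publickey for sam from 192.168.1.3 port 50122 ssh2: RSA 78:58:97:3d:0e:26:aa:5b:17:2f:f9:dd:3d:ce:4c:8e
Mar 29 11:30:10 server sshd[2140]: Failed password for sam from 192.168.1.3 port 50130 ssh2
Mar 29 11:30:15 server sshd[2141]: Accepted password for sam from 192.168.1.3 port 50131 ssh2
Mar 29 11:40:00 server sshd[2160]: Failed password for root from 198.51.100.9 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2016):
    """Return a dict for an sshd Accepted/Failed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
        "result": m["result"],
        "method": m["method"],
        "user": m["user"],
        "ip": m["ip"],
        "invalid_user": m["invalid"] is not None,
    }


def events(log_text, year=2016):
    """All parseable authentication events in file order."""
    return [ev for ev in (parse_line(l, year) for l in log_text.splitlines()) if ev]


def find_brute_force(log_text, maxretry=3, findtime=600, year=2016):
    """Map each flagged source IP to the time of the failure that crossed the threshold."""
    recent = defaultdict(deque)      # per-IP timestamps of failures still inside the window
    flagged = {}
    for ev in events(log_text, year):
        if ev["result"] != "Failed":
            continue
        window = recent[ev["ip"]]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > findtime:
            window.popleft()         # failures older than findtime no longer count
        if len(window) >= maxretry and ev["ip"] not in flagged:
            flagged[ev["ip"]] = ev["ts"]
    return flagged


def invalid_usernames(log_text, year=2016):
    """Usernames tried that do not exist on the box: a signature of automated scanning."""
    return sorted({ev["user"] for ev in events(log_text, year) if ev["invalid_user"]})


def login_summary(log_text, year=2016):
    """Successful logins per (user, method)."""
    counts = defaultdict(int)
    for ev in events(log_text, year):
        if ev["result"] == "Accepted":
            counts[(ev["user"], ev["method"])] += 1
    return dict(counts)
```

With the defaults, only 203.0.113.7 is flagged (at its third failure, 11:25:05); the slow attempts from 198.51.100.9 never have three failures inside one 10-minute window, which is exactly the gap a longer `findtime` closes, and sam's single mistyped password is not flagged. Feed `find_brute_force` the contents of /var/log/secure (as root) to run it over real data.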


Secure ssh access with TCP Wrappers

TCP Wrappers is used to block access, based on IP address, to services that are “wrappers aware”. The usage is very simple.

There are two files: /etc/hosts.allow and /etc/hosts.deny. Each rule names the daemon by its process name (sshd for OpenSSH) followed by a list of clients. The example below will allow IPs 10.10.10.1 and 10.10.10.2 to access ssh, while blocking everyone else.


<pre>
vi /etc/hosts.allow
sshd: 10.10.10.1, 10.10.10.2

vi /etc/hosts.deny
sshd: ALL
</pre>
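The order in which libwrap consults the two files decides what the rules above mean, and a mistake in the daemon name is the classic way they silently stop applying. The script below is an added example, not code from the article or from the tcp_wrappers package: it re-implements the hosts_access(5) decision (search hosts.allow first, a match grants; otherwise search hosts.deny, a match denies; otherwise access is granted) for the pattern forms an SSH administrator actually uses (ALL, exact IPs, trailing-dot prefixes such as `10.10.`, and net/mask or CIDR networks), and shows that rules keyed on `ssh` instead of the process name `sshd` match nothing, so the deny never fires. Hostnames, netgroups, EXCEPT, the options field and bracketed IPv6 addresses are deliberately not modelled. One caveat worth checking before relying on these files at all: upstream OpenSSH removed libwrap support in 6.7, and some distributions no longer build sshd against it, in which case hosts.allow and hosts.deny are ignored for sshd; `ldd /usr/sbin/sshd | grep libwrap` shows whether your binary still links it.

```python
"""Added example (not from the article): evaluate hosts.allow / hosts.deny the way
libwrap does.  hosts.allow is searched first and a match grants access; otherwise
hosts.deny is searched and a match denies; otherwise access is granted."""
import ipaddress
import re


def parse_access_file(text):
    """Return [(daemon_list, client_list)] from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()    # strip comments and blank lines
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        rules.append((fields[0].strip(), fields[1].strip()))   # options field ignored
    return rules


def _tokens(field):
    """Lists are separated by commas and/or whitespace."""
    return [t for t in re.split(r"[,\s]+", field) if t]


def daemon_matches(daemon_list, daemon):
    """Daemon patterns are process names (sshd, not ssh) or the wildcard ALL."""
    return any(t == "ALL" or t == daemon for t in _tokens(daemon_list))


def client_matches(client_list, ip):
    addr = ipaddress.ip_address(ip)
    for pat in _tokens(client_list):
        if pat == "ALL":
            return True
        if pat.endswith("."):               # "10.10." matches 10.10.x.y only
            if ip.startswith(pat):
                return True
        elif "/" in pat:                    # 10.10.10.0/255.255.255.0 or 10.10.10.0/24
            if addr in ipaddress.ip_network(pat, strict=False):
                return True
        elif pat == ip:
            return True
    return False


def file_matches(text, daemon, ip):
    return any(daemon_matches(d, daemon) and client_matches(c, ip)
               for d, c in parse_access_file(text))


def access_decision(hosts_allow, hosts_deny, daemon, ip):
    """The hosts_access(5) decision for one connection."""
    if file_matches(hosts_allow, daemon, ip):
        return "allow (hosts.allow)"
    if file_matches(hosts_deny, daemon, ip):
        return "deny (hosts.deny)"
    return "allow (no match)"       # libwrap fails open when neither file matches


# The article's rules, keyed on sshd's process name.
HOSTS_ALLOW = "sshd: 10.10.10.1, 10.10.10.2\n"
HOSTS_DENY = "sshd: ALL\n"

# The same rules keyed on "ssh": no rule ever matches sshd, so everyone gets in.
HOSTS_ALLOW_MISNAMED = "ssh: 10.10.10.1, 10.10.10.2\n"
HOSTS_DENY_MISNAMED = "ssh: ALL\n"
```

`access_decision(HOSTS_ALLOW, HOSTS_DENY, "sshd", "10.10.10.3")` returns a deny from hosts.deny, while the same call with the misnamed files returns `allow (no match)`: the fail-open default is why the daemon name, not just the client list, has to be right.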