Difference between revisions of "Sshbastion"

From HoerupWiki
Line 34: Line 34:
 
==PAM==
 
==PAM==
 
Secure bastionhost
 
Secure bastionhost
harden passwords
+
* harden passwords
* apt install libpam-pwquality
+
** apt install libpam-pwquality
* add  password        requisite                      pam_pwquality.so minlen=12 retry=3
+
** add  password        requisite                      pam_pwquality.so minlen=12 retry=3
* to /etc/pam.d/common-passwd
+
** to /etc/pam.d/common-passwdi
 
+
* geoip
* apt install geoip-database-extra libpam-geoip
+
** apt install geoip-database-extra libpam-geoip
* see https://github.com/vetinari/pam_geoip/blob/master/geoip.conf and modify /etc/security/geoip.conf
+
** see https://github.com/vetinari/pam_geoip/blob/master/geoip.conf and modify /etc/security/geoip.conf
* add account required pam_geoip.so geoip_db=/usr/share/GeoIP/GeoIPCity.dat
+
** add account required pam_geoip.so geoip_db=/usr/share/GeoIP/GeoIPCity.dat
* to /etc/pam.d/common-account
+
** to /etc/pam.d/common-account
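Review bot: the new side introduces a typo in `** to /etc/pam.d/common-passwdi`: the old side reads `/etc/pam.d/common-passwd`, and the Debian file that pam-auth-update manages for the password stack is `/etc/pam.d/common-password`, so the trailing `i` (and the short `passwd` spelling) should be corrected before saving. The re-indentation of the install/configure steps as sub-bullets under `* harden passwords` and `* geoip` is otherwise fine.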

Revision as of 22:16, 28 October 2017

ref

sshd basic

  • make sure root login over ssh is certificate/key only or disabled
  • PermitRootLogin prohibit-password
  • AllowTcpForwarding no
  • X11Forwarding no
  • only allow members of one group to ssh in
  • AllowGroups sshusers


proc

Make sure users can't see other users' processes:

  • proc /proc proc defaults,hidepid=2 0 0
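As an added example (not from the wiki page), this POSIX sh script audits an sshd_config against the four sshd settings listed above and checks fstab for the hidepid=2 mount option, taking the first uncommented occurrence of each keyword the way sshd does. The function names are mine and the sample configuration it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the wiki page: audit sshd_config and fstab for the
# bastion settings listed above. sshd honours the FIRST uncommented occurrence
# of a keyword and global scope ends at the first Match block; assumes
# whitespace-separated "Keyword value" syntax. File paths are arguments.

# sshd_get FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2   { next }
        tolower($1) == "match" { exit }          # conditional section: stop
        tolower($1) == key     { print $2; exit }
    ' "$1"
}
# sshd_audit FILE -> one line per check; return value = number of failures
# keyword=acceptable values; PermitRootLogin no also counts as "disabled"
sshd_audit() {
    fails=0
    for spec in "PermitRootLogin=prohibit-password no" "AllowTcpForwarding=no" \
                "X11Forwarding=no" "AllowGroups=sshusers"; do
        key=${spec%%=*}; want=${spec#*=}; got=$(sshd_get "$1" "$key")
        case " $want " in
            *" ${got:-<unset>} "*) echo "ok   $key $got" ;;
            *) echo "FAIL $key=${got:-<unset>} (want one of: $want)"
               fails=$((fails + 1)) ;;
        esac
    done
    return "$fails"
}
# fstab_hidepid_ok FILE -> succeeds only if /proc is mounted with hidepid=2
fstab_hidepid_ok() {
    awk '/^[ \t]*#/ || NF < 4 { next }
         $2 == "/proc" && $4 ~ /(^|,)hidepid=2(,|$)/ { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}
# Constructed sample input (not from the page) so the script runs offline;
# the commented-out X11Forwarding line is deliberate and must be reported.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
PermitRootLogin prohibit-password
AllowTcpForwarding no
#X11Forwarding no
AllowGroups sshusers
EOF
printf 'proc /proc proc defaults,hidepid=2 0 0\n' > "$SAMPLE_DIR/fstab"
sshd_audit "$SAMPLE_DIR/sshd_config" || echo "$? sshd check(s) failed"
fstab_hidepid_ok "$SAMPLE_DIR/fstab" && echo "ok   /proc hidepid=2" || echo "FAIL /proc hidepid"
rm -rf "$SAMPLE_DIR"
```

On a live host, run the checks against /etc/ssh/sshd_config and /etc/fstab, or compare with `sshd -T`, which prints the effective values sshd actually uses.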

firewall to restrict outgoing traffic from the bastion

#!/bin/bash
# Egress policy for the bastion: allow the package mirrors, outbound ssh,
# DNS/DHCP to the gateway and ICMP; reject any other NEW outbound connection.
iptables --flush OUTPUT
# hostnames are resolved once, when the rule is added
iptables --append OUTPUT -d security.debian.org -j ACCEPT
iptables --append OUTPUT -d ftp.dk.debian.org -j ACCEPT
# no ssh to the gateway itself; this must come before the general ssh rule
iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP
iptables --append OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# DNS and DHCP to the gateway (the state match requires --state)
iptables --append OUTPUT -m state --state NEW -d 192.168.12.1 -p udp --dport 53 -j ACCEPT
iptables --append OUTPUT -m state --state NEW -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT
iptables --append OUTPUT -m state --state NEW -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT
iptables --append OUTPUT -p icmp -j ACCEPT
# replies to established connections are not NEW, so only new connections are rejected
iptables --append OUTPUT -m state --state NEW -j REJECT

PAM

Secure bastion host

  • harden passwords
    • apt install libpam-pwquality
    • add password requisite pam_pwquality.so minlen=12 retry=3
    • to /etc/pam.d/common-password
  • geoip
    • apt install geoip-database-extra libpam-geoip
    • see https://github.com/vetinari/pam_geoip/blob/master/geoip.conf and modify /etc/security/geoip.conf
    • add account required pam_geoip.so geoip_db=/usr/share/GeoIP/GeoIPCity.dat
    • to /etc/pam.d/common-account