Sshbastion
Latest revision as of 12:55, 15 January 2018
This article is based on a Debian 9 VM.
sshd basic
- make sure root can only log in over ssh with a key or certificate, never a password
  - PermitRootLogin prohibit-password
- AllowTcpForwarding no
- X11Forwarding no
- only allow members of a specific group to ssh in
  - AllowGroups sshusers
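As an added check (example code, not from the wiki page): a small POSIX sh audit that compares an sshd_config against the four settings above. It reads only the global section (it stops at the first Match line), takes the first occurrence of a keyword as sshd does, and compares only the first value token; the two sample configs are constructed for demonstration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the "sshd basic" settings.
# Global section only, first occurrence wins, keywords are case-insensitive.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
sshd_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }            # ignore everything inside Match blocks
        /^[[:space:]]*#/ || NF < 2 { next }        # skip comments and blank lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Return 0 when every expected setting is present with the expected value,
# 1 otherwise; each deviation is reported on stdout.
check_sshd_config() {
    rc=0
    for pair in \
        "permitrootlogin=prohibit-password" \
        "allowtcpforwarding=no" \
        "x11forwarding=no" \
        "allowgroups=sshusers"
    do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(sshd_value "$1" "$key")
        if [ "$have" != "$want" ]; then
            printf '%s: %s is "%s", expected "%s"\n' "$1" "$key" "${have:-<unset>}" "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample configs for demonstration (not real bastion configs).
sample_hardened() {
    printf '%s\n' \
        "# hardened bastion" \
        "PermitRootLogin prohibit-password" \
        "AllowTcpForwarding no" \
        "X11Forwarding no" \
        "AllowGroups sshusers" \
        "Match User deploy" \
        "    AllowTcpForwarding yes"
}
sample_weak() {
    printf '%s\n' "PermitRootLogin yes" "X11Forwarding yes" "AllowTcpForwarding yes"
}
```

Run it against the live file with `check_sshd_config /etc/ssh/sshd_config`; a non-zero exit means at least one setting deviates.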
harden SSH access
install fail2ban to lock out brute-force attackers
firewall to restrict traffic to and from bastion

    #!/bin/bash
    # Start from a clean filter table and default-deny in both directions.
    iptables --flush
    iptables --policy INPUT DROP
    iptables --policy OUTPUT DROP

    # Allow loopback traffic (added here, not in the original rule set; local
    # services such as a resolver on 127.0.0.1 break without it).
    iptables --append INPUT -i lo -j ACCEPT
    iptables --append OUTPUT -o lo -j ACCEPT

    # Let packets belonging to already accepted connections through.
    iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The only inbound service is ssh.
    iptables --append INPUT -p tcp --dport 22 -j ACCEPT

    # Outbound: ssh to internal hosts, except to 192.168.12.1 (the DNS/DHCP
    # server in this setup), plus DNS and DHCP to that host, and ICMP.
    iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP
    iptables --append OUTPUT -p tcp --dport 22 -j ACCEPT
    iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 53 -j ACCEPT
    iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT
    iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT
    iptables --append OUTPUT -p icmp -j ACCEPT

    # Hostnames are resolved once, when the rule is added, so these depend on
    # the DNS rules above and must come after them.
    iptables --append OUTPUT -d security.debian.org -m comment --comment "security.debian.org" -j ACCEPT
    iptables --append OUTPUT -d ftp.dk.debian.org -m comment --comment "ftp.dk.debian.org" -j ACCEPT

remember to persist the rules with eg iptables-persistent; note that the hostname rules are saved as the IP addresses they resolved to when added, so they need re-adding if the mirrors change address
Harden OS

proc
Make sure users can't see other users' processes by mounting /proc with hidepid=2 (fstab entry):
- proc /proc proc defaults,hidepid=2 0 0

home dirs
make sure all home directories are chmod 750
set DIR_MODE=0750 in /etc/adduser.conf so newly created users get that mode by default
PAM
- harden passwords
  - apt install libpam-pwquality
  - add password requisite pam_pwquality.so try_first_pass minlen=12 retry=3 to /etc/pam.d/common-password
- geoip - restrict ssh access based on the client's GeoIP location
  - apt install geoip-database-extra libpam-geoip
  - see https://github.com/vetinari/pam_geoip/blob/master/geoip.conf and modify /etc/security/geoip.conf
  - add account required pam_geoip.so geoip_db=/usr/share/GeoIP/GeoIPCity.dat to /etc/pam.d/sshd
- limit su access (https://major.io/2013/04/25/limit-access-to-the-su-command/)
  - groupadd --system wheel
  - edit /etc/pam.d/su and uncomment the following line
  - #auth required pam_wheel.so
  - add the admin users who should still be able to su to the wheel group, otherwise nobody can
Consider adding pam_tally2 to auto-lock a user for a given period (read more: http://www.deer-run.com/~hal/linux_passwords_pam.html).
selinux
- https://wiki.debian.org/SELinux/Setup
- test that the setup works and monitor /var/log/audit for denials
- when everything is ok, set selinux to enforcing mode and check with sestatus
Session Recording
- https://aws.amazon.com/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/
- if using that script:
  - chattr +a /var/log/bastion/ so recordings can be added to the directory but not deleted or renamed
  - add umask 0027 to /usr/bin/bastion/shell
Consider using http://scribery.github.io/tlog/