Difference between revisions of "Sshbastion"
| Line 10: | Line 10: | ||
* AllowGroups sshusers | * AllowGroups sshusers | ||
| − | == harden == | + | == harden SSH access== |
install fail2ban to make lock out brute force attacks | install fail2ban to make lock out brute force attacks | ||
| − | |||
| − | |||
| − | |||
=firewall to restrict outgoing traffic from bastion= | =firewall to restrict outgoing traffic from bastion= | ||
| Line 33: | Line 30: | ||
remember to persist with eg iptables-persistent | remember to persist with eg iptables-persistent | ||
| + | |||
| + | = Harden OS = | ||
| + | |||
| + | ==proc== | ||
| + | Make sure users can't see other users processes: | ||
| + | * proc /proc proc defaults,hidepid=2 0 0 | ||
| + | |||
=PAM= | =PAM= | ||
| Line 44: | Line 48: | ||
** add <code>account required pam_geoip.so geoip_db=/usr/share/GeoIP/GeoIPCity.dat</code> to /etc/pam.d/sshd | ** add <code>account required pam_geoip.so geoip_db=/usr/share/GeoIP/GeoIPCity.dat</code> to /etc/pam.d/sshd | ||
| − | =home dirs= | + | ==home dirs== |
make sure all homedirs are chmod 750 | make sure all homedirs are chmod 750 | ||
set DIR_MODE=0750 in /etc/adduser.conf | set DIR_MODE=0750 in /etc/adduser.conf | ||
| + | |||
| + | =selinux= | ||
| + | |||
| + | * https://wiki.debian.org/SELinux/Setup | ||
| + | * test that the setup is ok and monitor with /var/log/audit | ||
| + | * when everything is ok, set selinux to enforce mode and check with <code>sestatus</code> | ||
| + | |||
=Session Recording= | =Session Recording= | ||
| Line 57: | Line 68: | ||
Consider using http://scribery.github.io/tlog/ | Consider using http://scribery.github.io/tlog/ | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
Revision as of 08:20, 15 January 2018
This article i based on a debian 9 vm
Contents
sshd basic
- make sure ssh root is cert only or disabled
- PermitRootLogin prohibit-password
- AllowTcpForwarding no
- X11Forwarding no
- Only allow certain group to ssh
- AllowGroups sshusers
harden SSH access
install fail2ban to make lock out brute force attacks
firewall to restrict outgoing traffic from bastion
#!/bin/bash iptables --flush OUTPUT iptables --append OUTPUT -d security.debian.org -j ACCEPT iptables --append OUTPUT -d ftp.dk.debian.org -j ACCEPT iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP iptables --append OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT iptables --append OUTPUT -m state -d 192.168.12.1 -p udp --dport 53 -j ACCEPT iptables --append OUTPUT -m state -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT iptables --append OUTPUT -m -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT iptables --append OUTOUT -p icmp -j ACCEPT iptables --append OUTPUT -m state --state NEW -j REJECT
remember to persist with eg iptables-persistent
Harden OS
proc
Make sure users can't see other users processes:
- proc /proc proc defaults,hidepid=2 0 0
PAM
Secure bastionhost
- harden passwords
- apt install libpam-pwquality
- add
password requisite pam_pwquality.so minlen=12 retry=3to /etc/pam.d/common-passwd
- geoip
- apt install geoip-database-extra libpam-geoip
- see https://github.com/vetinari/pam_geoip/blob/master/geoip.conf and modify /etc/security/geoip.conf
- add
account required pam_geoip.so geoip_db=/usr/share/GeoIP/GeoIPCity.datto /etc/pam.d/sshd
home dirs
make sure all homedirs are chmod 750
set DIR_MODE=0750 in /etc/adduser.conf
selinux
- https://wiki.debian.org/SELinux/Setup
- test that the setup is ok and monitor with /var/log/audit
- when everything is ok, set selinux to enforce mode and check with
sestatus
Session Recording
- https://aws.amazon.com/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/
- if using this script use
- chattr +a /var/log/bastion/
- add
umask 0027to /usr/bin/bastion/shell
Consider using http://scribery.github.io/tlog/
