Difference between revisions of "Sshbastion"

From HoerupWiki
Jump to: navigation, search
(firewall to restrict outgoing traffic from bastion)
Line 15: Line 15:
  
 
=firewall to restrict outgoing traffic from bastion=
 
=firewall to restrict outgoing traffic from bastion=
 +
<code>
 +
#!/bin/bash
  
#!/bin/bash
+
iptables --flush
iptables --flush OUTPUT
 
iptables --append OUTPUT -d security.debian.org -j ACCEPT
 
iptables --append OUTPUT -d ftp.dk.debian.org -j ACCEPT
 
iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP
 
iptables --append OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
 
iptables --append OUTPUT -m state -d 192.168.12.1 -p udp --dport 53 -j ACCEPT
 
iptables --append OUTPUT -m state -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT
 
iptables --append OUTPUT -m -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT
 
iptables --append OUTOUT -p icmp -j ACCEPT
 
iptables --append OUTPUT -m state --state NEW -j REJECT
 
  
 +
iptables --policy INPUT DROP
 +
iptables --policy OUTPUT DROP
 +
 +
 +
iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
 +
iptables --append INPUT -p tcp --dport 22 -j ACCEPT
 +
 +
iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP
 +
iptables --append OUTPUT -p tcp --dport 22 -j ACCEPT
 +
iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 53 -j ACCEPT
 +
iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT
 +
iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT
 +
iptables --append OUTPUT -p icmp -j ACCEPT
 +
 +
# depends on DNS so these must be after DNS rule
 +
iptables --append OUTPUT -d security.debian.org -m comment --comment "security.debian.org" -j ACCEPT
 +
iptables --append OUTPUT -d ftp.dk.debian.org -m comment --comment "ftp.dk.debian.org" -j ACCEPT
 +
</code>
  
 
remember to persist with eg iptables-persistent
 
remember to persist with eg iptables-persistent

Revision as of 12:00, 15 January 2018

This article i based on a debian 9 vm


sshd basic

  • make sure ssh root is cert only
    • PermitRootLogin prohibit-password
  • AllowTcpForwarding no
  • X11Forwarding no
  • Only allow certain group to ssh
    • AllowGroups sshusers

harden SSH access

install fail2ban to make lock out brute force attacks


firewall to restrict outgoing traffic from bastion

  1. !/bin/bash

iptables --flush

iptables --policy INPUT DROP iptables --policy OUTPUT DROP


iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables --append INPUT -p tcp --dport 22 -j ACCEPT

iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP iptables --append OUTPUT -p tcp --dport 22 -j ACCEPT iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 53 -j ACCEPT iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT iptables --append OUTPUT -p icmp -j ACCEPT

  1. depends on DNS so these must be after DNS rule

iptables --append OUTPUT -d security.debian.org -m comment --comment "security.debian.org" -j ACCEPT iptables --append OUTPUT -d ftp.dk.debian.org -m comment --comment "ftp.dk.debian.org" -j ACCEPT

remember to persist with eg iptables-persistent

Harden OS

proc

Make sure users can't see other users processes:

  • proc /proc proc defaults,hidepid=2 0 0

home dirs

make sure all homedirs are chmod 750

set DIR_MODE=0750 in /etc/adduser.conf


PAM

  • harden passwords
    • apt install libpam-pwquality
    • add password requisite pam_pwquality.so minlen=12 retry=3 to /etc/pam.d/common-passwd
  • geoip - restrict ssh access based on geoip
  • limit su access
    • groupadd --system wheel
    • edit /etc/pam.d/su and uncomment the following line
    • #auth required pam_wheel.so


selinux


Session Recording

Consider using http://scribery.github.io/tlog/