Sshbastion

From HoerupWiki
Revision as of 10:47, 4 January 2018 by Torben (talk | contribs)
Jump to navigation Jump to search
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

This article i based on a debian 9 vm

Session Recording

Consider using http://scribery.github.io/tlog/

sshd basic

  • make sure ssh root is cert only or disabled
  • PermitRootLogin prohibit-password
  • AllowTcpForwarding no
  • X11Forwarding no
  • Only allow certain group to ssh
  • AllowGroups sshusers

harden

install fail2ban to make lock out brute force attacks

proc

Make sure users can't see other users processes:

  • proc /proc proc defaults,hidepid=2 0 0

firewall to restrict outgoing traffic from bastion

#!/bin/bash
iptables --flush OUTPUT
iptables --append OUTPUT -d security.debian.org -j ACCEPT
iptables --append OUTPUT -d ftp.dk.debian.org -j ACCEPT
iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP
iptables --append OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables --append OUTPUT -m state -d 192.168.12.1 -p udp --dport 53 -j ACCEPT
iptables --append OUTPUT -m state -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT
iptables --append OUTPUT -m -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT
iptables --append OUTOUT -p icmp -j ACCEPT
iptables --append OUTPUT -m state --state NEW -j REJECT


remember to persist with eg iptables-persistent

PAM

Secure bastionhost

  • harden passwords
    • apt install libpam-pwquality
    • add password requisite pam_pwquality.so minlen=12 retry=3 to /etc/pam.d/common-passwd
  • geoip

home dirs

make sure all homedirs are chmod 750

set DIR_MODE=0750 in /etc/adduser.conf


selinux

Retrieved from "https://wiki.t-hoerup.dk/index.php?title=Sshbastion&oldid=11890"