Difference between revisions of "Sshbastion"

From HoerupWiki
Jump to: navigation, search
(PAM)
 
(14 intermediate revisions by the same user not shown)
Line 1: Line 1:
 
This article i based on a debian 9 vm
 
This article i based on a debian 9 vm
  
==ref==
 
 
* https://aws.amazon.com/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/
 
** if using this script use
 
** chattr +a /var/log/bastion/
 
** add <code>umask 0027</code> to /usr/bin/bastion/shell
 
  
 
=sshd basic=
 
=sshd basic=
* make sure ssh root is cert only or disabled
+
* make sure ssh root is cert only  
* PermitRootLogin prohibit-password
+
** PermitRootLogin prohibit-password
 
* AllowTcpForwarding no
 
* AllowTcpForwarding no
 
* X11Forwarding no
 
* X11Forwarding no
 
* Only allow certain group to ssh
 
* Only allow certain group to ssh
* AllowGroups sshusers
+
** AllowGroups sshusers
  
=== harden ===
+
== harden SSH access==
 
install fail2ban to make lock out brute force attacks
 
install fail2ban to make lock out brute force attacks
  
==proc==
 
Make sure users can't see other users processes:
 
* proc /proc proc defaults,hidepid=2 0 0
 
  
==firewall to restrict outgoing traffic from bastion==
+
=firewall to restrict traffic to and from bastion=
 +
 
  
 
  #!/bin/bash
 
  #!/bin/bash
  iptables --flush OUTPUT
+
  iptables --flush
  iptables --append OUTPUT -d security.debian.org -j ACCEPT
+
  iptables --append OUTPUT -d ftp.dk.debian.org -j ACCEPT
+
iptables --policy INPUT DROP
 +
iptables --policy OUTPUT DROP
 +
 +
 +
  iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
  iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
 +
iptables --append INPUT -p tcp --dport 22 -j ACCEPT
 +
 
  iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP
 
  iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP
  iptables --append OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
+
  iptables --append OUTPUT -p tcp --dport 22 -j ACCEPT
  iptables --append OUTPUT -m state -d 192.168.12.1 -p udp --dport 53 -j ACCEPT
+
  iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 53 -j ACCEPT
  iptables --append OUTPUT -m state -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT
+
  iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT
  iptables --append OUTPUT -m -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT
+
  iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT
  iptables --append OUTOUT -p icmp -j ACCEPT
+
  iptables --append OUTPUT -p icmp -j ACCEPT
  iptables --append OUTPUT -m state --state NEW -j REJECT
+
 +
# depends on DNS so these must be after DNS rule
 +
iptables --append OUTPUT -d security.debian.org -m comment --comment "security.debian.org" -j ACCEPT
 +
  iptables --append OUTPUT -d ftp.dk.debian.org -m comment --comment "ftp.dk.debian.org" -j ACCEPT
  
  
 
remember to persist with eg iptables-persistent
 
remember to persist with eg iptables-persistent
  
==PAM==
+
= Harden OS =
Secure bastionhost
+
 
* harden passwords
+
==proc==
** apt install libpam-pwquality
+
Make sure users can't see other users processes:
** add  <code>password        requisite                      pam_pwquality.so minlen=12 retry=3</code>  to /etc/pam.d/common-passwd
+
* proc /proc proc defaults,hidepid=2 0 0
* geoip
 
** apt install geoip-database-extra libpam-geoip
 
** see https://github.com/vetinari/pam_geoip/blob/master/geoip.conf and modify /etc/security/geoip.conf
 
** add <code>account required pam_geoip.so geoip_db=/usr/share/GeoIP/GeoIPCity.dat</code> to /etc/pam.d/common-account
 
  
 
==home dirs==
 
==home dirs==
Line 56: Line 55:
  
  
==selinux==
+
=PAM=
 +
* harden passwords
 +
** apt install libpam-pwquality
 +
** add  <code>password        requisite                      pam_pwquality.so  try_first_pass minlen=12 retry=3</code>  to /etc/pam.d/common-passwd
 +
* geoip - restrict ssh access based on geoip
 +
** apt install geoip-database-extra libpam-geoip
 +
** see https://github.com/vetinari/pam_geoip/blob/master/geoip.conf and modify /etc/security/geoip.conf
 +
** add <code>account required pam_geoip.so geoip_db=/usr/share/GeoIP/GeoIPCity.dat</code> to /etc/pam.d/sshd
 +
* [https://major.io/2013/04/25/limit-access-to-the-su-command/ limit <code>su</code> access]
 +
** groupadd --system wheel
 +
** edit /etc/pam.d/su and uncomment the following line
 +
** <code>#auth required pam_wheel.so</code>
 +
 
 +
Consider adding pam_tally2 to auto-lock a user for a given period. [http://www.deer-run.com/~hal/linux_passwords_pam.html Read more]
 +
 
 +
=selinux=
  
 
* https://wiki.debian.org/SELinux/Setup
 
* https://wiki.debian.org/SELinux/Setup
 
* test that the setup is ok and monitor with /var/log/audit
 
* test that the setup is ok and monitor with /var/log/audit
 
* when everything is ok, set selinux to enforce mode and check with <code>sestatus</code>
 
* when everything is ok, set selinux to enforce mode and check with <code>sestatus</code>
 +
 +
 +
=Session Recording=
 +
 +
* https://aws.amazon.com/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/
 +
** if using this script use
 +
** chattr +a /var/log/bastion/
 +
** add <code>umask 0027</code> to /usr/bin/bastion/shell
 +
 +
Consider using http://scribery.github.io/tlog/

Latest revision as of 13:55, 15 January 2018

This article i based on a debian 9 vm


sshd basic

  • make sure ssh root is cert only
    • PermitRootLogin prohibit-password
  • AllowTcpForwarding no
  • X11Forwarding no
  • Only allow certain group to ssh
    • AllowGroups sshusers

harden SSH access

install fail2ban to make lock out brute force attacks


firewall to restrict traffic to and from bastion

#!/bin/bash
iptables --flush

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP


iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables --append INPUT -p tcp --dport 22 -j ACCEPT

iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP
iptables --append OUTPUT -p tcp --dport 22 -j ACCEPT
iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 53 -j ACCEPT
iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT
iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT
iptables --append OUTPUT -p icmp -j ACCEPT

# depends on DNS so these must be after DNS rule
iptables --append OUTPUT -d security.debian.org -m comment --comment "security.debian.org" -j ACCEPT
iptables --append OUTPUT -d ftp.dk.debian.org -m comment --comment "ftp.dk.debian.org" -j ACCEPT


remember to persist with eg iptables-persistent

Harden OS

proc

Make sure users can't see other users processes:

  • proc /proc proc defaults,hidepid=2 0 0

home dirs

make sure all homedirs are chmod 750

set DIR_MODE=0750 in /etc/adduser.conf


PAM

  • harden passwords
    • apt install libpam-pwquality
    • add password requisite pam_pwquality.so try_first_pass minlen=12 retry=3 to /etc/pam.d/common-passwd
  • geoip - restrict ssh access based on geoip
  • limit su access
    • groupadd --system wheel
    • edit /etc/pam.d/su and uncomment the following line
    • #auth required pam_wheel.so

Consider adding pam_tally2 to auto-lock a user for a given period. Read more

selinux


Session Recording

Consider using http://scribery.github.io/tlog/

Retrieved from "https://wiki.t-hoerup.dk/index.php?title=Sshbastion&oldid=11905"