Latest revision as of 13:55, 15 January 2018

This article i based on a debian 9 vm

sshd basic

make sure ssh root is cert only
- PermitRootLogin prohibit-password
AllowTcpForwarding no
X11Forwarding no
Only allow certain group to ssh
- AllowGroups sshusers

harden SSH access

install fail2ban to make lock out brute force attacks

firewall to restrict traffic to and from bastion

#!/bin/bash
iptables --flush

iptables --policy INPUT DROP
iptables --policy OUTPUT DROP


iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables --append INPUT -p tcp --dport 22 -j ACCEPT

iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP
iptables --append OUTPUT -p tcp --dport 22 -j ACCEPT
iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 53 -j ACCEPT
iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT
iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT
iptables --append OUTPUT -p icmp -j ACCEPT

# depends on DNS so these must be after DNS rule
iptables --append OUTPUT -d security.debian.org -m comment --comment "security.debian.org" -j ACCEPT
iptables --append OUTPUT -d ftp.dk.debian.org -m comment --comment "ftp.dk.debian.org" -j ACCEPT

remember to persist with eg iptables-persistent

Harden OS

proc

Make sure users can't see other users processes:

proc /proc proc defaults,hidepid=2 0 0

home dirs

make sure all homedirs are chmod 750

set DIR_MODE=0750 in /etc/adduser.conf

PAM

harden passwords
- apt install libpam-pwquality
- add password requisite pam_pwquality.so try_first_pass minlen=12 retry=3 to /etc/pam.d/common-passwd
geoip - restrict ssh access based on geoip
- apt install geoip-database-extra libpam-geoip
- see https://github.com/vetinari/pam_geoip/blob/master/geoip.conf and modify /etc/security/geoip.conf
- add account required pam_geoip.so geoip_db=/usr/share/GeoIP/GeoIPCity.dat to /etc/pam.d/sshd
limit su access
- groupadd --system wheel
- edit /etc/pam.d/su and uncomment the following line
- #auth required pam_wheel.so

Consider adding pam_tally2 to auto-lock a user for a given period. Read more

selinux

https://wiki.debian.org/SELinux/Setup
test that the setup is ok and monitor with /var/log/audit
when everything is ok, set selinux to enforce mode and check with sestatus

Session Recording

https://aws.amazon.com/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/
- if using this script use
- chattr +a /var/log/bastion/
- add umask 0027 to /usr/bin/bastion/shell

Consider using http://scribery.github.io/tlog/

@@ Line 3: / Line 3: @@
 =sshd basic=
-* make sure ssh root is cert only or disabled
+* make sure ssh root is cert only
-* PermitRootLogin prohibit-password
+** PermitRootLogin prohibit-password
 * AllowTcpForwarding no
 * X11Forwarding no
 * Only allow certain group to ssh
-* AllowGroups sshusers
+** AllowGroups sshusers
 == harden SSH access==
@@ Line 14: / Line 14: @@
-=firewall to restrict outgoing traffic from bastion=
+=firewall to restrict traffic to and from bastion=
   #!/bin/bash
-  iptables --flush OUTPUT
+  iptables --flush
-  iptables --append OUTPUT -d security.debian.org -j ACCEPT
-  iptables --append OUTPUT -d ftp.dk.debian.org -j ACCEPT
+ iptables --policy INPUT DROP
+ iptables --policy OUTPUT DROP
+  iptables --append OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+  iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
+ iptables --append INPUT -p tcp --dport 22 -j ACCEPT
   iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP
-  iptables --append OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
+  iptables --append OUTPUT -p tcp --dport 22 -j ACCEPT
-  iptables --append OUTPUT -m state -d 192.168.12.1 -p udp --dport 53 -j ACCEPT
+  iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 53 -j ACCEPT
-  iptables --append OUTPUT -m state -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT
+  iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT
-  iptables --append OUTPUT -m -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT
+  iptables --append OUTPUT -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT
-  iptables --append OUTOUT -p icmp -j ACCEPT
+  iptables --append OUTPUT -p icmp -j ACCEPT
-  iptables --append OUTPUT -m state --state NEW -j REJECT
+ # depends on DNS so these must be after DNS rule
+ iptables --append OUTPUT -d security.debian.org -m comment --comment "security.debian.org" -j ACCEPT
+  iptables --append OUTPUT -d ftp.dk.debian.org -m comment --comment "ftp.dk.debian.org" -j ACCEPT
@@ Line 36: / Line 48: @@
 Make sure users can't see other users processes:
 * proc /proc proc defaults,hidepid=2 0 0
+==home dirs==
+make sure all homedirs are chmod 750
+set DIR_MODE=0750 in /etc/adduser.conf
@@ Line 41: / Line 58: @@
 * harden passwords
 ** apt install libpam-pwquality
-** add  <code>password        requisite                       pam_pwquality.so minlen=12 retry=3</code>  to /etc/pam.d/common-passwd
+** add  <code>password        requisite                       pam_pwquality.so  try_first_pass minlen=12 retry=3</code>  to /etc/pam.d/common-passwd
 * geoip - restrict ssh access based on geoip
 ** apt install geoip-database-extra libpam-geoip
@@ Line 48: / Line 65: @@
 * [https://major.io/2013/04/25/limit-access-to-the-su-command/ limit <code>su</code> access]
 ** groupadd --system wheel
+** edit /etc/pam.d/su and uncomment the following line
+** <code>#auth required pam_wheel.so</code>
-==home dirs==
+Consider adding pam_tally2 to auto-lock a user for a given period. [http://www.deer-run.com/~hal/linux_passwords_pam.html Read more]
-make sure all homedirs are chmod 750
-set DIR_MODE=0750 in /etc/adduser.conf
 =selinux=

Difference between revisions of "Sshbastion"

Latest revision as of 13:55, 15 January 2018

Contents

sshd basic

harden SSH access

firewall to restrict traffic to and from bastion

Harden OS

proc

home dirs

PAM

selinux

Session Recording

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

Tools