Difference between revisions of "Sshbastion"

From HoerupWiki
Jump to: navigation, search
Line 1: Line 1:
 
This article i based on a debian 9 vm
 
This article i based on a debian 9 vm
  
==Session Recording==
+
=Session Recording=
  
 
* https://aws.amazon.com/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/
 
* https://aws.amazon.com/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/
Line 18: Line 18:
 
* AllowGroups sshusers
 
* AllowGroups sshusers
  
=== harden ===
+
== harden ==
 
install fail2ban to make lock out brute force attacks
 
install fail2ban to make lock out brute force attacks
  
==proc==
+
=proc=
 
Make sure users can't see other users processes:
 
Make sure users can't see other users processes:
 
* proc /proc proc defaults,hidepid=2 0 0
 
* proc /proc proc defaults,hidepid=2 0 0
  
==firewall to restrict outgoing traffic from bastion==
+
=firewall to restrict outgoing traffic from bastion=
  
 
  #!/bin/bash
 
  #!/bin/bash
Line 42: Line 42:
 
remember to persist with eg iptables-persistent
 
remember to persist with eg iptables-persistent
  
==PAM==
+
=PAM=
 
Secure bastionhost
 
Secure bastionhost
 
* harden passwords
 
* harden passwords
Line 52: Line 52:
 
** add <code>account required pam_geoip.so geoip_db=/usr/share/GeoIP/GeoIPCity.dat</code> to /etc/pam.d/common-account
 
** add <code>account required pam_geoip.so geoip_db=/usr/share/GeoIP/GeoIPCity.dat</code> to /etc/pam.d/common-account
  
==home dirs==
+
=home dirs=
 
make sure all homedirs are chmod 750  
 
make sure all homedirs are chmod 750  
  
Line 58: Line 58:
  
  
==selinux==
+
=selinux=
  
 
* https://wiki.debian.org/SELinux/Setup
 
* https://wiki.debian.org/SELinux/Setup
 
* test that the setup is ok and monitor with /var/log/audit
 
* test that the setup is ok and monitor with /var/log/audit
 
* when everything is ok, set selinux to enforce mode and check with <code>sestatus</code>
 
* when everything is ok, set selinux to enforce mode and check with <code>sestatus</code>

Revision as of 12:48, 4 January 2018

This article i based on a debian 9 vm

Session Recording

Consider using http://scribery.github.io/tlog/

sshd basic

  • make sure ssh root is cert only or disabled
  • PermitRootLogin prohibit-password
  • AllowTcpForwarding no
  • X11Forwarding no
  • Only allow certain group to ssh
  • AllowGroups sshusers

harden

install fail2ban to make lock out brute force attacks

proc

Make sure users can't see other users processes:

  • proc /proc proc defaults,hidepid=2 0 0

firewall to restrict outgoing traffic from bastion

#!/bin/bash
iptables --flush OUTPUT
iptables --append OUTPUT -d security.debian.org -j ACCEPT
iptables --append OUTPUT -d ftp.dk.debian.org -j ACCEPT
iptables --append OUTPUT -d 192.168.12.1 -p tcp --dport 22 -j DROP
iptables --append OUTPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
iptables --append OUTPUT -m state -d 192.168.12.1 -p udp --dport 53 -j ACCEPT
iptables --append OUTPUT -m state -d 192.168.12.1 -p tcp --dport 53 -j ACCEPT
iptables --append OUTPUT -m -d 192.168.12.1 -p udp --dport 67:68 -j ACCEPT
iptables --append OUTOUT -p icmp -j ACCEPT
iptables --append OUTPUT -m state --state NEW -j REJECT


remember to persist with eg iptables-persistent

PAM

Secure bastionhost

  • harden passwords
    • apt install libpam-pwquality
    • add password requisite pam_pwquality.so minlen=12 retry=3 to /etc/pam.d/common-passwd
  • geoip

home dirs

make sure all homedirs are chmod 750

set DIR_MODE=0750 in /etc/adduser.conf


selinux

Retrieved from "https://wiki.t-hoerup.dk/index.php?title=Sshbastion&oldid=11891"