DaemonForums, OpenBSD Security forum (Functionally paranoid!)
#1, 6th April 2009
Nk2Network
Port Guard
Join Date: Jan 2009
Posts: 43
Thanked 0 Times in 0 Posts

ssh root

Hello

I would like to know how I can disable root access via ssh.

Bye

Last edited by Nk2Network; 6th April 2009 at 08:51 PM.
#2, 6th April 2009
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,610
Thanked 214 Times in 189 Posts

sshd_config(5)

Look for PermitRootLogin
#3, 7th April 2009
nacredata
Port Guard
Join Date: May 2008
Posts: 12
Thanked 1 Time in 1 Post

Here's a patch I run against my new setups (as part of a larger config script) to disable root SSH, allow only public/private key access (no passwords), and set up a template for when I want to allow a subcontractor SFTP-only access to a chroot directory.

Code:
--- sshd_config~    Wed Jan 28 23:45:17 2009
+++ sshd_config    Wed Jan 28 23:47:54 2009
@@ -36,7 +36,7 @@
 # Authentication:
 
 #LoginGraceTime 2m
-#PermitRootLogin yes
+PermitRootLogin no
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10
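Review bot: this hunk is pinned to line 36 of one dated file (`--- sshd_config~ Wed Jan 28 23:45:17 2009`), so when the config script runs it against a host whose stock sshd_config has shifted, patch(1) may reject the hunk and silently leave `#PermitRootLogin yes` in place. Have the script check patch's exit status and verify the result afterwards, for example with `sshd -T | grep -i permitrootlogin`, rather than trusting that the hunk applied.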
@@ -56,7 +56,7 @@
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+PasswordAuthentication no
 #PermitEmptyPasswords no
 
 # Change to no to disable s/key passwords
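Review bot: `PasswordAuthentication no` alone does not give the key-only server the post describes. The closing context line `# Change to no to disable s/key passwords` introduces the ChallengeResponseAuthentication setting, which this patch leaves at its commented-out default of yes, so keyboard-interactive password prompts are still offered to clients. Add `ChallengeResponseAuthentication no` in this hunk alongside `PasswordAuthentication no`.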
@@ -97,10 +97,9 @@
 #Banner none
 
 # override default of no subsystems
-Subsystem    sftp    /usr/libexec/sftp-server
+Subsystem    sftp    internal-sftp
 
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#    X11Forwarding no
-#    AllowTcpForwarding no
-#    ForceCommand cvs server
+# Match User ______
+#     ForceCommand internal-sftp
+#     ChrootDirectory /var/www
+
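Review bot: the new Match template drops the `X11Forwarding no` and `AllowTcpForwarding no` lines from the anoncvs example it replaces, but `ForceCommand internal-sftp` only fixes the command; a chrooted SFTP-only user could still request TCP port forwarding, so carry `AllowTcpForwarding no` (and `X11Forwarding no`) into the template. Also worth a comment next to `ChrootDirectory /var/www`: sshd refuses the login unless the chroot path and every component above it are owned by root and not writable by group or others, which is easy to get wrong for a web document root.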
#4, 7th April 2009
Nk2Network
Port Guard
Join Date: Jan 2009
Posts: 43
Thanked 0 Times in 0 Posts

Use sudo and edit the file /etc/ssh/sshd_conf

Code:
PermitRootLogin yes
Change the word yes to no:
Code:
PermitRootLogin no
For the changes to take effect:

Code:
kill -HUP `cat /var/run/sshd.pid`

Apparently it's not working.

Last edited by Nk2Network; 7th April 2009 at 11:45 AM.
#5, 7th April 2009
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,610
Thanked 214 Times in 189 Posts

  1. You continue to use [php] blocks; you were asked to use [code] blocks instead. Please use [code] blocks. Why? The [php] blocks assume PHP code syntax, and will highlight other text inappropriately.
  2. Changing the "yes" to "no" is insufficient. Why? Because the default settings are all commented out: they have leading "#" characters.
Change:

#PermitRootLogin no

to

PermitRootLogin no
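A small checker, added here as an example and not posted by anyone in the thread, that applies the two rules jggimi's answer rests on: a line whose first non-blank character is "#" is a comment that sshd ignores, and sshd keeps the first value it obtains for a keyword. It reports what sshd would actually use and flags "#Keyword value" lines that look edited but are still comments. The default values and the sample configs are assumptions constructed for the example.

```python
import re

# Assumed defaults per sshd_config(5) for the keywords discussed in this thread.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

def effective_settings(config_text, defaults=DEFAULTS):
    """Map each keyword to (value, where it came from) for the global section.

    Rules: a line whose first non-blank character is '#' is a comment and is
    ignored; sshd keeps the FIRST value it sees for a keyword, so later
    duplicates do not override it; everything after the first 'Match' line is
    conditional and is not counted as a global setting here.
    """
    found = {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in found:
            found[key] = (parts[1].strip(), "line %d" % lineno)
    return {k: found.get(k, (d, "default, no active line")) for k, d in defaults.items()}

def commented_out_directives(config_text, keywords=tuple(DEFAULTS)):
    """Find '#Keyword value' lines: a setting that looks edited but is still a comment."""
    hits = {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        m = re.match(r"\s*#\s*(\w+)\s+\S", raw)
        if m and m.group(1).lower() in keywords:
            hits.setdefault(m.group(1).lower(), []).append(lineno)
    return hits

def check_root_ssh_disabled(config_text):
    """True only if an active (uncommented) PermitRootLogin line sets it to 'no'."""
    return effective_settings(config_text)["permitrootlogin"][0] == "no"

# Constructed samples: the state Nk2Network posted, and a corrected key-only one.
STILL_COMMENTED = "# Authentication:\n\n#LoginGraceTime 2m\n#PermitRootLogin no\n#StrictModes yes\n"
FIXED = "PermitRootLogin no\nPasswordAuthentication no\nChallengeResponseAuthentication no\n"

if __name__ == "__main__":
    for name, text in (("still commented", STILL_COMMENTED), ("fixed", FIXED)):
        print(name, effective_settings(text), commented_out_directives(text))
```

Point it at a real file with `effective_settings(open("/etc/ssh/sshd_config").read())` after editing, before sending sshd a HUP.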
#6, 7th April 2009
Nk2Network
Port Guard
Join Date: Jan 2009
Posts: 43
Thanked 0 Times in 0 Posts

Hello

I don't understand. I just checked my sshd_config:

Code:
# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#7, 7th April 2009
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,610
Thanked 214 Times in 189 Posts

You don't seem to have a grasp of English. Please excuse this horrible translation, done by freetranslations.com:

Lines that begin with "#" are comments and are ignored. You must remove the "#" if you want the line to be used by sshd.

The sshd_config file shows the default setting of each parameter, but it is commented out.

I hope this helps you.

#8, 7th April 2009
mwatkins
Flying Circus Master
Join Date: Mar 2009
Location: Vancouver
Posts: 23
Thanked 1 Time in 1 Post

Change:
Code:
#PermitRootLogin no
to:
Code:
PermitRootLogin no
then run:
Code:
kill -HUP `cat /var/run/sshd.pid`
If French is your first language:

http://www.freebsd.org/fr/projects/newbies.html

Last edited by mwatkins; 7th April 2009 at 05:14 PM.
#9, 7th April 2009
BSDfan666
Real Name: N/A, this is the interweb.
Helpful companion
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts

This user is using OpenBSD, not FreeBSD mwatkins.

We've pointed him toward the French translation of the FAQ before, and it may have benefited him, but unfortunately the man pages are English only.

An understanding of English is simply a requirement at this time, at least until translation efforts start spanning beyond the website.

http://www.openbsd.org/fr/index.html
http://www.openbsd.org/faq/fr/index.html
7th April 2009
mwatkins
Flying Circus Master
Join Date: Mar 2009
Location: Vancouver
Posts: 23
Thanked 1 Time in 1 Post

Unfortunately even on the FreeBSD "fr" page some of the resources are English only. I provided the link more for "Unix for beginners" content than anything *BSD specific.

Regardless of mother tongue, if one can't grasp what a comment character is through intuition, one is going to have a very hard time with any flavour of Unix.
7th April 2009
Nk2Network
Port Guard
Join Date: Jan 2009
Posts: 43
Thanked 0 Times in 0 Posts

Hello,

Thank you very much for your help. You could see that my mother tongue is French. Even with links in English I can manage; I managed to make the changes.

How do I limit brute-force attempts against SSH?

Thank you very much.
7th April 2009
mwatkins
Flying Circus Master
Join Date: Mar 2009
Location: Vancouver
Posts: 23
Thanked 1 Time in 1 Post

Quote, originally posted by Nk2Network:
how to limit the attempts to brute force SSH

Quick way: I should let someone familiar with OpenBSD answer this, but let's assume it is similar to FreeBSD (and most Linuxes); check:

Code:
/etc/hosts.allow 
 
# allow a single machine (192.0.2.12 is a documentation-range example address)
sshd : 192.0.2.12 : allow

# allow a range
sshd : 123.123.0.0/255.255.0.0 : allow

# the last line of hosts.allow should be to deny the rest of the world
# deny every other machine in the world
sshd : ALL : deny
Be careful when testing: ensure you have another way into the box, either a console connection or a session (or two or three) you've left connected. /etc/hosts.allow deny rules will prevent *new* connections but won't affect the connections already in place. Try to make a new connection after you've implemented your rule(s) and ensure that YOU can get in. It would be advisable to have someone you know attempt to connect (or try from another box you have not authorized via "allow") to ensure the rule is working.


Not so quick: implement your rules in a firewall.

Last edited by mwatkins; 7th April 2009 at 10:40 PM.
7th April 2009
nacredata
Port Guard
Join Date: May 2008
Posts: 12
Thanked 1 Time in 1 Post

If you use public key encryption, ignore it.

If you use a weak password, worry.

If it annoys you and you want cleaner logs (though not a truly more secure server), switch the port number.

As for allow/disallow, you can do that from within sshd_config as well:

AllowUsers username

or even more restrictive

AllowUsers username@IP.Number
8th April 2009
mwatkins
Flying Circus Master
Join Date: Mar 2009
Location: Vancouver
Posts: 23
Thanked 1 Time in 1 Post

I like cleaner logs myself; hosts.allow or a firewall will give you that. Unless a hacker happens to be in the same block of IPs as my office or home, they won't be able to make a connection to port 22 or even be aware that it is there behind the wall.

Good point re public key vs password auth - I admit to just assuming no one would do otherwise.

One of the big web hosting sites is down right now: hacked, credit cards stolen, because (if I have the story straight) of a weak password the authors of vBulletin had on the system. The hacker destroyed database records; Webhostingtalk.com had just got back on its feet again, more or less, when today the hacker proved to them that he had credit card data from their servers. Down again.

Moral of the story: don't use weak passwords; don't use passwords if public key is a viable alternative; don't use the same password for your on-line community accounts as you do for managing services, servers, and software.

Last edited by mwatkins; 8th April 2009 at 12:29 AM.
8th April 2009
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,610
Thanked 214 Times in 189 Posts

You can use OpenBSD's Packet Filter, PF, to limit brute force attacks. See Stateful Tracking Options in http://www.openbsd.org/faq/pf/filter.html
See overload and flush.

You can use OpenBSD's Packet Filter, PF, to limit brute force attacks. See Stateful Tracking Options in the French version, http://www.openbsd.org/faq/pf/fr/filter.html
See overload and flush.
8th April 2009
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,610
Thanked 214 Times in 189 Posts

By the way, you can translate almost any web page into French, including this one. I like http://translate.google.com, but there are others.

http://translate.google.com/translat...67&sl=en&tl=fr

By the way, you can translate almost any web page into French, including this one. I like http://translate.google.com, but there are others.
8th April 2009
BSDfan666
Real Name: N/A, this is the interweb.
Helpful companion
Join Date: Apr 2008
Location: Ontario, Canada
Posts: 2,223
Thanked 193 Times in 184 Posts

Note: please don't use web translators to turn French into English. The majority of the translations are incomprehensible and simply serve to confuse people attempting to help you.
8th April 2009
ocicat
Administrator
Join Date: Apr 2008
Posts: 2,873
Thanked 190 Times in 160 Posts

Quote, originally posted by BSDfan666:
Note; please don't use web translators to turn French into English.. the majority of the translations are incomprehensible and simply serve to confuse people attempting to help you.

Oh, how memories of psykhe live on...

Sorry for hijacking.
8th April 2009
Nk2Network
Port Guard
Join Date: Jan 2009
Posts: 43
Thanked 0 Times in 0 Posts

Hello

Can I add the following rule directly to my pf.conf?

Code:
table  persist
block in quick from
pass in quick on $external inet proto tcp from any to any port ssh flags S/SA keep state ( max-src-conn-rate 4/60 ,overload flush global)
8th April 2009
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 3,610
Thanked 214 Times in 189 Posts

Quote, originally posted by BSDfan666:
Note; please don't use web translators to turn French into English..

I was thinking that Nk2Network could use a web translator to read our answers. And, as the man pages are English-only, N2K could use a web translator to convert the web-based man pages to French, such as the sshd_config man page. It discusses "#" in the first paragraph.

Quote, originally posted by Nk2Network:
I can add directly to my pf.conf the following rule

Code:
table  persist
block in quick from
pass in quick on $external inet proto tcp from any to any port ssh flags S/SA keep state ( max-src-conn-rate 4/60 ,overload flush global)
Yes, but make sure you mention the table! See the difference:
Code:
table <bad-people> persist
block in quick from <bad-people>
pass in quick on $external inet proto tcp from any to any port ssh flags S/SA keep state ( max-src-conn-rate 4/60, overload <bad-people> flush global)