Security Basics mailing list archives
Re: Securing SSH
From: "Kaushik Mukherjee" <kaushik () vfmindia biz>
Date: Tue, 13 Jan 2004 10:28:17 -0800
Hi,

Use a token kind of authentication for users ... e.g. SecurID

Kaushik

----- Original Message -----
From: "Joerg Over Dexia" <over () dexia de>
To: <security-basics () securityfocus com>
Sent: Monday, January 12, 2004 4:54 AM
Subject: Re: Securing SSH

Hi,

At 12:53 10.01.2004 +1300 Roland Venter told me the following:

->I need to manage several servers remotely via SSH, I'm interested in ways to
->secure the connection and prevent unauthorised access.
->
->My thoughts:
->Limit access to only allow remote connections from our management network
->via iptables rules. Works but what if our ISP changes our fixed IP, which
->means we are effectively locked out from all the servers and requires a site
->visit to update the rules.
->
->We also need to provide access to engineers working from home using dialup,
->etc
->
->Some sort of client certificates to supplement username and password,
->
->Recommendations on securing the SSH daemon etc
->
->Any ideas and tips or random thoughts appreciated

We implemented sth like that... authentication is via a pgp signed e-mail to a special account with sth like the following in the body:

host = mailserver
duration = 2
service = mail
date = 06.11.2003
ip = dial-up-ip-of-somebody

This is parsed by a script and if validated, triggers a hole in the firewall for that specific IP and ssh for the given duration. Same for the tunnel to the requested host and service.

Advantages:
- No possible ssh bug open to the world
- dialup IPs manageable
- nice log for the requests (the mailbox)

Behind the ssh login is not a shell, but a simple chrooting setuiding-to-worm program, which allows 10 minutes to establish a tunnel and then exits. Therefore I only have one account for ssh, one password or .identity; even if these credentials are lost not *that* much is lost. Key to security are the pgp keys, and I can quite easily manage them. Script controls via lists who is allowed to tunnel to what service on which machine.

Disadvantage: A little unwieldy. Write a mail, wait for answer, write again 'cuz you mucked up the signature ;) , wait again, k now, open the ssh tunnel, open the application. Provider kicks you out, got another IP, same procedure again.

But security and comfort rather seldom go hand in hand... (btw: Your IP might now be owned by a hacker, who might have the latest ssh exploit your ssh might be vulnerable to and might just scan your server's IP before the ssh access for that IP is blocked again. Chances are rather slim.)

hth and gives you some ideas. Also, if you find severe flaws in that concept, I'd also very much like to hear about that.

P.S.: If your ISP changes your fixed IP you pay for without notification, you are afaik legally allowed to shoot him. Check with local laws anyway before attempting that.

JO
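The request-validation step of the signed-mail scheme quoted above, as an added example that is not any poster's code: it parses the `key = value` body, rejects stale or malformed requests, bounds the duration, and checks a per-signer allowlist. It assumes the PGP signature has already been verified upstream (yielding the signer's address), that `duration` is in hours, and a hypothetical `ALLOWED` policy table.

```python
import ipaddress
from datetime import date

# Hypothetical policy table: which PGP signer may tunnel to which (host, service).
ALLOWED = {"somebody@example.org": {("mailserver", "mail"), ("mailserver", "ssh")}}
REQUIRED = ("host", "duration", "service", "date", "ip")
MAX_DURATION_HOURS = 8   # assumption: 'duration' in the body is in hours
MAX_DATE_SKEW_DAYS = 1   # reject old requests so a captured signed mail cannot be replayed

# Constructed request body in the format from the mail (PGP signature already verified upstream).
SAMPLE_BODY = """host = mailserver
duration = 2
service = mail
date = 06.11.2003
ip = 198.51.100.23
"""

def parse_date(text):
    """Parse DD.MM.YYYY as written in the request body."""
    d, m, y = (int(x) for x in text.split("."))
    return date(y, m, d)

def parse_request(body):
    """Turn 'key = value' lines into a dict; lines without '=' are ignored."""
    req = {}
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            req[key.strip().lower()] = value.strip()
    return req

def validate_request(req, signer, today):
    """Return (ok, reason). 'today' is DD.MM.YYYY so the check runs reproducibly offline."""
    missing = [k for k in REQUIRED if k not in req]
    if missing:
        return False, "missing field(s): " + ", ".join(missing)
    try:
        age = abs((parse_date(today) - parse_date(req["date"])).days)
        hours = int(req["duration"])
        ip = ipaddress.ip_address(req["ip"])
    except ValueError:
        return False, "malformed date, duration or ip"
    if age > MAX_DATE_SKEW_DAYS:
        return False, "stale request (possible replay)"
    if not 1 <= hours <= MAX_DURATION_HOURS:
        return False, "duration out of range"
    if (req["host"], req["service"]) not in ALLOWED.get(signer, set()):
        return False, "signer not allowed for that host/service"
    return True, "ok"
```

Only a request that passes `validate_request` should be handed to the firewall step, and the validated `ip` string (never the raw body) is what goes into the rule.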