Re: Securing SSH

["Kaushik Mukherjee" <kaushik () vfmindia biz>]

Hi,

Use token kind of authentication for users ... for eg. secur Id

Kaushik

----- Original Message ----- 
From: "Joerg Over Dexia" <over () dexia de>
To: <security-basics () securityfocus com>
Sent: Monday, January 12, 2004 4:54 AM
Subject: Re: Securing SSH


> Hi,
>
> Am 12:53 10.01.2004 +1300 teilte Roland Venter mir folgendes mit:
> ->I need to manage several servers remotely via SSH, I'm
> interested in ways to
> ->secure the connection and prevent unauthorised access.
> ->
> ->My thoughts:
> ->Limit access to only allow remote connections from our
> management network
> ->via iptables rules. Works but what if our ISP changes our fixed
> IP, which
> ->means we are effectively locked out from all the servers and
> requires a site
> ->visit to update the rules.
> ->
> ->We also need to provide access to engineers working from home
> using dialup,
> ->etc
> ->
> ->Some sort of client certificates to supplement username and
> password,
> ->
> ->Recommendations on securing the SSH daemon etc
> ->
> ->Any ideas and tips or random thoughts appreciated
>
> We implemented sth like that... authentication is via a pgp
> signed eMail to a special account with sth like the following in
> the body:
>
> host = mailserver
> duration = 2
> service = mail
> date = 06.11.2003
> ip = dial-up-ip-of-somebody
>
> This is parsed by a script and if validated, triggers a hole in
> the firewall for that specific IP and ssh for the given duration.
> Same for the tunnel to the requested host and service.
> Advantages:
> - No possible ssh bug open to the world
> - dialup IPs manageable
> - nice log for the requests (the mailbox)
>
> Behind the ssh login is not a shell, but a simple chrooting
> setuiding-to-worm program, which allows 10 Minutes to establish a
> tunnel and then exits. Therefore I only have one account for ssh,
> one password or .identity, even if these credentials are lost not
> *that* much is lost.
> Key to security are the pgp keys, and I can quite easily manage
> them.
>
> Script controls via lists who is allowed to tunnel to what
> service on which machine.
>
> Disadvantage:
> A little unwieldy. Write a mail, wait for answer, write again
> 'cuz you mucked up the signature ;) , wait again, k now, open the
> ssh tunnel, open the application. Provider kicks you out, got
> another IP, same procedure again.
> But security and comfort rather seldom go hand in hand...
> (btw: Your IP might now be owned by a hacker, who might have the
> latest ssh exploit your ssh might be vulnerable to and might just
> scan your servers IP before the ssh access for that IP is blocked
> again. Chances are rather slim.)
>
> hth and gives you some ideas. Also, if you find severe flaws in
> that concept, I'd also very much like to hear about that.
>
> P.S.: If your ISP changes your fixed IP you pay for without
> notification, you are afaik legally allowed to shoot him.
> Check with local laws anyway before attempting that.
>
> JO
>
> --------------------------------------------------------------------------
-
> Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
> course! All of our class sizes are guaranteed to be 10 students or less.
> We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion
Prevention,
> and many other technical hands on courses.
> Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
> any course!
> --------------------------------------------------------------------------
--



---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------