Introduction#
SSH is a widely used protocol to access remote devices. The problem with SSH is at the authentication stage, Brute force attacks are one of the ways an SSH connection is compromised. A malicious actor will constantly hammer the remote host with different passwords until it can gain access. With further configuration of SSH we can make the service a lot more secure.
Configure SSH#
Famous last words: Configuring SSH like many things in Linux is as simple as editing a few config files
Always create a backup file, You can end up locking yourself out of a device. Try this on a machine that is not critical.
Create SSH Keys#
SSH keys use public and private key encryption for authentication.
To create a set of keys, on the client do:
ssh-keygen -t ecdsa -C <username>@<hostname>
- -t ecdsa - sets the key encryption type to ecdsa
- -C - Comment or name of the SSH key. Replace content in <>
Where you want to save the keys, I recommend the default location
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Password for the ssh key, please use a strong password.
Enter passphrase (empty for no passphrase):
Once done you will see a confirmation screen like the one below
Output
Your identification has been saved in /home/user/.ssh/id_rsa
Your public key has been saved in /home/user/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:tIurljnWJRBc1RnHUJQ5GtND7p9HWKnjV6zjE9AFR1Y user@host
The key's randomart image is:
+---[RSA 3072]----+
| . .....oX=o.oE|
| o =oB oo|
| . . +.+ o.|
| . . .... o+ |
| . S .+. +|
| .... ..o+.|
| +.o. .=o.|
| * .. .oo |
| o.o. .. |
+----[SHA256]-----+
Copy SSH Keys#
ssh-copy-id user@host
Quick note: user@host is the username on the remeote host you would like to copy your public key to.
If asked to confirm the connection to the remote host answer yes, this happens when a new machine with an unknown identity wants to connect.
Output
The authenticity of host 'host(host)' can't be established.
ECDSA key fingerprint is xx:xx:xx:xx:xx:xx:xx:xx.
Are you sure you want to continue connecting (yes/no)? yes
Enter a password for the user on the remote host
Output
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user@host's password:
Access the remote device using the SSH key
To verify this, SSH to the device and it should ask for the Keys password not the users
Enter passphrase for key '/home/user/.ssh/id_rsa':
Modify SSH Config#
create a backup
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
open the original file in a text editor
NeoVim BTW!!
sudo vim /etc/ssh/sshd_config
For a new Linux user this might be daunting. Take your time and you will be fine 😊
Lines we want to modify
Note: uncomment lines as well as add missing lines
- Protocol 2
- Port 2222
- PermitRootLogin no
- Max Auth Tries 5
- PasswordAuthentication no
- PermitEmptyPasswords no
- AllowUsers
- ClientAliveInterval 180
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
Protocol 2
Port 2222
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 5
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
AllowUsers <user>
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
ClientAliveInterval 180
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Now lets explain what we just did
- Protocol 2 - released in 2006, SSH2 introduced improved encryption algorithms.
- Port 2222 - The port number can be whatever number you want. Choose something other than 22 this will help hide your device from malicious actors
- PermitRootLogin no - If the root account gets compromised then the attacker has full control so we stop root from logging in over ssh.
- MaxAuthTries 5 - After 5 failed attempts the remote host blocks requests from that IP for some of time.
- PasswordAuthentication no - The SSH key is installed, no need to have password authentication.
- PermitEmptyPasswords no - Don’t allow empty passwords
- AllowUsers username - Add the users you want to connect to the remote host, others will be dropped.
- Client Alive Interval 180 - Drop the connection after 180s of inactivity
Check ability to connect#
restart sshd service
sudo systemctl restart sshd
Keep the current SSH connection open and create a new session.
If you connect to the remote host then you’re set. If not then you still have the initial connection to the remote host to roll back the changes and troubleshoot.
Success#
Setting up Fail2Ban#
Fail2Ban is an intrusion prevention tool. Although we slow down attackers with with MaxAuthTries they can still carry on brute forcing. Which is what Fail2Ban does, it actually blocks the connections from that IP.
Install Fail2Ban#
We will install Fail2Ban on the remote host First upgrade any packages, then install Fail2Ban
sudo apt update && sudo apt upgrade
sudo apt install fail2ban
Now we need to enable the service so it starts when the remote host starts
sudo systemctl enable --now fail2ban
Configure Fail2Ban#
The config file we want to edit is jail.local located in /etc/fail2ban/ open jail.local in your editor of choice
sudo vim /etc/fail2ban/jail.local
The config for Fail2Ban is nice and short
[DEFAULT]
bantime = 8h
ignoreip = 127.0.0.1 <ip addresses to be ignored>
ignoreself = true
[sshd]
enabled = true
port = 2222
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 10m
[Default] - Settings in here apply to all jails
- bantime - how long the ban will last
- ignoreip - IP addresses to ignore
- ignoreself - stops from locking itself out
[sshd] - this is the jail for sshd
- enabled - decides weather the jail is active or not
- port - the port number the service
- filter - tells the jail which filter to use from /etc/fail2ban/filter.d
- logpath - where the log you want fail2ban to read is
- maxretry - Times the client can attempt a login before being banned
- findtime - An amount of time which maxretry must occur to trigger a ban for example in 10 minutes if 3 login attempts fail ban the IP
Restart Fail2Ban to load the configuration
sudo systemctl restart fail2ban
Testing Fail2Ban#
To test Fail2Ban lets create a test user and set a password for the user
sudo useradd test
sudo passwd test
open the sshd config
sudo vim /etc/ssh/sshd_config
Modify the line PasswordAuthentication to say yes and add the test user to AllowUsers
PasswordAuthentication yes
AllowUsers user test
restart the sshd service
sudo systemctl restart sshd
Attempt to login to the remote host using the test account using an incorrect password. After 3 failed attempts it should say connection refused.
ssh test@host -p 2222
Fail2Ban should do something along the lines of …
log back in as your normal user, remove the test user and restore the sshd config.
To remove the user
sudo userdel test
restore the /etc/ssh/sshd_config file
sudo vim /etc/ssh/sshd_config
Set PasswordAuthentication back to no and remove test from AllowUsers
PasswordAuthentication no
AllowUsers user
Conclusion#
well done, you managed to make it through all that !! At least now you can be reassured that if them pesky brute-force attackers decide to target your machine they can have a fun time in Jail 🤣 sorry bad joke.
By now you have managed to setup an ssh key for a client and copy it to a remote host, re-configure the sshd config to lockdown authentication and install and configure Fail2Ban to block pesky attackers.