2006 Nov 23 - Thu
SSHD Intrusion Prevention
First version: 2006/11/23
There are many 'bots out on the internet that scan for Linux hosts and attempt automated
sign-ins using common usernames and dictionary passwords. It is tough to lock those bots
out while still allowing legitimate users to sign into a machine.
To close that loophole in a system's security, there are a couple of things to do. First
of all, be sure that telnet access to the machine has been turned off. Telnet is not a
secure remote access technology: all traffic, including passwords, is transmitted in the
clear.
The alternate form of remote console access to a machine is through an ssh client. There
are two ssh protocol versions, ssh1 and ssh2, with the second being more secure than the
first. With the ssh daemon running in its standard configuration, the bots can still
attempt username and password scans against the machine and, through luck of the draw,
possibly gain access. Even though usernames and passwords are encrypted in transit, that
doesn't prevent the bots from trying them anyway.
In a related article about PuTTY SideKicks, I described how to create a public/private
key-pair. That key-pair concept is required for implementing this solution.
Make sure the authorized_keys file in the user's .ssh directory has been updated with
their public key. Then, in the sshd_config file, find the entry called
'PasswordAuthentication'. It is typically set to 'yes'. Set it to 'no' and restart the sshd
daemon.
This will prevent all password based logins to a server. Only users with pre-arranged
public/private key-pairs will be allowed access to the server.
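A check to run after the edit, as an added example that is not part of the original post: sshd keeps the first value it sees for a keyword, so a 'no' placed below an earlier 'yes' is silently ignored, and keyboard-interactive prompts (ChallengeResponseAuthentication) can still ask for a password under PAM. The sample configs are constructed; the script assumes the usual "Keyword value" whitespace layout.

```shell
# Added example, not from the original post: report whether an sshd_config still
# allows password logins. Lines after a "Match" block only apply conditionally,
# so they are skipped. Assumes "Keyword value" form ("Keyword=value" is not handled).
effective_setting() {
    # $1 = keyword (case-insensitive), $2 = config file, $3 = sshd's built-in default
    awk -v key="$1" -v def="$3" '
        BEGIN { key = tolower(key) }
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }    # drop comments and blank lines
        { k = tolower($1) }
        k == "match"      { inmatch = 1; next }           # everything below is conditional
        inmatch           { next }
        k == key && !done { val = tolower($2); done = 1 } # first occurrence wins
        END { print (done ? val : def) }
    ' "$2"
}

# Both keywords default to "yes" in OpenSSH; with PAM the keyboard-interactive
# method usually ends up asking for the same account password.
password_logins_allowed() {
    pw=$(effective_setting PasswordAuthentication "$1" yes)
    cr=$(effective_setting ChallengeResponseAuthentication "$1" yes)
    if [ "$pw" = no ] && [ "$cr" = no ]; then echo no; else echo yes; fi
}

# Constructed sample configs, not real server files.
WEAK=$(mktemp)
GOOD=$(mktemp)
trap 'rm -f "$WEAK" "$GOOD"' EXIT
cat > "$WEAK" <<'EOF'
# the earlier "yes" makes the later "no" a no-op
PasswordAuthentication yes
PasswordAuthentication no
EOF
cat > "$GOOD" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# conditional exception for one account only
Match User backup
    PasswordAuthentication yes
EOF

printf 'weak config allows password logins: %s\n' "$(password_logins_allowed "$WEAK")"
printf 'hardened config allows password logins: %s\n' "$(password_logins_allowed "$GOOD")"
```

On a live host, `sshd -T` prints the effective values sshd itself computed and is the authoritative cross-check for this script's answer.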
This closes down one form of unauthorized access to a server. However, other remotely
accessible applications on the server still need evaluation to determine their risk of
permitting server intrusions.
[/OpenSource]
Tacacs Installation
Updated: 2006/11/23
Here is one of a series of installation procedures for an Open Source monitoring tool.
Tacacs is used for authenticating users into (mostly) Cisco devices. The shrubbery.net
version, tac_plus, is used here.
Installation
Log into the www.shrubbery.net ftp server and retrieve tac_plus into /usr/src. Use
'tar -zxvf' to expand the file and then cd into the newly expanded directory. You'll need
a couple of prerequisites:
apt-get install libwrap0
apt-get install libwrap0-dev    # Debian's name for the tcp_wrappers development package
You'll need to configure the Makefile:
./configure \
--bindir=/usr/local/bin \
--sbindir=/usr/local/sbin \
--localstatedir=/var/local/tacacs \
--sysconfdir=/etc \
--with-logfile=/var/log/tacacs/tacacs \
--with-pidfile=/var/run/tacacs.pid \
--with-acctfile=/var/log/tacacs/acctfile
Then perform the build and install:
make
make install
mkdir /var/local/tacacs
mkdir /var/log/tacacs    # holds the logfile and acctfile paths given to ./configure
Update /etc/logrotate.conf:
/var/log/tacacs/acctfile /var/log/tacacs/tacacs {
    rotate 10
    daily
    compress
}
Here is an example simple configuration file for /etc/tacacs.conf:
key = yourkey
user = outech {
    member = admin
    login = cleartext apassword
}
user = lastresort {
    member = admin
    login = cleartext apassword
}
user = webadmin {
    member = level1
    login = cleartext apassword
}
user = $enab15$ {
    login = cleartext apassword
}
group = admin {
    default service = permit
}
group = level1 {
    cmd = show {
        deny run
        permit .*
    }
}
In the device, use a configuration similar to:
conf t
username lastresort secret apassword
ip tacacs source-interface Loopback0
enable secret apassword
aaa new-model
!
tacacs-server host 10.10.10.10 timeout 3
tacacs-server directed-request
tacacs-server key yourkey
aaa session-id common
aaa authentication login default group tacacs+ local enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 0 default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
line vty 0 15
 no password
 login authentication default
end
Then start the service with:
tac_plus -C /etc/tacacs.conf
This configuration places a unique 'lastresort' username, secret, and enable secret into
the device. If the tacacs server becomes unavailable, those are the credentials used to
gain access to the device. When tacacs is available, the username, secret, and enable
credentials from the tacacs config file are used.
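A quick audit of a tac_plus configuration like the /etc/tacacs.conf above, as an added example that is not part of the original post: the file carries the shared key and every user's password, so it should be readable by root only, and 'login = cleartext' is the weakest credential form tac_plus accepts. The sample file is constructed from the post's example; the script assumes the "keyword = value" layout shown there.

```shell
# Added example, not from the original post: list the weak spots in a tac_plus
# config file. Prints one finding per line; finding_count gives the total.
audit_tacacs_conf() {
    conf=$1
    # group/other permission bits are columns 5-10 of "ls -l" output
    perms=$(ls -l "$conf" | cut -c5-10)
    [ "$perms" = "------" ] || echo "$conf is readable beyond its owner (group/other bits: $perms)"
    awk '
        $1 == "user"  && $2 == "=" { u = $3 }      # remember the current user block
        $1 == "login" && $2 == "=" && $3 == "cleartext" {
            printf "user %s stores a cleartext password\n", u
        }
        $1 == "key" && $2 == "=" && $3 == "yourkey" {
            print "shared key is still the placeholder \"yourkey\""
        }
    ' "$conf"
}

finding_count() {
    audit_tacacs_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample: a subset of the post's example config, written world-readable.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
key = yourkey
user = outech {
    member = admin
    login = cleartext apassword
}
user = lastresort {
    member = admin
    login = cleartext apassword
}
user = $enab15$ {
    login = cleartext apassword
}
group = admin {
    default service = permit
}
EOF
chmod 644 "$SAMPLE"    # deliberately world-readable so that finding fires

audit_tacacs_conf "$SAMPLE"
printf '%s findings\n' "$(finding_count "$SAMPLE")"
```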
Further Information
A page showing how to automatically assign privilege levels: http://www.cisco.com/en/US/partner/tech/tk59/technologies_tech_note09186a008009465c.shtml
[/OpenSource/Debian/Monitoring]