ComputerSecurityStudent (CSS) [Login] [Join Now]

|UNIX >> CentOS >> CentOS-6.6 >> Current Page |Views: 28322

(CentOS 6.6: Lesson 7)

{ Installing, Configuring and Securing SSHD }

Section 0. Background Information
  • What is Secure Shell?
    • Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network.
    • The protocol specification distinguishes two major versions that are referred to as SSH-1 and SSH-2.
    • The best-known application of the protocol is for access to shell accounts on Unix-like operating systems.
    • It was designed as a replacement for Telnet and other insecure remote shell protocols such as the Berkeley rsh and rexec protocols, which send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis.
    • The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet.

  • What Is YUM?:
    • The Yellowdog Updater, Modified (YUM) is an open-source command-line package-management utility for RPM-compatible Linux operating systems and has been released under the GNU General Public License.  YUM has been adopted by Red Hat Enterprise Linux, Fedora, CentOS, and many other RPM-based Linux distributions, including Yellow Dog Linux itself, where it has replaced the original YUP utility 

  • Pre-Requisite Lab
    1. CentOS 6.6: Lesson 1: Installing CentOS 6.6
  • Lab Notes
    • In this lab we will do the following:
      1. Install openssh-server.
      2. Configure openssh-server.
      3. Test openssh-server.
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2015 No content replication of any kind is allowed without express written permission.


Section 1. Configure CentOS-6.6 Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Program --> VMWare --> VMWare Player
  2. Edit CentOS-6.6 Virtual Machine Settings
    • Instructions:
      1. Highlight CentOS-6.6
      2. Click Edit virtual machine settings


  3. Auto Detect Hard Drive
    • Instructions:
      1. Click on CD/DVD(IDE)
      2. Click the Use physical drive: radio button
      3. Make sure Auto detect is selected


  4. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click the OK Button


Section 2. Play Virtual Machine
  1. Start the CentOS-6.6 VM
    • Instructions:
      1. Click on the CentOS-6.6 VM
      2. Click on Play virtual machine


Section 3. Login to CentOS
  1. Login to CentOS
    • Note(FYI):
      1. Until you click the user, in this case Security Student, the Password field will not be displayed.
    • Instructions:
      1. Click on Security Student
        • This will display the password text box.
      2. Supply its' password
      3. Click the Log In Button
  2. Open a Terminal
    • Instructions:
      1. Applications --> System Tools --> Terminal


  3. Switch User to root
    • Instruction:
      1. su - root
      2. Supply the Root Password
    • Notes (FYI):
      1. su - root, this command allows the user student to switch user to user root, provided the root password can be supplied.


  4. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes (FYI):
      • As indicated below, my IP address is for Network Interface eth1.
        • Please record your IP address
      • The Local Loopback Address is for Network Interface lo.
        • The loopback device is a special, virtual network interface that your computer uses to communicate with itself.  When the network or wifi is disconnected the loopback exists so applications running on your computer can always connect to servers on the same machine.


Section 4. Installing openssh
  1. Check to see if openssh-server is installed.
    • Instruction:
      1. rpm -qa | grep "openssh-server"
      2. rpm -qi openssh-server-5.3p1-104.el6.i686
        • Paste the packate name results after the rpm -qi
    • Note(FYI):
      1. rpm - RPM Package Manager
      2. q = query
      3. a = all packages
      4. i = Display package information, including name, version, and description. 
      5. grep = Search for string "open-server"


  2. Let's update openssh-server
    • Instruction:
      1. yum update openssh-server
    • Note(FYI):
      1. If openssh-server was not found, then your command would be:
        • yum install openssh-server
      2. It's always a good idea to make sure you have the latest update for ssh.


  3. Install openssh-server.
    • Instructions:
      1. Is this ok [y/N]: y
      2. Is this ok [y/N]: y
    • Note(FYI):
      1. YUM reports that the latest update is  5.3p1-104.el6_6.1.


  4. Installation Analysis
    • Note(FYI):
      • You will see that the below packages have been updated followed by the "Complete!" message.


Section 5. Starting openssh
  1. Check to see if sshd is running.
    • Instructions:
      1. service sshd stop
      2. ps -eaf | grep sshd | grep -v grep | wc -l
    • Note(FYI):
      1. service sshd stop
        • I stopped the sshd process on purpose to show you how to use the "ps" command.
      2. ps -eaf | grep sshd | grep -v grep | wc -l
        1. ps -eaf = List all running processes
        2. grep sshd = search for sshd is the process list.
        3. grep -v grep = ignore the grep process in the process list.
        4. wc -l = count how many times sshd is listed.
        5. As a result, "0" line were counted, which means sshd is not running.


  2. Investigating Startup and Kill Scripts
    • Instructions:
      1. ls -l /etc/rc[0-6].d/* | grep ssh
    • Note(FYI):
      1. The /etc directory contains rc (run command) scripts. 
      2. rc scripts contain Startup (e.g., S55sshd) and Kill (e.g., K25sshd) scripts.
      3. The rc scripts dictate which scripts get started or killed during change in run-level.
      4. Run level Explanations
        • 0, Halt, Shuts down the system.
        • 1, Single-user Mode, Mode for administrative tasks.
        • 2, Multi-user Mode, Does not configure network interfaces and does not export networks services.
        • 3, Multi-user Mode with Networking, Starts the system normally.
        • 4, Not used/User-definable, For special purposes.
        • 5, Start the system normally with appropriate display manager. ( with GUI ), Same as runlevel 3 + display manager.
        • 6, Reboot, Reboots the system.


  3. chkconfig relates to rc scripts
    • Instruction:
      1. chkconfig --list | grep ssh
    • Note(FYI):
      1. chkconfig - updates and queries runlevel information for system services.
      2. chkconfig has five distinct functions: adding new services for management, removing services from management,
        listing the current startup information for services, changing the startup information for services, and checking
        the startup state of a particular service.
      3. Notice that run-levels 2,3,4,5 are all on and they have corresponding Start Up Scripts.


  4. Create Startup scripts for sshd
    • Instructions:
      1. chkconfig sshd --level 2345 on
      2. chkconfig --list | grep ssh
    • Note(FYI):
      1. Create SSHD start up scripts for run-level 2, 3, 4 and 5.
      2. Notice that chkconfig now shows that a startup script exists for run levels 2, 3, 4 and 5.


  5. Verify Startup scripts have been created using the find command.
    • Instructions:
      1. chkconfig sshd --level 2345 off
      2. chkconfig --list | grep ssh
      3. ls -l /etc/rc[0-6].d/* | grep sshd
      4. chkconfig sshd --level 2345 off
      5. ls -l /etc/rc[0-6].d/* | grep sshd
    • Note(FYI):
      1. Turn off all the sshd Start Up Scripts for run-levels 2, 3, 4 and 5.
      2. Verify with chkconfig that the sshd Start Up Scripts for run-levels 2, 3, 4 and 5 are off.
      3. Verify with the "ls -l" command that the sshd Start Up Scripts for run-levels 2, 3, 4 and 5 are off.
      4. Turn on all the sshd Start Up Scripts for run-levels 2, 3, 4 and 5.
      5. Verify with chkconfig that the sshd Start Up Scripts for run-levels 2, 3, 4 and 5 are on.


  6. Let's start up the sshd daemon.
    • Instruction:
      1. service sshd start
      2. ps -eaf | grep ssh | grep -v grep
    • Note(FYI):
      1. Start the sshd listening daemon/service.
      2. Display all (ps -eaf | grep ssh) ssh process and ignore (grep -v grep) the actual grep process.


Section 6. Secure openssh
  1. Make a sshd_config backup file.
    • Instruction:
      1. cd /etc/ssh
      2. cp sshd_config ssh_config.BKP
      3. ls -l sshd_config*
    • Note(FYI):
      1. Change directory to /etc/ssh.  This is where the ssh configuration files exist.
      2. Make a backup copy, so if you mess something up, you can revert to the original file.


  2. Open sshd_config
    • Instruction:
      1. gedit sshd_config 2>/dev/null &
    • Note(FYI):
      1. gedit, is a text editor for the GNOME desktop environment.
      2. sshd_config is the name of the file.
      3. 2>/dev/null, send any gedit error messages into a black hole, as in don't display them.
      4. &, means put the process of opening gedit sshd_config in the background.


  3. Find LoginGraceTime
    • Instructions:
      1. Arrow down to "#LoginGraceTime 2m"


  4. Reduce Unauthenticated Disconnect Time
    • Instructions:
      1. Delete the "#" character that proceeds "#LoginGraceTime 2m".
      2. Change 2m to 30.
    • Note(FYI):
      1. The default of 2 minutes is too much time to stay open for an unauthenticated connection attempt.  So, we will reduce the amount of time to remain open from 2 minutes to 30 seconds.

  5. Find "#PermitRootLogin yes"
    • Instruction:
      1. Arrow down to "#PermitRootLogin yes"


  6. Configure and Disable PermitRootLogin
    • Instructions:
      1. Delete the "#" character that proceeds PermitRootLogin.
      2. Replace "yes" with a "no" and that follows PermitRootLogin.
    • Note(FYI):
      1. This will disabled the ability for somebody to login as root.


  7. Configure PAM authentication
    • Instructions:
      1. Arrow down until you get to the line "#UsePAM no"
      2. Verify "UsePAM yes" exists under the line "#UsePAM no"
    • Note(FYI):
      1. If the line "UsePAM yes" already exists, then you are not required to do anything.  If it does NOT exist, then add it.
      2. Basically, we need to verify that there is a line stating "UsePAM yes".


  8. Find "#MaxStartups"
    • Instructions:
      1. Arrow down until you get to the line "#MaxStartups 10:30:100"


  9. Limit the maximum number of unauthenticated connections that the ssh server will handle at the same time.
    • Instructions:
      1. Remove the "#" character that proceeds "#MaxStartups 10:30:100".
      2. Change 10:30:100 to 3:50:10
    • Note(FYI):
      1. The smaller the number is the harder it is for attackers to make parallel, coordinated brute force attempts with multiple connections. 
      2. 3: Allow 3 unauthenticated connections before dropping connections.
      3. 50:  There is a 50 percentage chance of dropping connections once we reach 3 connections.
      4. 10: max number of connections at which we start dropping everything


  10. Save and Close sshd_config
    1. Instructions:
      1. Click Save
      2. Click the "X" to Close


  11. Restart the sshd daemon.
    • Instructions:
      1. service sshd restart
      2. ps -eaf | grep sshd | grep -v grep
    • Note(FYI):
      1. When ever you make a change to the sshd_config file, you will need to restart the sshd daemon in order for the changes to take affect.
      2. Verify the sshd daemon/service is running.


Section 7. Configure Firewall
  1. Open the Firewall
    • Instructions:
      1. System --> Administration --> Firewall


  2. Firewall Configuration Startup Message
    • Instructions:
      1. Click the Close Button


  3. Enter the root password
    • Instructions:
      1. Supply the root password
      2. Click the Authenticate Button


  4. Enable SSH
    • Instructions:
      1. Un-Check and Check the SSH checkbox
        • If this box is already checked, uncheck and recheck it.
      2. Click on the Apply Green Checkmark


  5. system-config-firewall message
    • Instructions:
      1. Click the Yes button


  6. Reload Firewall
    • Instructions:
      1. Click Reload
      2. Click the X to close


Section 8. Test sshd to not allow root to login
  1. Test sshd to not allow root to login
    • Instructions:
      1. ssh root@localhost
      2. Are you sure you want to continue connecting (yes/no)? yes
      3. Supply root password
      4. Supply root password again
      5. Supply root password again
    • Note(FYI):
      1. If you get prompted for an RSA key fingerprint, then answer "yes"
      2. Notice that even though you are typing the correct root password you are not able to login.


Section 9. Proof of Lab
  1. Proof of Lab
    • Instructions:
      1. ls -l /etc/ssh/sshd_config
      2. ls -l /etc/sysconfig/iptables
      3. iptables -L -n | grep ":22"
      4. ps -eaf | grep ssh | grep -v grep
      5. date
      6. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions:
      1. Do a PrtScn
      2. Paste into a word document
      3. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth