I was approached to write some articles for AdminNation.com. Check out my article on SSH Access Using Keys as a beginner's guide to using SSH more securely and effectively. http://www.adminnation.com/linux/ssh-access-using-keys/
Tag Archives: ssh
Protecting SSH against brute force attacks
Running a public AWS instance is always asking for unexpected trouble from script kiddies and bots probing for a way in to compromise your server.
Sshguard (www.sshguard.net) monitors your authentication log and adds rules to your iptables firewall accordingly, to keep persistent brute force attackers at bay.
1. Download the latest version from http://www.sshguard.net @ http://freshmeat.net/urls/6ff38f7dc039f95efec2859eefe17d3a
wget -O sshguard-1.5.tar.bz2 http://freshmeat.net/urls/6ff38f7dc039f95efec2859eefe17d3a
2. Unpack
tar jxvf sshguard-1.5.tar.bz2
3. Configure + Make
cd sshguard-1.5
./configure --with-firewall=iptables
make
4. Install (to /usr/local/sbin/sshguard)
sudo make install
5. /etc/init.d/sshguard (chmod 0755)
#!/bin/sh
# this is a concept, elaborate to your taste
# -a 4                            abuse threshold at which an address gets blocked
# -b 5:/var/sshguard/blacklist.db blacklist an address permanently once it has been
#                                 blocked 5 times; the list persists in this file
# -l /var/log/auth.log            the log file to watch
case $1 in
start)
    /usr/local/sbin/sshguard -a 4 -b 5:/var/sshguard/blacklist.db -l /var/log/auth.log &
    ;;
stop)
    killall sshguard
    ;;
*)
    echo "Use start or stop"
    exit 1
    ;;
esac
6. /etc/iptables.up.rules
# Firewall
*filter
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT DROP [0:0]
-N sshguard
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport http -j ACCEPT
-A INPUT -p tcp --dport ftp-data -j ACCEPT
-A INPUT -p tcp --dport ftp -j ACCEPT
# New SSH connections go through the sshguard chain first. sshguard inserts DROP
# rules there for abusive addresses; everything else returns to INPUT, so an
# explicit ACCEPT must follow or the final DROP rule swallows every SSH connection.
-A INPUT -p tcp --dport ssh -j sshguard
-A INPUT -p tcp --dport ssh -j ACCEPT
# DNS replies are already admitted by the RELATED,ESTABLISHED rule above. The rule
# below would accept any UDP packet whose source port is 53, which a sender can set
# freely, so it is left commented out.
# -A INPUT -p udp --source-port 53 -d 0/0 -j ACCEPT
-A OUTPUT -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed
7. Read in the IPtables rules
iptables-restore < /etc/iptables.up.rules
8. Start Sshguard
mkdir -p /var/sshguard && /etc/init.d/sshguard start
Verification
tail -f /var/log/auth.log
iptables -L -n
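To see what sshguard is doing with that log, here is an added example (not code from the original post or from the sshguard project): it tallies sshd failures per source address from a constructed sample of auth.log lines, applies a fixed threshold of 4 failures (a simplification of sshguard's dangerousness scoring behind the -a flag), and prints the iptables rule that would land in the sshguard chain. The log lines are constructed; the message formats are sshd's standard ones.

```shell
#!/bin/sh
# Added example, not sshguard's code: count sshd login failures per source
# address the way a log-watching blocker does, then emit the iptables rule
# that would go into the sshguard chain. The threshold is a simplification of
# sshguard's scoring, and the log lines below are constructed for the example.
set -e

SAMPLE_LOG=$(cat <<'EOF'
Jun  1 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun  1 10:00:03 web1 sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Jun  1 10:00:05 web1 sshd[2105]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jun  1 10:00:07 web1 sshd[2107]: Invalid user test from 203.0.113.5
Jun  1 10:00:09 web1 sshd[2109]: Failed password for ubuntu from 198.51.100.9 port 40001 ssh2
Jun  1 10:00:12 web1 sshd[2111]: Accepted publickey for ubuntu from 198.51.100.9 port 40002 ssh2
Jun  1 10:00:20 web1 sshd[2113]: Failed password for invalid user guest from 203.0.113.5 port 51250 ssh2
EOF
)

# count_failures LOG: print "count ip" per source address, most failures first.
# Only sshd's failure messages are counted; "Accepted ..." lines are ignored.
count_failures() {
  printf '%s\n' "$1" \
    | grep -E 'sshd\[[0-9]+\]: (Failed password for|Invalid user) ' \
    | sed -E 's/.* from ([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*/\1/' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# offenders LOG THRESHOLD: addresses whose failure count reached the threshold.
offenders() {
  count_failures "$1" | awk -v thr="$2" '$1 >= thr { print $2 }'
}

# block_rules LOG THRESHOLD: the iptables commands for the sshguard chain.
# Printed rather than executed so the script is safe to run anywhere.
block_rules() {
  offenders "$1" "$2" | while read -r ip; do
    printf 'iptables -A sshguard -s %s -j DROP\n' "$ip"
  done
}

count_failures "$SAMPLE_LOG"
block_rules "$SAMPLE_LOG" 4
```

Run it as-is and 203.0.113.5 (five failures) is the only address that reaches the threshold; 198.51.100.9 had one failure followed by a successful key login and is left alone. On a live box, feed it `tail -n 1000 /var/log/auth.log` instead of the sample.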
Amazon EC2 – Ubuntu Quickstart Guide
You will need
- A web browser
- An Amazon AWS Account
- Download PuTTY
Instructions
- Create a new key pair in AWS
https://console.aws.amazon.com/ec2/home#c=EC2&s=KeyPairs
It will automatically download the key for you – go put it somewhere safe (c:\amazon\keys\your-key.pem)
- Load up puttygen.exe
- Conversions… Import Key
- Import c:\amazon\keys\your-key.pem
- Save Public Key: c:\amazon\keys\PublicKey.ppk
- Save Private Key: c:\amazon\keys\PrivateKey.ppk
Ideally set a passphrase. It is not required, but without one anyone who copies the .ppk file can use it; with one, PuTTY asks for the passphrase whenever it uses the key to connect.
- Launch an instance from AWS
https://console.aws.amazon.com/ec2/home#s=Home
- Choose Community AMI
- Search for ami-480df921 (it may take a while – be patient). This is Canonical’s 32-Bit Ubuntu 10.04
- Click Select, then choose a t1.micro (or relevant size) instance
- Keep the rest of the defaults but when it asks for keypair – use the one you created in step 1 from the drop-down
- Go to the end and it will launch…
- In your Instances
https://console.aws.amazon.com/ec2/home#s=Instances
Select your instance, then Instance Actions, then Connect. Copy the hostname
- In PuTTY paste the hostname into the Hostname or IP box
- Under SSH… Auth browse to c:\amazon\keys\PrivateKey.ppk
- Then back under Session click Open
- The first time you connect PuTTY shows the server's host key fingerprint. Compare it with the fingerprints the Ubuntu image prints into the instance's system log (viewable in the EC2 console) before accepting it, so you are not trusting a host someone has put in the way
- When prompted, log in as “ubuntu”
Auto mount (autofs) sshfs access
1. Install autofs
Ubuntu/Debian: sudo apt-get install autofs sshfs
Red Hat/Fedora based: sudo yum install autofs fuse-sshfs
(sshfs itself is needed on the client as well, since the autofs map below calls it)
2. Edit /etc/auto.master and add a line:
/media/sshfs /etc/auto.sshfs uid=1000,gid=1000,--timeout=30,--ghost
3. Edit /etc/auto.sshfs
mountpoint -fstype=fuse,rw,nodev,nonempty,allow_other,reconnect,uid=1000,gid=1000,max_read=65536,compression=yes,auto_cache,no_check_root,kernel_cache :sshfs\#user@server\:/remotedir
4. Make the autofs mount point
mkdir -p /media/sshfs
5. SSH Access using Keys – for root
The automounter runs as root, so for sshfs through autofs to work root on the client must be able to log in to user@server with public key authentication and no password or passphrase prompt (this is ordinary key authentication, not host-based authentication: it is root's own key pair that gets authorized on the server). As root on the client, press Enter for an empty passphrase when asked, since autofs cannot answer a prompt:
ssh-keygen -t rsa
scp .ssh/id_rsa.pub user@server:
ssh user@server
mkdir --mode=0700 -p .ssh
cat id_rsa.pub >> .ssh/authorized_keys
chmod 0600 .ssh/authorized_keys
Now test you can log in to user@server from the root user without it prompting for a password. Because this key has no passphrase, anyone with root on the client gets user's full shell on the server, so limit it in authorized_keys to what sshfs needs (the SFTP subsystem, from the client's address).
6. Start Autofs
Ubuntu/Debian: sudo /etc/init.d/autofs start
Red Hat/Fedora: sudo service autofs start
7. Access your remote filesystem by going to /media/sshfs/mountpoint
cd /media/sshfs/mountpoint
You should now be able to access the remote machine as if it were part of your local filesystem.
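An added example (not part of the original post) of locking down step 5 and checking it: the script builds the restricted authorized_keys line for root's passphrase-less key so the server only ever lets it run the SFTP subsystem (all sshfs needs) from one client address, builds the /etc/auto.sshfs entry so the backslash escaping is right, and wraps the "can root log in without a prompt" test in sftp batch mode so a misconfiguration fails fast instead of hanging on a password prompt. The client address 192.0.2.10, the key path /root/.ssh/id_rsa and the public key string are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the client's key is
# /root/.ssh/id_rsa, the client connects from 192.0.2.10, and the server's
# OpenSSH has the internal-sftp subsystem. The public key below is a constructed
# placeholder, not a real key, so the script runs offline.
set -e

SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7exampleexampleexample root@client'

# restricted_key_line CLIENT_IP PUBKEY: the authorized_keys entry for the server.
# from= pins the key to the client, command="internal-sftp" forces the SFTP
# subsystem (which is what sshfs speaks) so the key never yields a shell, and
# the no-* options close off tunnels and pseudo-terminals.
restricted_key_line() {
  printf 'from="%s",command="internal-sftp",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' \
    "$1" "$2"
}

# autofs_map_entry KEY USER HOST DIR UID GID: the /etc/auto.sshfs line.
# The backslashes stop autofs from reading '#' as a comment start and ':' as
# its own host/path separator before the string reaches mount.fuse.
autofs_map_entry() {
  printf '%s -fstype=fuse,rw,nodev,nonempty,allow_other,reconnect,uid=%s,gid=%s,max_read=65536,compression=yes,auto_cache,no_check_root,kernel_cache :sshfs\\#%s@%s\\:%s\n' \
    "$1" "$5" "$6" "$2" "$3" "$4"
}

# batch_login_ok USER@HOST: verify the key works unattended. sftp is used rather
# than ssh because the forced command above only permits SFTP; BatchMode makes
# a password prompt an error instead of a hang, which is what autofs would hit.
batch_login_ok() {
  printf 'pwd\n' | sftp -o BatchMode=yes -o ConnectTimeout=5 -i /root/.ssh/id_rsa -b - "$1" >/dev/null
}

restricted_key_line 192.0.2.10 "$SAMPLE_PUBKEY"
autofs_map_entry mountpoint user server /remotedir 1000 1000
```

Append the first printed line to ~user/.ssh/authorized_keys on the server in place of the bare key from step 5, put the second into /etc/auto.sshfs, then run `batch_login_ok user@server && echo ok` as root on the client; if it prints nothing, fix the key before touching autofs.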