Live Free or PI Hard
SSH SECURITY
Cohner Marker, Spencer Johnson, Daryl Andes
Image: http://fosswire.com/post/2008/01/bullet-proof-your-server-2-ssh/
Demonstration
Public-Key Encryption
Image: Lecture: “introcrypt”, Computer Security Week03
Key Length & Unicity
Entropy
• A measure of unpredictability: how many bits an attacker still has to guess. A key or password chosen uniformly from 2^n equally likely values has n bits of entropy.
Unicity Distance
• "Ratio of the number of bits required to express the key divided by the redundancy of English in bits per character." That is, U = H(K) / D.
• The amount of ciphertext an attacker needs before only one key decrypts it to sensible text; with more than U characters, brute force can tell the right key from the wrong ones.
• Redundancy of the English language, D = 6.8 bits per character (the usual textbook figure for 8-bit ASCII text)
“password” vs “P@sS\/\/0rD”
• The second draws from a larger character set, so the naive keyspace (and the entropy estimate) is bigger.
• Caveat: a leet-speak rewrite of a dictionary word is a standard password-cracker rule, so its real entropy is far below what the character count suggests; length and randomness beat substitutions.
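Worked numbers for the two definitions above, added here as an illustration (not from the slides). The character-set sizes are the usual naive assumptions: 26 lowercase letters for the first password, 95 printable ASCII characters for the 11-character second one, and D = 6.8 bits per character as the slide states.

```latex
U = \frac{H(K)}{D}, \qquad D = 6.8\ \text{bits/char}

\text{``password''}:\quad H(K) = 8 \log_2 26 \approx 37.6\ \text{bits}, \qquad U \approx \frac{37.6}{6.8} \approx 5.5\ \text{chars}

\text{11-char mixed password}:\quad H(K) = 11 \log_2 95 \approx 72.3\ \text{bits}, \qquad U \approx \frac{72.3}{6.8} \approx 10.6\ \text{chars}

\text{128-bit random key}:\quad U \approx \frac{128}{6.8} \approx 18.8\ \text{chars}
```

Once an attacker holds roughly U characters of ciphertext, only one key yields English, so a brute-force search can simply try keys until the output reads as text; what makes that search feasible or not is the size of the keyspace, which is why entropy matters.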
Why does it matter?
Image: http://www.webstepbook.com/
Man-In-The-Middle
Image: http://boomer-musings.blogspot.com/
Brute-Force
Rivest-Shamir-Adleman Key Generation
Image: http://www.people.vcu.edu/
1. Choose two distinct prime numbers p and q.
2. Set the modulus n = p * q. (The key length is the bit length of n, e.g. 4096 bits, not n itself.)
3. Compute φ(n) = φ(p)φ(q) = (p − 1)(q − 1) = n − (p + q − 1), where φ is Euler's totient function.
4. Choose an integer e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1; i.e., e and φ(n) are coprime.
5. Determine d as d ≡ e^−1 (mod φ(n)); i.e., d is the multiplicative inverse of e modulo φ(n).
1. Public key: (n, e). 2. Private key: (n, d); p, q and φ(n) are secret as well and are normally discarded.
Encrypt: c = m^e mod n. Decrypt: m = c^d mod n.
** REFER to RFC 4432 **
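The five steps above carried through in code, as an added worked example for these slides (it is not code from the slides, from phpseclib, or from OpenSSH). The primes p = 61, q = 53 and e = 17 are chosen so every intermediate value can be checked by hand; real keys use primes of 1024+ bits each and a padding scheme, so textbook RSA like this is for learning only.

```python
"""Toy RSA that follows the five key-generation steps on the slide.

Added worked example, not code from the slides or from phpseclib. The
primes are deliberately tiny so every value can be checked by hand. Real
keys use primes of 1024+ bits each and padding (OAEP); textbook RSA like
this must never be used for real data.
"""
from math import gcd


def generate_keypair(p, q, e=65537):
    """Steps 1-5: return the public key (n, e) and the private key (n, d)."""
    if p == q:
        raise ValueError("step 1: p and q must be distinct primes")
    n = p * q                              # step 2: modulus
    phi = (p - 1) * (q - 1)                # step 3: Euler's totient phi(n)
    assert phi == n - (p + q - 1)          # the slide's second form of phi(n)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("step 4: need 1 < e < phi(n) and gcd(e, phi(n)) == 1")
    d = pow(e, -1, phi)                    # step 5: d = e^-1 mod phi(n) (Python 3.8+)
    return (n, e), (n, d)


def key_length_bits(n):
    """The key length is the bit length of the modulus n, not n itself."""
    return n.bit_length()


def encrypt(public_key, m):
    """c = m^e mod n; the message m must be an integer in [0, n)."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(private_key, c):
    """m = c^d mod n, the private-key operation from the slide."""
    n, d = private_key
    return pow(c, d, n)


def demo():
    """p = 61, q = 53, e = 17: hand-checkable parameters (n = 3233, d = 2753)."""
    public, private = generate_keypair(61, 53, 17)
    c = encrypt(public, 65)                # 65^17 mod 3233 = 2790
    return public, private, c, decrypt(private, c)


if __name__ == "__main__":
    print(demo())
```

With these parameters φ(n) = 60 · 52 = 3120, and 17 · 2753 = 46801 = 15 · 3120 + 1, which is exactly the step-5 condition; `key_length_bits(3233)` is 12, which is why "n is the key length" on the slide is shorthand for "the bit length of n".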
RSA Key Creation
mkdir ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t rsa -b 4096   (ssh-keygen -t rsa alone uses OpenSSH's default key size)
ssh-copy-id <username>@<host>
ssh-copy-id appends your public key to ~/.ssh/authorized_keys on the host; the private key never leaves your machine.
Source: http://phpseclib.sourceforge.net/rsa/examples.html
Securing SSH
Directories that need to be known
*/etc/ssh/
*/var/log/
The Files in these directories
*sshd_config (Where we make our changes)
*auth.log (Debian-based systems, Raspberry Pi OS included; RHEL-family systems write the same messages to /var/log/secure, and if the file is absent the journal has them: journalctl -u ssh)
Importance of auth.log
*It shows everyone and everything that tries to authenticate to your server, successful or not ("Accepted ... for <user> from <IP>" / "Failed password for <user> from <IP>").
*It records Hydra's failed attempts, one line per guess, which is exactly what a log analyzer or Fail2Ban keys on.
Deny Root Over SSH (PermitRootLogin no)
Allow or Deny Users (AllowUsers / DenyUsers; AllowGroups / DenyGroups work the same way)
Port Number (Port <n>; a non-default port cuts scanner noise in auth.log but is not a security control on its own)
Permit Empty Passwords No (PermitEmptyPasswords no)
Check the file with sshd -t before restarting, and keep your current session open until a fresh login works.
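An auditor for the four settings above, added here as an example for these slides (not code from the slides or from OpenSSH). It embeds two constructed sshd_config samples, the weak one and the hardened one, and reports what still needs changing. Two things it encodes that bite in practice: sshd keeps the first value it sees for a keyword, so a hardening line appended at the bottom of the file can be silently ignored, and lines after a Match block are conditional. The PasswordAuthentication check goes one step beyond the slide: once key login works, turn passwords off so Hydra has nothing to guess. The defaults used for absent keywords are OpenSSH's documented ones.

```python
"""Audit the global section of an sshd_config for the slide's settings.

Added example for these slides, not code from the slides or from OpenSSH.
The two configs below are constructed samples. DEFAULTS are what OpenSSH
assumes when a keyword is absent.
"""
import re

# Constructed sample: the risky settings spelled out explicitly.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PermitEmptyPasswords yes
PasswordAuthentication yes
"""

# Constructed sample: the same host after the slide's changes.
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
AllowUsers alice bob
PermitEmptyPasswords no
PasswordAuthentication no
PubkeyAuthentication yes
Match User bob
    PasswordAuthentication yes
"""

DEFAULTS = {
    "port": "22",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "passwordauthentication": "yes",
}

# keyword, then either whitespace or '=' (both are accepted by sshd), then value
_LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section.

    sshd uses the FIRST value given for a keyword and ignores later ones.
    Everything after a Match line applies only when its criteria hold,
    so parsing stops there.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            break
        effective.setdefault(keyword, value)
    return effective


def audit(text):
    """Return a list of (severity, keyword, message); an empty list is a pass."""
    cfg = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, DEFAULTS.get(key))

    findings = []
    if get("permitrootlogin") != "no":
        findings.append(("fail", "permitrootlogin",
                         f"PermitRootLogin is {get('permitrootlogin')}; set it to no"))
    if get("permitemptypasswords") != "no":
        findings.append(("fail", "permitemptypasswords",
                         "PermitEmptyPasswords must be no"))
    if get("passwordauthentication") != "no":
        findings.append(("warn", "passwordauthentication",
                         "passwords still accepted; set PasswordAuthentication no once keys work"))
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(("warn", "allowusers",
                         "no AllowUsers/AllowGroups: every local account may try to log in"))
    if get("port") == "22":
        findings.append(("info", "port",
                         "default port 22: expect constant scanner noise in auth.log"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or "OK")
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())`; it is a reading aid, not a replacement for `sshd -t`, which is what validates the syntax before a restart.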
Python Log Analyzers
Who needs Perl?
*Just kidding, we don't want to fail.
*Scripting languages are great for analyzing log files and then emailing an alert, blocking an IP, or setting firewall rules for particular IPs or attack patterns.
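The kind of analyzer the slide has in mind, added here as an example for these slides (not code from the slides). It parses constructed auth.log lines in the syslog format sshd writes on Debian-based systems (addresses from the documentation ranges), counts failed passwords per source IP, records which usernames each IP tried, flags any successful root login, and proposes firewall rules for IPs over a threshold. The `never_block` parameter is an assumption of this example: a safety list so the script cannot lock out the admin's own address.

```python
"""Count sshd authentication failures per source IP in auth.log lines and
propose firewall rules for the noisy ones.

Added example for these slides, not code from the slides. SAMPLE_AUTH_LOG
is constructed; the IPs are from the TEST-NET documentation ranges.
"""
import re
from collections import Counter, defaultdict

SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 pi sshd[1234]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:15:02 pi sshd[1235]: Invalid user admin from 203.0.113.7 port 51235
Mar  3 10:15:02 pi sshd[1235]: Failed password for invalid user admin from 203.0.113.7 port 51235 ssh2
Mar  3 10:15:03 pi sshd[1236]: Failed password for invalid user pi from 203.0.113.7 port 51236 ssh2
Mar  3 10:15:04 pi sshd[1237]: Failed password for root from 203.0.113.7 port 51237 ssh2
Mar  3 10:15:05 pi sshd[1238]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:15:06 pi sshd[1239]: Failed password for root from 203.0.113.7 port 51239 ssh2
Mar  3 10:20:11 pi sshd[1300]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Mar  3 10:20:20 pi sshd[1301]: Accepted publickey for alice from 198.51.100.20 port 40002 ssh2: RSA SHA256:constructedfingerprint
Mar  3 10:21:00 pi sshd[1302]: Invalid user test from 203.0.113.7 port 51240
Mar  3 10:22:00 pi sshd[1303]: Accepted password for root from 203.0.113.9 port 40100 ssh2
"""

# sshd message shapes (the "invalid user" prefix appears for unknown accounts)
FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")


def analyze(lines, threshold=5, never_block=()):
    """Summarize sshd log lines.

    threshold:   failed passwords from one IP before we propose blocking it
    never_block: IPs that must never be blocked (your own admin address)
    """
    failures = Counter()
    usernames = defaultdict(set)
    root_logins = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            continue
        m = INVALID.search(line)
        if m:                       # name only; the Failed line carries the count
            user, ip = m.groups()
            usernames[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m and m.group(2) == "root":
            root_logins.append((m.group(1), m.group(3)))   # (method, ip)
    suspects = sorted(ip for ip, n in failures.items()
                      if n >= threshold and ip not in never_block)
    # Proposed rules only; hand them to a script or run them after review.
    rules = [f"iptables -I INPUT -s {ip} -j DROP" for ip in suspects]
    return {
        "failures_by_ip": failures,
        "usernames_by_ip": dict(usernames),
        "suspects": suspects,
        "root_logins": root_logins,
        "block_rules": rules,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_AUTH_LOG.splitlines())
    for key in ("suspects", "root_logins", "block_rules"):
        print(key, report[key])
```

On a live box call `analyze(open("/var/log/auth.log"))` from a cron job or systemd timer and email the `suspects` and `root_logins` entries; a successful root password login is worth an alert regardless of the failure count. Fail2Ban does the same loop continuously and, unlike this script, unbans after a timeout, which is why it is the usual choice once you have seen the idea work.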
Fail2Ban
*Same concept as the scripted log analyzers: it tails the log, counts failures per IP, and bans the offender in the firewall for a set time.
*Easy-to-install package (apt install fail2ban on Debian-based systems); it ships with an sshd jail definition.
http://www.fail2ban.org/wiki/index.php/Main_Page
What To Take Away
*Hydra is cool, but it is available to everyone, attackers included.
*You must think like a hacker in order to protect your system. What ways could I get in?
*Make sure your keys and passwords have real entropy, and use RSA keys (key-based login) rather than passwords.
*MAKE SURE YOU DENY ROOT SSH ACCESS!