November 1st, 2008 |
Hardening Ubuntu LTSP server
Making ssh less exposed to brute-force break-in attempts from the internet is relatively important and straightforward under Ubuntu. The way LTSP works right now, the ssh service is reachable from the outside world unless you block access to port 22 on the WAN interface entirely. This is potentially unsafe if your users have weak passwords, because anyone on the internet could gain user-level access by a brute-force attack. The solution, which is somewhat controversial (many say you should simply make the passwords strong enough that you don't need this), is to run two instances of ssh: one serving the internal IP on port 2222 and one serving the WAN interface on port 22. If you only have one interface, both ssh instances serve the same interface, but one listens on port 22 and the other on 2222. This is how to set it up:
sudo cp /etc/init.d/ssh /etc/init.d/ltsp-ssh
sudo cp /etc/default/ssh /etc/default/ltsp-ssh
sudo cp /etc/ssh/sshd_config /etc/ltsp/ltsp-sshd_config
sudo cp -a /var/run/sshd /var/run/ltsp-ssh
sudo sed -i 's/^Port 22/Port 2222/' /etc/ltsp/ltsp-sshd_config
Note that these are the filenames on a Debian-based system; other systems may vary. You are also free to use a port other than 2222; it is just used here as an example. If you are using two interfaces, also do:
sudo sed -i 's/^#ListenAddress 0.0.0.0/ListenAddress 192.168.0.1/' /etc/ltsp/ltsp-sshd_config
Change 192.168.0.1 here to the address of your internal interface.
sudo sed -i 's/^#ListenAddress 0.0.0.0/ListenAddress 10.0.0.42/' /etc/ssh/sshd_config
Replace 10.0.0.42 with the address of your WAN-facing interface.
You will also need to give the new ssh instance its own .pid file, point its init script at its own configuration, and restrict it to the internal network:
echo "PidFile /var/run/ltsp-sshd.pid" | sudo tee -a /etc/ltsp/ltsp-sshd_config > /dev/null
sudo sed -i 's/^SSHD_OPTS=.*/SSHD_OPTS="-f \/etc\/ltsp\/ltsp-sshd_config"/' /etc/default/ltsp-ssh
echo "AllowUsers *@192.168.0.0/24" | sudo tee -a /etc/ltsp/ltsp-sshd_config > /dev/null
Finally, we harden the outward-facing WAN instance by doing the following (the patterns below also match the commented-out defaults, since a stock sshd_config ships PasswordAuthentication as a comment):
sudo sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/^#*PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config
echo "AllowUsers sysadmin nubae" | sudo tee -a /etc/ssh/sshd_config > /dev/null
Substitute your most trusted sudo-capable users for sysadmin and nubae in the example above.
To make the second ssh instance start at boot, also run:
sudo update-rc.d ltsp-ssh defaults
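The commands above edit sshd_config with one-shot sed substitutions, which silently do nothing when the directive is commented out (the stock file ships `#PasswordAuthentication yes`) or absent (AllowUsers), and which are not safe to re-run. The following is an added example, not part of the original post, of a small helper that sets a global sshd directive idempotently: it replaces an active or commented copy, appends the directive if missing, and keeps it above any `Match` block so it stays global. The sample config it operates on is constructed inline to resemble the relevant lines of a stock file; the `harden_wan_config` and `get_sshd_option` names are this example's own.

```shell
#!/bin/sh
# set_sshd_option FILE KEY VALUE
# Replace the global KEY directive in an sshd_config-style FILE, whether it
# is active ("KEY old") or a commented-out default ("#KEY old"), and append
# it if no such line exists. Directives after a "Match" line are
# conditional, so the global setting is emitted before the first Match
# block rather than at the end of the file.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; in_match = 0 }
        {
            line = $0
            sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip indent and "#"
            split(line, f, /[[:space:]]+/)
            lk = tolower(f[1])                              # keywords are case-insensitive
            commented = ($0 ~ /^[[:space:]]*#/)
            if (lk == "match" && !commented) {
                if (!done) { print key " " value; done = 1 }
                in_match = 1
            }
            if (!in_match && lk == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next    # drop every other global copy, active or commented
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_sshd_option FILE KEY
# Print the value of the first active (uncommented) KEY line, as sshd itself
# would use it; nothing is printed if the directive is not set.
get_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { $1 = ""; sub(/^ /, ""); print; exit }
    ' "$1"
}

# Constructed sample (not a real system file) with the lines the post edits,
# including the commented-out PasswordAuthentication default that a naive
# "s/PasswordAuthentication yes/.../" would leave in force.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
#ListenAddress 0.0.0.0
PermitRootLogin yes
#PasswordAuthentication yes
X11Forwarding yes
EOF
}

# The hardening applied to the WAN-facing instance in the post, expressed
# with the helper so it can be re-run safely. The address and user names
# are the post's examples.
harden_wan_config() {
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" ListenAddress 10.0.0.42
    set_sshd_option "$1" AllowUsers "sysadmin nubae"
}

# Demo: harden a temporary copy of the sample and show the result.
cfg=$(mktemp)
write_sample_config "$cfg"
harden_wan_config "$cfg"
cat "$cfg"
rm -f "$cfg"
```

Run the same helper against /etc/ltsp/ltsp-sshd_config for the internal instance, then validate each file with `sshd -t -f FILE` before restarting. Two caveats the post does not spell out: the copied init script still refers to /etc/default/ssh and /var/run/sshd.pid, so those references must be changed to the ltsp-ssh equivalents or the second instance will read the wrong options file (the comment below reports exactly this editing); and CIDR host patterns such as `*@192.168.0.0/24` in AllowUsers require OpenSSH 5.1 or newer, so on an older sshd the pattern matches nobody and every login is refused.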
A final note: the safest approach overall would be to put a firewall and port blocker on a completely separate machine and allow ssh access to only one account on that computer, from which one could then reach the internal network. But if you just have one server, hopefully this gives you peace of mind.



November 11th, 2009 | Andy Figueroa
This guide was very helpful and needed. Although my LTSP server has two interfaces, both were using a single sshd at port 22, and although root logins from ssh are not allowed, there was constant hacker activity in the logs. Using this guide, I hid my external LAN IP address behind an uncommon ssh port, leaving my client connection at port 22 but only watching its unique IP address.
I slightly deviated from the indicated naming and file locations as follows: all file names begin with ssh or sshd as appropriate. The sshd-ltsp_config I placed in /etc/ssh because that is the normal location for that file.
I also had to extensively edit the ssh-ltsp file in /etc/init.d/ to point to the correct tailored files, especially the many related to the PID (changing all instances of sshd.pid to sshd-ltsp.pid) and similar edits.
Finally, the suggested "AllowUsers *@192.168.0.0/24" in the sshd-ltsp_config file does not work, effectively disallowing all users. Leaving the AllowUsers parameter to remain commented out still effectively only allows users on the subnet 192.168.0.0 to log in because the only interface listened to ssh on port 22 is also only on that local net.
Thank you!