
Hardening Ubuntu LTSP server

Making ssh less exposed to brute-force break-in attempts from the internet is relatively important and straightforward under Ubuntu. The way LTSP works right now leaves the ssh service reachable from the outside world unless you block access to port 22 on the WAN interface entirely. This is potentially unsafe if your users have weak passwords, because anyone on the internet could gain user-level access through a brute-force attack. The solution is somewhat controversial, as many say you should make the passwords strong enough that you don't need it: create two instances of ssh, one serving the internal IP on port 2222 and one serving the WAN interface on port 22. If you only have one interface, both instances serve the same interface, one on port 22 and the other on port 2222. This is how to set it up:

sudo cp /etc/init.d/ssh /etc/init.d/ltsp-ssh
sudo cp /etc/default/ssh /etc/default/ltsp-ssh
sudo cp /etc/ssh/sshd_config /etc/ltsp/ltsp-sshd_config
sudo cp -a /var/run/sshd /var/run/ltsp-ssh
sudo sed -i -e 's/Port 22/Port 2222/' /etc/ltsp/ltsp-sshd_config

Note that these are the filenames on a Debian-based system; other systems may vary. You are also free to use a port other than 2222; it is only used here as an example. If you are using two interfaces, also run:

sudo sed -i -e 's/#ListenAddress 0.0.0.0/ListenAddress 192.168.0.1/' /etc/ltsp/ltsp-sshd_config

Change 192.168.0.1 as needed.

sudo sed -i -e 's/#ListenAddress 0.0.0.0/ListenAddress 10.0.0.42/' /etc/ssh/sshd_config

Replace 10.0.0.42 with the address of your WAN-facing interface.

You will also need to give the new ssh instance its own PID file:

echo "PidFile /var/run/ltsp-sshd.pid" | sudo tee -a /etc/ltsp/ltsp-sshd_config > /dev/null
sudo sed -i -e 's|SSHD_OPTS=|SSHD_OPTS="-f /etc/ltsp/ltsp-sshd_config"|' /etc/default/ltsp-ssh
# This only rewrites an existing AllowUsers line; if the file has none, add the line by hand.
sudo sed -i -e 's/AllowUsers/AllowUsers *@192.168.0.0\/24/' /etc/ltsp/ltsp-sshd_config

Finally, we harden the outward-facing WAN instance by doing the following:

sudo sed -i -e 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i -e 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
# As above, this only rewrites an existing AllowUsers line.
sudo sed -i -e 's/AllowUsers/AllowUsers sysadmin nubae/' /etc/ssh/sshd_config

Substitute your most trusted sudo users for sysadmin and nubae in the above example.

To make the second ssh instance start by default, also run:

sudo update-rc.d ltsp-ssh defaults
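
The sed commands above only change lines that already match, so an option that is absent or still commented out in sshd_config stays at its default without any error. As a check after the procedure, the following added example (not part of the original post) reads back the active value of each option; the helper names and sample files are constructed for illustration, and it assumes whitespace-separated keywords and no Match or Include directives.

```shell
# Added example (not from the original post): audit the two sshd_config files.
# Assumptions: keyword and value are whitespace-separated; no Match or Include.
# Print the value of keyword $2 in file $1. Keywords are case-insensitive,
# commented lines never match, and the first occurrence is reported.
sshd_opt() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# expect FILE KEY WANTED: print a finding and return 1 on mismatch.
expect() {
    got=$(sshd_opt "$1" "$2")
    [ "$got" = "$3" ] && return 0
    echo "FAIL $1: $2 is '${got:-unset}', expected '$3'"
    return 1
}

# AllowUsers only has to be present and uncommented.
check_allowusers() {
    [ -n "$(sshd_opt "$1" AllowUsers)" ] && return 0
    echo "FAIL $1: no active AllowUsers line"; return 1
}

# Each audit returns the number of failed checks (0 = file is as intended).
audit_wan() {   # audit_wan FILE
    fails=0
    expect "$1" PermitRootLogin no || fails=$((fails + 1))
    expect "$1" PasswordAuthentication no || fails=$((fails + 1))
    check_allowusers "$1" || fails=$((fails + 1))
    return "$fails"
}

audit_lan() {   # audit_lan FILE PORT
    fails=0
    expect "$1" Port "$2" || fails=$((fails + 1))
    expect "$1" PidFile /var/run/ltsp-sshd.pid || fails=$((fails + 1))
    check_allowusers "$1" || fails=$((fails + 1))
    return "$fails"
}

# Constructed samples: in wan_bad the password option is still commented out
# and there is no AllowUsers line, so the sed edits would not take effect.
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' 'PermitRootLogin no' '#PasswordAuthentication no' > "$SAMPLE_DIR/wan_bad"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' \
    'AllowUsers sysadmin nubae' > "$SAMPLE_DIR/wan_good"
printf '%s\n' 'Port 2222' 'PidFile /var/run/ltsp-sshd.pid' \
    'AllowUsers *@192.168.0.0/24' > "$SAMPLE_DIR/lan_good"
audit_wan "$SAMPLE_DIR/wan_bad" || echo "wan_bad: $? check(s) failed"
```

On the server, run audit_wan /etc/ssh/sshd_config and audit_lan /etc/ltsp/ltsp-sshd_config 2222; a return value of 0 means every checked option is active.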

A final note: the safest approach overall would be to put a firewall and port blocker on a totally different machine and only allow ssh access to one account on that computer, from which one could then access the internal network. But if you just have one server, hopefully this gives you peace of mind.
