Password Hardening and SSH (SEC 300) - Chromosom3/TechNotes GitHub Wiki

Disable Root SSH

Open /etc/ssh/sshd_config and set PermitRootLogin to no (un-comment the line if it is commented out; since OpenSSH 7.0 the built-in default is prohibit-password, which still lets root in with a key, so set no explicitly). This prevents root from authenticating via SSH. If you need to do privileged tasks via SSH, log in as an unprivileged user and use sudo or su. If you want to disable SSH for other users you can add DenyUsers $username, where $username is the user you want to restrict; to deny SSH for a whole group use DenyGroups $group, where $group is the group you want to block (both take a space-separated list). Check the file with sshd -t before restarting, keep your current session open in case you locked yourself out, then run systemctl restart sshd for the changes to take effect (on Debian/Ubuntu the unit is named ssh and sshd is an alias for it). A refused root attempt is logged to /var/log/auth.log on Debian/Ubuntu (/var/log/secure on RHEL-style systems); grep that file for root and you should see the connection being refused.


Change logon Banner

Edit /etc/issue.net to contain the logon banner you want. The file is only shown when a service is pointed at it: for SSH you must also edit /etc/ssh/sshd_config and set Banner to /etc/issue.net, after which the text is displayed to the client before authentication.

Important: Don't put sensitive information in the banner. No hostname, service version, or OS version. Just state that use is limited to authorized users and explain what activity is monitored and recorded.

Example logon banner: [image]

Note: For the banner change to take effect sshd must re-read its configuration: systemctl reload sshd (or /etc/init.d/ssh reload on older systems). A reload is enough here; existing sessions are not interrupted.
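The two sections above both edit /etc/ssh/sshd_config, and the mistakes that bite in practice are duplicate keywords (sshd takes the first one it sees) and drop-in files pulled in by an Include line near the top. The following audit script is an added example, not part of the original notes and not OpenSSH's own code: it parses the global section of an sshd_config the way sshd does and reports the settings from these two sections. The sample config, the function names and the findings it produces are assumptions for this example; sshd -t remains the authoritative syntax check.

```python
"""Audit an sshd_config for the settings covered in the two sections above.

Added example, not from the original notes and not OpenSSH's own code.
It reads the global section the way sshd does: keywords are
case-insensitive, the FIRST occurrence of a keyword wins (so a later
duplicate is silently ignored), lines beginning with '#' are comments,
and everything after the first 'Match' line is conditional, so it is
ignored here. The sample config and the audit checks are assumptions
for this example; 'sshd -t' remains the authoritative syntax check.
"""

# Constructed sample: a Debian/Ubuntu-style file after the edits above,
# with a stray duplicate near the bottom to show first-match-wins.
SAMPLE_SSHD_CONFIG = """\
# This is the sshd server system-wide configuration file.
Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin no
DenyUsers guest backup
DenyGroups nossh
Banner /etc/issue.net
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin no
"""


def parse_sshd_config(text):
    """Return {keyword: [args]} for the global section, first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:      # 'Keyword=value' form
            parts = parts[0].split("=", 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break                                     # the rest is conditional
        args = parts[1].split() if len(parts) > 1 else []
        settings.setdefault(keyword, args)            # keep the first one seen
    return settings


def audit(settings):
    """Return findings for the checks this page cares about; [] means clean."""
    findings = []
    # OpenSSH's built-in default since 7.0 is prohibit-password, which still
    # lets root in with a key, so the page's target is an explicit 'no'.
    permit = settings.get("permitrootlogin", ["prohibit-password"])[0].lower()
    if permit != "no":
        findings.append(f"PermitRootLogin is '{permit}', expected 'no'")
    banner = settings.get("banner", ["none"])[0]
    if banner.lower() == "none":
        findings.append("Banner is not set; SSH clients will see no warning banner")
    if "include" in settings:
        # Included files are read at the Include line, so with first-match-wins
        # a drop-in there can override everything below it. Not parsed here.
        findings.append(f"Include {settings['include'][0]} is read before the "
                        "values below and can override them; audit those files too")
    return findings


if __name__ == "__main__":
    conf = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("DenyUsers:", conf.get("denyusers"), "DenyGroups:", conf.get("denygroups"))
    for finding in audit(conf):
        print("finding:", finding)
```

Run it against the real file with `parse_sshd_config(open("/etc/ssh/sshd_config").read())`; the Include finding is the one to take seriously on Ubuntu, where a cloud-init drop-in in /etc/ssh/sshd_config.d/ can set PermitRootLogin ahead of the main file.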


Configuring Password Complexity

First, make sure the following packages are installed on the system:

  • libpam-pwquality
  • cracklib-runtime

Important: Before editing anything with pluggable authentication module (pam) make sure to make a backup. You can do this by copying /etc/pam.d/common-password.

Edit /etc/pam.d/common-password and add the options to the pam_pwquality.so line (continue a long line with a trailing \ since word wrap isn't enabled). Be aware that on Debian/Ubuntu this file is generated by pam-auth-update, which can overwrite manual edits; the same options can instead be set one per line in /etc/security/pwquality.conf, where they survive updates. Some examples are as follows:

  • minlen=8 : Minimum length.
  • maxrepeat=3 : Rejects more than 3 of the same character in a row.
  • ucredit=-1 : At least one uppercase character is required (a negative credit is a required minimum; a positive one only counts as a bonus towards minlen).
  • lcredit=-1 : At least one lowercase character is required.
  • dcredit=-1 : At least one digit is required.
  • ocredit=-1 : At least one special (non-alphanumeric) character is required.
  • gecoscheck=1 : Rejects passwords containing words longer than three characters from the user's GECOS field in /etc/passwd (typically the full name); any non-zero value enables it.
  • reject_username : Can not use the username in the password. This is the pam_cracklib spelling; pam_pwquality's equivalent is usercheck=1, which is on by default and also catches the reversed username.
  • enforce_for_root : Enforces the policy for root too (by default root is only warned).

You can check /var/log/auth.log for errors if you mess up the config.
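The quickest way to understand what these options reject is to run candidate passwords through them before touching PAM. The checker below is an added example, not part of the original notes and not libpam-pwquality's own code: it re-implements the options listed above with pwquality's semantics (a negative credit is a required minimum, maxrepeat counts identical characters in a row, gecoscheck looks at words from the GECOS field) and returns the reasons a password fails. The dictionary check done by cracklib is not reproduced, and the user record and sample passwords are constructed for the example.

```python
"""Check candidate passwords against the pam_pwquality options listed above.

Added example, not from the original notes and not libpam-pwquality's code.
Credit semantics follow pwquality: a NEGATIVE credit is the minimum number
of characters of that class; a non-negative credit is only a bonus towards
minlen and imposes no requirement (treated here as 'not required').
The cracklib dictionary check is deliberately left out.
"""
import re

POLICY = {            # the settings from the list above
    "minlen": 8,
    "maxrepeat": 3,
    "ucredit": -1,
    "lcredit": -1,
    "dcredit": -1,
    "ocredit": -1,
    "gecoscheck": 1,
    "usercheck": 1,   # pam_pwquality's name for reject_username
}

# Constructed passwd-style record for the hypothetical user 'duane'.
USER = {"name": "duane", "gecos": "Duane Example,,,"}

# Character classes as pwquality counts them: anything that is not a letter
# or digit is an "other" character.
CLASSES = {
    "ucredit": str.isupper,
    "lcredit": str.islower,
    "dcredit": str.isdigit,
    "ocredit": lambda c: not c.isalnum(),
}


def check_password(pw, policy=POLICY, user=USER):
    """Return the list of reasons the password fails; [] means accepted."""
    reasons = []
    if len(pw) < policy["minlen"]:
        reasons.append(f"shorter than minlen={policy['minlen']}")
    for opt, is_class in CLASSES.items():
        need = -policy[opt] if policy[opt] < 0 else 0
        if sum(1 for c in pw if is_class(c)) < need:
            reasons.append(f"needs at least {need} char(s) for {opt}={policy[opt]}")
    # maxrepeat=N rejects MORE than N identical consecutive characters,
    # so the regex looks for N+1 in a row.
    if policy["maxrepeat"] and re.search(r"(.)\1{%d,}" % policy["maxrepeat"], pw):
        reasons.append(f"more than maxrepeat={policy['maxrepeat']} identical chars in a row")
    low = pw.lower()
    name = user["name"].lower()
    if policy["usercheck"] and (name in low or name[::-1] in low):
        reasons.append("contains the user name (usercheck / reject_username)")
    if policy["gecoscheck"]:
        for word in re.split(r"[ ,]+", user["gecos"]):
            if len(word) > 3 and word.lower() in low:
                reasons.append(f"contains GECOS word '{word}' (gecoscheck)")
    return reasons


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor!x", "password", "Duane2024!!!!", "Short1!"):
        print(repr(candidate), check_password(candidate) or "accepted")
```

Note that "Duane2024!!!!" passes every class requirement and is still rejected three times over (repeat run, username, GECOS word), which is exactly the kind of password users reach for once complexity rules are switched on; that is the case the gecoscheck and usercheck options exist for.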


Configuring Account Lockouts

Important: Back up /etc/pam.d/common-auth before continuing! Add a line for pam_tally2 to /etc/pam.d/common-auth with the control value auth required, and place it above the other auth modules so that every attempt is counted before they run (required records the failure but still lets the rest of the stack run; the final result is still a denial). Note that pam_tally2 is deprecated and was removed in Linux-PAM 1.5.0; on distributions shipping that version or later, pam_faillock provides the same deny= and unlock_time= options. Settings to put on the line:

  • onerr=fail : If the tally file cannot be read or written, treat the attempt as a failure (fails closed; onerr=succeed would fail open).
  • deny=5 : Locks the account after 5 consecutive failed attempts.
  • unlock_time=600 : Time before the account unlocks on its own (seconds); without it the lock stays until reset by hand.
  • audit : Logs the user name to /var/log/auth.log even when the user does not exist.

Pam Tally Commands:

  • pam_tally2 -u duane : Show the current failure count and last failure for the user.
  • pam_tally2 -u duane --reset : Reset the failures to zero (unlocks the account).
  • pam_tally2 -h : Get help with tally.

TCP Wrappers with SSH

To enable TCP wrappers you need to edit /etc/hosts.allow. Only services linked against libwrap (or started through a wrapper such as tcpd) honour these files, so it is very important to know which programs use TCP wrappers, or you may drop connections you did not expect and leave open the ones you meant to block. In particular, upstream OpenSSH removed libwrap support in 6.7, and some distributions ship an sshd without it: check whether your sshd binary is linked against libwrap (ldd on the binary) before relying on hosts.allow, and use the firewall or sshd's own AllowUsers/Match rules otherwise.

Example config: sshd: 192.168.1.2 192.168.100. 10.237.237. Notes: on this line the first entry is a single host that can connect, and the other two end in a dot, which makes them network prefixes: they can be read as 192.168.100.0/24 and 10.237.237.0/24. I should change the last one to be my specific IP, but I'm not sure if it's my VPN IP or my container IP (it was my VPN IP, so 10.237.237. should have been 10.237.237.116). If you need to do IPv6 you can write the address in square brackets, such as [::1], or the IP you desire. If you want to do a subnet you can add the prefix length after the brackets, such as [::6]/12 or whatever subnet you want.

IMPORTANT: DO hosts.allow FIRST! This will prevent you from kicking yourself out. Once you have configured /etc/hosts.allow you need to configure /etc/hosts.deny. Example config: ALL : ALL Notes: hosts.allow is checked first and hosts.deny second, so with this line every wrapped service refuses any client that is not explicitly listed in hosts.allow; that is why hosts.allow must cover everything you need, not just sshd. Using PARANOID instead of ALL for the second (client) field matches only hosts whose reverse DNS name does not resolve back to the connecting IP, so ALL : PARANOID drops connections from clients with inconsistent DNS. It is only really for high-risk systems.
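The two mistakes the notes above warn about, a trailing-dot prefix that admits a whole /24 instead of one host, and an ALL : ALL deny that silently covers every wrapped service, are easy to test offline. The evaluator below is an added example, not part of the original notes and not libwrap's code: it applies the hosts_access(5) order (hosts.allow first, then hosts.deny, then allow by default) to constructed copies of the two files and a few client addresses. It handles daemon names, ALL, exact IPs, dotted-prefix networks, IPv4 net/mask and bracketed IPv6 with a prefix length; hostname patterns, EXCEPT, KNOWN/UNKNOWN/PARANOID and shell commands are out of scope, and the rule files and addresses are constructed for the example.

```python
"""Evaluate hosts.allow / hosts.deny rules the way libwrap does.

Added example, not from the original notes and not libwrap's own code.
Order of evaluation per hosts_access(5): a client is ALLOWED if a rule in
hosts.allow matches, DENIED if a rule in hosts.deny matches, and allowed
otherwise. Supported client patterns: ALL, exact address, dotted prefix
(10.237.237. means 10.237.237.0/24), IPv4 net/mask, and [ipv6] or
[ipv6]/prefixlen. Hostnames, EXCEPT, KNOWN/UNKNOWN/PARANOID and shell
commands are not implemented.
"""
import ipaddress

# Constructed rule files mirroring the example above, with the last
# network entry narrowed to the single VPN address as the notes suggest.
HOSTS_ALLOW = """
sshd: 192.168.1.2 192.168.100. 10.237.237.116 [::1] [fe80::]/10
ALL: 127.0.0.1
"""
HOSTS_DENY = """
ALL: ALL
"""


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) per non-empty line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((daemons.split(), clients.split()))
    return rules


def client_matches(pattern, addr):
    """True if one client pattern matches the client's IP address string."""
    ip = ipaddress.ip_address(addr)
    if pattern == "ALL":
        return True
    if pattern.startswith("["):                 # [ipv6] or [ipv6]/prefixlen
        if ip.version != 6:
            return False
        inner, _, plen = pattern[1:].partition("]")
        return ip in ipaddress.ip_network(inner + (plen or "/128"), strict=False)
    if ip.version == 4 and "/" in pattern:      # n.n.n.n/m.m.m.m (or /len)
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                   # dotted prefix == whole network
        return addr.startswith(pattern)
    return addr == pattern                      # exact address


def rule_matches(rule, daemon, addr):
    """A rule matches when both its daemon list and its client list match."""
    daemons, clients = rule
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    return daemon_ok and any(client_matches(c, addr) for c in clients)


def access_allowed(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow first, then hosts.deny, then the default of allowing."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny)):
        return False
    return True


if __name__ == "__main__":
    for daemon, addr in (("sshd", "192.168.100.77"), ("sshd", "10.237.237.117"),
                         ("vsftpd", "192.168.1.2"), ("sshd", "fe80::1")):
        print(daemon, addr, "allowed" if access_allowed(daemon, addr) else "denied")
    # The original prefix form would have let the whole /24 in:
    print("with 10.237.237. :", access_allowed("sshd", "10.237.237.117",
                                                 allow="sshd: 10.237.237."))
```

The vsftpd case is the one worth noticing: it is not in hosts.allow, so the ALL : ALL deny catches it even though the notes only set out to restrict sshd. Any other libwrap-aware service on the box gets the same treatment.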


Troubleshooting:

Search /var/log/auth.log for the following errors to troubleshoot issues.

  • tally : Find logs related to tally and failed logins.
  • broken : Find misconfigured config errors.
  • refused connect from : Find TCP wrapper-based entries.
  • grep -Ei "tally|broken|refused connect from" /var/log/auth.log : Combination of all the above (egrep is the older spelling of grep -E).