Difference between revisions of "Bering-uClibc 6.x - User Guide - Advanced Topics - Setting Up SSH password-less login and Port Knocking"

From bering-uClibc
Jump to: navigation, search
(Multiple Ports Knocking setup)
 
(37 intermediate revisions by 2 users not shown)
Line 1: Line 1:
SSH (dropbear) allows password-less login by using RSA security key pairs. To set it up you will have to generate the RSA key pairs on your client machine and copy the public key in your router file /root/.ssh/authorized_keys. If you have more than one client machine, repeat the same process on each of them, and append their respective public keys in your router file /root/.ssh/authorized_keys.
+
{| summary="Navigation header" width="100%"
 +
! colspan="3" align="center" | [[Bering-uClibc 6.x - User Guide - Advanced Topics - Setting Up SSH password-less login and Port Knocking | Setting Up SSH password-less login and Port Knocking]]
 +
|-
 +
| width="20%" align="left"  | [[Bering-uClibc 6.x - User Guide - Advanced Topics - Setting Up Ad blocking with dnsmasq|Prev]]
 +
! width="60%" align="center" | [[Bering-uClibc 6.x - User Guide]]
 +
| width="20%" align="right"  | [[Bering-uClibc 6.x - User Guide - Advanced Topics - Setting Up a Raspberry PI as a net to serial gateway|Next]]
 +
|}
 +
----
 +
 
 +
==SSH password-less login==
 +
 
 +
 
 +
SSH (<code class="filename">dropbear</code>) allows password-less login by using RSA security key pairs. To set it up you will have to generate the RSA key pairs on your client machine (<code class="filename">PuTTYgen</code> on Windows, <code class="filename">ssh-keygen</code> OSX & Linux) and copy the public key in your router file <code class="filename">/root/.ssh/authorized_keys</code>. If you have more than one client machine, repeat the same process on each of them, and append their respective public keys in your router file <code class="filename">/root/.ssh/authorized_keys</code>. On Linux or OSX you can use the <code class="filename">ssh-copy-id</code> utility script that might help you do that.
  
 
Make sure you have this format:
 
Make sure you have this format:
Line 16: Line 28:
 
  firewall#
 
  firewall#
  
You can now login in your firewall without a password from those client machines obviously. You could disable password login but be careful not to lock yourself out... I prefer to use a very very very strong password anyways, you never know when you might have to login from none of your prepared client machines. But you can always keep, at your own risks, a copy of one of the private keys on a portable secure medium..., phone, earrings ...
+
You can now '''very securely''' login in your firewall without a password from those client machines. You could disable password login, it would be even safer, but be careful not to lock yourself out... If you do lock yourself out, you will have to connect through the console port to fix things up. If you still have/want/prefer to use a password anyways, use a very very very strong one, you never know when you might have to login from none of your pre-configured client machines. Keep in mind though, that with passwords, it's just a matter of time for them to get cracked. Finally, you can always keep, at your own risks, a copy of one of the private keys on a portable secure medium...
  
If you intend to login from the internet, you have to add the following rule to /etc/shorewall/rules
+
 
 +
If you intend to login from the internet, you have to add the following rule to <code class="filename">/etc/shorewall/rules</code>
  
 
  SSH(ACCEPT) net fw
 
  SSH(ACCEPT) net fw
  
You can always choose another port like 65022 for SSH to listen to. The port scanners wont usually reach there. There are ongoing debates about the questionable security of this obfuscation... Anyway, if you do, add this rule then:
+
By default, SSH listens on opened port 22, but nothing prevents you from choosing another port like, say 65022, for SSH to listen to. The "port scanners" wont usually reach there. There are ongoing debates about the questionable security of this obfuscation... Anyway, if you do, add this rule then:
  
 
  ACCEPT  net fw tcp 65022
 
  ACCEPT  net fw tcp 65022
and tell dropbear to listen on port 65022...
+
and tell <code class="filename">dropbear</code> to listen on port 65022...
 
  lrcfg -> 3) -> 13) -> 1)
 
  lrcfg -> 3) -> 13) -> 1)
  *DB_PORT=22
+
  #DB_PORT=22
 
  DB_PORT=65022
 
  DB_PORT=65022
  
 +
and use the following command to connect:
 +
ssh -p 65022 root@your.ipaddrs.router
  
If you don't like or remember to type ssh -p 65022 root@your.ipaddrs.router everytime you login, you could always use the default SSH port 22, but keep it hidden with a technique called "port knocking". The port 22 is kept normally closed until you send a proper sequence of random port connection attempts on normally closed ports, using TCP or UDP, hence the name Port Knocking. When the port knocking software detects the right combination sequence, it will then open up port 22 for 60 seconds for instance, thus giving you time enough to make your SSH login connection attempt.  
+
==Port Knocking==
 +
 
 +
Port knocking consists in sending a sequence of random port connection attempts to a router on normally closed ports, using TCP or UDP packets. When the port knocking software on the router detects a predefined combination sequence, it will then open up a specific port for a certain amount of time, thus giving you time enough to make a connection attempt on that port.
 +
 
 +
The most interesting security gain of the "Port Knocking" technique is that it will allow you to hide (close) all your router's ports from the internet, specially this SSH port. Considering that "scanner attackers" would be looking for open or exploitable ports on a typical clueless server, they might not try to dig deeper if they find no opened port on your router, and presumably would go look for another more tempting victim . But if you are a person/site of interest, they might still persist though, and port knocking can only slowed them down, since they will have to try knocking on every ports, while looking if it opens up an ssh port. Knocking on one port only is not too hard to find, but you can knock on more than one and even with UDP or TCP packets. The goal here is, as we said, to slow them down and maybe discourage them from going deeper. Remember you still have your very secure RSA key access in the end.
 +
 
 +
Having the SSH port closed will also prevent overloading your logs...
 +
 
 +
 
 +
===Simple Port Knocking setup===
  
 
Near the end of this article: " http://shorewall.org/Events.html " you will find in Examples a simple Port Knocking setup that works quite well.
 
Near the end of this article: " http://shorewall.org/Events.html " you will find in Examples a simple Port Knocking setup that works quite well.
  
Well using this last example you will still have to remember to type:
+
Going back to our previous case, SSH port 22, or 65022 for that matter, will normally be kept closed until you send a proper sequence of port knocks. The port 22 or 65022 then will stay open for only 60 seconds. If you want to open another session and missed that 60 seconds time window, you will have to knock again.
  ssh -p 1600 root@your.ipaddrs.router  # knock on port 1600
+
 
 +
Here is that example directly copied from http://shorewall.org/Events.html:
 +
 
 +
This example shows a different implementation of the one shown in the [http://shorewall.org/PortKnocking.html Port Knocking] article.
 +
 +
In this example:
 +
 
 +
1- Attempting to connect to port 1600 enables SSH access. Access is enabled for 60 seconds.
 +
 +
2- Attempting to connect to port 1601 disables SSH access (note that in the article linked above, attempting to connect to port 1599 also disables access. This is an port scan defence as explained in the article).
 +
 
 +
 
 +
To implement that approach create or add in:
 +
 
 +
1- <code class="filename">/etc/shorewall/actions</code>
 +
 
 +
#ACTION              OPTION                  DESCRIPTION
 +
Knock                                          #Port Knocking
 +
 
 +
2- <code class="filename">/etc/shorewall/action.Knock</code>
 +
 
 +
#
 +
# Shorewall version 4 - Port-Knocking Action
 +
#
 +
?format 2
 +
###############################################################################
 +
#ACTION              SOURCE        DEST      PROTO      DPORT
 +
IfEvent(SSH,ACCEPT:info,60,1,src,reset)\
 +
                      -              -        tcp        22
 +
SetEvent(SSH,ACCEPT)  -              -        tcp        1600
 +
ResetEvent(SSH,DROP:info)       
 +
 
 +
3- <code class="filename">etc/shorewall/rules</code>
 +
 
 +
#ACTION              SOURCE        DEST      PROTO      DPORT
 +
Knock                net            $FW      tcp        22,1599-1601         
 +
 
 +
 
 +
If you were to login in your router using this last example you would have to type on your client machine:
 +
 
 +
  ssh -p 1600 root@your.ipaddrs.router  # knock on port 1600... opens port 22 for 60 seconds
 
  ssh root@your.ipaddrs.router          # to connect...
 
  ssh root@your.ipaddrs.router          # to connect...
  
I'm not sure anymore if this is a great remembering or typing gain :-) !, but it is a lot more secure, and you won't fill your logs with port 22 scanners attempts... anyways !!!
 
  
  
 +
===Multiple Ports Knocking setup===
 +
 +
 +
If you look again in http://shorewall.org/Events.html at example: " Stateful Port Knocking (knock with a sequence of ports) ", in the PERL module, you will find examples of even up to 8 ports knocks ! you can also use UDPs or TCPs ... there is no limit...
 +
 +
Let's try a simpler 3 knocks example; you will have to copy the PERL module <code class="filename">KnockEnhanced.pm</code> in <code class="filename">/usr/lib/perl5/5.24.0</code> . Easiest way to do that is:
 +
 +
cd /usr/lib/perl5/5.24.0
 +
wget http://shorewall.org/pub/shorewall/contrib/PortKnocking/KnockEnhanced.pm
 +
 +
and add this rule as the last line of <code class="filename">/etc/shorewall/rules</code>:
 +
 +
PERL use KnockEnhanced; KnockEnhanced 'net', '$FW', {name => 'SSH1', log_level => 3, proto => 'tcp', target => 'ssh', knocker => [52245,15623,19845]};
 +
 +
 +
On your client computer, copy this script as <code class="filename">knock.sh</code>:
 +
 +
#!/bin/bash
 +
HOST=$1
 +
shift
 +
for ARG in "$@"
 +
do
 +
        nmap -Pn --host-timeout 100 --max-retries 0 -p $ARG $HOST
 +
done
 +
 +
then from your client computer do:
 +
 +
sh knock.sh your.ipaddrs.router 52245 15623 19845  # knock ports, opens 22 for 60 sec.
 +
ssh root@your.ipaddrs.router                      # to connect...
 +
 +
 +
So, whatever you do,
 
herrrr... don't forget to save Doctor Freeman !!!  
 
herrrr... don't forget to save Doctor Freeman !!!  
  
 
  lrcfg -> s)
 
  lrcfg -> s)
 +
 +
----
 +
{| summary="Navigation footer" width="100%"
 +
| width="40%" align="left"  | [[Bering-uClibc 6.x - User Guide - Advanced Topics - Setting Up Ad blocking with dnsmasq|Prev]]
 +
| width="20%" align="center" | [[Bering-uClibc 6.x - User Guide|Up]]
 +
| width="40%" align="right"  | [[Bering-uClibc 6.x - User Guide - Advanced Topics - Setting Up a Raspberry PI as a net to serial gateway|Next]]
 +
|}
 +
 +
[[Category:Bering-uClibc 6.x]]
 +
[[Category:User Guide]]

Latest revision as of 18:24, 23 September 2019

Setting Up SSH password-less login and Port Knocking
Prev Bering-uClibc 6.x - User Guide Next

SSH password-less login

SSH (dropbear) allows password-less login by using RSA security key pairs. To set it up you will have to generate the RSA key pairs on your client machine (PuTTYgen on Windows, ssh-keygen OSX & Linux) and copy the public key in your router file /root/.ssh/authorized_keys. If you have more than one client machine, repeat the same process on each of them, and append their respective public keys in your router file /root/.ssh/authorized_keys. On Linux or OSX you can use the ssh-copy-id utility script that might help you do that.

Make sure you have this format:

firewall# pwd
/root/.ssh
firewall# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtKYa9MqShtRkJDa....
...
...
ICxqcbjMXktnN3cygsf3cIU+f/SJ9r7 mywife@macbookpro.private.network
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrpgezG0X9RhuDBBQ...
...
... 
l7bUlGYoouP3tpqfXxIBbQEeMr/2X99 me@ProBook-6560b
firewall#

You can now very securely login in your firewall without a password from those client machines. You could disable password login, it would be even safer, but be careful not to lock yourself out... If you do lock yourself out, you will have to connect through the console port to fix things up. If you still have/want/prefer to use a password anyways, use a very very very strong one, you never know when you might have to login from none of your pre-configured client machines. Keep in mind though, that with passwords, it's just a matter of time for them to get cracked. Finally, you can always keep, at your own risks, a copy of one of the private keys on a portable secure medium...


If you intend to login from the internet, you have to add the following rule to /etc/shorewall/rules

SSH(ACCEPT) net fw

By default, SSH listens on opened port 22, but nothing prevents you from choosing another port like, say 65022, for SSH to listen to. The "port scanners" wont usually reach there. There are ongoing debates about the questionable security of this obfuscation... Anyway, if you do, add this rule then:

ACCEPT  net fw tcp 65022

and tell dropbear to listen on port 65022...

lrcfg -> 3) -> 13) -> 1)
#DB_PORT=22
DB_PORT=65022

and use the following command to connect:

ssh -p 65022 root@your.ipaddrs.router

Port Knocking

Port knocking consists in sending a sequence of random port connection attempts to a router on normally closed ports, using TCP or UDP packets. When the port knocking software on the router detects a predefined combination sequence, it will then open up a specific port for a certain amount of time, thus giving you time enough to make a connection attempt on that port.

The most interesting security gain of the "Port Knocking" technique is that it will allow you to hide (close) all your router's ports from the internet, specially this SSH port. Considering that "scanner attackers" would be looking for open or exploitable ports on a typical clueless server, they might not try to dig deeper if they find no opened port on your router, and presumably would go look for another more tempting victim . But if you are a person/site of interest, they might still persist though, and port knocking can only slowed them down, since they will have to try knocking on every ports, while looking if it opens up an ssh port. Knocking on one port only is not too hard to find, but you can knock on more than one and even with UDP or TCP packets. The goal here is, as we said, to slow them down and maybe discourage them from going deeper. Remember you still have your very secure RSA key access in the end.

Having the SSH port closed will also prevent overloading your logs...


Simple Port Knocking setup

Near the end of this article: " http://shorewall.org/Events.html " you will find in Examples a simple Port Knocking setup that works quite well.

Going back to our previous case, SSH port 22, or 65022 for that matter, will normally be kept closed until you send a proper sequence of port knocks. The port 22 or 65022 then will stay open for only 60 seconds. If you want to open another session and missed that 60 seconds time window, you will have to knock again.

Here is that example directly copied from http://shorewall.org/Events.html:

This example shows a different implementation of the one shown in the Port Knocking article.

In this example:
 
1- Attempting to connect to port 1600 enables SSH access. Access is enabled for 60 seconds.

2- Attempting to connect to port 1601 disables SSH access (note that in the article linked above, attempting to connect to port 1599 also disables access. This is an port scan defence as explained in the article).


To implement that approach create or add in:

1- /etc/shorewall/actions

#ACTION               OPTION                   DESCRIPTION
Knock                                          #Port Knocking

2- /etc/shorewall/action.Knock

#
# Shorewall version 4 - Port-Knocking Action
#
?format 2
###############################################################################
#ACTION               SOURCE         DEST      PROTO      DPORT
IfEvent(SSH,ACCEPT:info,60,1,src,reset)\
                     -              -         tcp        22
SetEvent(SSH,ACCEPT)  -              -         tcp        1600
ResetEvent(SSH,DROP:info)        

3- etc/shorewall/rules

#ACTION               SOURCE         DEST      PROTO      DPORT
Knock                 net            $FW       tcp        22,1599-1601          


If you were to login in your router using this last example you would have to type on your client machine:

ssh -p 1600 root@your.ipaddrs.router   # knock on port 1600... opens port 22 for 60 seconds
ssh root@your.ipaddrs.router           # to connect...


Multiple Ports Knocking setup

If you look again in http://shorewall.org/Events.html at example: " Stateful Port Knocking (knock with a sequence of ports) ", in the PERL module, you will find examples of even up to 8 ports knocks ! you can also use UDPs or TCPs ... there is no limit...

Let's try a simpler 3 knocks example; you will have to copy the PERL module KnockEnhanced.pm in /usr/lib/perl5/5.24.0 . Easiest way to do that is:

cd /usr/lib/perl5/5.24.0
wget http://shorewall.org/pub/shorewall/contrib/PortKnocking/KnockEnhanced.pm

and add this rule as the last line of /etc/shorewall/rules:

PERL use KnockEnhanced; KnockEnhanced 'net', '$FW', {name => 'SSH1', log_level => 3, proto => 'tcp', target => 'ssh', knocker => [52245,15623,19845]};


On your client computer, copy this script as knock.sh:

#!/bin/bash
HOST=$1
shift
for ARG in "$@"
do
       nmap -Pn --host-timeout 100 --max-retries 0 -p $ARG $HOST
done

then from your client computer do:

sh knock.sh your.ipaddrs.router 52245 15623 19845  # knock ports, opens 22 for 60 sec.
ssh root@your.ipaddrs.router                       # to connect...


So, whatever you do, herrrr... don't forget to save Doctor Freeman !!!

lrcfg -> s)

Prev Up Next