Bering-uClibc 6.x - User Guide - Advanced Topics - Setting Up SSH password-less login and Port Knocking
SSH password-less login
SSH (dropbear) allows password-less login by using RSA key pairs. To set it up, generate an RSA key pair on your client machine (PuTTYgen on Windows, ssh-keygen on OSX and Linux) and copy the public key into the router file /root/.ssh/authorized_keys. If you have more than one client machine, repeat the same process on each of them and append their respective public keys to the same /root/.ssh/authorized_keys file on the router. On Linux or OSX, the ssh-copy-id utility script can do that for you.
Make sure you have this format:
    firewall# pwd
    /root/.ssh
    firewall# cat authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDtKYa9MqShtRkJDa.... ... ... ICxqcbjMXktnN3cygsf3cIU+f/SJ9r7 mywife@macbookpro.private.network
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCrpgezG0X9RhuDBBQ... ... ... l7bUlGYoouP3tpqfXxIBbQEeMr/2X99 me@ProBook-6560b
    firewall#
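The layout above (key type, base64 blob, comment, one key per line) can be checked mechanically before you append a new client's key. The following is an added example, not part of this guide or of dropbear: it validates each line, checks that the base64 blob really starts with the declared key type (the blob carries its own type string in SSH wire format), and appends a key only once. The sample key is constructed from toy numbers; lines with a leading options field are not handled.

```python
import base64
import struct
def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data

def parse_authorized_line(line: str):
    """Validate one authorized_keys line; return (key_type, comment), or None
    for blank/comment lines. Raises ValueError on anything malformed. Lines
    with a leading options field (e.g. command="...") are not handled."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("need at least a key type and a base64 blob")
    key_type, b64 = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("blob too short to hold a key type")
    (n,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + n]  # the blob starts with its own key-type string
    if len(embedded) != n or embedded != key_type.encode():
        raise ValueError("key type inside blob does not match the declared type")
    return key_type, comment

def is_valid(line: str) -> bool:
    """True only for a well-formed key line (blank and comment lines are False)."""
    try:
        return parse_authorized_line(line) is not None
    except ValueError:
        return False

def append_key(existing: str, new_line: str) -> str:
    """Return authorized_keys text with new_line appended exactly once; a key
    already present (same blob, whatever its comment) is not added again."""
    parse_authorized_line(new_line)  # refuse to append anything malformed
    blobs = {l.split()[1] for l in existing.splitlines() if is_valid(l)}
    if new_line.split()[1] in blobs:
        return existing
    body = existing.rstrip("\n")
    return (body + "\n" if body else "") + new_line.strip() + "\n"

# Constructed sample: the wire layout (type, exponent, modulus) is the real
# ssh-rsa one, but the numbers are toy values, not a usable key.
SAMPLE_BLOB = base64.b64encode(ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
                               + ssh_string(b"\x00\xc5\x11\x9e\x2a\x7b")).decode()
SAMPLE_LINE = f"ssh-rsa {SAMPLE_BLOB} me@ProBook-6560b"
```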
You can now log in to your firewall from those client machines without a password. You could disable password login altogether, which would be safer still, but be careful not to lock yourself out... If you still have/want/prefer to use a password anyway, use a very, very strong one; you never know when you might have to log in from a machine that is not one of your prepared clients. Remember, though, that with passwords it is only a matter of time before they get cracked. Finally, you can always keep, at your own risk, a copy of one of the private keys on a portable secure medium... phone, earrings...
If you intend to log in from the internet, you have to add the following rule to /etc/shorewall/rules:
    SSH(ACCEPT) net fw
By default, SSH listens on port 22, but nothing prevents you from choosing another port, like 65022, for SSH to listen on. Port scanners usually won't reach that far. There are ongoing debates about the questionable security of this obfuscation... Anyway, if you do, add this rule (in place of the SSH(ACCEPT) one):
    ACCEPT net fw tcp 65022
and tell dropbear to listen on port 65022:
    lrcfg -> 3) -> 13) -> 1)
    #DB_PORT=22
    DB_PORT=65022
and use the following command to connect:
    ssh -p 65022 root@your.ipaddrs.router
Port Knocking
The most interesting feature of the "Port Knocking" technique is that it lets you keep all your router's ports closed as seen from the internet. In our case SSH port 22 (or 65022, for that matter) is kept closed until you send the proper sequence of connection attempts, using TCP or UDP packets, to normally closed ports, hence the name Port Knocking. When the port knocking software detects the right sequence, it opens up port 22 for 60 seconds, for instance, giving you enough time to make your SSH login connection. If you want to open another session and missed the previous 60-second window, you will have to knock again.
Simple Port Knocking setup
Near the end of this article, http://shorewall.org/Events.html , you will find under Examples a simple Port Knocking setup that works quite well. So here it is:
This example shows a different implementation of the one shown in the Port Knocking article. In this example:
1- Attempting to connect to port 1600 enables SSH access. Access is enabled for 60 seconds.
2- Attempting to connect to port 1601 disables SSH access (note that in the article linked above, attempting to connect to port 1599 also disables access. This is a port scan defence, as explained in the article).
To implement that approach, create the following files.
/etc/shorewall/actions:
    #ACTION  OPTION  DESCRIPTION
    Knock            #Port Knocking
/etc/shorewall/action.Knock:
    #
    # Shorewall version 4 - Port-Knocking Action
    #
    ?format 2
    ###############################################################################
    #ACTION                                  SOURCE  DEST  PROTO  DPORT
    IfEvent(SSH,ACCEPT:info,60,1,src,reset)\
                                             -       -     tcp    22
    SetEvent(SSH,ACCEPT)                     -       -     tcp    1600
    ResetEvent(SSH,DROP:info)
/etc/shorewall/rules:
    #ACTION  SOURCE  DEST  PROTO  DPORT
    Knock    net     $FW   tcp    22,1599-1601
If you were using this last example you would have to type:
    ssh -p 1600 root@your.ipaddrs.router   # knock on port 1600... opens port 22 for 60 seconds
    ssh root@your.ipaddrs.router           # to connect...
At first glance, port knocking feels secure, because most scanners are looking for open ports on a typical clueless server, and unless you are a person/site of interest they might not dig deeper if they find no open port. But if they persist anyway, they would only be slowed down, having to try knocking on every port while watching whether an ssh port opens up. Knocking on one port only is not too hard to find, though, but you can knock on more than one, and with UDP or TCP packets. If you look again at http://shorewall.org/Events.html , in the example "Stateful Port Knocking (knock with a sequence of ports)", the PERL module shows examples of 8-port knocks... there is no limit... If you try that last example, you will have to copy the PERL module KnockEnhanced.pm into /usr/lib/perl5/5.24.0 . The easiest way to do that is:
    cd /usr/lib/perl5/5.24.0
    wget http://shorewall.org/pub/shorewall/contrib/PortKnocking/KnockEnhanced.pm
and add this rule as the last line of /etc/shorewall/rules:
    PERL use KnockEnhanced; KnockEnhanced 'net', '$FW', {name => 'SSH1', log_level => 3, proto => 'tcp', target => 'ssh', knocker => [52245,15623,19845]};
On your client computer, copy this script as knock.sh:
    #!/bin/bash
    # usage: knock.sh <host> <port> [<port> ...]  -- one connection attempt per port, in order
    HOST=$1
    shift
    for ARG in "$@"
    do
        # single port, no ping, no retries: exactly one knock per listed port
        nmap -Pn --host-timeout 100 --max-retries 0 -p "$ARG" "$HOST"
    done
then do:
    sh knock.sh 192.226.181.138 52245 15623 19845   # knock ports, opens 22 for 60 sec.
    ssh root@your.ipaddrs.router                     # to connect...
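To see how the two setups on this page behave (the action.Knock rules with their 60-second, single-use window and reset ports, and the three-port KnockEnhanced sequence), here is an added Python model of the described behaviour; it is not Shorewall's own code and simplifies its event engine to per-source progress and an open timestamp. The client addresses and timings in the two traces are constructed.

```python
class KnockFirewall:
    """Model of the knocking rules above, not Shorewall's own event engine.
    sequence: knock ports hit in order ([1600] here, three for KnockEnhanced);
    reset_ports: ports that cancel everything (1599/1601); window: seconds the
    target stays open after a full sequence, closing on first use (reset)."""

    def __init__(self, sequence, target=22, reset_ports=(), window=60):
        self.sequence, self.target = list(sequence), target
        self.reset_ports, self.window = set(reset_ports), window
        self.progress = {}  # src -> sequence ports hit in order so far
        self.opened = {}    # src -> time the full sequence completed

    def packet(self, src, dport, now):
        """Return the verdict ("ACCEPT"/"DROP") for one inbound TCP SYN."""
        if dport == self.target:
            opened_at = self.opened.pop(src, None)  # single use ('reset')
            if opened_at is not None and now - opened_at <= self.window:
                return "ACCEPT"
            self.progress.pop(src, None)  # an unsolicited hit resets, too
            return "DROP"
        if dport in self.reset_ports:
            self.progress.pop(src, None)
            self.opened.pop(src, None)
            return "DROP"
        if dport not in self.sequence:
            return "DROP"  # any other port: policy DROP, state untouched
        step = self.progress.get(src, 0)
        if dport == self.sequence[step]:
            step += 1
        else:  # wrong order: start over (hitting the first port restarts at 1)
            step = 1 if dport == self.sequence[0] else 0
        if step == len(self.sequence):
            self.opened[src], step = now, 0
        self.progress[src] = step
        return "DROP"  # knock ports are closed; nothing ever answers there

def replay(fw, trace):
    """Feed (src, dport, seconds) tuples through fw and collect the verdicts."""
    return [fw.packet(src, dport, t) for src, dport, t in trace]

A, B = "198.51.100.7", "203.0.113.9"  # constructed client addresses
# action.Knock trace: unsolicited SSH is dropped, a knock opens 22 once,
# and a reset port cancels a fresh knock.
SIMPLE = [(A, 22, 0), (A, 1600, 1), (A, 22, 2), (A, 22, 3),
          (A, 1600, 4), (A, 1601, 5), (A, 22, 6)]
# KnockEnhanced trace: wrong order opens nothing, the right order does but
# expires after 60 s, and a fresh sequence followed promptly by SSH succeeds.
SEQUENCE = [(B, 15623, 0), (B, 52245, 1), (B, 19845, 2), (B, 22, 3),
            (B, 52245, 10), (B, 15623, 11), (B, 19845, 12), (B, 22, 80),
            (B, 52245, 81), (B, 15623, 82), (B, 19845, 83), (B, 22, 84)]
```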
So, whatever you do, herrrr... don't forget to save, Doctor Freeman !!!
    lrcfg -> s)