Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Gener Badenas]

On Wed, Feb 17, 2016 at 10:08 PM, Tom Browder  wrote:

> I have several remote Debian 7 servers and would like to secure it in
> the following manner:
>
> 1. root will not be allowed any external access (access is only via a
> user becoming root while logged in)
>
> 2. after initial setup, no ssh access will be allowed via a password
>
> I have seen much documentation on securing such a host, but I don't
> want to be an expert--I just need a recipe.
>

You need to open /etc/ssh/sshd_config and the right settings are obvious
from there.  But I would suggest you setup a key pair login and test it
before applying these changes. Otherwise you might be locked out.  But you
might be able to VNC to it just in case.



>
> Many thanks.
>
> Best regards,
>
> -Tom
>
>


-- 
Code , code , code
, and code 

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Jeremy T. Bouse]

On 2/18/2016 5:05 PM, Roman wrote:
> Seriously, you have to trust someone to achieve goals. So accessing
> server via ssh keys is pretty normal and secure + ldaps auth of course
> (centralized account management), so if someone leaves, just disable
> his account. sudo supports ldap auth, kind of on group level, so if
> user even got into a server for some reason, he can't become root,
> because his account was deleted and not in sudo enebled group anymore.
>
> After you configure the ldap and sudo for this scenario,  just disable
> password auth and  root login in ssh conf. Also setup firewall to
> enable ssh from known IP addresses only (here comes VPN into the game,
> if needed) and move SSH port to something else, but 22. You will be as
> safe as ldap and ssh and ssl are (exploits, exploits.. they're
> everywhere, you can't be 100% secure unless you disconnect the network
> cable from your server, remove the keyboard and USB ports)
>
> So basically security is all about trusting. You HAVE to choose whom
> (and what) you trust. 
> -- 
> Best regards,
> Roman.

I can show a couple examples of just simply having the centralized
account management can fail... in both cases the password was locked but
I had an SSH identity key already setup on the account. I was till able
to log into the server even with my account locked in the LDAP
centralized account management because the SSH keys were still
authorized. As well I had password-less sudo "NOPASSWD:" entries so I
still had full admin rights while being locked out.

All that to say, don't just assume things are secure you have to
verify and maintain it.



smime.p7s
Description: S/MIME Cryptographic Signature

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Jonathan Dowland]

On Fri, Feb 19, 2016 at 09:30:20AM +1300, Richard Hector wrote:
> That then means that you don't get to choose which people have root on
> which boxes - anyone who gets the rule gets the lot. And that includes
> anyone who leaves, of course.

Yes, but a leaked root password for one host does not translate into a leaked
root password for other hosts, so there are some advantages. If the routine
additionally concatenates a fixed password string, you can rotate that when
staff leave and regenerate/reset all the passwords.

> I think a better solution in the end is to generate a random password
> for each box, and leave it, on paper, in a safe or similar. It's very
> rare anyone needs to use it.

In my past jobs we've always ended up doing something like that in the end,
never getting an algorithmic solution like the above off the ground, but it
does sound attractive to me.

-- 
Jonathan Dowland
Please do not CC me, I am subscribed to the list.

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Jonathan Dowland]

On Wed, Feb 17, 2016 at 02:24:02PM +, Darac Marjal wrote:
> On Wed, Feb 17, 2016 at 08:08:26AM -0600, Tom Browder wrote:
> >2. after initial setup, no ssh access will be allowed via a password
> 
> $ echo "PasswordAuthentication No" | sudo tee -a /etc/ssh/sshd_config

Convenient for writing in an email, but doesn't handle the situation where
PasswordAuthentication is already defined in the config file. Better to just
recommend editing the file and setting or changing the value as necessary.

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Dominique Dumont]

On Wednesday 17 February 2016 14:24:02 Darac Marjal wrote:
> >2. after initial setup, no ssh access will be allowed via a password
> 
> $ echo "PasswordAuthentication No" | sudo tee -a /etc/ssh/sshd_config

That's a bad idea: You may end up with 2 PasswordAuthentication entries in 
sshd_config. That's very confusing for the sys admin (been there, done that).

A safer command is :

$ sudo cme modify sshd 'PasswordAuthentication=no'

(requires cme and libconfig-model-openssh-perl packages)

HTH
-- 
 https://github.com/dod38fr/   -o- http://search.cpan.org/~ddumont/
http://ddumont.wordpress.com/  -o-   irc: dod at irc.debian.org

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Richard Hector]

[Please don't cc me; I'm on the list]

On 19/02/16 11:05, Roman wrote:
> 2016-02-18 22:30 GMT+02:00 Richard Hector  >:
> 
> 
> 
> I think a better solution in the end is to generate a random password
> for each box, and leave it, on paper, in a safe or similar. It's very
> rare anyone needs to use it.
> 
> 
> Here is a hint (joke), how to secure root password for servers that are
> physically accessible.
> Just generate a random password during install long enough to be not
> able to remember it. Do not write it down, continue installation.

That's just a marginally less secure version of locking it :-)

> At any given time you need the root session, just get the disk drive
> from your server and connect it to another machine, then just replace
> the hash to one you know password for in /etc/shadow. Place your drive
> back and boot up. After you finish the work, change your root password
> again to some crazy piece of random.
> 

... or just boot from usb/cd/floppy/tape/whatever :-)

Richard

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Roman]

2016-02-18 22:30 GMT+02:00 Richard Hector :

>
>
> I think a better solution in the end is to generate a random password
> for each box, and leave it, on paper, in a safe or similar. It's very
> rare anyone needs to use it.
>
>
> Here is a hint (joke), how to secure root password for servers that are
physically accessible.
Just generate a random password during install long enough to be not able
to remember it. Do not write it down, continue installation.
At any given time you need the root session, just get the disk drive from
your server and connect it to another machine, then just replace the hash
to one you know password for in /etc/shadow. Place your drive back and boot
up. After you finish the work, change your root password again to some
crazy piece of random.

;-)

Seriously, you have to trust someone to achieve goals. So accessing server
via ssh keys is pretty normal and secure + ldaps auth of course
(centralized account management), so if someone leaves, just disable his
account. sudo supports ldap auth, kind of on group level, so if user even
got into a server for some reason, he can't become root, because his
account was deleted and not in sudo enebled group anymore.

After you configure the ldap and sudo for this scenario,  just disable
password auth and  root login in ssh conf. Also setup firewall to enable
ssh from known IP addresses only (here comes VPN into the game, if needed)
and move SSH port to something else, but 22. You will be as safe as ldap
and ssh and ssl are (exploits, exploits.. they're everywhere, you can't be
100% secure unless you disconnect the network cable from your server,
remove the keyboard and USB ports)

So basically security is all about trusting. You HAVE to choose whom (and
what) you trust.
-- 
Best regards,
Roman.

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Richard Hector]

On 18/02/16 11:02, Jeremy T. Bouse wrote:
>>> I do agree locking the root password isn't advisable. As I use
>>> >> configuration management/automation to handle my servers I simply set the
>>> >> root password to generated password that only I know the algorithm to
>>> >> reproduce it when I need to,
>> > Can you give more details on the process (at least generally)?
> It's a technique I picked up from a past job... We took several pieces
> of information we'd know about a machine and concatenated it together
> with a delimiter character, then hashed it and cut it to length then
> used that as the password. So it was then encrypted with the appropriate
> password crypt routine for the host. If we needed the root password we
> could regenerate it from the information but rarely needed it outside of
> a DR situation.

That's essentially equivalent to having one root password for all hosts,
assuming all the info about the host is relatively easy to get. It just
means you need to remember the rules instead of the password.

That then means that you don't get to choose which people have root on
which boxes - anyone who gets the rule gets the lot. And that includes
anyone who leaves, of course.

I think a better solution in the end is to generate a random password
for each box, and leave it, on paper, in a safe or similar. It's very
rare anyone needs to use it.

Richard

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Tom Browder]

On Wed, Feb 17, 2016 at 4:02 PM, Jeremy T. Bouse
 wrote:
> On 2/17/2016 3:31 PM, Tom Browder wrote:
>> On Wed, Feb 17, 2016 at 9:33 AM, Jeremy T. Bouse
>>  wrote:
...
>>> I do agree locking the root password isn't advisable. As I use
>>> configuration management/automation to handle my servers I simply set the
>>> root password to generated password that only I know the algorithm to
>>> reproduce it when I need to,
>> Can you give more details on the process (at least generally)?
...

Thanks so much, Jeremy!

-Tom

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Jeremy T. Bouse]

On 2/17/2016 3:31 PM, Tom Browder wrote:
> On Wed, Feb 17, 2016 at 9:33 AM, Jeremy T. Bouse
>  wrote:
>> Setting SSH "PermitRoot no" and "PasswordAuthentication no" are good
>> starts... I'd also check that "ChallengeResponseAuthentication no" is set as
>> well as some PAM modules will utilize it and be able to get around passwords
>> being entered as well as "UsePAM no"
> Okay.
>
>> I do agree locking the root password isn't advisable. As I use
>> configuration management/automation to handle my servers I simply set the
>> root password to generated password that only I know the algorithm to
>> reproduce it when I need to,
> Can you give more details on the process (at least generally)?
It's a technique I picked up from a past job... We took several pieces
of information we'd know about a machine and concatenated it together
with a delimiter character, then hashed it and cut it to length then
used that as the password. So it was then encrypted with the appropriate
password crypt routine for the host. If we needed the root password we
could regenerate it from the information but rarely needed it outside of
a DR situation.
>> but enable sudoers for all other 'root' access.
> Can one use that method and restrict use of "sudo su?"
You can restrict which commands can be executed and limit sudo to only
running certain commands at all. I don't use 'sudo su' as it's quite
redundant. When I do want a root shell I just do 'sudo -i' which I'm not
certain that can be restricted or not I'd have the RTFM on sudo to
investigate. Another thing I do on certain accounts is enable full input
and output logging so I can actually replay their sudo session in it's
entirety. I've had to do this before where we've been forced to give
sudo access to dev admins on a dev box and then they break things and
ask us to help them fix it. We grew tired of hearing "nothing" in
response to asking them what they changed, so we enabled the logging. We
use the same sudoers file site-wide as it's pushed out to all boxes.

>> I also go further by utilizing Duo Security as a MFA for SSH logins to
>> my servers for accounts authorized to log in.
> Hm, so you do allow some accounts password access?
Actually none of the user accounts have password access... All
access is via SSH identity keys that are pushed out via the config
management/automation process. Users can later add keys but the keys
managed via conf mgmt/automation are controlled exclusively from there
so they can be revoked and enforced.
> Thanks, Jeremy!
>
> Best,
>
> -Tom
>




smime.p7s
Description: S/MIME Cryptographic Signature

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Tom Browder]

On Wed, Feb 17, 2016 at 9:33 AM, Jeremy T. Bouse
 wrote:
> Setting SSH "PermitRoot no" and "PasswordAuthentication no" are good
> starts... I'd also check that "ChallengeResponseAuthentication no" is set as
> well as some PAM modules will utilize it and be able to get around passwords
> being entered as well as "UsePAM no"

Okay.

> I do agree locking the root password isn't advisable. As I use
> configuration management/automation to handle my servers I simply set the
> root password to generated password that only I know the algorithm to
> reproduce it when I need to,

Can you give more details on the process (at least generally)?

> but enable sudoers for all other 'root' access.

Can one use that method and restrict use of "sudo su?"

> I also go further by utilizing Duo Security as a MFA for SSH logins to
> my servers for accounts authorized to log in.

Hm, so you do allow some accounts password access?

Thanks, Jeremy!

Best,

-Tom

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Jeremy T. Bouse]

Setting SSH "PermitRoot no" and "PasswordAuthentication no" are good
starts... I'd also check that "ChallengeResponseAuthentication no" is
set as well as some PAM modules will utilize it and be able to get
around passwords being entered as well as "UsePAM no"

I do agree locking the root password isn't advisable. As I use
configuration management/automation to handle my servers I simply set
the root password to generated password that only I know the algorithm
to reproduce it when I need to, but enable sudoers for all other 'root'
access.

I also go further by utilizing Duo Security as a MFA for SSH logins
to my servers for accounts authorized to log in.

On 2/17/2016 10:26 AM, Peter Ludikovsky wrote:
> More or less. What I wouldn't agree with is locking the root account
> completely, because, like Thomas said, you'll be locked out should you
> ever be dropped to a rescue shell due to an hardware error.
>
> Regards,
> /peter
>
> Am 17.02.2016 um 15:56 schrieb Tom Browder:
> > On Wed, Feb 17, 2016 at 8:23 AM, Peter Ludikovsky
> >  wrote:
> >> -BEGIN PGP SIGNED MESSAGE-
> > ...
>
> > Thanks, Peter.  Do you agree with Darac's solution?
>
> > Best,
>
> > -Tom
>
>




smime.p7s
Description: S/MIME Cryptographic Signature

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, Feb 17, 2016 at 04:26:28PM +0100, Peter Ludikovsky wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> More or less. What I wouldn't agree with is locking the root account
> completely, because, like Thomas said, you'll be locked out should you
> ever be dropped to a rescue shell due to an hardware error.

There are ways around it. For example, you can specify /bin/sh (or bash)
as init. Or you can boot from a rescue system on another medium.

My point was: you *should* know that (and perhaps have given it a dry
run) before disabling root login. When trouble hits it's too late,
because you don't know how to deal with init=/bin/sh or you haven't that
rescue medium conveniently around :-)

regards
- -- tomás
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlbEitcACgkQBcgs9XrR2kbTaACeKVNQ1Zk/Pv89pIomKF7G39yJ
uc0AnAigC8J7Fougjj8IEZXx1YpcRf7t
=DDfS
-END PGP SIGNATURE-

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Peter Ludikovsky]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

More or less. What I wouldn't agree with is locking the root account
completely, because, like Thomas said, you'll be locked out should you
ever be dropped to a rescue shell due to an hardware error.

Regards,
/peter

Am 17.02.2016 um 15:56 schrieb Tom Browder:
> On Wed, Feb 17, 2016 at 8:23 AM, Peter Ludikovsky
>  wrote:
>> -BEGIN PGP SIGNED MESSAGE-
> ...
> 
> Thanks, Peter.  Do you agree with Darac's solution?
> 
> Best,
> 
> -Tom
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQIcBAEBAgAGBQJWxJEkAAoJEM+6Ng5pbtyZgCAP/2a9hxEmLEFwaMTdR4+EwTso
ZAMjRtrVGGMg/scVy5OFit5VLgsyAlv3bOvG2xoyOCN2C7b8TGQ0I5KIC4ycA3fI
hK1tKCiifm3hsJHjhFAy0QghlykxKuaBqY1/k2cDC4ZtfOdFlvPe15ngaL5JqCP2
PEbCgYU5hDeG0IdMw+t979DizWmPb/YtrJwB7r5o6cDUdxcApANVgLle5sI+FdUs
+kVy7OELKT+vNFwXupwL8AvuIT/igE2irHm8OvChHXg8BUQ3tbmVqGGIaU6KjZuE
UYEK2R75X4XgrewF4PpQPMy+WbKzjBi7ezOp6bXzZ3U0JN8VdIuZ9WSMTE7kTdQB
gMHVCQzch/VsRHbZ4DvHtL/rOhPl0JC40xDwcci8I+ua1jcoRJ1doyRNxu5nzdlV
itA1qcojPpj/50RsLELzsL140pg6y9Ne1KCV2jw+bJ9WrXZm2Ak7aJ8oYa5UcRUS
YJGW85SiKINmFq3Y05AHkQYU/fSqb2EkGkJBUKwVTchZe57h2vkggH3HlpS63cMr
zUKQEo2JfrenvvvkJdXKuA2MOks9xITlSbApKV/vkhgdjx6xPYv6+OuRvhZg/QhJ
8cuCSukwOpAKVhElXEIpRs5/yZFxyZ/B07yWRmjBT0PEpBFtfkH4FnSc5m6X78SQ
F9zUUMtJ/QWehfi6l3p8
=i2K+
-END PGP SIGNATURE-

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Tom Browder]

On Wed, Feb 17, 2016 at 8:24 AM, Darac Marjal  wrote:
> On Wed, Feb 17, 2016 at 08:08:26AM -0600, Tom Browder wrote:
>>
>> I have several remote Debian 7 servers and would like to secure it in
>> the following manner:
...

I can follow that!  Thanks so much, Darac.

Best,

-Tom

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Tom Browder]

On Wed, Feb 17, 2016 at 8:23 AM, Peter Ludikovsky  wrote:
> -BEGIN PGP SIGNED MESSAGE-
...

Thanks, Peter.  Do you agree with Darac's solution?

Best,

-Tom

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[tomas]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, Feb 17, 2016 at 02:24:02PM +, Darac Marjal wrote:
> On Wed, Feb 17, 2016 at 08:08:26AM -0600, Tom Browder wrote:
> >I have several remote Debian 7 servers and would like to secure it in
> >the following manner:
> >
> >1. root will not be allowed any external access (access is only via a
> >user becoming root while logged in)
> 
> Ensure all users who may be allowed super-user access are in
> /etc/sudoers. Then run "sudo passwd -l". This will LOCK the password
> for root (that is, set the encrypted password to a value which
> cannot be matched. Additionally, the locked password may not be
> changed).
>
> In this manner, root cannot be logged into directly, but users can
> still elevate to root by using sudo.

And what do you do when the system drops you into single user mode
(because, for example, the root partition is in trouble) and asks
you for the root password?

(Yeah, there are ways around it -- but you should tell people about
them *before* you send them this route :-)

regards
- -- tomás
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlbEf9oACgkQBcgs9XrR2kaZlQCfXvfgeqzdlXPEG46T1YXMNVhh
ZpMAnRObltaxMIV0Unnbo3rnj2pJ81UM
=KEGO
-END PGP SIGNATURE-

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Peter Ludikovsky]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

The first requirement is simple. Add the line
  PermitRootLogin no
or change it accordingly, and reload the SSH daemon.

For the second: do you want to disallow any logins via passwords, or
are the to be allowed once to set up the keys? The first is easy, with
the line
  PasswordAuthentication no
The latter isn't possible, as far as I know, with the vanilla OpenSSH
daemon.

Regards,
/peter

Am 17.02.2016 um 15:08 schrieb Tom Browder:
> I have several remote Debian 7 servers and would like to secure it
> in the following manner:
> 
> 1. root will not be allowed any external access (access is only via
> a user becoming root while logged in)
> 
> 2. after initial setup, no ssh access will be allowed via a
> password
> 
> I have seen much documentation on securing such a host, but I
> don't want to be an expert--I just need a recipe.
> 
> Many thanks.
> 
> Best regards,
> 
> -Tom
> 
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)

iQIcBAEBAgAGBQJWxIJrAAoJEM+6Ng5pbtyZc1gP/jjPfucXz7DvaGuAOmiSeKof
rBcS+oTU4znY57+whr0cNW+douaH/f7d7Vwcun5b3IUA1EUFHC9G74/CR4bU3XbD
aEKeBGIF6eUVw6jE0Sh5aFs6D+AoFePZKurs173azjfgFcveynYv3eSbzWk/e60U
KgRwtoSRLQu3wKZLJh/lR4/Ukx+spEvGzGvtc3PdkioT79u3OxdSw/FFm8r0N4qH
ifcX2R6hE4HsoVM3QMbEIxhiwbs63+j8Mu0ASfagLsPi1MqKBfLg5Iy1JeV5d1ND
plrDFaSRrzfJqNqO8nxwtUxji9ruQ1XkBo3DvdmXc/ZwOiJzNSCM/wvHuTupCq1x
gn3WfCEKryAZEmUx092CYFtbTLZ2Bu3A0vOHeFdiC2qGNqB85dicmhpMoouAnzq4
NaWDLJHXB8zdkvUL+zRIkoqACH8sBohogrqbnQAXCtJ+9LRqANdlvKs+F2Dp0eGE
GNIU3cscy6RtXYUDVFRFFgwp4oLOx3fE7Lv8EEV8o38KE7v712aNqzsCn8VuirWq
KHSoeUPTtD9o/0z4EOXRbMtwEPDgQjsUOHNPR73YNO/EJluNRA7JJ6E2aIkNTF8f
RwoWD9GhSi1CKzATn9GuaikejrpVGIFfSvdirVDgTOcuW82wfPiL1yyBhw6Kr2Y4
alA2W8K9y7InpEC1I/Ik
=S5IF
-END PGP SIGNATURE-

Re: Debian security: need recipe for blocking root ssh access AND all ssh password access

[Darac Marjal]

On Wed, Feb 17, 2016 at 08:08:26AM -0600, Tom Browder wrote:

I have several remote Debian 7 servers and would like to secure it in
the following manner:

1. root will not be allowed any external access (access is only via a
user becoming root while logged in)


Ensure all users who may be allowed super-user access are in 
/etc/sudoers. Then run "sudo passwd -l". This will LOCK the password for 
root (that is, set the encrypted password to a value which cannot be 
matched. Additionally, the locked password may not be changed).


In this manner, root cannot be logged into directly, but users can still 
elevate to root by using sudo.




2. after initial setup, no ssh access will be allowed via a password


$ echo "PasswordAuthentication No" | sudo tee -a /etc/ssh/sshd_config
$ sudo service ssh restart



I have seen much documentation on securing such a host, but I don't
want to be an expert--I just need a recipe.

Many thanks.

Best regards,

-Tom



--
For more information, please reread.


signature.asc
Description: PGP signature

Debian security: need recipe for blocking root ssh access AND all ssh password access

[Tom Browder]

I have several remote Debian 7 servers and would like to secure it in
the following manner:

1. root will not be allowed any external access (access is only via a
user becoming root while logged in)

2. after initial setup, no ssh access will be allowed via a password

I have seen much documentation on securing such a host, but I don't
want to be an expert--I just need a recipe.

Many thanks.

Best regards,

-Tom