

Top 20 OpenSSH Server Best Security Practices


OpenSSH is the most widely deployed implementation of the SSH protocol. It is the recommended tool for remote login, backups, remote file transfer via scp or sftp, and much more. SSH protects the confidentiality and integrity of data exchanged between two systems or networks; its main advantage over older protocols, however, is server authentication through public key cryptography, which lets a client detect an impostor host as long as the client actually verifies the host key. From time to time rumors of an OpenSSH zero-day exploit circulate. Here are a few things you need to tweak in order to improve OpenSSH server security.

What To Do: Users Still Wants Telnet

TELNET (TELecommunication NETwork) is a network protocol for remote terminal access over the Internet or a local area network (LAN). It was developed in the late 1960s, starting with RFC 15. Telnet is an old way of logging in to remote systems and it has a serious security problem. Most admins recommend OpenSSH (secure shell) for all remote activities, but you may still find users demanding telnet over ssh because they are comfortable with it. Some users have scripts written in the 90s that they do not want to change. So what do you do when users demand telnet?

The problem with telnet

Telnet sends everything in clear text, including the username and password. Anyone on the network path can use tcpdump or snoop to read the whole session; there is no encryption to break and no integrity protection, so an active attacker can also inject commands into an established session.
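To show what "everything in clear text" means in practice, here is an added example (not from the original post) that decodes a telnet login from captured TCP payloads. It strips the IAC option negotiation that telnet interleaves with user data and pairs the client's typed lines with the server's "login:" and "Password:" prompts. The capture is constructed by hand to look like what tcpdump would show for a login against a Debian host; the host name, user name and password are made up, and a real run would feed the same (direction, payload) pairs from a pcap reader.

```python
"""Recover credentials from a captured telnet session (added example).

The packet list at the bottom is constructed, not a real capture. With a
real capture (e.g. tcpdump -i eth0 -w telnet.pcap 'tcp port 23') the
payloads would come from a pcap reader instead.
"""

# Telnet command bytes (RFC 854)
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_negotiation(payload: bytes) -> bytes:
    """Remove IAC command/option sequences and return only the user data."""
    out = bytearray()
    i, n = 0, len(payload)
    while i < n:
        b = payload[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= n:            # IAC at the very end: truncated command
            break
        cmd = payload[i + 1]
        if cmd == IAC:            # IAC IAC is an escaped 0xff data byte
            out.append(IAC)
            i += 2
        elif cmd in (DO, DONT, WILL, WONT):   # 3-byte option negotiation
            i += 3
        elif cmd == SB:           # subnegotiation runs until IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:                     # other 2-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out)


def extract_credentials(packets) -> dict:
    """packets: ordered (direction, payload) pairs, direction 'S' (server)
    or 'C' (client). Returns {'login': ..., 'password': ...} for the first
    login attempt seen; the client line following each prompt is the answer."""
    creds = {}
    prompt = None
    line = bytearray()
    for direction, payload in packets:
        data = strip_telnet_negotiation(payload)
        if direction == 'S':
            text = data.decode('ascii', 'replace').lower()
            for word in ('login', 'password'):
                if word in text:
                    prompt = word
            continue
        for b in data:
            if b in (13, 10):                 # CR or LF ends the typed line
                if prompt and line:
                    creds[prompt] = line.decode('ascii', 'replace')
                    if prompt == 'password':
                        return creds          # first attempt captured; stop
                line = bytearray()
            elif b == 0:                      # CR NUL line-ending padding
                continue
            elif b in (8, 127):               # backspace / delete
                if line:
                    line.pop()
            else:
                line.append(b)
    return creds


# Constructed sample capture: server offers ECHO (1) and SUPPRESS-GO-AHEAD (3),
# client agrees and sends its terminal type in a subnegotiation, then logs in.
CAPTURE = [
    ('S', bytes([IAC, WILL, 1, IAC, WILL, 3]) + b"\r\nDebian GNU/Linux 4.0\r\n\r\nhost login: "),
    ('C', bytes([IAC, DO, 1, IAC, DO, 3, IAC, SB, 24, 0]) + b"xterm" + bytes([IAC, SE])),
    ('C', b"alice\r\n"),
    ('S', b"alice\r\nPassword: "),
    ('C', b"s3cret!\r\n"),
    ('S', b"\r\nLast login: Mon Aug 25 10:00:00 2008\r\nalice@host:~$ "),
]

if __name__ == "__main__":
    print(extract_credentials(CAPTURE))
```

Nothing here breaks any protection: the only work is skipping negotiation bytes, which is exactly why a passive sniffer on the same segment (or anywhere on the path) gets the password for free.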

Secure telnet

You can install a Kerberos-enabled telnetd, which authenticates users with Kerberos tickets and can encrypt the session instead of sending a password in the clear. A discussion of Kerberos and secure telnet is beyond the scope of this post, but I recommend the Kerberos Infrastructure HOWTO for further information. The following packages under Debian install the Kerberos-enabled telnet server and clients (the KDC itself is a separate package):
# apt-get install krb5-telnetd krb5-clients
CentOS / RHEL / Red Hat / Fedora Linux users need to install the package called krb5-workstation:
# yum install krb5-workstation
You then need to configure a Kerberos server (KDC) and the Kerberos-enabled telnet / ftp daemons. Please see the man pages for further information.

Bottom line: migrate users to ssh

I highly recommend migrating your users to SSH and discarding telnet, ftp and all r* services (rsh, rlogin, rcp). First, educate users about telnet and other insecure protocols. Once users are aware of the problem, help them migrate to SSH:

  • Disable telnet and force them to use ssh based tools
  • Explain basic ssh syntax
  • Explain password-less (public key) login
  • Explain how to use ssh in scripts
  • Explain how to use sftp instead of an ftp client
  • Explain how to use scp instead of rcp

Critical Red Hat / Fedora Linux OpenSSH Security Update

Last week one or more of Red Hat's servers were cracked. Now it has been revealed that both Fedora and Red Hat servers were compromised. As a result Fedora is changing its package signing key. The intruder was able to sign a small number of OpenSSH packages relating only to Red Hat Enterprise Linux 4 (i386 and x86_64 architectures only) and Red Hat Enterprise Linux 5 (x86_64 architecture only).

This update has been rated as having critical security impact. If your Red Hat based server is directly connected to the Internet, patch the system immediately, and make sure the OpenSSH packages installed on it came from Red Hat Network and carry Red Hat's signature rather than from a third-party mirror.

From the RHN announcement:

Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers.

The following products are affected:
=> Red Hat Desktop (v. 4)
=> Red Hat Enterprise Linux (v. 5 server)
=> Red Hat Enterprise Linux AS (v. 4)
=> Red Hat Enterprise Linux AS (v. 4.5.z)
=> Red Hat Enterprise Linux Desktop (v. 5 client)
=> Red Hat Enterprise Linux ES (v. 4)
=> Red Hat Enterprise Linux ES (v. 4.5.z)
=> Red Hat Enterprise Linux WS (v. 4)

How do I patch up my system?

Log in as root and type the following command:
# yum update

This is the main reason I don't use Fedora in production.

More information:

Now, Red Hat has not disclosed how the hell the attacker got into the server. I'd like to know more about that - was it a 0-day bug or a plain old social engineering hack?

Updated for accuracy: CentOS is not affected by this issue, see the comments below.

Download Of The Day: OpenSSH 5.1

OpenSSH server and client version 5.1 has just been released and is available for download. New features in OpenSSH 5.1:
=> Introduce experimental SSH fingerprint ASCII visualisation (random art) to ssh(1) and ssh-keygen(1), enabled in ssh(1) with the new VisualHostKey option in ssh_config(5).

=> sshd now supports CIDR address/masklen matching, for example in Match Address blocks and in AllowUsers / DenyUsers host patterns.

=> Added an extended test mode (-T) to sshd(8) that makes it write its effective configuration to stdout and exit, so you can see exactly which settings (including those selected by Match blocks) the daemon will apply.

=> ssh(1) now prints the number of bytes transferred and the overall connection throughput for SSH protocol 2 sessions when in verbose mode.

=> Added a MaxSessions option to sshd_config(5) to allow control of the number of multiplexed sessions supported over a single TCP connection.

Download OpenSSH 5.1

=> Visit the official site to grab the latest OpenSSH 5.1

Download of the Day: OpenSSH Server 5.0 (security fix release)

One of the most popular remote server management services has just released a security fix version. This version avoids possible hijacking of X11-forwarded connections by refusing to listen on a port unless all address families bind successfully. Previously, if sshd could bind the X11 forwarding port on only one address family (say IPv4), a local user could bind the same port on the other family and receive the forwarded X11 connections. You can download OpenSSH from the official project web site or wait for your distro to release an updated version.

Chroot in OpenSSH / SFTP Feature Added To OpenSSH

For regular (unprivileged) user accounts, a properly configured chroot jail is a solid way to limit what a login can see and touch; it is not a defence against a user who manages to obtain root inside the jail. I've already written about chrooting sftp sessions using rssh. According to the OpenBSD journal, OpenSSH developers Damien Miller and Markus Friedl have recently added a chroot facility to OpenSSH itself:

Unfortunately, setting up a chroot(2) environment is complicated, fragile and annoying to maintain. The most frequent reason our users have given when asking for chroot support in sshd is so they can set up file servers that limit semi-trusted users to be able to access certain files only. Because of this, we have made this particular case very easy to configure.

This commit adds a chroot(2) facility to sshd, controlled by a new sshd_config(5) option "ChrootDirectory". This can be used to "jail" users into a limited view of the filesystem, such as their home directory, rather than letting them see the full filesystem.
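The catch with ChrootDirectory is that sshd refuses the chroot, and the user is simply disconnected, unless every component of the path is a directory owned by root and not writable by group or others. The following added example (my own code, not part of the OpenSSH project or the original post) applies that same rule to a path before you restart the daemon, and its docstring carries an assumed sshd_config fragment tying together ChrootDirectory with the 5.1 features mentioned above (Match Address with a CIDR block, MaxSessions, and sshd -T for verification). The group name "sftponly", the jail path /srv/jail and the 192.168.0.0/24 network are assumptions for illustration.

```python
"""Pre-flight check for an sshd ChrootDirectory (added example, not sshd code).

sshd rejects a chroot unless every component of the path is a directory
owned by root and not writable by group or others. This script applies the
same rule so a typo in ownership or mode is caught before a user is locked
out. Assumed sshd_config fragment for an sftp-only jail (names are made up):

    Subsystem sftp internal-sftp
    MaxSessions 2
    Match Group sftponly Address 192.168.0.0/24
        ChrootDirectory /srv/jail/%u
        ForceCommand internal-sftp
        AllowTcpForwarding no
        X11Forwarding no

Confirm what the daemon will really apply with `sshd -T` (OpenSSH 5.1+),
then run this script on each jail directory, e.g.: python3 jailcheck.py /srv/jail/alice
"""
import os
import stat
import sys
import tempfile


def component_problems(entries):
    """entries: (path, uid, mode) for each path component, from / downward.
    Returns the violations sshd's chroot ownership check would report;
    an empty list means every component is acceptable."""
    problems = []
    for path, uid, mode in entries:
        if not stat.S_ISDIR(mode):
            problems.append(f"{path}: not a directory")
            continue
        if uid != 0:
            problems.append(f"{path}: owned by uid {uid}, must be root")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: writable by group or others "
                            f"(mode {oct(stat.S_IMODE(mode))})")
    return problems


def chroot_problems(path: str) -> list:
    """Stat every component of `path`, from / down to the leaf, and check it."""
    path = os.path.abspath(path)
    components = []
    while True:                      # collect /, /srv, /srv/jail, ...
        components.append(path)
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    entries = []
    for current in reversed(components):
        try:
            st = os.stat(current)    # follows symlinks, as sshd's check does
        except FileNotFoundError:
            return component_problems(entries) + [f"{current}: does not exist"]
        entries.append((current, st.st_uid, st.st_mode))
    return component_problems(entries)


def demo_world_writable_jail() -> list:
    """Create a throwaway directory with the classic mistake (mode 0777),
    check it, and clean up. Returns the problems found."""
    d = tempfile.mkdtemp(prefix="jail-")
    try:
        os.chmod(d, 0o777)
        return chroot_problems(d)
    finally:
        os.rmdir(d)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/srv/jail"
    found = chroot_problems(target)
    print("\n".join(found) if found else f"{target}: acceptable as ChrootDirectory")
```

Because the jail root must be root-owned and read-only for the user, the user's writable area has to be a subdirectory inside it (for example /srv/jail/alice/upload owned by alice), which is the layout the ForceCommand internal-sftp fragment above assumes.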

Happy 8th Birthday, OpenSSH!

OpenSSH is the most prominent implementation of the SSH protocol. I can't imagine my life without OpenSSH. Almost all of my devices, servers and network equipment, such as routers and tiny embedded devices, run OpenSSH these days.
From OpenBSD journal:

Eight years ago today, Sept 26 1999, Theo de Raadt committed the initial source code for OpenSSH to the OpenBSD repository. The code was a fork of Björn Grönvall's OSSH, which was derived from an early version of the increasingly "less free" ssh from Tatu Ylönen.