Changes

From SME Server
20 bytes removed ,  06:44, 15 March 2007
no edit summary
Line 12: Line 12:  
In order to change the default port used by the sshd server you must change two configuration files on the SME server:
 
In order to change the default port used by the sshd server you must change two configuration files on the SME server:
   −
  1. you must tell sshd what port to listen on in /etc/ssh/sshd_config and
+
*1. you must tell sshd what port to listen on in /etc/ssh/sshd_config and
  2. you must configure /etc/rc.d/init.d/masq to allow inbound traffic on your new sshd port
+
*2. you must configure /etc/rc.d/init.d/masq to allow inbound traffic on your new sshd port
    
SME 7 keeps the firewall information in the 'configuration' database instead of in the 'masq' templates as was done on 5.6 - 6.0x; this howto demonstrates
 
SME 7 keeps the firewall information in the 'configuration' database instead of in the 'masq' templates as was done on 5.6 - 6.0x; this howto demonstrates
   −
  1. how to use a custom template fragment to modify sshd_config
+
*1. how to use a custom template fragment to modify sshd_config
  2. how to change the configuration database to open the desired non-standard port for your sshd server
+
*2. how to change the configuration database to open the desired non-standard port for your sshd server
  3. how to use 'expand-template' to re-generate the new sshd_config and masq files
+
*3. how to use 'expand-template' to re-generate the new sshd_config and masq files
  4. how to force the sshd and firewall services to recognize the new configurations
+
*4. how to force the sshd and firewall services to recognize the new configurations
   −
Procedure
+
=== Procedure ===
   −
    * First, create a custom template to hold the new "Port" setting in /etc/ssh/sshd_config:
+
*First, create a custom template to hold the new "Port" setting in /etc/ssh/sshd_config:
   −
mkdir -p /etc/e-smith/templates-custom/etc/ssh/sshd_config
+
mkdir -p /etc/e-smith/templates-custom/etc/ssh/sshd_config
cp –rip /etc/e-smith/templates/etc/ssh/sshd_config/10Port /etc/e-smith/templates-custom/etc/ssh/sshd_config/
+
cp –rip /etc/e-smith/templates/etc/ssh/sshd_config/10Port /etc/e-smith/templates-custom/etc/ssh/sshd_config/
   −
    * Then change the port number to the new value
+
*Then change the port number to the new value
   −
vi /etc/e-smith/templates-custom/etc/ssh/sshd_config/10Port
+
vi /etc/e-smith/templates-custom/etc/ssh/sshd_config/10Port
   −
    * Next, modify the firewall settings to allow inbound traffic on the new port (only the 2nd command is required, the first and third commands are included only to allow you to verify that the database was updated properly).
+
*Next, modify the firewall settings to allow inbound traffic on the new port (only the 2nd command is required, the first and third commands are included only to allow you to verify that the database was updated properly).
   −
db configuration getprop sshd TCPPort
+
db configuration getprop sshd TCPPort
 
(should return '22')
 
(should return '22')
   −
db configuration setprop sshd TCPPort <newport>
+
db configuration setprop sshd TCPPort <newport>
 
(where <newport> is the same port number you entered into 10Port above. There is no visible result of this command)
 
(where <newport> is the same port number you entered into 10Port above. There is no visible result of this command)
   −
db configuration getprop sshd TCPPort
+
db configuration getprop sshd TCPPort
 
(should now return <newport>)
 
(should now return <newport>)
   −
    * Now expand the templates:
+
*Now expand the templates:
   −
/sbin/e-smith/expand-template /etc/ssh/sshd_config
+
/sbin/e-smith/expand-template /etc/ssh/sshd_config
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
+
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
   −
    * Verify the results:
+
*Verify the results:
   −
grep Port /etc/ssh/sshd_config
+
grep Port /etc/ssh/sshd_config
 
(should return 'Port <newport>')
 
(should return 'Port <newport>')
   −
grep sshd /etc/rc.d/init.d/masq
+
grep sshd /etc/rc.d/init.d/masq
    
(should return '    # sshd: TCPPort <newport>, AllowHosts: 0.0.0.0/0, DenyHosts:')
 
(should return '    # sshd: TCPPort <newport>, AllowHosts: 0.0.0.0/0, DenyHosts:')
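Review bot: the `cp –rip /etc/e-smith/templates/etc/ssh/sshd_config/10Port ...` line in the "create a custom template" step (present on both sides of the hunk) uses an en dash (–) rather than an ASCII hyphen, so a shell passes `–rip` as a source operand and `cp` fails with "cannot stat" instead of copying the template fragment; it should read `cp -rip /etc/e-smith/templates/etc/ssh/sshd_config/10Port /etc/e-smith/templates-custom/etc/ssh/sshd_config/`. A smaller style point: the new `*1.` / `*2.` list items render as bullets with a literal "1." prefix; MediaWiki's `#` list marker gives a proper numbered list without the hand-typed numbers.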
Line 60: Line 60:  
While the actual port assignment comes on the next line in /etc/rc.d/init.d/masq, both lines are pulled from the configuration database - if this line looks OK, the actual invocation should look fine, too!
 
While the actual port assignment comes on the next line in /etc/rc.d/init.d/masq, both lines are pulled from the configuration database - if this line looks OK, the actual invocation should look fine, too!
   −
    * Restart the services:
+
*Restart the services:
   −
/etc/rc.d/init.d/sshd reload
+
/etc/rc.d/init.d/sshd reload
/etc/rc.d/init.d/masq restart
+
/etc/rc.d/init.d/masq restart
    
Be sure to test your modifications before you have to rely on them! Make sure you can connect to your server using the new port value from both inside and outside of your network.
 
Be sure to test your modifications before you have to rely on them! Make sure you can connect to your server using the new port value from both inside and outside of your network.
   −
Conslusions
+
=== Conslusions ===
    
This Howto was developed in response to the recommendations in this article at isc.sans.org. The article briefly suggests taking 3 steps to secure your server against ssh attacks:
 
This Howto was developed in response to the recommendations in this article at isc.sans.org. The article briefly suggests taking 3 steps to secure your server against ssh attacks:
   −
  1. Run ssh on a non-standard port
+
1. Run ssh on a non-standard port
  2. Choose good passphrases, and enforce them with PAM or other wrappers.
+
2. Choose good passphrases, and enforce them with PAM or other wrappers.
  3. Monitor your logs, then consciously look at blocking and/or reporting abusive netblocks.
+
3. Monitor your logs, then consciously look at blocking and/or reporting abusive netblocks.
    
Now you know how to run ssh on a non-standard port, at least. Don't be fooled into thinking that this will bring long-term securiy, however! There is a discussion of this issue in the forums here on contribs that concludes that moving ssh to another port will only help until the attackers upgrade their tools. Public/private key security is recommended. (See Guessing passwords)
 
Now you know how to run ssh on a non-standard port, at least. Don't be fooled into thinking that this will bring long-term securiy, however! There is a discussion of this issue in the forums here on contribs that concludes that moving ssh to another port will only help until the attackers upgrade their tools. Public/private key security is recommended. (See Guessing passwords)
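Review bot: the new heading `=== Conslusions ===` carries the existing misspelling forward and should be `=== Conclusions ===`; likewise "securiy" in the final paragraph should be "security". On the restart step, it would help to state that the existing SSH session survives `/etc/rc.d/init.d/sshd reload`, so the "test from inside and outside your network" check should be made from a second connection on the new port before the first session is closed, which keeps a way back in if the firewall or sshd change did not take.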