ComputerSecurityStudent (CSS) [Login] [Join Now]

|UNIX >> Fedora >> Current Page |Views: 18002

(Fedora: Lesson 7)

{ Installing, Configuring and Securing SSHD }

Section 0. Background Information
  • What is Secure Shell?
    • Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network.
    • The protocol specification distinguishes two major versions that are referred to as SSH-1 and SSH-2.
    • The best-known application of the protocol is for access to shell accounts on Unix-like operating systems.
    • It was designed as a replacement for Telnet and other insecure remote shell protocols such as the Berkeley rsh and rexec protocols, which send information, notably passwords, in plaintext, rendering them susceptible to interception and disclosure using packet analysis.
    • The encryption used by SSH is intended to provide confidentiality and integrity of data over an unsecured network, such as the Internet.

  • What Is YUM?:
    • The Yellowdog Updater, Modified (YUM) is an open-source command-line package-management utility for RPM-compatible Linux operating systems and has been released under the GNU General Public License.  YUM has been adopted by Red Hat Enterprise Linux, Fedora, CentOS, and many other RPM-based Linux distributions, including Yellow Dog Linux itself, where it has replaced the original YUP utility 

  • Pre-Requisite Lab
    1. Fedora: Lesson 1: Installing Fedora 14
  • Lab Notes
    • In this lab we will do the following:
      1. Install openssh-server.
      2. Configure openssh-server.
      3. Test openssh-server.
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.


Section 1: Edit the Fedora14 Virtual Machine
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Program --> VMWare --> VMWare Player


  2. Edit Fedora 14 Virtual Machine Settings
    • Instructions:
      1. Highlight Fedora14
      2. Click Edit virtual machine settings


  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click the OK Button


Section 2: Play the Fedora14 Virtual Machine
  1. Start the Fedora14 VM
    • Instructions:
      1. Click on the Fedora14 VM
      2. Click on Play virtual machine


Section 3: Login to your Fedora14 server.
  1. Login As student
    • Instructions:
      1. Click on student
      2. Provide student password
      3. Click the Login Button


  2. Start Up A Terminal.
    • Applications --> System Tools --> Terminal


  3. Switch User to root
    • Instruction:
      1. su - root
      2. Supply the Root Password


  4. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes (FYI):
      • As indicated below, my IP address is
      • Please record your IP address.


Section 4: Installing openssh
  1. Check to see if openssh-server is installed.
    • Instruction:
      1. rpm -qa | grep "openssh-server"
    • Note(FYI):
      1. rpm - RPM Package Manager
      2. q = Query
      3. a = all
      4. grep = Search for string "open-server"


  2. Let's update openssh-server
    • Instruction:
      1. yum update openssh-server
    • Note(FYI):
      1. If openssh-server was not found, then your command would be:
        • yum install openssh-server
      2. It's always a good idea to make sure you have the latest update for ssh.


  3. Install openssh-server.
    • Instructions:
      1. Select "y"
    • Note(FYI):
      1. In (Section 4, Step 1) the version of ssh is 5.5p1-21.fc14.2.i686. 
      2. YUM reports that the latest update is 5.5p1-24.fc14.2.


  4. Installation Analysis
    • Note(FYI):
      • You will see that the below packages have been updated followed by the "Complete!" message.


Section 5: Starting openssh
  1. Check to see if sshd is running.
    • Instructions:
      1. ps -eaf | grep sshd | grep -v grep | wc -l
    • Note(FYI):
      1. ps -eaf = List all running processes
      2. grep sshd = search for sshd is the process list.
      3. grep -v grep = ignore the grep process in the process list.
      4. wc -l = count how many times sshd is listed.
      5. As a result, "0" line were counted, which means sshd is not running.


  2. Why is sshd not running although openssh-server was previously installed and now updated?
    • Instructions:
      1. ls -l /etc/rc5.d/* | grep ssh
    • Note(FYI):
      1. We are checking to see if there is a start up script in run-level 5 for sshd.  Remember run-level 5 is the graphical multiuser mode where the file systems are mounted and the network is up.
      2. The result shows us that there is only a kill script, but not a start up script.  All scripts that start with a "K" are kill scripts, and all scripts that start with a "S" are deemed startup scripts. 
      3. Therefore, if there is not a startup script for sshd, then that would explain why sshd is not running.


  3. Let's use chkconfig to verify that there is not a start up script for sshd.
    • Instruction:
      1. chkconfig --list | grep ssh
    • Note(FYI):
      1. chkconfig - updates and queries runlevel information for system services.
      2. chkconfig has five distinct functions: adding new services for management, removing services from management,
        listing the current startup information for services, changing the startup information for services, and checking
        the startup state of a particular service.
      3. Notice that run-levels 0 through 6 do not have a startup script for sshd.


  4. Create Startup scripts for sshd
    • Instructions:
      1. chkconfig sshd --level 2345 on
      2. chkconfig --list | grep ssh
    • Note(FYI):
      1. Create SSHD start up scripts for run-level 2, 3, 4 and 5.
      2. Notice that chkconfig now shows that a startup script exists for run levels 2, 3, 4 and 5.


  5. Verify Startup scripts have been created using the find command.
    • Instructions:
      1. find /etc/rc[0-9].d/* -name "S*sshd*"
    • Note(FYI):
      1. find /etc/rc[0-9].d/*, Search file and directories in /etc/, where rc directories need have a number after the "rc" and before the ".d".  (e.g., rd2.d).
      2. The SSHD start up scripts start with a "S".
      3. -name "S*sshd*", means search for anything that starts with a "S" and contains sshd after the "S".


  6. Let's start up the sshd daemon.
    • Instruction:
      1. service sshd start
    • Note(FYI):
      1. The first time that sshd starts it will generate SSH2 and SSH1 host keys.


  7. Verify sshd is running.
    • Instruction:
      1. ps -eaf | grep sshd | grep -v grep


Section 6: Secure openssh
  1. Make a sshd_config backup file.
    • Instruction:
      1. cd /etc/ssh
      2. cp sshd_config sshd_config.BKP
    • Note(FYI):
      1. Change directory to /etc/ssh.  This is where the ssh configuration files exist.
      2. Make a backup copy, so if you mess something up, you can revert to the original file.


  2. Open sshd_config
    • Instruction:
      1. gedit sshd_config &
    • Note(FYI):
      1. gedit, is a text editor for the GNOME desktop environment.
      2. sshd_config is the name of the file.
      3. &, means put the process of opening gedit sshd_config in the background.


  3. Find LoginGraceTime
    • Instructions:
      1. Arrow down to "#LoginGraceTime 2m"


  4. Reduce the maximum amount of time allowed to successfully login before disconnecting.
    • Instructions:
      1. Delete the "#" character that proceeds "#LoginGraceTime 2m".
      2. Change 2m to 30.
    • Note(FYI):
      1. The default of 2 minutes is too much time to stay open for an unauthenticated connection attempt.  So, we will reduce the amount of time to remain open from 2 minutes to 30 seconds.

  5. Find "#PermitRootLogin yes"
    • Instruction:
      1. Arrow down to "#PermitRootLogin yes"


  6. Configure PermitRootLogin
    • Instructions:
      1. Delete the "#" character that proceeds PermitRootLogin.
      2. Replace "yes" with a "no" and that follows PermitRootLogin.
    • Note(FYI):
      1. This will disabled the ability for somebody to login as root.


  7. Configure PAM authentication
    • Instructions:
      1. Arrow down until you get to the line "#UsePAM no"
      2. Verify "UsePAM yes" exists under the line "#UsePAM no"
    • Note(FYI):
      1. If the line "UsePAM yes" already exists, then you are not required to do anything.  If it does NOT exist, then add it.
      2. Basically, we need to verify that there is a line stating "UsePAM yes".


  8. Find "#MaxStartups 10"
    • Instructions:
      1. Arrow down until you get to the line "#MaxStartups 10"


  9. Limit the maximum number of unauthenticated connections that the ssh server will handle at the same time.
    • Instructions:
      1. Remove the "#" character that proceeds "#MaxStartups 10".
      2. Change 10 to 3:50:10
    • Note(FYI):
      1. The smaller this is, the harder it is for attackers to make parallel, coordinated brute force attempts with multiple connections. 
      2. The colon separated values tells the ssh server to, "allow 3 users to attempt logging in at the same time, and to randomly and increasingly drop connection attempts between 3 and the maximum of 10".
      3. This should be increased on servers with a substantial number of valid ssh users.


  10. Save and Close sshd_config
    1. Instructions:
      1. Click Save
      2. Click the "X" to Close


  11. Restart the sshd daemon.
    • Instructions:
      1. service sshd restart
    • Note(FYI):
      1. When ever you make a change to the sshd_config file, you will need to restart the sshd daemon in order for the changes to take affect.


Section 7: Configure Firewall
  1. Open the Firewall
    • Instructions:
      1. System --> Administration --> Firewall


  2. Firewall Configuration Startup Message
    • Instructions:
      1. Click the Close Button


  3. Enter the root password
    • Instructions:
      1. Supply the root password
      2. Click the Authenticate Button


  4. Enable SSH
    • Instructions:
      1. Check the SSH checkbox
        • If this box is already checked, uncheck and recheck it.
      2. Click on the Apply Green Checkmark


  5. system-config-firewall message
    • Instructions:
      1. Click the Yes button


  6. Reload Firewall
    • Instructions:
      1. Click Reload
      2. Click the X to close


Section 8: Test sshd to not allow root to login
  1. Test sshd to not allow root to login
    • Instructions:
      1. ssh root@localhost
      2. Supply root password
      3. Supply root password again
      4. Supply root password again
    • Note(FYI):
      1. If you get prompted for an RSA key fingerprint, then answer "yes"
      2. Notice that even though you are typing the correct root password you are not able to login.


Section 9: Proof of Lab
  1. Proof of Lab
    • Instructions:
      1. cd /
      2. ls -l /etc/ssh/sshd_config
      3. ls -l /etc/sysconfig/iptables
      4. ps -eaf | grep ssh | grep -v grep
      5. date
      6. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth