CN8822
Assignment #2
2
Assignment 2 – Secure Remote administration and firewalls (p. 3)
Part 1 (p. 3)
Objective: To study the concepts of remotely administering a server using ssh (p. 3)
Public-key authentication should be used for the root user (p. 9)
Part II – Objective: To study the concepts of ssh port forwarding (p. 12)
Part III – Objective: Firewall using IPTABLES (p. 17)
Assignment 2 – Secure Remote administration and firewalls
Part 1
Objective: To study the concepts of remotely administering a server using ssh.

1) You are to secure a Linux server by restricting remote root access by running a separate sshd daemon. Make the necessary changes to have the newly configured sshd daemon comply with the following restrictions:
1. The daemon must start on all run levels, i.e. 2345.
2. root should have remote access to this server using the new sshd daemon and no other.
3. All others should access the server using the existing sshd daemon; again, root should not be able to access this sshd daemon.
4. Public-key authentication should be used for the root user.
5. Feel free to add any configuration directives to further secure the ssh daemon.
Explanation: One SSH daemon runs by default to provide the ssh service on the default port 22. To have a separate SSH daemon we need a separate init (run level) script and configuration file, and to isolate the two daemons so that they work independently we copied the binary under a different name. This was achieved by the following steps.
1) Copy the sshd binary to the new name sshd_root with the -p option to retain the same permissions.
2) Copy the sshd_config file under a new name and make the necessary changes: separate host keys for the root daemon and the normal-user daemon, a separate pid file, a separate port, and separate login rules. These rules are highlighted in the file.
Here are the changes made in the sshd_root config file; we have highlighted them.
3) Have separate init scripts for the sshd daemon and the sshd_root daemon; we have highlighted the changes in both files. In the ssh script file we have pointed to the correct config file.
We also changed the pid file name to the new pid file in all the corresponding functions.
Similar changes were made in the ssh_root init script and we have highlighted them; the most important change was to point to the new binary sshd_root in the /usr/bin directory.
The next change is to point to the right config file.
The third change was to have a separate pid file, as shown.
After all these changes we were able to successfully register ssh_root as a separate daemon at the specified runlevels, which are 2345, by using the Debian service register tool. We can verify this by checking the soft links at the rc startup level.
After all these changes we were able to start/stop these two daemons separately and verified the login rules. Here is the screenprint of the separate pid files.
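As an added example (not from the report or its screenshots), the steps above written out as a shell script for a Debian-style system. The port 2501, the sshd_root name and the runlevels 2345 come from the report; the paths /usr/sbin/sshd, /etc/ssh/sshd_root_config and /etc/init.d/ssh_root, the separate host key and the extra hardening directives are assumptions. The `install` mode does the live work as root; each function also takes a prefix so the generated files can be inspected in a scratch directory first.

```shell
#!/bin/sh
# Added example (not from the report): second sshd instance "sshd_root" for root only on
# port 2501, next to the stock daemon on port 22. Paths are Debian defaults and are assumptions.
set -eu

PORT_ROOT=2501                 # privileged port chosen in the assignment
BIN_SRC=/usr/sbin/sshd         # stock binary on Debian (the report refers to /usr/bin)

# Config for the root-only daemon: own port, own host key, own pid file, keys only.
# $1 is a prefix (empty for a live system, a scratch directory for a dry run).
write_root_config() {
    cfg="$1/etc/ssh/sshd_root_config"
    mkdir -p "$(dirname "$cfg")"
    cat > "$cfg" <<EOF
Port $PORT_ROOT
HostKey /etc/ssh/ssh_host_root_key
PidFile /var/run/sshd_root.pid
PermitRootLogin yes
AllowUsers root
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
LoginGraceTime 30
MaxAuthTries 3
X11Forwarding no
EOF
}

# The stock daemon keeps port 22 but must refuse root entirely.
lock_root_out_of_default() {
    cfg="$1/etc/ssh/sshd_config"
    mkdir -p "$(dirname "$cfg")"; touch "$cfg"
    grep -v -e '^PermitRootLogin' -e '^DenyUsers' "$cfg" > "$cfg.new" || true
    printf 'PermitRootLogin no\nDenyUsers root\n' >> "$cfg.new"
    mv "$cfg.new" "$cfg"
}

# Minimal LSB init script: new binary, new config, new pid file, runlevels 2 3 4 5.
write_init_script() {
    init="$1/etc/init.d/ssh_root"
    mkdir -p "$(dirname "$init")"
    cat > "$init" <<'EOF'
#!/bin/sh
### BEGIN INIT INFO
# Provides:          ssh_root
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO
DAEMON=/usr/sbin/sshd_root
CONFIG=/etc/ssh/sshd_root_config
PIDFILE=/var/run/sshd_root.pid
case "$1" in
  start)   start-stop-daemon --start --pidfile "$PIDFILE" --exec "$DAEMON" -- -f "$CONFIG" ;;
  stop)    start-stop-daemon --stop --pidfile "$PIDFILE" ;;
  restart) "$0" stop; sleep 1; "$0" start ;;
  *)       echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
EOF
    chmod 755 "$init"
}

# Prints "ok" when the generated root config carries every directive the task demands.
check_root_config() {
    cfg="$1/etc/ssh/sshd_root_config"
    for d in "Port $PORT_ROOT" "AllowUsers root" "PasswordAuthentication no" \
             "PubkeyAuthentication yes" "PidFile /var/run/sshd_root.pid"; do
        grep -qx "$d" "$cfg" || { echo "missing: $d"; return 1; }
    done
    echo ok
}

# Live install, run as root on the server.
if [ "${1:-}" = install ]; then
    cp -p "$BIN_SRC" /usr/sbin/sshd_root          # -p keeps mode and ownership
    ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_root_key
    write_root_config ""; lock_root_out_of_default ""; write_init_script ""
    /usr/sbin/sshd_root -t -f /etc/ssh/sshd_root_config   # syntax check first
    update-rc.d ssh_root defaults                # rcN.d symlinks for runlevels 2345
    service ssh restart; service ssh_root start
fi
```

The `sshd_root -t -f` line is the check worth keeping: it parses the new config without listening, so a typo in it is caught before the stock daemon is restarted with root locked out. `update-rc.d ssh_root defaults` reads the `Default-Start: 2 3 4 5` header and creates the rcN.d links the report verifies by hand.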
We restarted the server and the two daemons started independently. We tried to log in as root on port 22 and it failed,
whereas the normal user login was successful.
Similarly, root login was successful on port 2501 and the normal user login failed on this port.
Login as root was successful using port 2501 as shown.
From this we were able to confirm that our two ssh daemons are working as expected in our assignment.
Public-key authentication should be used for the root user
For the public key authentication we used two machines, with IP 192.168.56.101 as Server A and 192.168.56.102 as Server B, and we were able to log in with a password. Here are the steps we followed.
1) Create a key for the root user
2) Copy the key to 192.168.56.102 using ssh-copy-id, which copied the key into authorized_keys, and log in to 192.168.56.102; the login was successful without prompting for a password.
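An added example, not taken from the report: the two key steps as commands, a login check that refuses to fall back to a password, and a permission check for the one thing that most often makes key login silently fall back to a password prompt. 192.168.56.102 and port 2501 are the report's values; the key file name and the choice of ed25519 are assumptions.

```shell
#!/bin/sh
# Added example (not from the report): key-based root login against the root-only daemon.
# 192.168.56.102 and port 2501 are the report's values; key name and type are assumptions.
set -eu

TARGET=192.168.56.102
PORT_ROOT=2501
KEY="${HOME:-/root}/.ssh/id_ed25519_root"

# Step 1: create a key for the root user (passphrase is prompted for interactively).
make_root_key() {
    ssh-keygen -t ed25519 -C "root@$(hostname)" -f "$KEY"
}

# Step 2: append the public key to root's authorized_keys on the target.
# ssh-copy-id needs the password this one last time; from then on the key is used.
install_root_key() {
    ssh-copy-id -i "$KEY.pub" -p "$PORT_ROOT" "root@$TARGET"
}

# Step 3: prove the key is what gets us in by forbidding any fallback to a password.
verify_key_login() {
    ssh -p "$PORT_ROOT" -i "$KEY" -o PasswordAuthentication=no -o BatchMode=yes \
        "root@$TARGET" 'id -un'
}

# sshd's StrictModes (on by default) silently ignores authorized_keys when the home
# directory, ~/.ssh or the file itself is group- or world-writable, and the client then
# falls back to a password prompt. Given a home directory, prints "ok" or the offender.
# Uses GNU stat -c (Linux).
check_key_perms() {
    home="$1"
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        mode=$(stat -c '%a' "$p")
        o=${mode#"${mode%?}"}                     # last octal digit: others
        rest=${mode%?}; g=${rest#"${rest%?}"}     # second-to-last digit: group
        case "$g$o" in
            *[2367]?|?[2367]) echo "bad: $p mode $mode"; return 1 ;;
        esac
    done
    echo ok
}

if [ "${1:-}" = run ]; then
    make_root_key; install_root_key; verify_key_login
fi
```

Run `check_key_perms /root` on the target whenever a key is accepted by `ssh-copy-id` but the next login still asks for a password; with `PasswordAuthentication no` on the root daemon, the same mistake shows up as a flat "Permission denied (publickey)" instead.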
Part II – Objective: To study the concepts of ssh port forwarding.
SSH tunnels can be created in several ways using different kinds of port forwarding mechanisms. Ports can be forwarded in three ways:
1) Local port forwarding
2) Remote port forwarding
3) Dynamic port forwarding
Port forwarding or port mapping is the name given to the combined technique of
1) translating the address and/or port number of a packet to a new destination,
2) possibly accepting such packet(s) in a packet filter (firewall), and
3) forwarding the packet according to the routing table.
To illustrate port forwarding we have used local port forwarding. We have two servers, A (192.168.56.101) and B (192.168.56.102), both with Apache running. One machine has the default Apache test page, which we will treat as the client, and the second machine has our custom page as shown below.
This machine we will treat as the server, with IP 192.168.56.101; the client's IP is 192.168.56.102 and its Apache page is
We will use local port forwarding on the client to display the server's Apache page. To achieve this we will use SSH local forwarding.
The SSH local forwarding syntax is
ssh -L <local-port-to-listen>:<remote-host>:<remote-port> <gateway>
In our case we have decided to use local port 4500 to listen to remote server port 80, using the remote server as the gateway:
ssh -L 4500:192.168.56.101:80 <user>@192.168.56.101
Once we are logged into server 192.168.56.101, port 4500 on 192.168.56.102 is listening and forwarding to port 80 on this box. We can confirm this with netstat.
Port 4500 on 192.168.56.102 is open on localhost only; we will access it from the box itself.
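An added example, not part of the report, that wraps the forwarding command above: it validates the -L specification, opens the tunnel without a remote shell, and confirms that the forwarded port is really listening before fetching the page. The gateway 192.168.56.101, the local port 4500 and the target 192.168.56.101:80 are the report's values; the user name is a placeholder, and `ss` and `curl` are assumed to be installed on the client.

```shell
#!/bin/sh
# Added example (not from the report): the local forward 4500 -> 192.168.56.101:80 via
# 192.168.56.101, wrapped with checks. User name is a placeholder; ss and curl assumed.
set -eu

GATEWAY=192.168.56.101                     # SSH server we log into
GATEWAY_USER="${GATEWAY_USER:-user}"       # placeholder, not from the report
SPEC="4500:192.168.56.101:80"              # local-port:remote-host:remote-port

# Splits a -L spec into "lport rhost rport" and rejects malformed ones.
parse_forward_spec() {
    spec="$1"
    case "$spec" in *:*:*) ;; *) echo "bad spec: $spec" >&2; return 1 ;; esac
    lport=${spec%%:*}; rest=${spec#*:}
    rhost=${rest%%:*};  rport=${rest#*:}
    for p in "$lport" "$rport"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then echo "bad port: $p" >&2; return 1; fi
    done
    echo "$lport $rhost $rport"
}

# -N: no remote command, -f: go to the background after authentication. With no bind
# address in the spec, ssh listens on 127.0.0.1 only, which is why the report sees the
# port as "local host"; exposing it on the LAN needs an explicit 0.0.0.0: prefix or -g.
open_tunnel() {
    ssh -f -N -L "$SPEC" "$GATEWAY_USER@$GATEWAY"
}

# Returns 0 when something is listening on TCP port $1 (any address).
listener_present() {
    ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" { found = 1 } END { exit !found }'
}

if [ "${1:-}" = run ]; then
    parsed=$(parse_forward_spec "$SPEC")
    set -- $parsed
    open_tunnel
    listener_present "$1" && curl -s "http://127.0.0.1:$1/" | head -n 5
fi
```

`ss -ltn` is the modern equivalent of the `netstat` check in the report; the listening address it prints (127.0.0.1:4500 rather than 0.0.0.0:4500) is the detail that tells you whether the tunnel entrance is reachable only from the client box or from anything that can route to it.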
Part III – Objective: Firewall using IPTABLES
Firewall implementation using iptables. You are to set up the appropriate iptables rules to accomplish the following:
1. Using the same VM running the newly configured sshd daemon from Part I, set up a default-deny policy to drop all inbound traffic.
2. Only allow inbound traffic to both sshd ports: port 22 for public access and the privileged port for root access. Note: the privileged port is the one you chose in Part I when the new daemon was configured.
3. Only allow a trusted network or net-block to access the privileged sshd port.
4. Log all other dropped packets.
Explanation
Firewalls are used to block unauthorized access to a network. All Linux flavors provide a basic firewall in the kernel, iptables, which can be used to provide simple IPv4 and IPv6 packet filtering and Network Address Translation. iptables provides three sets of rules, known as chains: the INPUT chain, the FORWARD chain and the OUTPUT chain. The diagram below shows high-level IP packet filtering in iptables.
[Diagram: iptables packet flow. Network → mangle PREROUTING → nat PREROUTING → route → filter INPUT → local process; local process → mangle OUTPUT → filter OUTPUT → nat POSTROUTING → Network; routed traffic: route → filter FORWARD → nat POSTROUTING → Network.]
Our assignment requirement is to implement basic iptables rules on the INPUT chain. We have implemented the rules with the following commands.
Since iptables rules are evaluated sequentially, we have to be careful to have the DROP rule at the end of the rules. We can verify our rules with the following command.
We checked the active ports on the server.
We used tcpdump to see the traffic on these ports.
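Since the rule commands themselves survive only as a screenshot, here is an added example (not the report's own rules) of an INPUT-chain rule set that meets the four requirements, with the ordering point above built in as a check. Port 2501 is the report's privileged port; the trusted net-block 192.168.56.0/24 is an assumption based on the lab addresses. Without an argument the script only prints the rules; `apply` runs them as root.

```shell
#!/bin/sh
# Added example (not from the report): INPUT-chain rules for the assignment, printed as a
# dry run or applied with "apply" as root. 192.168.56.0/24 is an assumed trusted net-block.
set -eu

PUBLIC_SSH=22
ROOT_SSH=2501
TRUSTED_NET="${TRUSTED_NET:-192.168.56.0/24}"

# Rules are evaluated top to bottom and the first match wins, so the log-and-drop pair
# must come last or it would swallow the ssh traffic we mean to allow. The policy is
# switched to DROP only after the ACCEPT rules exist, so an admin on ssh is not cut off.
build_rules() {
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $PUBLIC_SSH -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $ROOT_SSH -s $TRUSTED_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-INPUT-DROP: " --log-level 4
iptables -A INPUT -j DROP
iptables -P INPUT DROP
EOF
}

# Ordering check: succeeds only if LOG precedes the final DROP and no ACCEPT follows LOG.
check_order() {
    build_rules | grep ' -A INPUT ' | awk '
        /-j LOG/    { log_at = NR }
        /-j DROP/   { drop_at = NR }
        /-j ACCEPT/ { last_accept = NR }
        END { exit !(log_at && drop_at && log_at < drop_at && last_accept < log_at) }'
}

# Number of rules that admit new inbound connections (the two sshd ports, nothing else).
count_accepts() {
    build_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}

case "${1:-}" in
    apply) check_order && build_rules | sh -e && iptables -L INPUT -v -n --line-numbers ;;
    *)     build_rules ;;
esac
```

The `-m limit` on the LOG rule keeps a port scan from flooding the kernel log while still recording every dropped flow's first packets; the entries land in the kernel ring buffer (`dmesg`) and in whatever file syslog writes kernel messages to, with the `IPT-INPUT-DROP:` prefix to grep for. `iptables -L INPUT -v -n --line-numbers` is the verification step: the packet counters on the two ACCEPT lines should move when the ssh tests from Part I are repeated, and the LOG/DROP counters when anything else is tried.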