My thoughts on Slackware, life and everything

Tag: ssh

Securing remote root access

If you ever ran a SSH server on the Internet, you will probably have noticed the massive amount of ssh break-in attempts.

There are a few easy ways to get rid of the attacks and at the same time prevent your root account from being compromised.

  1. move the SSH listen port from TCP port 22 to a non-standard port
  2. disallow connections with the older and easily cracked “Protocol 1”
  3. disallow remote root logins

These countermeasures are easily taken by editing the ssh daemon’s configuration file “/etc/ssh/sshd_config“. below, I will show you the lines to lookup and the changed line which needs to take its place:

  • Move the ssh listen port from 22 to 12345. This will get rid of most break-in attempts right away because these only target the well-known port 22:

#Port 22
Port 12345

  • Disallow the use of the old “Protocol 1”

#Protocol 2,1
Protocol 2

  • Disallow the root user to logon directly

#PermitRootLogin yes
PermitRootLogin no

After these changes have been made, you will have to restart the SSH server:

# /etc/rc.d/rc.sshd restart

When you disable root logon through SSH, the only possibility to become root on this computer remotely is to logon as a normal user first, and then use “su” or “sudo” to become root.

This has negative implications if you are used to make remote backups from your server and connect to it as root… because that is the only way to be able to access and read every file in the filesystem.

When you need remote root access but still want to disable password logins for root, there is a further change you have to make to one of the lines I showed you earlier. What I will show you next is how to prevent password logins for root while still allowing entrance using a SSH key. You can protect this SSH key with a passphrase so that it is impossible for someone who steals this key to force his way in as root – he will have the SSH key in his possession, but will not know the passphrase to unlock it!

In order for this to work, the SSH server must allow Public Key Authentication for Protocol2. In Slackware this is the default anyway:

#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

Now, let’s allow root to use a SSH key for loggin in. Change the following line in “/etc/ssh/sshd_config“:

PermitRootLogin no

to

PermitRootLogin without-password

and then restart the SSH daemon again (see above).

Finally, you will have to generate a SSH key that can be used for remote logins and copy the public keyfile to your SSH server.

ssh-keygen -t rsa

You will have to answer a few questions: under which name should the new keyfile be stored, and what passphrase should be used to protect the keyfile.

Once you have generated this keyfile, copy the public key (which is the keyfile but with the “.pub” extension) to your SSH server and on that server, as user root, append it to root’s “.ssh/authorized_keys” file like this (I am using an example public key filename “your_new_sshkey.pub”):

cat your_new_sshkey.pub >> /root/.ssh/authorized_keys

In case the “authorized_keys” file did not yet exist, you will have to secure other people’s access to the file or else remote logon will still not work:

chmod 600 /root/.ssh/authorized_keys
chmod 700 /root/.ssh

Once this has been done you should now be able to logon to your SSH server as root remotely:

ssh -p 12345 -i ${HOME}/.ssh/your_new_sshkey root@remoteserver

If you want ssh to use this SSH key automatically so that all you need to type is “ssh root@remoteserver“, you should add a few lines to your “~/.ssh/config” file. Perhaps that file does not yet exist in which case you can just create it. Mind the indents, they are required:

Host remoteserver
User root
Port 12345
IdentityFile /home/your_user/.ssh/your_new_sshkey

Good luck with this!

Eric

PS: if you copy your new public key to the server before you have made any of the changes I suggested, then some of the above steps can be combined into one. The following command on your workstation will copy the public key to the SSH server, and add it to root’s “authorized_keys” file, securing that file’s access attributes if needed, all in one go:

ssh-copy-id -i ${HOME}/.ssh/your_new_sshkey root@remoteserver

Remote installation of Slackware using ssh

When you are installing Slackware, you have several options of using the network. Your packages can be on a NFS, HTTP, FTP or SaMBa server. But it still requires you do be physically present behind the keyboard of the computer you are installing Slackware on.

Or does it?

There is a way to make the installer launch an embedded SSH server automatically. Once that SSH server is running,  you can do a remote login to this machine and install Slackware.

I hear you say, “why would I want to install Slackware over a ssh session at all”? Well, this feature is particularly important for people who need to install Slackware on a headless server – think of a server in a data center. You still need to boot the Slackware installer of course, but you do not need a DVD for that. If you have a PXE server, you can boot the installer over the network and never have to visit your computer “in the flesh”.

If you are familiar with Slackware’s installation, you know that you have to answer a few questions before you can start with a network installation. At a minimum, you need to

  • configure your keyboard layout, and
  • the configuration of your network card.

For these to be configured automatically, you must provide the installer with the answers. If both answers are known, then the installer can configure your network card with an IP address and start the embedded SSH server (Slackware uses dropbear as the SSH server). You can then do a remote login as root (no password will be asked! Be sure that your network is secure before you attempt this).

After you have logged on to the dropbear SSH server (you must know what IP address your to-be-installed computer has been configured with of course) you can remotely start Slackware’s “setup” (but first you have to run the command “. /etc/profile” – watch the dot! – which initializes the environment so that the setup utilities become available).

Burning question: how do you tell the installer the answers to the above two questions?

I am assuming you are booting the installer from the network, using a PXE server. Now, let’s assume your keyboard layout is “us“, your network interface is called “eth0” and you have a DHCP server in your network. Then, you need to change the “pxelinux.cfg/default” file like this:  add the following string to the “append” line for your boot kernel:

kbd=us nic=auto:eth0:dhcp

If instead, you want to use a static IP address of “192.168.0.11/255.255.255.0” (i.e. a netmask of 24 bits) the appended string becomes:

kbd=us nic=auto:eth0:static:192.168.0.11:24

Slackware’s installer uses udev for automatic hardware initialization and configuration. If you don’t want to use udev but want to determine yourself what module to load then this would be the appended string (I also added a default gateway of “192.168.0.254” to the mix):

noudev kbd=us nic=e1000:eth0:static:192.168.0.11:24:192.168.0.254

The generic notation for the kbd= and nic= parameters is:

kbd=<keyboard_layout>
nic=<driver>:<interface>:<dhcp|static>[:ipaddr:netmask[:gateway]
]

If your installer uses udev (the installer of Slackware 13.0 and later uses udev by default, earlier versions of Slackware did not have udev in the installer) then the “<driver>” string can be “auto”. Without the use of udev, the “<driver>” must be an actual kernel module for your card, like “e1000” in my example above.

I’d like to hear if you ever used or wanted to use this somewhat hidden feature of the installer!

Eric

Note: If you do a “normal” Slackware installation and want to start the dropbear SSH server manually after configuring the network card, you can do this. Just run:

/etc/rc.d/rc.dropbear start


© 2024 Alien Pastures

Theme by Anders NorenUp ↑