UnixServerAdmin

Server Administration & Management

SSH Public key challenge

Sometimes we get the following prompt when we try to connect to a server using SSH. We type "yes", but is there a way to avoid it?

The authenticity of host '111.222.333.444 (111.222.333.444)' can't be established.
RSA key fingerprint is f3:cf:58:ae:71:0b:c8:04:6f:34:a3:b2:e4:1e:0c:8b.
Are you sure you want to continue connecting (yes/no)?

Use the -o option:

ssh -o "StrictHostKeyChecking no" user@host

# vim /etc/ssh/ssh_config

Host *                          -> line no 20, uncomment the line
StrictHostKeyChecking no        -> line no 31, uncomment the line

# /etc/init.d/sshd restart


August 10, 2013 | Posted in SSH

TCP Wrappers – Send Mail after deny SSH login

TCP Wrappers give you a way to control and protect network services, limiting access and (if you want) logging every connection, which makes detecting and resolving problems easier. To set up TCP Wrappers you work with two access control text files: /etc/hosts.allow and /etc/hosts.deny. The format of a line in these files is: "daemon_list : client_list [ : shell_command ]"

# vim /etc/hosts.allow

# a net/mask pattern needs the network address (192.168.10.0); 192.168.10.12/255.255.255.0 has host bits set and never matches
sshd : 192.168.10.0/255.255.255.0 : spawn (echo -e "Connected from IP %h" | mutt -s "SSH Connection is Successful" unixserv@unixserveradmin.com) : ALLOW

# vim /etc/hosts.deny

sshd : ALL : spawn (echo -e "Access denied to external SSH Connection from IP %h" | mutt -s "Alert - SSH Connection Denied" unixserv@unixserveradmin.com) : DENY
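As an added illustration (not part of the original post), here is a small Python model of how tcpd evaluates these two files: it parses the daemon_list : client_list : options syntax, consults hosts.allow first and hosts.deny second, and treats a net/mask pattern the way hosts_access(5) does, which is why a pattern such as 192.168.10.12/255.255.255.0 never matches anything. The two rule strings are constructed for the example and send their spawn output to logger instead of mutt; hostnames, KNOWN/LOCAL and EXCEPT are not modelled.

```python
import ipaddress

# Constructed sample files (not from a real server). They mirror the post's two rules;
# the mail-sending spawn command is replaced by logger so the example needs no mail setup.
HOSTS_ALLOW = """
# office LAN in net/mask form: the network address must have its host bits clear
sshd : 192.168.10.0/255.255.255.0 : spawn (echo "ssh from %h" | logger -t tcpd) : ALLOW
"""
HOSTS_DENY = """
sshd : ALL : spawn (echo "ssh denied from %h" | logger -t tcpd) : DENY
"""


def client_matches(pattern, ip):
    """Match one client_list pattern against an address, following hosts_access(5):
    ALL, an exact address, a trailing-dot prefix (192.168.10.), CIDR, or net/mask."""
    pattern = pattern.strip()
    addr = ipaddress.ip_address(ip)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        # net/mask matches when net == (addr & mask). A pattern such as
        # 192.168.10.12/255.255.255.0 has host bits set, so (addr & mask) can never
        # equal it and the rule is dead; strict parsing rejects it for the same reason.
        try:
            return addr in ipaddress.ip_network(pattern, strict=True)
        except ValueError:
            return False
    try:
        return addr == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # hostnames, KNOWN, LOCAL and EXCEPT are not modelled here


def parse_rules(text):
    """Parse hosts.allow / hosts.deny text into (daemons, clients, options) tuples.
    Comment lines start with '#'; a trailing backslash continues a line."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            continue
        options = fields[2] if len(fields) == 3 else ""
        rules.append((fields[0].split(), fields[1].split(), options))
    return rules


def first_match(rules, daemon, ip):
    """Return the option string of the first rule matching daemon and client, or None."""
    for daemons, clients, options in rules:
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(client_matches(c, ip) for c in clients):
            return options
    return None


def access_decision(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Reproduce the lookup order: hosts.allow is consulted first, then hosts.deny,
    and a client matching neither file is allowed. A trailing ALLOW or DENY option
    (as in the post) decides explicitly; otherwise the file the rule lives in decides."""
    for text, verdict in ((allow_text, "ALLOW"), (deny_text, "DENY")):
        options = first_match(parse_rules(text), daemon, ip)
        if options is None:
            continue
        last = options.split(":")[-1].strip().upper()
        return last if last in ("ALLOW", "DENY") else verdict
    return "ALLOW"


if __name__ == "__main__":
    for src in ("192.168.10.55", "203.0.113.7"):
        print(src, "->", access_decision("sshd", src))
```

Feeding the original host-with-mask pattern in as the allow file shows the problem directly: a LAN address that should be allowed falls through to the deny rule.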

February 21, 2013 | Posted in Security, SSH, Tips & Tricks, Unix/Linux

How to disable users from logging into the server, except the administrator (root)

In cases where you have to disable login for all users except root, for example when you have to do a backup, use pam_nologin.so.

1) Edit the PAM file for the service you want to control. In this example I modify the SSH PAM control file, located at /etc/pam.d/sshd, and add the line:

# vim /etc/pam.d/sshd

account required pam_nologin.so

2) Create the /etc/nologin file; just do "touch /etc/nologin":

# touch /etc/nologin

This should disable login via SSH. If you want to disable login from the terminal as well, modify the /etc/pam.d/login file in the same way.

3) To re-enable logins, just remove /etc/nologin:

# rm -rvdf /etc/nologin

February 16, 2013 | Posted in Security, SSH, Tips & Tricks, Unix/Linux

How to do SSH Port Forwarding without starting a new session

You can forward ports with ssh like this:

# ssh -L 8888:localhost:80 user@remotehost

This will log you into remotehost as user, and port 8888 on your local machine will be tunnelled to port 80 on remotehost. If remotehost can see a machine that you can't (for example, one on an internal network), you can even do this:

# ssh -L 8888:internalhost:80 user@borderhost

This will log you in to borderhost, and localhost:8888 will be directed to internalhost:80, even though you may not be able to see internalhost directly yourself.

January 17, 2013 | Posted in SSH

How to make SSH listen on multiple ports

Although it is a security risk, it is possible to make OpenSSH listen on multiple ports. To do that, you need to edit the file and enable the "GatewayPorts" option.

# vim /etc/ssh/sshd_config
——————————————
AllowTcpForwarding no
GatewayPorts yes
X11Forwarding no
#X11DisplayOffset 10
——————————————

1. Look for the line that contains "Port 22", uncomment it if necessary, and add additional Port lines to make OpenSSH listen on other ports, like this:
———————–
Port 22
Port 80
Port 1025
———————–

2. The example will make OpenSSH listen on ports 22, 80 and 1025 simultaneously. Don't forget to restart the SSH service to apply the change by running:

# /etc/init.d/sshd restart

Warning: Running SSH on multiple ports may be a security risk; you have been warned!

November 3, 2012 | Posted in SSH

ssh-keygen: SSH login without using Password

System-1 :- 192.168.1.5
System-2 :- 192.168.1.10

ssh-keygen creates the public and private keys.

ssh-copy-id copies the local host's public key to the remote host's authorized_keys file and also assigns the proper permissions to the remote host's home, ~/.ssh, and ~/.ssh/authorized_keys.

Step 1: Create public and private keys using ssh-keygen on the local host (192.168.1.5)

192.168.1.5# ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): [Enter key]
Enter passphrase (empty for no passphrase): [Enter key]
Enter same passphrase again: [Enter key]
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is: 93:58:20:56:72:d7:bd:14:86:9f:42:aa:82:3d:f8:e5 root@192.168.1.5

Step 2: Copy the public key to the remote host (192.168.1.10) using ssh-copy-id

192.168.1.5# ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.1.10

root@192.168.1.10's password:
Now try logging into the machine, with "ssh '192.168.1.10'", and check in:

.ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

Note: ssh-copy-id appends the key to 192.168.1.10's .ssh/authorized_keys.

Step 3: Log in to the remote host without entering the password

192.168.1.5# ssh 192.168.1.10
Last login: Sun Nov 16 17:22:33 2011 from 192.168.1.5
[Note: SSH did not ask for password.]

192.168.1.10#

[Note: You are on remote-host here]

January 1, 2012 | Posted in Security, SSH, Tips & Tricks

How to Redirect your website to the secure port

# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 443

# /etc/init.d/iptables save

# chkconfig iptables on

September 12, 2011 | Posted in Apache, Security, SSH, Tips & Tricks

How to Email Alert on Root SSH Login

If you want to receive an email alert when someone makes a root login to the server:

1. Open the file /root/.bashrc

# vi /root/.bashrc

2. Scroll to the end of the file, then add the following (one line):

echo 'ALERT - Root Shell Access (YourserverName) on:' `date` `who` | mail -s "Alert: Root Access from `who | cut -d'(' -f2 | cut -d')' -f1`" you@yourdomain.com

September 10, 2011 | Posted in Mail, Security, SSH, Tips & Tricks

Hardening SSH Server

As with all security, it comes in layers. The more layers you add, the more difficult it will be to gain access to your server. One of the first things you will want to do is harden sshd, as it is a primary avenue for gaining access to your server.

Step 1: First of all we need to make a regular user, since we are disabling direct root login:

# useradd admin

# passwd admin

Step 2: Back up your current sshd_config

# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Step 3: Edit the sshd_config file

# vi /etc/ssh/sshd_config

————————————————
## Changing to another port is recommended, e.g. 8875
#Port 22
Port 8875
## Sets the listening address on the server. default=0.0.0.0
## ListenAddress 192.168.0.1
## Enforce SSH protocol 2 only
# Protocol 1,2
Protocol 2
## Disable direct root login; with "no" you log in as the admin user and then "su -" to root
#PermitRootLogin yes
PermitRootLogin no
##
UsePrivilegeSeparation yes
##
AllowTcpForwarding no
## Disables X11 forwarding
X11Forwarding no
## Checks that the user's home directory and rhosts files aren't world-writable
StrictModes yes
## IgnoreRhosts specifies whether .rhosts and .shosts files are ignored during authentication
IgnoreRhosts yes
##
HostbasedAuthentication no
## RhostsRSAAuthentication specifies whether sshd may use rhosts-based authentication together with RSA host authentication
RhostsRSAAuthentication no
## Adds a login banner that the user can see
Banner /etc/motd
## Enable / disable the sftp server
#Subsystem      sftp    /usr/libexec/openssh/sftp-server
## Add the users that are allowed to log in
AllowUsers admin
————————————————

Save the file.

Step 4: Add text to the MOTD banner file (/etc/motd)

# vi /etc/motd

Step 5: Restart the sshd daemon

# service sshd restart
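As an added example (not from the post), this Python script parses an sshd_config the way sshd reads it (the first value for a keyword wins, lines under a Match header are not global, repeated Port lines each add a listener) and reports which of the settings above differ from the post's hardened values. The WEAK_CONFIG text is constructed for the demonstration; the expected values are the ones the post sets.

```python
import re

# Constructed sshd_config text showing typical weak settings (not a real server's file).
WEAK_CONFIG = """
# Comments and blank lines are ignored by sshd
Port 22
Port 2222
Protocol 1,2
PermitRootLogin yes
X11Forwarding yes
# sshd keeps the FIRST value it sees for a keyword, so this second line has no effect
PermitRootLogin no
StrictModes yes
Match User backup
    PasswordAuthentication no
"""

# The values the hardening post sets explicitly.
HARDENED_VALUES = {
    "protocol": "2",
    "permitrootlogin": "no",
    "useprivilegeseparation": "yes",
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
    "strictmodes": "yes",
    "ignorerhosts": "yes",
    "hostbasedauthentication": "no",
    "rhostsrsaauthentication": "no",
}

# The post's configuration, rebuilt from the table above plus its port and user lines.
HARDENED_CONFIG = "\n".join("%s %s" % kv for kv in HARDENED_VALUES.items()) + "\nPort 8875\nAllowUsers admin\n"

_LINE = re.compile(r"^(\w+)\s*(?:=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return (effective global settings, listening ports) from sshd_config text, following
    sshd_config(5): keywords are case-insensitive, the first occurrence of a keyword wins,
    'key value' and 'key=value' are both accepted, Port may repeat (one listener each), and
    lines after a Match header apply only to that match block, not globally."""
    settings, ports, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue          # keyword without a value: nothing to record
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        if key == "port":
            ports.append(int(value))
        else:
            settings.setdefault(key, value)
    return settings, ports


def audit(text, expected=HARDENED_VALUES):
    """Compare the effective settings with the post's hardened values. Returns a list of
    (keyword, actual, expected); actual is None when the keyword is not set explicitly, in
    which case sshd's compiled-in default applies and should be checked by hand."""
    settings, _ = parse_sshd_config(text)
    findings = []
    for key, want in expected.items():
        have = settings.get(key)
        if have is None or have.lower() != want:
            findings.append((key, have, want))
    return findings


if __name__ == "__main__":
    for key, have, want in audit(WEAK_CONFIG):
        print("%-24s is %-8s expected %s" % (key, have, want))
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read())`; a keyword reported with actual None is not necessarily weak, it just means the file relies on the default.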

September 9, 2011 | Posted in Security, SSH

How to setup SSH keys

If you are going to connect to a remote host computer using public-key authentication, you will have to generate your key pair before connecting.

Public-key authentication is based on the use of digital signatures. Each user creates a pair of ‘key’ files. One of these key files is the user’s public key, and the other is the user’s private key. The server knows the user’s public key, and only the user has the private key.

When the user tries to authenticate herself, the server checks for matching public keys and sends a challenge to the user end. The user is authenticated by signing the challenge using her private key.
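To make the signature-based challenge concrete, here is an added example (not the page's code, and not how OpenSSH is implemented): a textbook-RSA toy built from constructed tiny primes, a Server that stores only public keys, and one login round trip in which the server issues a random challenge and checks the client's signature against the stored public key. Real keys are thousands of bits and use a padded signature scheme; the toy keeps only the shape of the exchange.

```python
import hashlib
import secrets


def keygen(p, q, e):
    """Textbook RSA from two (tiny, constructed) primes. Returns (public, private) as
    (n, e) and (n, d). Real OpenSSH keys are thousands of bits; these are for illustration."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def challenge_digest(challenge, n):
    """Reduce a SHA-256 digest of the challenge into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % n


def sign(private_key, challenge):
    """Client side: only the holder of d can produce this value."""
    n, d = private_key
    return pow(challenge_digest(challenge, n), d, n)


def verify(public_key, challenge, signature):
    """Server side: anyone with the public key can check, nobody can forge."""
    n, e = public_key
    return pow(signature, e, n) == challenge_digest(challenge, n)


class Server:
    """The remote host: it only ever stores public keys (its authorized_keys)."""

    def __init__(self):
        self.authorized = {}

    def add_key(self, user, public_key):
        self.authorized[user] = public_key

    def new_challenge(self):
        return secrets.token_bytes(32)   # fresh nonce, so a captured signature cannot be replayed

    def authenticate(self, user, challenge, signature):
        public_key = self.authorized.get(user)
        return public_key is not None and verify(public_key, challenge, signature)


def login_exchange(server, user, private_key):
    """One authentication round trip: server issues a challenge, the client signs it with
    its private key, the server checks the signature against the stored public key."""
    challenge = server.new_challenge()
    signature = sign(private_key, challenge)
    return server.authenticate(user, challenge, signature)


if __name__ == "__main__":
    pub, priv = keygen(61, 53, 17)
    srv = Server()
    srv.add_key("dude", pub)
    print("dude with matching key:", login_exchange(srv, "dude", priv))
    print("unknown user:", login_exchange(srv, "nobody", priv))
```

Because RSA with these parameters is a permutation of the residues, changing even one unit of the signature changes the verification result, which is what the last assertion in the test relies on.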

Remember that your private key file is used to authenticate you. Never expose your private keys. If anyone else can access your private key file, they can attempt to login to the remote host computer as you, and claim to be you. Therefore it is extremely important that you keep your private key file in a secure place and make sure that no one else has access to it.

Do not use public-key authentication on a computer that is shared with other users. Generate keys only on your personal computer that no one else can access!

So let's get started. Let's say you want to be able to ssh as your user "dude" to remote.com without passwords getting in your way...

# ssh root@unixserveradmin.com

and ssh will ask if you want to keep connecting; type "yes", and then it should ask for your password and open a shell in dude's home directory on remote.com, just like telnet. If this fails, there is a problem somewhere. Make sure ssh is installed on your end, and also make sure that remote.com is accepting ssh connections. If it isn't, you're wasting your time.
Once ssh is functioning we will set up the keys so that it will no longer be necessary to send passwords. If you are curious about the theory behind this, read up on "public key cryptography".

Create your keys: You need to create private and public ssh keys and put them in the proper place with the proper permissions. In your home directory, create a folder .ssh ($ mkdir .ssh) if there is none. Note that Windows may make it difficult for you to create a file starting with "." if you try to do it with its own tools, e.g. Windows Explorer. Next, create the keys with the command

# ssh-keygen -t dsa

The ssh-keygen program will ask for a passphrase; just hit the "Enter" key unless for some reason you know you want a passphrase. This creates the keys id_dsa and id_dsa.pub and puts them in .ssh/. The private key id_dsa must be readable only by you; change its permissions with

# chmod 600 .ssh/id_dsa

Put the public key on the remote computer: In this section we are assuming the remote computer is also running OpenSSH. Somehow you must get the .ssh/id_dsa.pub key onto the remote computer, whether by email, ftp, carrying it over on a floppy (sneakernet), etc.; the cool way to do it is to use scp, which was installed along with ssh. Suppose the remote computer is named remote.com and your account there is "dude". To copy the file to remote, run

# scp .ssh/id_dsa.pub root@unixserveradmin.com:

Don't forget the trailing colon. You will be asked for dude's password on remote before the copying commences. The file will be copied to dude's home directory on remote.

Install the public key on the remote computer: (We assume the remote computer is running OpenSSH on Linux or UNIX!) Once id_dsa.pub is on the remote computer, log in to it (you can use ssh to log in with your password as described above). From your home directory (where you should see your newly arrived id_dsa.pub) create a .ssh folder if none exists. Then append your id_dsa.pub to a file in .ssh with

# cat id_dsa.pub >> .ssh/authorized_keys

This will create the file authorized_keys if none exists. The id_dsa.pub key may be removed from the remote computer's home directory, if you like. The .ssh folder on the remote computer must have the correct permissions; you may set them with

# chmod 700 .ssh

Checking the password-less connection: Now the command

# ssh root@unixserveradmin.com

should give you a password-less connection to remote.com. Likewise, scp should be password-free. By the way, all the commands you do by first logging into the remote computer can be done remotely, one at a time, using ssh. For example, you can run

# ssh root@unixserveradmin.com ls

and get a listing of your home directory files on the remote system.
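The "append to authorized_keys and fix the permissions" steps from this post and from the ssh-copy-id post above, as an added Python example (not ssh-copy-id's own code): it creates ~/.ssh with mode 0700, appends the key only if it is not already present (the "extra keys you weren't expecting" check that ssh-copy-id asks you to make by hand), sets authorized_keys to 0600, and then runs the no-group/world-write checks that StrictModes makes on the home directory, .ssh and authorized_keys. The key string and the temporary home directory are constructed for the demo; key options containing spaces (from="a b") are not handled.

```python
import os
import stat
import tempfile

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def key_identity(line):
    """(type, base64 blob) of an authorized_keys line, ignoring the trailing comment and any
    leading options such as from="..." so the same key is recognised however it is annotated."""
    parts = line.split()
    for i, token in enumerate(parts[:-1]):
        if token in KEY_TYPES:
            return parts[i], parts[i + 1]
    raise ValueError("not an OpenSSH public key line: %r" % line)


def install_public_key(home, pubkey_line):
    """Do what 'cat id_dsa.pub >> .ssh/authorized_keys' plus the chmod steps do: create
    ~/.ssh (0700) and authorized_keys (0600) if needed and append the key only if it is
    not already present. Returns True if the key was added, False if it was already there."""
    key = pubkey_line.strip()
    identity = key_identity(key)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)          # makedirs' mode is subject to umask; set it explicitly
    path = os.path.join(ssh_dir, "authorized_keys")
    present = set()
    if os.path.exists(path):
        with open(path) as fh:
            for existing in fh:
                existing = existing.strip()
                if existing and not existing.startswith("#"):
                    try:
                        present.add(key_identity(existing))
                    except ValueError:
                        pass          # leave malformed lines alone; sshd ignores them too
    added = identity not in present
    if added:
        with open(path, "a") as fh:
            fh.write(key + "\n")
    os.chmod(path, 0o600)
    return added


def strict_modes_problems(home):
    """The ownership-independent part of what StrictModes checks before trusting the file:
    the home directory, ~/.ssh and authorized_keys must not be group- or world-writable."""
    problems = []
    for path in (home, os.path.join(home, ".ssh"), os.path.join(home, ".ssh", "authorized_keys")):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o022:
            problems.append("%s has mode %o" % (path, mode))
    return problems


def run_demo():
    """Install a constructed key into a temporary home three times (once plain, once
    identical, once with a different comment) and report what happened."""
    key = "ssh-dss AAAAB3NzaC1kc3MAAACBconstructedKeyBlob== dude@laptop"
    with tempfile.TemporaryDirectory() as home:
        first = install_public_key(home, key)
        second = install_public_key(home, key)
        other_comment = install_public_key(home, key.replace("dude@laptop", "dude@desktop"))
        with open(os.path.join(home, ".ssh", "authorized_keys")) as fh:
            lines = fh.read().splitlines()
        return first, second, other_comment, len(lines), strict_modes_problems(home)


if __name__ == "__main__":
    print(run_demo())
```

Comparing on (type, blob) rather than on the whole line is what keeps the file from growing a duplicate every time the same key arrives with a different comment.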

September 8, 2011 | Posted in cPanel, Security, SSH, Tips & Tricks

Securing SSH against Bruteforce attacks

With iptables, we can secure the SSH server against brute-force attacks.

:- Create a new chain...

# iptables -N SSH_WHITELIST

:- On the INPUT chain, mark new packets with the SSH 'tag'

# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH

:- Push new SSH connections through the SSH_WHITELIST chain

# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST

:- Limit to 4 connections from an IP per 60 seconds (to be stricter, use 300 seconds).
:- Log connections that go over this limit and drop the packets.

# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force

# iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

:- Check source IPs; if they match trusted hosts, remove the SSH 'tag' and accept the traffic.

# iptables -A SSH_WHITELIST -s 10.0.1.1 -m recent --remove --name SSH -j ACCEPT

# iptables -A SSH_WHITELIST -s 192.168.88.0/24 -m recent --remove --name SSH -j ACCEPT

# /etc/init.d/iptables save

# chkconfig iptables on
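The following Python model is an added example, not part of the original post. It replays a constructed sequence of new SSH connections through the post's rule order (record the source, jump to the whitelist, then the hitcount check) so you can see which attempts the recent match would log and drop, and why the whitelist rule has to sit before the drop rules. It simplifies the xt_recent module: a list of 20 stamps per address, one refresh per matched packet, and no --rttl.

```python
import ipaddress

# Rule parameters from the post.
WINDOW_SECONDS = 60
HITCOUNT = 4
TRUSTED = [ipaddress.ip_network("10.0.1.1/32"), ipaddress.ip_network("192.168.88.0/24")]
RECENT_LIST_SIZE = 20   # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps per address


class SshRateLimiter:
    """Model of the post's INPUT rules for one NEW SSH connection at a time:
    1. -m recent --set --name SSH         : record a timestamp for the source address
    2. -j SSH_WHITELIST                    : trusted sources are removed from the list and accepted
    3. --update --seconds 60 --hitcount 4  : if the source has >= 4 stamps inside the window,
       the packet is logged (ULOG prefix SSH_brute_force) and dropped; --update also refreshes
       the entry, so a blocked host that keeps retrying stays blocked.
    --rttl (requiring the same TTL as the earlier packets) is not modelled."""

    def __init__(self, trusted=TRUSTED, window=WINDOW_SECONDS, hitcount=HITCOUNT):
        self.trusted, self.window, self.hitcount = trusted, window, hitcount
        self.recent = {}      # source ip -> list of stamps (seconds)
        self.log = []         # (timestamp, source) for packets that hit the ULOG rule

    def _record(self, src, ts):
        stamps = self.recent.setdefault(src, [])
        stamps.append(ts)
        del stamps[:-RECENT_LIST_SIZE]      # keep only the newest entries, like the module

    def new_connection(self, ts, src):
        self._record(src, ts)                                   # rule 1: --set
        if any(ipaddress.ip_address(src) in net for net in self.trusted):
            self.recent.pop(src, None)                          # rule 2: --remove, ACCEPT
            return "ACCEPT"
        hits = sum(1 for t in self.recent[src] if ts - t <= self.window)
        if hits >= self.hitcount:                               # rule 3: --update matched
            self._record(src, ts)                               # refresh like --update does
            self.log.append((ts, src))
            return "DROP"
        return "ACCEPT"


# Constructed sequence of NEW SSH connections: (seconds since start, source address).
EVENTS = [
    (0, "203.0.113.9"),
    (5, "192.168.88.17"), (6, "192.168.88.17"), (7, "192.168.88.17"), (8, "192.168.88.17"),
    (10, "203.0.113.9"), (20, "203.0.113.9"),
    (30, "203.0.113.9"),    # fourth attempt inside 60 s: logged and dropped
    (35, "203.0.113.9"),    # still inside the window: dropped again
    (200, "203.0.113.9"),   # window expired: accepted again
]


def simulate(events=EVENTS):
    """Run the events through a fresh limiter; returns (decisions, log entries)."""
    limiter = SshRateLimiter()
    decisions = [limiter.new_connection(ts, src) for ts, src in events]
    return decisions, limiter.log


if __name__ == "__main__":
    decisions, log = simulate()
    for (ts, src), verdict in zip(EVENTS, decisions):
        print("t=%3ds %-15s %s" % (ts, src, verdict))
    print("logged as SSH_brute_force:", log)
```

The whitelisted 192.168.88.17 makes four connections in four seconds and is never dropped because the --remove in SSH_WHITELIST empties its entry before the hitcount rule sees it.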

September 7, 2011 | Posted in Firewall, Security, SSH

SSH daemon failing to start

Sometimes the sshd service fails to start: we check everything, it all looks fine, and reinstalling the service does not help either. No error is shown at service start-up, but the service status shows it is down:

# /etc/init.d/sshd start
Starting sshd: [ OK ]
# /etc/init.d/sshd status
openssh-daemon is stopped

I checked the /var/log/secure log to see what error was being thrown, and it showed the error below:

Sep4 13:54:54 vps sshd[18431]: fatal: daemon() failed: No such device

I had to do some searching to find out which device this error refers to; it turned out to be /dev/null, which is supposed to be a proper character device and not a regular file. In this case it was a regular file, so I removed it and recreated the character device as below:

# rm -f /dev/null

# mknod /dev/null c 1 3

Once the character device is created, the permissions should look like this:

# ls -lh /dev/null
crw-rw-rw- 1 root root 1, 3 Jan 12 16:07 /dev/null

After confirming that /dev/null was a proper character device, I restarted the service and it came up fine this time:

# /etc/init.d/sshd start
Starting sshd: [ OK ]
# /etc/init.d/sshd status
openssh-daemon (pid 27662) is running…

So if you come across this error when the ssh service fails, make sure that /dev/null is a proper character device; recreating it as a proper character device should fix the issue.
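An added Python check, not from the post, that turns the ls -l test into code: it reports whether a path is a character device with major 1 and minor 3 (what the "crw-rw-rw- ... 1, 3" line shows), and reproduces the fault in a temporary directory with a regular file named null. glibc's daemon() verifies exactly this before it redirects the standard descriptors and otherwise fails with ENODEV, which is the "No such device" in the log line above.

```python
import os
import stat
import tempfile


def describe_device(path):
    """What 'ls -l' shows for a device node, as data: the mode string and, for character or
    block devices, the major/minor pair that appears in place of the file size."""
    st = os.stat(path)
    mode = st.st_mode
    is_dev = stat.S_ISCHR(mode) or stat.S_ISBLK(mode)
    return {
        "mode": stat.filemode(mode),            # e.g. 'crw-rw-rw-' for a healthy /dev/null
        "is_char_device": stat.S_ISCHR(mode),
        "is_regular_file": stat.S_ISREG(mode),
        "major": os.major(st.st_rdev) if is_dev else None,
        "minor": os.minor(st.st_rdev) if is_dev else None,
    }


def dev_null_is_healthy(path="/dev/null"):
    """True when path is the character device Linux uses for /dev/null (major 1, minor 3);
    that is the check glibc's daemon() makes, failing with ENODEV ('No such device') otherwise."""
    info = describe_device(path)
    return info["is_char_device"] and (info["major"], info["minor"]) == (1, 3)


def reproduce_fault():
    """Constructed reproduction: a plain file named 'null' where a device node should be."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "null")
        with open(fake, "w"):
            pass
        return describe_device(fake), dev_null_is_healthy(fake)


if __name__ == "__main__":
    print("/dev/null:", describe_device("/dev/null"), "healthy:", dev_null_is_healthy())
    print("regular file in its place:", reproduce_fault())
```

On a healthy Linux host dev_null_is_healthy() returns True; the repair is the mknod command from the post, which this script deliberately does not run.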

September 5, 2011 | Posted in SSH

How to restore your SSH access using WHM Autofixer

If you are locked out and can't SSH to your server, WHM Autofixer may help you! Read this to learn more about WHM Autofixer. Here is the process to restore SSH settings and access:

1. Login to your WHM using the following URL:

https://HOSTNAME-OR-IP:2087/scripts2/autofixer

Change the HOSTNAME-OR-IP as appropriate for you.

2. In the Autofixer interface, enter the name safesshrestart as shown in the image.

[Image: WHM SSH Autofixer]

3. Hit the Submit button.

This will restore your SSH configuration and restart your sshd! You should be able to login easily after that!

September 4, 2011 | Posted in cPanel, SSH

Terminal showing blank after accessing remote server via SSH

You may get a blank terminal while accessing the remote server via SSH. The fix is very simple: just execute the following command on the remote server.

# setterm -blank 0

If your screen was blanking, this should prevent it. Otherwise the cause is hardware related, e.g. overheating or a bad motherboard.

September 3, 2011 | Posted in SSH

How to enable print last login option for SSH

To enable printing the last-login information after logging in to the shell, log in to the shell as root and make the following change in the sshd_config file. Open sshd_config in your favorite editor.

# vi /etc/ssh/sshd_config

Find the line "PrintLastLog" and change it from "no" to "yes":

PrintLastLog yes

Save and exit file. Restart the sshd service.

# /etc/init.d/sshd restart

Now open a second SSH session and check whether the PrintLastLog option is working.

September 2, 2011 | Posted in SSH

Log files in Linux (cPanel)

On a cPanel server you may find that logs are stored differently compared with a server without a control panel. Even Plesk saves logs in different paths. Here is a list of services and their log paths that may help you find the logs.

Apache
/usr/local/apache/logs/access_log
/usr/local/apache/logs/error_log
/usr/local/apache/domlogs/example.com

MySQL
/var/lib/mysql/hostname.err
where hostname is your server's hostname.

Exim
/var/log/exim_mainlog
/var/log/exim_paniclog
/var/log/exim_rejectlog

Courier-IMAP
/var/log/maillog

cPanel
/usr/local/cpanel/logs/error_log
/usr/local/cpanel/logs/access_log
/usr/local/cpanel/logs/license_log
/usr/local/cpanel/logs/login_log
/usr/local/cpanel/logs/stats_log

Pure-FTP
/var/log/messages
/var/log/xferlog  (symlinked to /usr/local/apache/domlogs/ftpxferlog)

System (cron, syslog, named, etc)
/var/log/messages
/var/log/boot.log
/var/log/cron
/var/log/dmesg

Security (ssh, ModSecurity, etc)
/var/log/secure
/usr/local/apache/logs/audit_log
/var/log/messages

August 15, 2011 | Posted in Apache, cPanel, Cron, DNS, Exim, Mod_Security, MySQL, Pure-FTPd, SSH, Tips & Tricks, Unix/Linux

How to Prevent hostname lookups with OpenSSH

When you connect to an OpenSSH sshd server, it is configured by default to do a hostname lookup on your IP address.
If there are any issues with the DNS configuration on the host machine, or with the DNS server it uses, this can delay ssh logins by around 30 seconds. Switching the lookup off may introduce a security risk, as full checking of the hostname against the IP address is no longer done. It is very easy to switch this hostname lookup off in the sshd_config file.

On most Linux distributions the sshd_config file is at /etc/ssh/sshd_config; add or change:

UseDNS no

This is correct for recent versions of sshd, but older versions use the following configuration option instead (set to no to switch the check off):

VerifyReverseMapping no

After making the above change to the configuration file, it's simply a matter of reloading the SSH daemon.

# /etc/init.d/sshd restart

UseDNS: specifies whether sshd should look up the remote host name and check that the resolved host name for the remote IP address maps back to the very same IP address. The default is "yes".
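What UseDNS actually verifies, as an added Python example (not OpenSSH code): a forward-confirmed reverse lookup that resolves the client address to a name and the name back to addresses, accepting the name only if the original address is among them. The record tables are constructed so the example runs offline; the system_* functions do the same lookups against real DNS and can be passed in instead.

```python
import socket

# Constructed DNS data (not real records). PTR: address -> name; forward: name -> addresses.
PTR_RECORDS = {
    "192.0.2.10": "client.example.com",      # forward and reverse agree
    "192.0.2.11": "spoof.example.com",       # reverse points to a name that resolves elsewhere
}
FORWARD_RECORDS = {
    "client.example.com": ["192.0.2.10"],
    "spoof.example.com": ["192.0.2.99"],
}


def table_ptr_lookup(ip):
    return PTR_RECORDS.get(ip)


def table_forward_lookup(name):
    return FORWARD_RECORDS.get(name, [])


def system_ptr_lookup(ip):
    """Real reverse lookup; returns None when there is no PTR record or DNS fails.
    This is the call that hangs for the whole resolver timeout when DNS is broken."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def system_forward_lookup(name):
    """Real forward lookup; returns [] on failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror, OSError):
        return []


def verify_reverse_mapping(ip, ptr_lookup=table_ptr_lookup, forward_lookup=table_forward_lookup):
    """The check sshd performs with UseDNS yes: resolve the client address to a name, resolve
    that name back to addresses, and trust the name only if the original address is among
    them. Returns (trusted name or None, reason). With UseDNS no, sshd skips this entirely and
    works with the bare address, so hostname patterns in AllowUsers or in authorized_keys
    from= options can no longer match by name; that is the security trade-off of the change."""
    name = ptr_lookup(ip)
    if name is None:
        return None, "no reverse mapping"
    if ip not in forward_lookup(name):
        return None, "reverse mapping %s does not map back to %s" % (name, ip)
    return name, "forward-confirmed"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(ip, verify_reverse_mapping(ip))
```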

February 19, 2011 | Posted in Security, SSH

Manually run logs for a cPanel account via SSH

Sometimes we need to manually run the logs for a particular account in cPanel. We can easily do this via SSH: log in as root, and for a particular account only use the following command:

# /scripts/runweblogs username

and for all accounts:

# /scripts/runlogsnow

January 17, 2011 | Posted in cPanel, SSH