SSH: Remote Access Security
 


Presentation for the post-graduate course in Information Security:
- Sniffing plain-text passwords;
- Brute-force attacks on SSH;
- Protection: firewall, IPS and/or TCP Wrappers;
- Basic hardening in sshd_config;
- RSA/DSA keys for remote access;
- SSH fetching keys from LDAP;
- Why prevent access: Fork Bomb


    Presentation Transcript

    • Security - Remote Access
      Leandro Silva, Leandro Purificação, David Wallace, Tiago Cruz - http://everlinux.com, Jeferson
      Level: Intermediate
      Prerequisites: basic English, network protocols and the Unix world.
    • Topics
      Sniffing plain-text passwords;
      Brute-force attacks on SSH;
      Protection: firewall, IPS and/or TCP Wrappers;
      Basic hardening in sshd_config;
      RSA/DSA keys for remote access;
      SSH fetching keys from LDAP;
      Why prevent access: Fork Bomb
    • Security - Remote Access
      Telnet has no encryption: an attacker can capture your password with a sniffer.
      OpenSSH encrypts the communication.
      It is present on every Unix (*BSD, Solaris, Linux, AIX...) and on routers as well.
      However, a machine compromised with a keylogger can still capture the administrator's password.
    • Capturing unencrypted passwords (e.g. telnet and FTP)
    • "Sniffing" passwords: dsniff
    • Capturing passwords: ettercap
    • Brute-force attacks against SSH
    • SSH is always a target ...
      Aug 31 23:21:28 localhost sshd[4560]: Illegal user admin from ::ffff:206.113.121.118
      Aug 31 23:21:31 localhost sshd[4562]: Illegal user test from ::ffff:206.113.121.118
      Aug 31 23:21:36 localhost sshd[4564]: Illegal user guest from ::ffff:206.113.121.118
      Aug 31 23:21:39 localhost sshd[4566]: Illegal user webmaster from ::ffff:206.113.121.118
      Aug 31 23:21:44 localhost sshd[4568]: Illegal user mysql from ::ffff:206.113.121.118
      Aug 31 23:21:47 localhost sshd[4570]: Illegal user oracle from ::ffff:206.113.121.118
      Aug 31 23:21:49 localhost sshd[4572]: Illegal user library from ::ffff:206.113.121.118
      Aug 31 23:21:52 localhost sshd[4574]: Illegal user info from ::ffff:206.113.121.118
      Aug 31 23:21:55 localhost sshd[4576]: Illegal user shell from ::ffff:206.113.121.118
      Aug 31 23:21:59 localhost sshd[4578]: Illegal user linux from ::ffff:206.113.121.118
      Aug 31 23:22:01 localhost sshd[4580]: Illegal user unix from ::ffff:206.113.121.118
      Aug 31 23:22:05 localhost sshd[4582]: Illegal user webadmin from ::ffff:206.113.121.118
      Aug 31 23:22:08 localhost sshd[4584]: Illegal user ftp from ::ffff:206.113.121.118
      Aug 31 23:22:12 localhost sshd[4586]: Illegal user test from ::ffff:206.113.121.118
      Aug 31 23:22:18 localhost sshd[4590]: Illegal user admin from ::ffff:206.113.121.118
      Aug 31 23:22:21 localhost sshd[4592]: Illegal user guest from ::ffff:206.113.121.118
      Aug 31 23:22:25 localhost sshd[4594]: Illegal user master from ::ffff:206.113.121.118
      Aug 31 23:22:28 localhost sshd[4596]: Illegal user apache from ::ffff:206.113.121.118
      Aug 31 23:22:33 localhost sshd[4598]: User root not allowed because not listed in AllowUsers
      Aug 31 23:22:37 localhost sshd[4600]: User root not allowed because not listed in AllowUsers
      ...
    • Homemade SSH brute-forcer
    • Generating random passwords
      $ john -stdout -incremental
      1952
      sammy
      stark
      start
      stack
      stace
      steve
      steen
      steet
      samers
      $ dd if=/dev/random ibs=6 count=1 2> /dev/null | mimencode
      HKxWMgRD
      $ pwgen
      xaif7Nah lie1Ieth gook1aiD ur1Ahthi Noo3eo5M Baz4aeBu
      ohMeek9a chiex7Iu Sipe0Eiv iDaighu7 Quuz3una AhB0echi
      go0Um7yu azo6Tiel Thee5aWe Xo8jaim5 caif0ieN HuaWie9n
    • Protections against brute-force attacks
    • Basics
      /etc/ssh/sshd_config
      # Groups allowed in via SSH
      AllowGroups sysadmin suporte
      AllowUsers tcruz maria
      # Logging in directly as root is suicide:
      PermitRootLogin no
      # Changing the default port gets rid of some script kiddies:
      Port 2258
      tcruz@tuxkiller:~$ ssh -p 2258 192.168.15.129
      # Change to no to disable tunnelled clear text passwords
      PasswordAuthentication no
      tcruz@tuxkiller:~$ ssh userteste@192.168.15.129
      Permission denied (publickey).
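To check a server against the settings this slide recommends, here is an added audit script (example code, not part of the presentation) that reads an sshd_config, keeps sshd's first-occurrence rule for duplicate keywords, sets Match-block directives aside for manual review, and flags the weak values; the two config strings are constructed samples.

```python
import re

def parse_sshd_config(text):
    """Global-section settings keyed by lower-cased keyword. sshd honours the first
    occurrence of a keyword, and anything under a Match block is conditional, so those
    lines are returned separately for manual review."""
    settings, match_lines, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # lenient: drops trailing comments too
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            in_match = True
        elif in_match:
            match_lines.append(line)
        else:
            settings.setdefault(key, value)
    return settings, match_lines

def audit(text):
    """Findings against the slide's baseline: no root login, no passwords,
    an explicit allow-list and a non-default port."""
    s, match_lines = parse_sshd_config(text)
    findings = []
    if s.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if s.get("passwordauthentication", "").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' (key-only login expected)")
    if not (s.get("allowusers") or s.get("allowgroups")):
        findings.append("no AllowUsers/AllowGroups: every local account is open to guessing")
    if s.get("port", "22") == "22":
        findings.append("Port 22 (default): still answers the automated scans seen in the logs")
    if match_lines:
        findings.append("Match block present, conditional overrides not audited: " + "; ".join(match_lines))
    return findings

# Constructed samples, not the slide's files. WEAK looks like a stock install;
# HARDENED applies the slide's settings and ends with a duplicate the first-occurrence rule ignores.
WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = """\
AllowGroups sysadmin suporte
AllowUsers tcruz maria
PermitRootLogin no
Port 2258
PasswordAuthentication no
PermitRootLogin yes
"""
```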
    • IDS/IPS - OSSEC
    • Brute Force - Mitigation
      - On the server to be protected:
      # iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
      # iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
      # iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
      - Test from the "attacking" workstation:
      $ for i in `seq 1 10` ; do echo 'exit' | nc 192.168.15.129 22 ; done
      SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
      Protocol mismatch.
      SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
      Protocol mismatch.
      SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
      Protocol mismatch.
      SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
      Protocol mismatch.
      ^C
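As an added illustration (not from the slides), the script below replays the `-m recent --update --seconds 60 --hitcount 4 -j DROP` then `--set` logic of the iptables recipe above over sshd log lines of the shape shown in the brute-force slide, which is why the fifth connection inside a minute is the first one dropped, matching the four banners seen in the nc test. The log sample is constructed with documentation-range addresses, and the year is assumed because syslog omits it.

```python
import re
from datetime import datetime

# Shape of the sshd lines on the brute-force slide, e.g.
# "Aug 31 23:21:28 localhost sshd[4560]: Illegal user admin from ::ffff:206.113.121.118"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?:::ffff:)?(?P<ip>[\d.]+)"
)

# Constructed sample log (documentation-range addresses, not the slide's data).
SAMPLE_LOG = """\
Aug 31 23:21:28 localhost sshd[4560]: Illegal user admin from ::ffff:203.0.113.5
Aug 31 23:21:31 localhost sshd[4562]: Illegal user test from ::ffff:203.0.113.5
Aug 31 23:21:36 localhost sshd[4564]: Illegal user guest from ::ffff:203.0.113.5
Aug 31 23:21:39 localhost sshd[4566]: Illegal user webmaster from ::ffff:203.0.113.5
Aug 31 23:21:44 localhost sshd[4568]: Illegal user mysql from ::ffff:203.0.113.5
Aug 31 23:21:47 localhost sshd[4570]: Illegal user oracle from ::ffff:203.0.113.5
Aug 31 23:23:10 localhost sshd[4590]: Illegal user backup from ::ffff:192.0.2.10
Aug 31 23:25:00 localhost sshd[4600]: Illegal user admin from ::ffff:203.0.113.5
""".splitlines()

def parse(line, year=2009):
    """(timestamp, user, ip) for a failed-login line, else None. Syslog omits the
    year, so one is assumed (the deck is from 2009)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def simulate_recent(lines, seconds=60, hitcount=4):
    """Replay the slide's rules: '--update --seconds 60 --hitcount 4 -j DROP' is
    checked first, then '--set'. Returns {ip: [verdict per new connection]}."""
    stamps, verdicts = {}, {}
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        window = [s for s in stamps.get(ip, []) if (ts - s).total_seconds() <= seconds]
        # --update matches once hitcount stamps sit inside the window; a matched --update
        # records this packet too, so an attacker who keeps hammering stays blocked.
        verdict = "DROP" if len(window) >= hitcount else "ACCEPT"
        window.append(ts)
        stamps[ip] = window
        verdicts.setdefault(ip, []).append(verdict)
    return verdicts
```

The last sample line shows the flip side: once the attacker pauses for longer than the window, the counter has aged out and the next attempt is accepted again.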
    • TCP Wrappers
      The TCP Wrappers package (tcp_wrappers) is part of the default installation and provides host-based access control for network services. The package's most important component is the library /usr/lib/libwrap.a.
      $ cat /etc/hosts.deny
      sshd: ALL
      $ cat /etc/hosts.allow
      sshd: 10.10.1.0/255.255.255.0 10.10.2.240/255.255.255.240
      $ cat /etc/hosts.allow
      sshd: 200.222.222.55 200.222.222.94: ALLOW
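The tcpd lookup order this slide relies on (hosts.allow first, then hosts.deny, then allow by default) is easy to get wrong, so here is an added evaluator (example code, not from the presentation) that applies the slide's own hosts.allow/hosts.deny rules to a client address. It handles ALL, exact addresses, trailing-dot prefixes, the net/mask form and the trailing ": ALLOW" / ": DENY" option; hostnames and the KNOWN/UNKNOWN/PARANOID wildcards are out of scope.

```python
import ipaddress

def _client_matches(pattern, ip):
    """Client patterns used on the slide: ALL, an exact address, a trailing-dot prefix
    such as 10.10.1., and net/mask such as 10.10.1.0/255.255.255.0. Hostnames and the
    KNOWN/UNKNOWN/PARANOID wildcards are not handled here."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return str(ip).startswith(pattern)
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)

def _rules(text):
    """Yield (daemons, clients, option) from a hosts.allow/hosts.deny file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        option = fields[2].upper() if len(fields) > 2 else None
        yield fields[0].split(), fields[1].split(), option

def is_allowed(daemon, client, hosts_allow, hosts_deny):
    """tcpd order: the first match in hosts.allow grants, otherwise the first match in
    hosts.deny refuses, otherwise access is granted. A ': ALLOW' or ': DENY' option on a
    rule (extended syntax, as on the slide) overrides the file it sits in."""
    ip = ipaddress.ip_address(client)
    for file_default, text in (("ALLOW", hosts_allow), ("DENY", hosts_deny)):
        for daemons, clients, option in _rules(text):
            if (daemon in daemons or "ALL" in daemons) and any(_client_matches(c, ip) for c in clients):
                return (option or file_default) == "ALLOW"
    return True

# The slide's own rules, reproduced here as sample input.
HOSTS_DENY = "sshd: ALL\n"
HOSTS_ALLOW = """\
sshd: 10.10.1.0/255.255.255.0 10.10.2.240/255.255.255.240
sshd: 200.222.222.55 200.222.222.94: ALLOW
"""
```

Note the default-allow fallthrough: because hosts.deny only names sshd, any other wrapped daemon stays reachable from everywhere unless it gets its own deny line (or "ALL: ALL").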
    • Passwordless: public and private keys for SSH access
    • Encryption keys
      tiago@cliente:~$ ssh-keygen -t dsa
      Generating public/private dsa key pair.
      Enter file in which to save the key (/home/tiago/.ssh/id_dsa):
      Enter passphrase (empty for no passphrase):
      Enter same passphrase again:
      Your identification has been saved in /home/tiago/.ssh/id_dsa.
      Your public key has been saved in /home/tiago/.ssh/id_dsa.pub.
      The key fingerprint is:
      46:de:5d:e5:52:2a:8b:03:2d:75:e9:fd:fa:e6:b7:26 tiago@tuxkiller
      tiago@cliente:~$ ssh-copy-id -i /home/tiago/.ssh/id_dsa
      id_dsa      id_dsa.pub
      tiago@cliente:~$ ssh-copy-id -i ~/.ssh/id_dsa.pub 192.168.15.129
      tiago@192.168.15.129 password:
      Now try logging into the machine, with "ssh '192.168.15.129'", and check in:
        .ssh/authorized_keys
      to make sure we haven't added extra keys that you weren't expecting.
    • Copying manually
      If you don't have ssh-copy-id:
      root@server:~# cat /home/tiago/.ssh/authorized_keys
      ssh-dss AAAAB3NzaC1kc3MAAACBANbDleaS26kY1Wukd0LiKhhzdxfG1dZC0EObXp8hIrK+xsNy g6dLRFPbbDYtZGJ06M5/SIqPCFoeLqHIMVroIPzZ 1gDMSdOesSbJMYkTgytJQltG2RHBp9OdTd7sp9xldQj93IAvAPTzFoUUtq9RaBzJJZbu 2ZK9Jqg8Spc/lT8JAAAAFQD5kI62O8bqAS1lFqmf1kklnskl SQAAAIA7Ff28UoKWAoECh0WFE5zqxvUPW+1Qz9sxCXjmXfDIwt2jBgyrGcDrJiyRffqQ kWEAlgqPZPQ6HQ68sFS052CjYU/5HlLbh2lXaiFBEvYpRqPg gnqbMgOcI2lBom1LSYwTCsbb61OZBKE9CC2KptGJdzXesaO4eo8ARzzOolnjUgAAAIEA gBdKmuccKaMtUJPapa3Q7OJxPq5lHnOXNUVRwkavVjLd7MB/ OWJI1FBOcExb9nGuVRVB1DB1VxYjz1QEa9KxNyx8eZQTtvA64McyjUuWJuSS1ld+DqJG TaeVvYDPICkgPK9HlDOvJUZmFHiUdwbn/BLUWAR/Bg106nkn 5s8WnQg= tiago@tuxkiller
      root@server:~# ls -l /home/tiago/.ssh/authorized_keys
      -rw------- 1 tiago tiago 605 2009-06-17 15:06 ~/.ssh/authorized_keys
      root@server:~# ls -ld /home/tiago/.ssh
      drwx------ 2 tiago tiago 4096 2009-06-17 15:06 /home/tiago/.ssh
    • Access logs
      # Log before:
      Jun 17 15:06:15 ubuntu sshd[2938]: Accepted password for tiago from 192.168.15.1 port 32813 ssh2
      # Log after:
      Jun 17 15:28:26 ubuntu sshd[3184]: Accepted publickey for tiago from 192.168.15.1 port 60079 ssh2
    • Logging in without a password
    • SSH with public keys centralized in LDAP
    • SSH fetching the key from LDAP
      OpenSSH-LPK
      The OpenSSH LDAP Public Key patch provides an easy way of centralizing strong user authentication by using an LDAP server for retrieving public keys instead of ~/.ssh/authorized_keys.
      => http://code.google.com/p/openssh-lpk/
      On the LDAP server - slapd.conf:
      include /etc/openldap/schema/openssh-lpk_openldap.schema
      On the clients - sshd_config:
      UseLPK yes
      LpkLdapConf /etc/ldap.conf
    • Example LDAP search
      [root@testmachine ~]# ldapsearch -x uid=tcruz
      # tcruz, People, empresa.com.br
      dn: uid=tcruz,ou=People,dc=empresa,dc=com,dc=br
      gecos: Tiago Cruz
      loginShell: /bin/bash
      objectClass: account
      objectClass: posixAccount
      objectClass: top
      objectClass: shadowAccount
      objectClass: ldapPublicKey
      uid: tcruz
      uidNumber: 1002
      cn: tcruz
      homeDirectory: /home/tcruz
      SshPublicKey:: ssh-dss c3NoLWRzcyBBQUFBQjNOemFDMWtjM01BQUFDQkFPTDF0alppRmdXdEdtMkJ2UWx
       9DOHJKNVYwaE90R3J3QUFBSUJIZVlzWnJGR2xITG4xblVGUTBTSXB6bzlnNG90RmFje
      gidNumber: 1010
      shadowLastChange: 14196
      # search result
      search: 2
      result: 0 Success
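As an added example (not part of the deck or of OpenSSH-LPK itself), the parser below reads ldapsearch LDIF output like the one above, including the "::" base64 form and folded continuation lines, and returns the authorized_keys lines an LPK-style lookup would hand to sshd, trusting only entries that carry the ldapPublicKey object class. The sample LDIF is constructed and its key body is a placeholder.

```python
import base64

def parse_ldif(text):
    """Entries from ldapsearch LDIF output as {attr_lower: [values]}: '#' comments skipped,
    'attr:: base64' decoded, folded lines (leading space) joined, dn-less trailer dropped."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # unfold a continuation line
        else:
            logical.append(line)
    entries, current = [], {}
    for line in logical + [""]:              # sentinel flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):             # '::' means the value is base64-encoded
            value = base64.b64decode(rest[1:].strip()).decode()
        else:
            value = rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    return [e for e in entries if "dn" in e]  # 'search: 2' / 'result: 0 Success' has no dn

def authorized_keys_for(ldif_text, uid):
    """authorized_keys lines for uid; only ldapPublicKey entries count as key sources."""
    for e in parse_ldif(ldif_text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        if uid in e.get("uid", []) and "ldappublickey" in classes:
            return e.get("sshpublickey", [])
    return []

# Constructed sample: placeholder key body, base64-encoded and folded as ldapsearch would print it.
_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC_PLACEHOLDER_KEY_BODY tcruz@cliente"
_B64 = base64.b64encode(_KEY.encode()).decode()
SAMPLE_LDIF = "\n".join([
    "dn: uid=tcruz,ou=People,dc=empresa,dc=com,dc=br",
    "objectClass: ldapPublicKey",
    "uid: tcruz",
    "sshPublicKey:: " + _B64[:40],
    " " + _B64[40:],
    "",
    "# search result",
    "search: 2",
    "result: 0 Success",
])
```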
    • A good reason to keep the attacker away from the shell
    • Fork Bomb
      A process that recursively creates many copies of itself in order to exhaust the server's resources: DoS, or denial of service.
      A fork bomb using the Microsoft Windows (any version) batch language:
      %0|%0
      In poetic Perl:
      fork while fork
      Using Python:
      import os
      while True:
          os.fork()
      Or in C or C++:
      #include <unistd.h>
      int main(void) { while(1) fork(); return 0; }
    • Fork Bomb
      tcruz@ubuntu:~$ ulimit -a | grep proce
      max user processes              (-u) unlimited
      tcruz@ubuntu:~$ ulimit -u 1024
      tcruz@ubuntu:~$ ulimit -a | grep proce
      max user processes              (-u) 1024
      tcruz@ubuntu:~$ :(){ :|:& };:
      [1] 3755
      tcruz@ubuntu:~$ -bash: fork: Resource temporarily unavailable
      -bash: fork: Resource temporarily unavailable
      -bash: fork: Resource temporarily unavailable
      -bash: fork: Resource temporarily unavailable
      -bash: fork: Resource temporarily unavailable
      -bash: fork: Resource temporarily unavailable
      [1]+  Terminated              : | :
      Note: this test used a VM with 512 GB of RAM
    • References
      http://everlinux.com/blog
      http://www.linux.com/archive/feature/61061
      http://code.google.com/p/openssh-lpk/
      http://en.wikipedia.org/wiki/Fork_bomb
      http://www.redhat.com/docs/manuals/enterprise/RH