Recommended
More Related Content
What's hot
What's hot (17)
Similar to openssh portforwarding and linux firewall
Similar to openssh portforwarding and linux firewall (20)
Recently uploaded
Recently uploaded (20)
openssh portforwarding and linux firewall
- 1. CN8822 Assignment #2 2 Assignment 2 – Secure Remote administration and firewalls ________________________________ 3 Part1 _____________________________________________________________________________ 3 Objective: To Study the concepts of remotely administering a server using ssh.__________________ 3 Public-key authentication should be used for the root user __________________________________ 9 Part II-Objective: To study the concepts of ssh port forwarding._____________________________ 12 Part III -Objective: Firewall using IPTABLES ______________________________________________ 17 References ________________________________________________________________________ 21
- 2. CN8822 Assignment #2 3 Assignment 2 – Secure Remote administration and firewalls Part1 Objective: To Study the concepts of remotely administering a server using ssh. 1)You are to secure a Linux server by restricting remote root access by running a separate sshd daemon. Make the necessary changes to have the newly configured sshd daemon comply with following restrictions: 1. Daemon must start on all run levels, i.e. 2345 2. root should have remote access to this server using new sshd daemon and no others. 3. All others should be accessing the server using the existing sshd daemon; again root should not be to access this sshd daemon. 4. Public-key authentication should be used for the root user 5. Feel free to add any configuration directives to further secure the ssh daemon Explanation: There is one SSH daemon runs by default to provide the ssh service on the default port 22. To have a separate SSH daemon we need to have separate run level and configuration files, and to isolate both daemons to work independently we copied binary file with different name . This was achieved by following these steps. 1) Copy sshd binary file with new name sshd_root with the –p option to retain same rights. 2) Copy sshd_config file with new name and make necessary changes to have separate keys for Root user and normal user, have separate pid file, separate port, separate Login Rules, these Rules are highlighted in the file
- 3. CN8822 Assignment #2 4 Also have a separate PID file
- 4. CN8822 Assignment #2 5 Here is the changes which have made in the sshd_root config file and we have highlighted them.
- 5. CN8822 Assignment #2 6 3) Have separate init scripts for sshd daemon and sshd_root daemon, we have highlighted the Changes in both files . In the ssh script file we have pointed to correct config file Also changed the pid file name to new pid file all the corresponding functions. Similar changes were made in the ssh_root init script and we have highlighted them , most important change was to point to new binary sshd_root in the /usr/bin directory. Next change is point to right config file.
- 6. CN8822 Assignment #2 7 3rd change was to have separate pid file as shown After all these changes we were able to successfully register the ssh_root as a separate daemon at the specified runlevels which is 2345 by using debian service register tool We can verify this by checking at the soft links at the rc startup level. After All these changes we were able to start/stop these two daemon separately and verified the login Rules. Here is the screenprint of separate pid files.
- 7. CN8822 Assignment #2 8 We restarted the server and two daemons started independently. We tried to login as root on port 22 it failed Where as normal user login was successful. Similarly root login was successful at port 2501 and normal user failed on this port.
- 8. CN8822 Assignment #2 9 Login as root was successful using port 2501 as shown. From this we were able to confirm that our two ssh daemon are working as expected in our Assignment. Public-key authentication should be used for the root user For the Public Key Authentication we used two machines with IP 192.168.56.101 as Server A And 192.168.56.102 as Server B and we were able to login with password. Here is the steps we had followed. 1) Create a key for root user
- 9. CN8822 Assignment #2 10 2) Copy key to 192.168.56.102 using ssh-copy which copied the key to authorized directoy and Login to 192.168.56.102, login was successful without prompting for Password.
- 11. CN8822 Assignment #2 12 Part II-Objective: To study the concepts of ssh port forwarding. SSH tunnels can be created in several ways using different kinds of port forwarding mechanisms. Ports can be forwarded in three ways. 1) Local port forwarding 2) Remote port forwarding 3) Dynamic port forwarding Port forwarding or port mapping is a name given to the combined technique of 1) translating the address and/or port number of a packet to a new destination 2) possibly accepting such packet(s) in a packet filter(firewall) 3 ) forwarding the packet according to the routing table. To illustrate Port Forwarding Example we have used Local port Forwarding. We have Two Servers A(192.168.56.101) and B (192.168.56.102) both have Apache running One Machine has default Apache test Page which we will treat as Client and Second Machine has Our Custom Page as shown below.
- 12. CN8822 Assignment #2 13 This Machine we will treat as Server with IP 192.168.56.101 and Client one IP is 192.168.56.102 and Apache Page is We will use Local Port Forwarding on Client to Display the server Apache page To achieve this we will use SSH Local forwarding.
- 13. CN8822 Assignment #2 14 SSH Local forwarding Syntax is ssh -L <local-port-to-listen>:<remote-host>:<remote-port> <gateway> In our case we have decided to use Local port 4500 to listen to remote server port 80 using Remote server as gateway. ssh –L 4500:192.168.56.101:80 root@192.168.56.101 Once we are logged into to Server 192.168.56.101, we will be listening port 80 traffic of this box to 192.168.56.102, 4500 port. We can confirm this by netstat
- 14. CN8822 Assignment #2 15 192.168.56.102 port 4500 is opened as local host; we will access this from the box itself
- 15. CN8822 Assignment #2 16 This confirms our configuration of Local port forwarding.
- 16. CN8822 Assignment #2 17 Part III -Objective: Firewall using IPTABLES Firewall implementation using iptables. You are to setup the Appropriate iptables rules to accomplish the following: 1. Using the same VM running the newly configured sshd daemon From Part I; setup a default-deny policy to drop all inbound Traffic. 2. Only allow inbound traffic to both sshd ports, port 22 for public Access and privileged port for root access. Note: Privileged Port is something you choose in Part I when new daemon was Configured. 3. Only allow a trusted network or net-block to access the privileged sshd port. 4. Log all other dropped packets Explanations Firewalls are used to block unauthorized access to Network. All Linux Flavors provide basic firewall in the kernel “IPTABLES” which can be used to provide simple IPv4 and IPV6 packet filtering and Network Address Translation. IP Table provided three set of Rules, knows as chains, which are IPUT CHAIN, Forward Chain and OUT PUT CHAIN. Diagram Below shows high Level IP Packet Filtering in the “ IP Tables”
- 17. CN8822 Assignment #2 18 Our Assignment requirement is to Implement Basic IP table Rules at the INPUT chain We have implemented the Rules by following commands mangle PREROUTING nat PREROUTING filter INPUT filter OUTPUT nat POSTROUTING filter FORWARD Mangle OUTPUT route Local Process Network Network
- 18. CN8822 Assignment #2 19 Since IPTABLE Rules are sequential we have to be careful to have DROP Rule at the End of The Rules. We can verify our Rules by following Command. Checked active ports on server Using TCP dump to see the traffic on these ports.