Securing SSH

There are several ways to secure access to the sensor. This page discusses two of the possibilities.

hosts.allow

The first method is configuring the hosts.allow file. This way we can restrict access to our sensor by listing, in the hosts.allow file, the IP addresses that are allowed to connect. To enable your sensor to use this method, some steps have to be taken when remastering your Knoppix image for the sensor.

The first step is setting up the hosts.allow file in such a way that we can change its contents without those changes being lost after a reboot of the sensor.

rm /etc/hosts.allow
ln -s /cdrom/scripts/hosts.allow /etc/hosts.allow

Now we have made a symbolic link to the /etc/hosts.allow file and placed the actual hosts.allow file in the /cdrom/scripts/ directory (just like we did with the wgetrc file).

Now we are ready to set up the allowed hosts that can use the SSH service on the sensor. Open up the /cdrom/scripts/hosts.allow file with your favorite editor.

/cdrom/scripts/hosts.allow

vi /cdrom/scripts/hosts.allow

We will add the following lines:

ALL : 127.0.0.1 LOCAL : ALLOW
ssh sshd : 192.168.10.10 : ALLOW
ALL : ALL@ALL : DENY

Replace the 192.168.10.10 address with the address you want to allow to have access to the sensors. It might be a good idea to use the server IP address here so that you always have access to the sensor via the server.
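To see how tcpd will read the three lines above before you reboot the sensor, here is an added example (not part of this page or the sensor scripts) that evaluates a client against hosts.allow rules the way the wrappers do: first matching rule wins, a daemon list of ALL matches every service, LOCAL matches a hostname without a dot, and a user@host pattern is matched on its host part. The rules text and the client addresses are constructed for the example; the 192.168.10.10 server address is the one from the page.

```python
import ipaddress

# Constructed copy of the three rules from the page, in tcp_wrappers
# "daemon_list : client_list : option" form.
HOSTS_ALLOW = """\
ALL : 127.0.0.1 LOCAL : ALLOW
ssh sshd : 192.168.10.10 : ALLOW
ALL : ALL@ALL : DENY
"""


def parse_rules(text):
    """Split hosts.allow into (daemons, clients, action) triples, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons, clients = fields[0].split(), fields[1].split()
        # A rule without an option field is an ALLOW rule in hosts.allow.
        action = fields[2].upper() if len(fields) > 2 else "ALLOW"
        rules.append((daemons, clients, action))
    return rules


def client_matches(pattern, ip, hostname):
    """Match one client pattern: user@host, ALL, LOCAL, net/mask, 'n.n.n.' prefix or exact IP."""
    if "@" in pattern:                      # user@host: only the host part is checked here
        pattern = pattern.split("@", 1)[1]
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                  # LOCAL = a known hostname without a dot
        return bool(hostname) and "." not in hostname
    if "/" in pattern:                      # net/mask form, e.g. 192.168.10.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):               # trailing-dot prefix form, e.g. 192.168.10.
        return ip.startswith(pattern)
    return pattern == ip


def decide(rules, daemon, ip, hostname=""):
    """First matching rule wins, as tcpd does; no match at all means access is granted."""
    for daemons, clients, action in rules:
        if (daemon in daemons or "ALL" in daemons) and any(
                client_matches(c, ip, hostname) for c in clients):
            return action
    return "ALLOW"
```

Because the final ALL : ALL@ALL : DENY line catches everything that the earlier lines did not allow, any service other than sshd is refused even from the server address.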

Thanks to Mr. Hiroshi Suzuki of NTT-CERT for pointing this method out.

iptables

Another way of setting up the SSH access for your sensors is through the use of iptables. This can be done by adding a few iptables lines at the start of the startclient script.

iptables -I INPUT -p tcp --dport 22 --source 192.168.10.10 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP

Just make sure that, as in the example above, the DROP rule is always the last iptables line for port 22, so that it only catches the connections no earlier rule accepted.

kb/securing_ssh.txt · Last modified: 2012/07/12 11:27 (external edit)