Ubuntu Reference Guide

© 2011 William Hall

SSH

SSH gives you a remote command line, so you can make changes to your Ubuntu system without actually being in front of it.

SSH options to configure:

AllowGroups group1 group2
Only allow members of the listed groups to connect. Remember that your own user account probably has a group with the same name as it, so include that group. This is an important security measure: it stops malicious users logging on with system accounts.
AllowTcpForwarding no
This only makes a difference if users cannot run their own forwarders from a shell. It does, obviously, stop software like Sequel Pro from connecting to MySQL over an SSH tunnel.
PermitRootLogin no
Blocks root from logging in over SSH. Make sure you have a sudo-capable user before setting this!
PrintMotd no
When set to yes, sshd prints the contents of /etc/motd when a user connects. Ubuntu already prints it at login anyway, so leave this as no. Do change /etc/motd, though.
X11Forwarding no
Disable this if the server has no GUI, or if you want to block X11 forwarding altogether.
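Two parsing rules of sshd_config catch people out when they apply the options above: for each keyword sshd uses the first value it finds, and anything after a Match line is conditional rather than global. The following shell script is an added example (not part of this guide and not an OpenSSH tool) that audits a config file for the five options above with both rules applied; it runs against a constructed sample config written to a temporary file, and the sample deliberately contains a duplicate PermitRootLogin and an X11Forwarding line inside a Match block so the audit flags them.

```sh
#!/bin/sh
# Added example, not part of the original guide: audit an sshd_config
# against the options listed above. Two sshd parsing rules matter here:
# for each keyword the FIRST value found is the one used, and anything
# after a "Match" line is conditional, so only lines before the first
# Match are global. Keys are case-insensitive and "Key=value" is allowed.

# Print the effective global value of KEY in FILE (nothing if unset).
sshd_global_value() {
    file=$1
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
        { if ($1 ~ /=/) sub(/=/, " "); k = tolower($1) }
        k == "match" { exit }                       # everything after is conditional
        k == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }   # first value wins
    ' "$file"
}

# Compare one option with its expected value; return 1 on a mismatch.
sshd_check() {
    file=$1; key=$2; want=$3
    got=$(sshd_global_value "$file" "$key")
    if [ "$got" = "$want" ]; then
        echo "OK        $key = $got"
        return 0
    fi
    echo "MISMATCH  $key = '${got:-<unset>}' (expected '$want')"
    return 1
}

# Constructed sample config (not a real server's): the duplicate
# PermitRootLogin shows first-value-wins, and X11Forwarding sits
# inside a Match block, so it is not a global setting.
sshd_sample_config() {
    cat <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PermitRootLogin no
AllowGroups admins sftponly
AllowTcpForwarding=no
PrintMotd no
Match group sftponly
    X11Forwarding no
EOF
}

# Run every check from the guide against FILE; return 1 if any fails.
sshd_audit() {
    rc=0
    sshd_check "$1" AllowGroups "admins sftponly" || rc=1
    sshd_check "$1" AllowTcpForwarding no || rc=1
    sshd_check "$1" PermitRootLogin no || rc=1
    sshd_check "$1" PrintMotd no || rc=1
    sshd_check "$1" X11Forwarding no || rc=1
    return $rc
}

# Sample run: on a real server point sshd_audit at /etc/ssh/sshd_config.
cfg=$(mktemp)
sshd_sample_config > "$cfg"
sshd_audit "$cfg" || echo "audit found problems (expected for the sample)"
rm -f "$cfg"
```

On the sample, PermitRootLogin is reported as "yes" because the first line wins, and X11Forwarding is reported as unset because its only occurrence is inside the Match block. On a live server, "sudo sshd -T" prints the fully resolved configuration and is the authoritative check; the script above is useful for reviewing a config file before it is deployed.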

SFTP (FTP over SSH)

Traditional FTP is actually quite insecure and can be annoying to set up. SSH already lets you transfer files, but what if you want people other than yourself uploading website files? With a few tweaks to the SSH configuration you can give other users access to one particular directory over SSH rather than to your entire system.

Chrooting a user's login away from their home directory also breaks their shell access, and setting the user's shell to /bin/false guarantees they get none.

Use the following commands to create a group that defines restricted access, then open the configuration file to edit it.

$ sudo groupadd sftponly
$ sudo nano /etc/ssh/sshd_config

Firstly change the default sftp server from:

Subsystem sftp /usr/lib/openssh/sftp-server

to

Subsystem sftp internal-sftp

Then add the following section (please note that "Match all" closes the block, so you can put this anywhere; if you're unsure, add it to the end of the file):

Match group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
Match all

If you are using key authentication, you will have to create a completely separate directory to store the keys in. Add these lines to your Match block:

    PasswordAuthentication no
    AuthorizedKeysFile /usr/local/share/keys/%u/.ssh/authorized_keys

Place the authorized_keys files under that separate directory, still in a structure like the home directories.

Now you can create a user and add them to the sftponly group.

$ sudo mkdir /home/fred
$ sudo useradd fred -d /home/fred -s /bin/false
$ sudo passwd fred
$ sudo adduser fred sftponly
$ sudo adduser fred www-data

This limits Fred's SFTP access to his home directory. You can then mount his website directory inside his home directory to give him access to it. The fstab line should resemble the following:

/var/sites /home/fred/sites none rw,bind 0 0

Doing things this way requires that /home/fred stays owned by root; the setup stops working if you make fred the owner of the directory. Fred can still upload files because he is a member of the www-data group, which owns and can write to the sites directory.

I have since used this method to create a set of sites directories and chrooted the SFTP users directly into those folders, bypassing the home directories entirely.

The folder that the user is chrooted to must be owned by root and must not be writable by fred. This stops fred from breaking out of the chroot.
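The ownership rule above is enforced by sshd itself: it refuses a ChrootDirectory unless every component of the path is owned by root and is not group- or world-writable. The script below is an added example (not part of this guide) that walks a path and reports every component that would make sshd reject it, plus a helper that prints the Match stanza from the procedure above for a given group. It assumes GNU stat (Linux); the sample run uses a constructed temporary directory, so it needs no root privileges.

```sh
#!/bin/sh
# Added example, not part of the original guide: check whether a directory
# can serve as an sshd ChrootDirectory. sshd refuses the chroot unless every
# component of the path is owned by root and is not group- or world-writable,
# which is the reason /home/fred above must stay owned by root.
# Assumes GNU stat (Linux); the sample run uses a constructed temp tree.

# Print one line per problem for DIR and each of its parent directories.
# Prints nothing when the whole path would be accepted as a chroot.
chroot_path_problems() {
    dir=$1
    case $dir in /*) ;; *) dir=$(pwd)/$dir ;; esac   # make the path absolute
    while :; do
        owner=$(stat -c %u "$dir" 2>/dev/null) || { echo "$dir: cannot stat"; return 0; }
        mode=$(stat -c %a "$dir")            # octal string, e.g. 755 or 2775
        [ "$owner" -eq 0 ] || echo "$dir: not owned by root (uid $owner)"
        grp=$(( $mode / 10 % 10 ))           # group permission digit
        oth=$(( $mode % 10 ))                # other permission digit
        [ $(( $grp & 2 )) -eq 0 ] || echo "$dir: group-writable (mode $mode)"
        [ $(( $oth & 2 )) -eq 0 ] || echo "$dir: world-writable (mode $mode)"
        [ "$dir" = "/" ] && break
        dir=$(dirname "$dir")
    done
}

# Exit status 0 if DIR is acceptable as a ChrootDirectory, 1 otherwise.
chroot_path_ok() {
    [ -z "$(chroot_path_problems "$1")" ]
}

# Print the sshd_config stanza from the guide for a restricted group.
# Pass a key directory as the second argument to keep authorized_keys
# outside the (root-owned) chroot, as the guide does.
sftp_match_block() {
    group=$1; keydir=$2
    echo "Match group $group"
    echo "    ChrootDirectory /home/%u"
    echo "    ForceCommand internal-sftp"
    if [ -n "$keydir" ]; then
        echo "    PasswordAuthentication no"
        echo "    AuthorizedKeysFile $keydir/%u/.ssh/authorized_keys"
    fi
    echo "Match all"
}

# Sample run on a constructed directory tree (no root privileges needed).
demo=$(mktemp -d)
mkdir "$demo/fred" && chmod 775 "$demo/fred"    # group-writable: sshd would refuse it
chroot_path_problems "$demo/fred"
chmod 755 "$demo/fred"                           # writable only by its owner
chroot_path_problems "$demo/fred"                # still fails unless root owns every component
rm -rf "$demo"
sftp_match_block sftponly /usr/local/share/keys
```

Run "chroot_path_problems /home/fred" on the real server after the useradd steps above: it should print nothing. If it prints a world-writable line for /tmp or a not-owned-by-root line for /home/fred, that is exactly the condition under which sshd logs a "bad ownership or modes for chroot directory" error and refuses the login.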

DenyHosts

On web servers, there is an additional concern. Although you have restricted ports and limited SSH access, malicious people will still attempt to get into your system using SSH. This is where DenyHosts comes in. It monitors your security logs and blocks any repeated failed attempts as per its settings.

To install DenyHosts, run the following command:

$ sudo apt-get install denyhosts

The configuration file is at /etc/denyhosts.conf but the defaults should be sufficient.
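To see what DenyHosts is reacting to, it helps to look at the log lines it reads. The script below is an added example (not part of this guide and not DenyHosts' own code) that reduces the core of the tool to a shell function: it scans "Failed password" lines written by sshd to an auth.log, counts failures per source address and lists the addresses that reach a threshold. The log lines are constructed samples using documentation address ranges; what DenyHosts then does with the result (blocking the address) is left to the tool.

```sh
#!/bin/sh
# Added example, not part of the original guide and not DenyHosts' code:
# the detection half of what DenyHosts does, as a single shell function.
# It reads sshd "Failed password" lines from a log file, counts them per
# source address and prints the addresses at or above a threshold.

# Usage: ssh_failed_sources LOGFILE THRESHOLD
# Prints "address count" for every address with >= THRESHOLD failures.
ssh_failed_sources() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' "$1" | sort
}

# Constructed sample auth.log (documentation address ranges, not real hosts).
sample_auth_log() {
    cat <<'EOF'
Mar 17 10:01:02 web1 sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
Mar 17 10:01:05 web1 sshd[2231]: Failed password for invalid user admin from 192.0.2.10 port 51122 ssh2
Mar 17 10:01:09 web1 sshd[2233]: Failed password for root from 192.0.2.10 port 51130 ssh2
Mar 17 10:02:00 web1 sshd[2240]: Accepted publickey for fred from 198.51.100.7 port 40022 ssh2
Mar 17 10:02:31 web1 sshd[2244]: Failed password for fred from 198.51.100.7 port 40030 ssh2
Mar 17 10:03:12 web1 sshd[2250]: Failed password for invalid user test from 203.0.113.5 port 33001 ssh2
Mar 17 10:03:15 web1 sshd[2250]: Failed password for invalid user test from 203.0.113.5 port 33001 ssh2
EOF
}

# Sample run; on a real Ubuntu server the log file is /var/log/auth.log.
log=$(mktemp)
sample_auth_log > "$log"
echo "sources with 3 or more failures:"
ssh_failed_sources "$log" 3
rm -f "$log"
```

With a threshold of 3 the sample yields only 192.0.2.10; lowering it to 2 adds 203.0.113.5, while the single mistyped password from 198.51.100.7 is never listed. The threshold is the same trade-off DenyHosts exposes in /etc/denyhosts.conf: too low and a legitimate user who fumbles a password gets locked out, too high and a slow guessing run goes unnoticed.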

Other things to do

PuTTY is the Windows client for SSH. WinSCP is a very capable SFTP client, and FileZilla and other FTP clients may also support SFTP.

SSHFS can mount a directory through SSH onto your local system.

Shortcuts when using Linux and Mac SSH clients

$ touch ~/.ssh/config
$ nano ~/.ssh/config

Host <shortcutname>
    HostName <server.com>
    User <username>

http://nerderati.com/2011/03/17/simplify-your-life-with-an-ssh-config-file/