Securing SSH
-
Following on from my post, what do people recommend.
This is open for both Internal Only servers (like me) or hosted servers that you might need/want SSH on.
-
I think the common things i've seen so far are -
Password or Password Less Public/Private Keys
Timeouts
Disallow root logon
Harden Firewall
White-list IP's that can access.Steps I used to connect to my Zabbix Server (CentOS
from Win10created a folder c:\users<username>.ssh
in powershell ran this commandssh-keygen -o -a 100 -t ed25519 -C "my@email.com Desktop"Typed on the password i wanted to use (you can run a different command to have a password less key - see below)
This generated two files in .ssh - id_ed25519 and id_ed25519.pubstill in powershell i ssh'd onto the zabbix server
ssh <user>@<ip>Once in ran the following commands
sudo mkdir ~/.ssh sudo nano ~/.ssh/authorized_keyscopy the contents of the .pub file on the windows machine
sudo chown YourUserName:YourUserName ~/.ssh -R sudo chmod 700 ~/.ssh sudo chmod 600 ~/.ssh/authorized_keysThen from powershell
ssh <user>@<ip>and it just asked me for the key password and i'm in
Updated - 28/02/2020
-
Is it normal to use the same key over many servers at a user level? or a different key for each server for each person?
-
I have the same questions posted above, so I await the answers.
Plus, how do others protect their own private key? In some folder on an encrypted drive/volume?
-
@Dashrender said in Securing SSH:
Is it normal to use the same key over many servers at a user level? or a different key for each server for each person?
Yes. You would use the same key per user (not sever) , but have some form of MFA.
You would store your key in an encrypted drive like druva or one drive
-
@IRJ said in Securing SSH:
@Dashrender said in Securing SSH:
Is it normal to use the same key over many servers at a user level? or a different key for each server for each person?
Yes. You would use the same key per user (not sever) , but have some form of MFA.
You would store your key in an encrypted drive like druva or one drive
Just to make sure I get this right.
I create my pub/private keys, put my own private key in an encrypted drive, then copy my public key to serverA, serverB, serverC, etc., correct?
(its one of those foggy brained days)
-
@Dashrender said in Securing SSH:
Is it normal to use the same key over many servers at a user level? or a different key for each server for each person?
Yes, that is standard.
-
@pmoncho said in Securing SSH:
@IRJ said in Securing SSH:
@Dashrender said in Securing SSH:
Is it normal to use the same key over many servers at a user level? or a different key for each server for each person?
Yes. You would use the same key per user (not sever) , but have some form of MFA.
You would store your key in an encrypted drive like druva or one drive
Just to make sure I get this right.
I create my pub/private keys, put my own private key in an encrypted drive, then copy my public key to serverA, serverB, serverC, etc., correct?
(its one of those foggy brained days)
Correct. We put our public keys into scripts to deploy and have them listed on a wiki, too. So that it is easy to add users to a system.
-
@scottalanmiller said in Securing SSH:
@pmoncho said in Securing SSH:
@IRJ said in Securing SSH:
@Dashrender said in Securing SSH:
Is it normal to use the same key over many servers at a user level? or a different key for each server for each person?
Yes. You would use the same key per user (not sever) , but have some form of MFA.
You would store your key in an encrypted drive like druva or one drive
Just to make sure I get this right.
I create my pub/private keys, put my own private key in an encrypted drive, then copy my public key to serverA, serverB, serverC, etc., correct?
(its one of those foggy brained days)
Correct. We put our public keys into scripts to deploy and have them listed on a wiki, too. So that it is easy to add users to a system.
Interesting. I am starting to add more linux systems so I will look into doing the same.
-
Here's some ideas for you. https://mangolassi.it/topic/10391/fairly-hardened-jump-box
-
I used duo for MFA with push on my phone and yubikeys.
-
@stacksofplates said in Securing SSH:
Here's some ideas for you. https://mangolassi.it/topic/10391/fairly-hardened-jump-box
I would also look at CIS benchmarks when creating your images.
-
@hobbit666 said in Securing SSH:
I think the common things i've seen so far are -
PasswordLess access i.e. Public/Private Keys
Timeouts
Disallow root logon
Harden Firewall
White-list IP's that can access.That is a good quick list, but we can add use vpn and/bastion host for access to that list.
-
@IRJ said in Securing SSH:
You would store your key in an encrypted drive like druva or one drive
Umm WUT.
You don't store your key anywhere. Because that makes it useless.
Are you reusing the same key on different user devices?
-
@scottalanmiller said in Securing SSH:
@Dashrender said in Securing SSH:
Is it normal to use the same key over many servers at a user level? or a different key for each server for each person?
Yes, that is standard.
More clearly, each user generates a keypair on their device and then the pub part of that pair is copied to each server.
I have a laptop and a desktop. I have generated a keypair on each device and have those public keys copied to the servers I connect to.
-
@stacksofplates said in Securing SSH:
Here's some ideas for you. https://mangolassi.it/topic/10391/fairly-hardened-jump-box
And this one
https://www.mangolassi.it/topic/19858/ssh-hardening -
@JaredBusch said in Securing SSH:
@IRJ said in Securing SSH:
You would store your key in an encrypted drive like druva or one drive
Umm WUT.
You don't store your key anywhere. Because that makes it useless.
Are you reusing the same key on different user devices?
Little lost here.
If I use putty on windows to create my key pair and I put my public key on my linux machine (authorized_keys file).
So what do you do with the private key from the key pair?
-
@pmoncho said in Securing SSH:
@JaredBusch said in Securing SSH:
@IRJ said in Securing SSH:
You would store your key in an encrypted drive like druva or one drive
Umm WUT.
You don't store your key anywhere. Because that makes it useless.
Are you reusing the same key on different user devices?
Little lost here.
If I use putty on windows to create my key pair and I put my public key on my linux machine (authorized_keys file).
So what do you do with the private key from the key pair?
Nothing. it is only ever on your one machine.
Also WTF with putty? SSH is native to even Windows now.
-
@JaredBusch said in Securing SSH:
@pmoncho said in Securing SSH:
@JaredBusch said in Securing SSH:
@IRJ said in Securing SSH:
You would store your key in an encrypted drive like druva or one drive
Umm WUT.
You don't store your key anywhere. Because that makes it useless.
Are you reusing the same key on different user devices?
Little lost here.
If I use putty on windows to create my key pair and I put my public key on my linux machine (authorized_keys file).
So what do you do with the private key from the key pair?
Nothing. it is only ever on your one machine.
Ok. Got it.
Now if I have my work machine and home laptop (used for remote work), should I create multiple keys, one for each machine or just copy and use the same private key?
Also WTF with putty? SSH is native to even Windows now.
It is what I initially used so it was the first thing that popped in my head.
-
Open a terminal session and run
ssh-keygento properly generate a valid keypair.
I use the ed25519 algorithm because it creates a short public key and the comments are usefulssh-keygen -o -a 100 -t ed25519 -C "my@email.com Desktop"
