SSH BRUTEFORCE

SSH BRUTEFORCE ATTACK: How to defend against it effectively?


Attackers frequently target Linux servers and try to brute-force the SSH daemon running on them. If the root password you have set is weak, they will quickly gain access to your Linux server, and your machines can become part of a wider botnet, launching DDoS attacks, sniffing traffic and doing other nefarious things without the system administrator knowing about it. The best ways to defend against it:

  1. Disable password-based authentication and use only key-based authentication. This is the most effective method against brute-force attacks.
  2. If you have to enable password-based authentication for some reason, drop all SSH traffic to your server by default and allow only the IPs that you know will be accessing your server over SSH.
  3. Use the AllowUsers directive in the sshd configuration to allow only certain users, optionally restricted to specific source IPs. In /etc/ssh/sshd_config, you can specify a list of allowed users like this:
     AllowUsers rick@98.122.22.2 root@126.22.10.1
     This allows the user rick to SSH in only from the IP 98.122.22.2, and the user root only from 126.22.10.1.
  4. Set very strong passwords that are more than 10 characters long. The Ezeelogin SSH jump host password management feature helps you set 30-character complex passwords.
  5. Reset the passwords frequently, for example once a day. The password management feature in the Ezeelogin SSH gateway does that automatically for you at the click of a button.
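The attack described above leaves a clear trace in the sshd log, and the second defence (drop by default, allow known IPs) is a handful of firewall rules. The following is an added example, not Ezeelogin code: it parses constructed auth.log-style lines (OpenSSH "Failed password" messages, with RFC 5737 documentation addresses), flags any source with five or more failures inside a five-minute sliding window, and prints the iptables rules for a default-drop allowlist on the SSH port. The year, thresholds and rule layout are this example's own assumptions. Note that a low-and-slow attacker (one attempt every 30 minutes, as the 192.0.2.9 lines show) slips under a five-minute window; widen the window or lower the threshold to catch that pattern.

```python
"""Flag SSH brute-force sources in auth.log-style lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Classic syslog lines carry no year, so this example assumes one.
LOG_YEAR = 2024
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log: a fast brute force from 203.0.113.5, one typo by a
# legitimate user, and a low-and-slow attempt from 192.0.2.9.
SAMPLE_LOG = """\
Mar 10 03:14:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 10 03:14:03 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40124 ssh2
Mar 10 03:14:06 bastion sshd[2202]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar 10 03:14:09 bastion sshd[2203]: Failed password for root from 203.0.113.5 port 40131 ssh2
Mar 10 03:14:12 bastion sshd[2204]: Failed password for invalid user oracle from 203.0.113.5 port 40140 ssh2
Mar 10 03:15:00 bastion sshd[2210]: Failed password for rick from 198.51.100.7 port 51000 ssh2
Mar 10 03:15:40 bastion sshd[2211]: Accepted publickey for rick from 198.51.100.7 port 51002 ssh2: ED25519 SHA256:abc
Mar 10 09:00:00 bastion sshd[2300]: Failed password for root from 192.0.2.9 port 60000 ssh2
Mar 10 09:30:00 bastion sshd[2301]: Failed password for root from 192.0.2.9 port 60001 ssh2
Mar 10 10:00:00 bastion sshd[2302]: Failed password for root from 192.0.2.9 port 60002 ssh2
Mar 10 10:30:00 bastion sshd[2303]: Failed password for root from 192.0.2.9 port 60003 ssh2
Mar 10 11:00:00 bastion sshd[2304]: Failed password for root from 192.0.2.9 port 60004 ssh2
"""


def parse_failures(text):
    """Yield (datetime, source_ip, user) for every failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def find_bruteforcers(text, threshold=5, window_seconds=300, allowlist=()):
    """Return {ip: (max_failures_in_window, sorted users tried)} for sources
    reaching `threshold` failures inside any `window_seconds` span.
    Allowlisted sources are never reported."""
    per_ip = defaultdict(list)
    users = defaultdict(set)
    for ts, ip, user in parse_failures(text):
        per_ip[ip].append(ts)
        users[ip].add(user)
    hits = {}
    for ip, times in per_ip.items():
        if ip in allowlist:
            continue
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):           # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[ip] = (best, sorted(users[ip]))
    return hits


def sshd_allowlist_rules(allowed_ips, port=22):
    """iptables rules for 'drop SSH by default, allow known IPs'.
    Order matters: the ACCEPT rules must come before the final DROP."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {ip} -j ACCEPT"
             for ip in allowed_ips]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for ip, (count, tried) in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures within 5 min, users tried: {', '.join(tried)}")
    print("\n".join(sshd_allowlist_rules(["198.51.100.7"])))
```

Point the script at a real file with `find_bruteforcers(open("/var/log/auth.log").read())`; on systemd hosts the equivalent lines come from `journalctl -u ssh`. The detection only tells you who is knocking; the firewall rules are what stop them, so run the output of `sshd_allowlist_rules` through a change window rather than blindly.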

SSH DUO Two Factor Authentication

The Ezeelogin SSH jump host and SSH gateway supports DUO Security two-factor authentication (2FA), which means that anyone with a smartphone can easily use it as the second layer of authentication. With DUO you do not have to type in complex strings or numbers: just tap on the smartphone screen and you are securely authenticated. No extra devices such as RSA tokens or hardware OTP generators have to be carried, since you already have a smartphone with you to authenticate into your SSH gateway.

SSH Gateway, SSH Jump Host, SSH Jump Box, SSH Bastion Host, SSH Jump Server- What is it? Why do you need it?

An SSH gateway server is a fortified central server that all your staff log in to first via SSH before accessing any other servers behind it. The fortified server is also known as a bastion host, SSH jump host or SSH jump server.

Using an intermediate SSH jump server increases security and eases the management of your Linux production servers. Ezeelogin is SSH gateway software that helps you set up your secure SSH box quickly and comes with many security and automation features. The diagram below gives a better idea of how the SSH jump server works.

 

SSH Gateway – SSH Bastion Host – SSH Jump Host – SSH Jump Box – SSH Jump Server

Advantages of using the Ezeelogin SSH gateway

  • Built-in Identity and Access Management for your staff
  • Intuitive SSH interface to access Linux nodes
  • SSH access to Linux production servers for your staff without sharing the SSH private keys or passwords
  • Two-factor authentication in SSH and for the panel: YubiKey, Google Authenticator and DUO Security 2FA are integrated
  • Record your staff's SSH sessions
  • SSH key management made easy
  • SSH password management made easy
  • Parallel shell integrated
  • Root password management for your Linux servers in production
  • Access control panels like cPanel/WHM and more in a click
  • PCI DSS, ISO 27001 and HIPAA compliance requirements can be met quickly

SSH Jump Host with Yubikey ssh two factor authentication

SSH YubiKey-based two-factor authentication is integrated into the Ezeelogin SSH jump host for extra security. Even if someone steals your username and password (which happens increasingly often), they cannot access your jump host without your physical key. The YubiKey generates a one-time password (an AES-encrypted block that includes a usage counter) that is valid only once, so an attacker would need physical possession of your YubiKey to generate a usable OTP.

 

 

SSH Gateway with Google two factor authentication for PCI DSS and HIPAA Compliance.

 

To ensure that access to your production Linux servers via the SSH bastion host, SSH jump host or SSH gateway is as secure as possible, we have integrated Google two-factor authentication into SSH. The user installs the Google Authenticator app on a smartphone. The app displays an additional six-digit one-time password; the user enters it, and the second factor confirms the user's identity.
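The six-digit code the Google Authenticator app shows is a TOTP (RFC 6238): an HMAC-SHA1 over the current 30-second counter, dynamically truncated to six digits. The following is an added example, not Ezeelogin's or Google's code, that implements the algorithm from the standard so you can see exactly what the server has to compute to verify the code. The shared secret used for the demonstration is the RFC 6238 test key, base32-encoded as authenticator apps expect it; the one-step skew window and the replay check in `TotpVerifier` are this example's design choices, but both are what a real verifier needs: the first tolerates phone clock drift, the second stops an intercepted code from being replayed inside its 30-second validity.

```python
"""RFC 6238 TOTP as used by the Google Authenticator app (added example)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30       # Google Authenticator uses 30-second time steps
DIGITS = 6


def new_secret():
    """Fresh 160-bit shared secret, base32-encoded for the QR code / app."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def hotp(key, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1(key, counter) with dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32, at=None, step=STEP, digits=DIGITS):
    """The code for the time step containing `at` (unix seconds; now if None).
    This is what the phone app displays."""
    key = base64.b32decode(secret_b32.replace(" ", ""), casefold=True)
    t = int(time.time() if at is None else at)
    return hotp(key, t // step, digits)


class TotpVerifier:
    """Server-side check: accepts the current step and `window` steps either
    side for clock skew, compares in constant time, and refuses to accept a
    step at or before the last accepted one, so a code cannot be replayed."""

    def __init__(self, secret_b32, window=1):
        self.key = base64.b32decode(secret_b32, casefold=True)
        self.window = window
        self.last_step = -1          # in production, persist this per user

    def verify(self, code, at=None):
        t = int(time.time() if at is None else at)
        step = t // STEP
        for delta in range(-self.window, self.window + 1):
            candidate = step + delta
            if candidate <= self.last_step:
                continue             # this step (or an older one) was already used
            if hmac.compare_digest(hotp(self.key, candidate), code):
                self.last_step = candidate
                return True
        return False


# RFC 6238 Appendix B test key ("12345678901234567890"), as an authenticator
# app would store it; the expected codes below come from that appendix.
RFC6238_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print("provision this secret in the app:", new_secret())
    print("code at t=59 for the RFC test key:", totp(RFC6238_SECRET, 59))   # 287082
    v = TotpVerifier(RFC6238_SECRET)
    print("first use accepted:", v.verify("287082", 59))
    print("replay accepted:", v.verify("287082", 59))
```

The code is only as secret as the base32 string: store it encrypted at rest, never log it, and keep the server clock synchronised with NTP, otherwise every code lands outside the skew window and users get locked out.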

OpenSSH 7.0 disables DSA keys by default

The road ahead was never bright for DSA keys and the writing was on the wall. The Ezeelogin SSH gateway will drop DSA keys and use ONLY RSA keys in future releases.

Starting with the 7.0 release of OpenSSH, support for ssh-dss keys has been disabled by default at runtime because of their inherent weakness. If you rely on these key types, you will have to take corrective action or risk being locked out. Your best option is to generate new keys using strong algorithms such as rsa, ecdsa or ed25519. RSA keys give you the greatest portability with other clients and servers, while ed25519 gives you the best security with OpenSSH (but requires recent versions of client and server).

If you are stuck with DSA keys, you can re-enable support locally by adding a line like this to your sshd_config and ~/.ssh/config files:
     PubkeyAcceptedKeyTypes=+ssh-dss

Be aware though that OpenSSH will eventually drop support for DSA keys entirely, so this is only a stop-gap solution; newer OpenSSH releases have since removed ssh-dss support altogether, and there the workaround no longer applies.

More details can be found on OpenSSH's website: http://www.openssh.com/legacy.html
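Before the next OpenSSH upgrade locks someone out, it is worth finding every ssh-dss key (and every short RSA key) still present in your authorized_keys files. `ssh-keygen -l -f authorized_keys` lists type and size per key; the following added example, not Ezeelogin or OpenSSH code, does the same in Python by decoding each key's base64 blob with the SSH wire format (RFC 4253 strings and mpints), so the RSA modulus size is read from the key itself rather than trusted from a comment. The sample keys are constructed in the script from throw-away numbers (not real key material) purely so the parser has input; the 2048-bit RSA minimum is this example's policy choice.

```python
"""Audit authorized_keys for ssh-dss and short RSA keys (added example)."""
import base64
import struct

MIN_RSA_BITS = 2048      # policy threshold assumed by this example


# --- SSH wire-format helpers (RFC 4253 'string' and 'mpint') ---------------
def _string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(n):
    # positive mpint: big-endian, with a leading 0x00 when the top bit is set
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _read_string(blob, pos):
    (ln,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + ln], pos + 4 + ln


def make_pubkey_line(keytype, fields, comment):
    """Build a 'type base64 comment' line from wire-format fields (demo only)."""
    blob = _string(keytype.encode()) + b"".join(fields)
    return f"{keytype} {base64.b64encode(blob).decode()} {comment}"


def key_bits(keytype, blob):
    """Key size in bits, parsed from the blob (None for unknown types)."""
    name, pos = _read_string(blob, 0)
    if name.decode() != keytype:
        raise ValueError("key type inside blob does not match the prefix")
    if keytype == "ssh-rsa":
        _e, pos = _read_string(blob, pos)          # public exponent
        n, pos = _read_string(blob, pos)           # modulus
        return int.from_bytes(n, "big").bit_length()
    if keytype == "ssh-dss":
        p, pos = _read_string(blob, pos)           # p, q, g, y follow
        return int.from_bytes(p, "big").bit_length()
    if keytype == "ssh-ed25519":
        pk, pos = _read_string(blob, pos)
        return len(pk) * 8
    return None


def audit_authorized_keys(text):
    """Return [(comment, keytype, bits, verdict)] for each key line.
    Note: a simple split() cannot cope with option values containing spaces."""
    report = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # options such as from="..." may precede the key type; skip to it
        i = next(i for i, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-", "sk-")))
        keytype, b64 = parts[i], parts[i + 1]
        comment = " ".join(parts[i + 2:]) or "(no comment)"
        bits = key_bits(keytype, base64.b64decode(b64))
        if keytype == "ssh-dss":
            verdict = "REJECT: ssh-dss is disabled by default since OpenSSH 7.0"
        elif keytype == "ssh-rsa" and bits < MIN_RSA_BITS:
            verdict = f"WEAK: RSA {bits} bits < {MIN_RSA_BITS}"
        else:
            verdict = "ok"
        report.append((comment, keytype, bits, verdict))
    return report


# Constructed sample file: numbers are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed demo keys, not real key material",
    make_pubkey_line("ssh-dss", [_mpint(1 << 1023 | 1), _mpint(1 << 159 | 1),
                                 _mpint(2), _mpint(3)], "legacy@old-box"),
    make_pubkey_line("ssh-rsa", [_mpint(65537), _mpint(1 << 1023 | 1)], "rick@laptop-2009"),
    make_pubkey_line("ssh-rsa", [_mpint(65537), _mpint(1 << 4095 | 1)], "rick@laptop"),
    'from="198.51.100.7" ' + make_pubkey_line("ssh-ed25519", [_string(bytes(32))], "deploy@ci"),
])

if __name__ == "__main__":
    for comment, keytype, bits, verdict in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS):
        print(f"{comment:18} {keytype:12} {bits!s:>5}  {verdict}")
```

Run it over `~/.ssh/authorized_keys` on the gateway and on every target node; any REJECT line is a user who will be locked out the day the workaround above is removed, so replace those keys first.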

Automated root password management on Linux servers

Your boss wants you to enable password-based authentication on a hundred Linux servers, set a 30-plus-character strong password on each one, share the root passwords with the developers, change the root passwords again once the developers log out at the end of the day, and reset the root password on every Linux server daily, because he is paranoid when it comes to security.

Rather than eating your boss alive, and perhaps earning a promotion instead, use the Ezeelogin root password management feature and you will meet all his requirements, if not more. As a Linux system administrator you know that key-based authentication is far stronger than any password, even a 100-character one, but for some unearthly reason you need password-based authentication enabled on those hundred Linux servers.

 


Here are the key issues that the Ezeelogin root password management feature addresses:

  • Automatically set and reset strong root passwords up to 32 characters long, in a click, on hundreds of Linux servers
  • Schedule periodic resets of the root password across all your Linux servers
  • Reset the root passwords on all your Linux servers in a click

 

 

 

 

SSH gateway and jump host security features that help with PCI DSS and HIPAA compliance


If you are a system administrator with a bunch of Linux servers to manage that have to be PCI DSS compliant, the Ezeelogin SSH gateway will help you meet the access-control requirements quickly.

Here are the PCI DSS requirements that need to be met when accessing your Linux servers, and how they are covered:

  1. SSH user expiry – Set an expiry time for an SSH user. It could be a developer or sysadmin who has to deploy new code and whose access must be removed after a period of time; you can set an expiry after which the user no longer has access.
  2. IAM – Identity and Access Management – Decide which developer or system administrator has access to which Linux production nodes. You can also choose the SSH user that the developer or devops engineer logs in as on your Linux node, for example the non-privileged user 'dev' or 'root'.
  3. 2FA – Two-factor authentication in SSH – Easily integrate YubiKey, DUO Security or Google two-factor authentication when your staff access your Linux nodes.
  4. SSH session recording – Know what your staff do on your Linux nodes. Sessions are recorded so that you know who did what, when and where.
  5. SSH key management – This is usually a headache when you have many servers, many staff and many keys granting access to the servers. Keys need to be added for a user to grant access or revoked to deny it. The SSH jump gateway handles this inherently: all keys are stored encrypted, and each user has just one key to access the gateway, which is removed when the user's account is deleted.
  6. RSA / DSA key-based authentication – Both RSA and DSA key-based authentication are supported, though we recommend RSA keys, as DSA is considered weak and is being deprecated.
  7. Disabling direct root access on target Linux servers – Direct root access needs to be disabled, but that comes with the additional hassle of remembering passwords and other overheads. This is handled in an ingenious way in Ezeelogin.
  8. Automated password resets – Reset the root passwords on your Linux nodes periodically, as the passwords must be rotated. We recommend disabling direct root access to any Linux node.
  9. Centralised login for users in LDAP or Active Directory – Authenticate your staff in SSH against your LDAP/AD.
  10. Maximum number of failed attempts before the account is locked – Repeated failures from a staff account trying to access the SSH gateway could be a brute-force attack; the account is automatically locked to prevent further attempts.
  11. Minimum password length for the root password – Set the root user password or remote SSH user password up to 30 characters long in a click.
  12. Password reuse for an SSH gateway user is limited so that the previous 3 passwords cannot be set again. HAPPY PCI DSS!!

Record SSH Sessions for PCI DSS Compliance


To be PCI DSS compliant, it is mandatory to record SSH sessions and maintain a log of all SSH activity on your Linux servers. This is a tedious task for any Linux system administrator. The solution needs to record every activity, including the user's input and the output, with timestamps, and provide a way to search through these logs.

The SSH session recording feature in the Ezeelogin SSH gateway helps you achieve this quickly and easily, so you know what was done on your server at any point in time.

Imagine that you have 100 Linux servers and 100 SSH users with access to these servers via SSH.

  • How do you keep track of what was done on these servers?
  • How do you conduct a forensic investigation when somebody does something bad, like deleting a file on a server or opening a backdoor?
  • How do you find out who is responsible when so many of your employees access your servers?

    Think about it... that is where the Ezeelogin SSH jump server comes into the picture.
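What a session recorder has to do is not magic: wrap the shell in a pseudo-terminal, copy every byte the user types and every byte the terminal shows, and stamp each chunk with the time. The following is an added example, not Ezeelogin's recorder, that does exactly that with the standard library's `pty.spawn` (the same mechanism the `script` command uses) and keeps the events in a small searchable log that can be written out as one JSON object per line. The file name, event layout and `SessionLog` API are this example's own choices; it is Unix-only because it needs a pty. The test events at the bottom are constructed. One caveat a practitioner must plan for: the input stream contains everything typed, including passwords entered at prompts with echo off, so the recording store needs the same protection as the credentials themselves.

```python
"""Timestamped, searchable SSH session recording (added example)."""
import json
import os
import pty
import re
import time


class SessionLog:
    """In-memory list of (elapsed_seconds, direction, text) events, where
    direction is 'i' for what the user typed and 'o' for what they saw."""

    def __init__(self, user="unknown", host="unknown"):
        self.user, self.host = user, host
        self.started = time.time()
        self.events = []

    def add(self, direction, data, at=None):
        t = (time.time() if at is None else at) - self.started
        text = data.decode("utf-8", "replace") if isinstance(data, bytes) else data
        self.events.append((round(t, 3), direction, text))

    def search(self, pattern, direction=None):
        """Events whose text matches the regex, optionally in one direction."""
        rx = re.compile(pattern)
        return [e for e in self.events
                if (direction is None or e[1] == direction) and rx.search(e[2])]

    def dump(self, path):
        """One JSON object per line: a header, then the events (grep-friendly)."""
        with open(path, "w") as fh:
            fh.write(json.dumps({"user": self.user, "host": self.host,
                                 "started": self.started}) + "\n")
            for t, d, text in self.events:
                fh.write(json.dumps({"t": t, "dir": d, "data": text}) + "\n")


def record_session(argv, log):
    """Run argv inside a pty. pty.spawn calls master_read for every chunk the
    child writes to the terminal and stdin_read for every chunk the user
    types; both are logged before being passed through unchanged."""
    def master_read(fd):
        data = os.read(fd, 1024)
        log.add("o", data)
        return data

    def stdin_read(fd):
        data = os.read(fd, 1024)
        log.add("i", data)
        return data

    return pty.spawn(argv, master_read, stdin_read)


if __name__ == "__main__":
    # Record an interactive shell, then report every 'rm' the user typed.
    log = SessionLog(user=os.environ.get("USER", "unknown"), host=os.uname().nodename)
    record_session([os.environ.get("SHELL", "/bin/sh")], log)
    log.dump("session.jsonl")
    for t, d, text in log.search(r"\brm\b", direction="i"):
        print(f"[{t:8.3f}s] typed: {text!r}")
```

Searching the input direction answers "who typed rm -rf and when"; searching the output direction catches what a command printed even if it was launched from an alias or a script that hides the typed text.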

 

 

 

Bastion host – How to secure and harden the ssh server on it?

  1. Enable a firewall, block all access to the SSH port by default, and allow only your staff IPs or the dynamic IP ranges that you trust.
  2. Disable direct root login. It is always better to log in as a non-privileged user first and then switch to root; this is the norm if you are looking for PCI DSS compliance. Edit /etc/ssh/sshd_config:
    PermitRootLogin no
    Ezeelogin SSH Gateway has a feature called 'AUTO SU or SUDO' which does the switching automatically, so you do not waste time retrieving the password of the 'admin' user and then entering the root password.
  3. Disable password-based authentication and enable only key-based authentication in the sshd configuration file. I would rate this as the most important of all.

    PasswordAuthentication no

  4. Enable key-based authentication. RSA is known to be more secure than DSA keys.

    PubkeyAuthentication yes

    (The older RSAAuthentication directive applied only to the obsolete SSH protocol 1 and is ignored by current OpenSSH; PubkeyAuthentication is the directive that matters.)

     

  5. Change the sshd default listening port from 22 to something like 22656, since an attacker then has to scan for it; this only cuts the noise from opportunistic scanners and is no substitute for the controls above. Use a custom port and bind only to the intended address:
    Port 22656
    ListenAddress 192.168.5.6
  6. Put the server behind a VPN. Having the bastion reachable only over a VPN considerably reduces its exposure and hardens the setup.
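The six steps above all end up as lines in sshd_config, and the mistakes that undo them are quiet ones: a later duplicate of a keyword (sshd takes the first value it sees and ignores the rest), a directive that sits under a Match block and so applies only to some connections, or a setting that was simply commented out. The following added example, not Ezeelogin or OpenSSH code, parses a config with those rules (first occurrence wins, comments stripped, parsing stops at the first Match block) and reports which of the hardening settings are missing. It embeds two constructed configs, a default-style weak one and a hardened one using the port and a corrected listen address from the text; the defaults table reflects stock OpenSSH, and the MaxAuthTries limit of 3 is this example's choice. The AllowUsers entry uses an 'admin' account because root login is disabled in the same file.

```python
"""Audit sshd_config for the hardening settings above (added example)."""

# Stock OpenSSH defaults for the keywords this audit cares about.
SSHD_DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "port": "22",
    "maxauthtries": "6",
}

WEAK_CONFIG = """\
# constructed: what a freshly installed bastion often looks like
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed: the settings from the list above
Port 22656
ListenAddress 192.168.5.6
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PubkeyAcceptedKeyTypes ssh-ed25519,rsa-sha2-512,rsa-sha2-256
AllowUsers rick@98.122.22.2 admin@126.22.10.1
MaxAuthTries 3
LoginGraceTime 30
# sshd keeps the FIRST value of a keyword, so this duplicate changes nothing:
PasswordAuthentication yes
Match User deploy
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} with sshd's first-occurrence-wins rule.
    Both 'Keyword value' and 'Keyword=value' forms are accepted. Parsing
    stops at the first Match block: those lines are conditional and must
    be audited per connection (see `sshd -T -C user=...`)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments (no '#' in values)
        if not line:
            continue
        if "=" in line.split(None, 1)[0]:
            parts = line.split("=", 1)
        else:
            parts = line.split(None, 1)
        key = parts[0].strip().lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        cfg.setdefault(key, value)               # later duplicates are ignored
    return cfg


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)

    def get(key):
        return cfg.get(key, SSHD_DEFAULTS.get(key, "")).lower()

    findings = []
    if get("permitrootlogin") != "no":
        findings.append(f"PermitRootLogin is '{get('permitrootlogin')}'; set it to no")
    if get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is enabled; use keys only")
    if get("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if get("port") == "22":
        findings.append("sshd listens on the default port 22")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups restriction")
    if int(get("maxauthtries")) > 3:
        findings.append(f"MaxAuthTries is {get('maxauthtries')}; lower it to 3")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_sshd_config(text)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it on the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; for the authoritative effective configuration, including Include files and Match results, use `sshd -T`, and always run `sshd -t` before restarting the daemon so a typo does not lock you out of your own bastion.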