In this tutorial you will read about security applications and IT security strategies. You will also read about our attempt to create a brand named RT|sec. Within the next 5 years, its name will stand for deep-learning- and machine-learning-supported IT infrastructures. Starting in 2018.
There is no device or service on the internet that is 100% secure. Amazon and other big companies pay a lot of money to penetration testers to find security flaws in their systems. So it is assumed that any system on earth has an undiscovered (0-day) vulnerability. This concept says that the security of a system decreases continuously until the zero day arrives and the system is hacked.
With this knowledge you can understand that keeping your operating systems and applications up to date is one of the main keys to a high-security IT environment.
Furthermore, this creates a lot of tasks for server administrators. They have to spend a lot of time reading log files and figuring out what problems exist or whether there are any ongoing attacks on their servers.
So it makes perfect sense that an AI, or at least machine learning techniques, would help a lot here.
This sounds like a paradox on first read. As you may already know, SSH stands for Secure Shell. So shouldn't it be secure already? Please remember that nothing on the whole internet is truly secure. So there are always ways for attackers to compromise your service.
client      192.168.0.1
server      192.168.0.254
mailserver  192.168.0.253
Use a terminal like tilix and connect with:
ssh 192.168.0.254
You can save your server information in the SSH client configuration file in your home directory
~/.ssh/config
A simple host configuration looks like this:
Host server
    Hostname 192.168.0.254
    Port 22
    User root
If you save this configuration you can connect to the server with the following command...
ssh server
...and you can override single values for testing purposes
ssh root@server
You can see that SSH prefers what you type on the command line and only reads the host configuration for values you did not supply.
So, here are a few configurations you can add to your environment. You always have to think about which strategy is best for you and whether you are aware of every possible security flaw. If you allow an SSH connection to a remote server from your local subnet and an employee steals your SSH credentials and connects with them, you have failed. So decide wisely!
The main configuration file for SSH on a Debian system is:
/etc/ssh/sshd_config
! Tip: If you are connected to a server and you change something in its SSH configuration, you can restart the SSH service without losing your session. Even if you change the port, the existing connection stays on the old port because it is already established. So after changing the port, stay connected and try to open a second SSH connection on the new port. If the port is closed or you simply misconfigured the configuration file, you can still fix the configuration through the first connection. But work fast! If the existing connection needs to reconnect because of some unknown event in the network, you might lose it.
You have to restart the SSH service if you want to activate the changes you have made.
service ssh restart
The default port for SSH is 22. This is known by every script kiddie in the whole universe. So, if you get a lot of brute force attacks and it is possible to change the port, this is the way you can do it. Change the following parameter in the main configuration file:
Port 22
It is possible to log in to any SSH server without a password, using an RSA key pair instead.
Create the public/private RSA key pair with the following command.
ssh-keygen -t rsa
Leave everything at the default values and don't set a passphrase.
If you set a passphrase you will always get a prompt for it.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:nm9VTWqhaFf8yeOmjq0Xt0X74aa574WpkVL5dJvk2c4 test@testpc
The key's randomart image is:
+---[RSA 2048]----+
| . |
| . + .|
| o o =.*.|
| . B * O++|
| .S* o B.oo|
| .o.o . o=.|
| o. + +E+|
| .= .+.+.|
| ++++=* |
+----[SHA256]-----+
In the next step you transfer the public key to a server of your choice
ssh-copy-id -i ~/.ssh/id_rsa.pub -p 22 root@192.168.0.254
You will get prompted for a password. The successful output looks something like this:
ssh-copy-id -i ~/.ssh/id_rsa.pub -p 22 root@192.168.0.254
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/test/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.0.254's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p '22' 'root@192.168.30.254'"
and check to make sure that only the key(s) you wanted were added.
After you have uploaded your public key to the remote server, there is a useful and recommended sshd option to change. The default is:
PermitRootLogin yes
This option accepts three values.
So after uploading the public key you can log in to the server and change the parameter to
PermitRootLogin prohibit-password
Restart the SSH service and try to access the server from a different host. If that host has no matching private key, root cannot log in by password anymore, no matter what is entered. So an attacker has to steal the private key of your user to get access to the server. Guessing is not possible from there on!
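The port change above and the PermitRootLogin change in this section are both edits to /etc/ssh/sshd_config, and the tip about keeping the first session open exists because a typo in that file leaves no working sshd for new sessions. The following shell functions are an added example, not code from the original tutorial: they set an option idempotently (rewriting a commented or existing line instead of appending a duplicate), keep a backup, and run `sshd -t` on the result before anything is restarted. The file path is a parameter so they can be tried on a copy first. `PasswordAuthentication no` is an assumption that goes beyond the text: it disables password logins for all users, so apply it only after ssh-copy-id has succeeded for every account that needs access. The helper ignores Match blocks, another assumption; run it on a plain global configuration only.

```shell
#!/bin/sh
# Added example (not from the original tutorial): change sshd_config options
# idempotently and validate the file before the service is restarted.
# Assumptions: Debian with openssh-server, no Match blocks in the file.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrites the first "Key value" or "#Key value" line for KEY (sshd honours the
# first active occurrence), drops later duplicates, or appends the line if absent.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { pat = "^[ \t]*#?[ \t]*" tolower(k) "[ \t]" }
        tolower($0) ~ pat {
            if (!done) { print k " " v; done = 1 }   # keep exactly one active line
            next
        }
        { print }
        END { if (!done) print k " " v }             # append when nothing matched
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
}

# get_sshd_option FILE KEY
# Prints the value sshd would use: the first uncommented occurrence of KEY.
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# harden_sshd [FILE] [PORT]
# Applies the tutorial's two changes (non-default port, root only via key) plus
# PasswordAuthentication no (assumption beyond the text), keeps a backup and
# refuses to go on if sshd rejects the new file.
harden_sshd() {
    file=${1:-/etc/ssh/sshd_config}
    port=${2:-22}
    backup="${file}.bak.$(date +%Y%m%d%H%M%S)"
    cp "$file" "$backup"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin prohibit-password
    set_sshd_option "$file" PasswordAuthentication no
    if command -v sshd >/dev/null 2>&1; then
        # -t only checks the file; a broken file would otherwise leave no sshd
        # for new sessions once "service ssh restart" has run.
        sshd -t -f "$file" || {
            echo "invalid sshd_config, not restarting; backup kept at $backup" >&2
            return 1
        }
    fi
    echo "config valid; keep this session open and run: service ssh restart"
}

# Usage (as root): harden_sshd /etc/ssh/sshd_config 2222
```

After `service ssh restart`, open the second connection on the new port as the tip describes; only close the first session once `ssh -p 2222 server` works and `ssh root@server` with a password is refused.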
It is possible to send an e-mail directly after a user logs in.
To do so, edit the following file
/etc/ssh/sshrc
Add the following script code and install the sendemail package
# Get the IP address of the connected user; SSH_CONNECTION is
# "client_ip client_port server_ip server_port"
ip=$(echo "$SSH_CONNECTION" | cut -d " " -f 1)
# Log the login to syslog
logger -t ssh-wrapper "$USER login from $ip"
# Send the notification mail in the background via the mailserver (192.168.0.253)
echo "User $USER just logged in from $ip" | sendemail -q -u "SSH Login" -f "Originator" -t "Login <logins>" -s 192.168.0.253 &
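The sshrc hook above reports successful logins, but the brute force attempts mentioned in the port section, and the log reading that takes up an administrator's time, concern the failed ones, which sshd writes to /var/log/auth.log on Debian. The following shell functions are an added example, not part of the original tutorial: they count failed and accepted logins per client IP, flag IPs whose failure count reaches a threshold, and list IPs that failed first and then succeeded, which is the pattern a guessed password leaves behind. The log lines are constructed, with documentation IP ranges and a placeholder key fingerprint.

```shell
#!/bin/sh
# Added example (not from the original tutorial): summarize sshd authentication
# events per client IP from auth.log-style lines.
set -eu

# Constructed sample of Debian auth.log lines (hostname "server" as in the tutorial,
# documentation IPs, placeholder fingerprint).
SAMPLE_LOG='Mar  3 10:01:02 server sshd[1201]: Failed password for root from 203.0.113.10 port 51022 ssh2
Mar  3 10:01:05 server sshd[1201]: Failed password for root from 203.0.113.10 port 51022 ssh2
Mar  3 10:01:09 server sshd[1204]: Failed password for invalid user admin from 203.0.113.10 port 51030 ssh2
Mar  3 10:01:12 server sshd[1206]: Failed password for invalid user oracle from 203.0.113.10 port 51031 ssh2
Mar  3 10:02:40 server sshd[1210]: Accepted publickey for root from 192.168.0.1 port 40120 ssh2: RSA SHA256:PLACEHOLDERFINGERPRINT
Mar  3 10:03:01 server sshd[1215]: Failed password for root from 198.51.100.7 port 60001 ssh2
Mar  3 10:05:30 server sshd[1220]: Accepted password for test from 198.51.100.7 port 60005 ssh2'

# summarize_ssh_auth < auth.log
# Prints one line per client IP: "<ip> failed=<n> accepted=<n>", most failures first.
summarize_ssh_auth() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { failed[$(i+1)]++; seen[$(i+1)] = 1 }
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { accepted[$(i+1)]++; seen[$(i+1)] = 1 }
        }
        END {
            for (ip in seen)
                printf "%s failed=%d accepted=%d\n", ip, failed[ip] + 0, accepted[ip] + 0
        }
    ' | sort -t= -k2,2nr
}

# flag_bruteforce THRESHOLD
# Reads summarize_ssh_auth output and prints the IPs with at least THRESHOLD failures.
flag_bruteforce() {
    awk -v t="$1" '{ split($2, f, "="); if (f[2] + 0 >= t) print $1 }'
}

# suspicious_successes
# Reads summarize_ssh_auth output and prints IPs that failed at least once and
# then got in: worth checking whether that account still allows passwords.
suspicious_successes() {
    awk '{ split($2, f, "="); split($3, a, "="); if (f[2] + 0 > 0 && a[2] + 0 > 0) print $1 }'
}

# Demonstration on the constructed sample; on a real host use:
#   summarize_ssh_auth < /var/log/auth.log | flag_bruteforce 10
printf '%s\n' "$SAMPLE_LOG" | summarize_ssh_auth
printf '%s\n' "$SAMPLE_LOG" | summarize_ssh_auth | flag_bruteforce 3
printf '%s\n' "$SAMPLE_LOG" | summarize_ssh_auth | suspicious_successes
```

With PermitRootLogin prohibit-password in place, "Accepted password for root" lines should never appear at all; their presence in the summary means the change did not take effect.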