Saturday, July 19, 2008

[Howto]: Five Minute Guide to Securing SSH


If you are like most administrators (and you installed SSH with the default settings), you will quickly see a steady stream of script-based attacks hitting port 22 in your firewall, system, or auth logs.  The vast majority of these break-in attempts through ssh are simple brute-force attack scripts.

Fear not, there are some very simple ways to configure your SSH daemon to radically cut your exposure to script kiddie attacks and slow down brute force attacks against your system.

There are three preferred ways to secure the SSH daemon: 1) strengthening the default configuration, 2) using port knocking, and 3) disabling password-based authentication entirely and forcing the use of RSA/DSA keys instead.  This article discusses the first: making simple changes to the default configuration file (/etc/ssh/sshd_config).

Depending on your distribution, the ssh server config file can reside in different places so you will need to determine the location for yourself. However, the default seems to be that it would reside in /etc/ssh and would be called sshd_config.

Here are the basic steps:

  1. Running the SSH daemon on a different port.
  2. Denying root logins over SSH.
  3. Allowing only clients using protocol 2 to connect to the server.
  4. Permitting a limited number of authentication retries.
  5. Allowing only certain specified users to log in.

Change the port.  One of the simplest and most effective ways to cut down brute force attacks is to change the default port.  Change the port and 99% of attacks go away.  In sshd_config there will be a line like "Port 22"; it may be commented out, as port 22 is the default.  Uncomment that line if needed and change the port number to something else.

# Port 22
Port 2222

Disable root login.  You should never allow unfettered access to the root account over ssh.  This is done by setting "PermitRootLogin" to "no".

#PermitRootLogin yes
PermitRootLogin no

Disable insecure Protocol 1.  Disable Protocol 1 and only allow Protocol 2.

#Protocol 1,2
Protocol 2

Set MaxStartups.  The MaxStartups parameter limits the number of concurrent unauthenticated connections, so an attacker cannot run more than a certain number of parallel login attempts.

#MaxStartups 10
MaxStartups 3:50:10

The example above tells the ssh server to allow 3 unauthenticated connections at the same time (concurrently); once 3 are pending, new connection attempts are dropped at random, with a probability that starts at 50% and rises to 100% at the maximum of 10.

Set MaxAuthTries.  If your server becomes the target of a dictionary attack, the attacker will repeatedly try various usernames and passwords.  MaxAuthTries tells the daemon how many failed attempts to allow per connection before disconnecting.

#MaxAuthTries
MaxAuthTries 3

Only allow specific users to log in.  By default, all valid users on the system are allowed to log in.  A more secure policy is to explicitly specify the accounts which are allowed to log in.  You can do this by listing the user accounts after "AllowUsers":

AllowUsers joe john
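The five settings above, as an added shell example that is not part of the original post: helper functions that read the effective value of a directive, rewrite a directive idempotently (replacing a commented-out default such as "# Port 22" instead of appending a duplicate), apply the post's five values, and audit a file for anything still at its weak default. The function names, the constructed sample config, and the assumption that all global directives precede any "Match" block are mine; the maxstartups_drop_percent helper reproduces the linear refuse-probability ramp OpenSSH applies to a "start:rate:full" MaxStartups value, so you can see what "3:50:10" means at each load level.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the five sshd_config
# changes above. Assumes "Key value" syntax and that global directives come
# before any Match block (sshd applies the first value it reads for a key).

# get_sshd_option FILE KEY -> print the effective value of KEY (first
# uncommented occurrence before any Match block), or nothing if unset.
get_sshd_option() {
    awk -v key="$2" '
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }     # global section ends here
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(key)) {
                sub(/^[^ \t=]+[ \t=]+/, "", line); print line; exit
            }
        }' "$1"
}

# set_sshd_option FILE KEY VALUE -> rewrite FILE so the global section holds
# exactly one "KEY VALUE" line: the first existing line for KEY (commented out
# or not) is replaced, later duplicates are dropped, and a missing directive is
# inserted before the first Match block (or appended if there is none).
set_sshd_option() {
    file=$1
    tmp=$(mktemp) || return 1
    awk -v key="$2" -v value="$3" '
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ && !inmatch {
            if (!done) { print key " " value; done = 1 }
            inmatch = 1
        }
        !inmatch {
            line = $0; sub(/^[ \t]*#?[ \t]*/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next
            }
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's owner and mode
    status=$?
    rm -f "$tmp"
    return $status
}

# harden_sshd_config FILE USER... -> apply the five values used in the post.
# Protocol is kept for older daemons; current OpenSSH speaks only protocol 2
# and ignores the directive.
harden_sshd_config() {
    file=$1; shift
    set_sshd_option "$file" Port 2222 &&
    set_sshd_option "$file" PermitRootLogin no &&
    set_sshd_option "$file" Protocol 2 &&
    set_sshd_option "$file" MaxStartups 3:50:10 &&
    set_sshd_option "$file" MaxAuthTries 3 &&
    set_sshd_option "$file" AllowUsers "$*"
}

# maxstartups_drop_percent START RATE FULL PENDING -> chance (in percent) that
# sshd refuses a new unauthenticated connection while PENDING are already open,
# using the linear ramp sshd applies to "MaxStartups START:RATE:FULL".
maxstartups_drop_percent() {
    if [ "$4" -lt "$1" ]; then echo 0
    elif [ "$4" -ge "$3" ]; then echo 100
    else echo $(( $2 + (100 - $2) * ($4 - $1) / ($3 - $1) ))
    fi
}

# audit_sshd_config FILE -> report every directive still at a weak or unset
# value; returns 1 if anything was reported, 0 if the file passes.
audit_sshd_config() {
    bad=0
    for key in Port PermitRootLogin Protocol MaxStartups MaxAuthTries AllowUsers; do
        v=$(get_sshd_option "$1" "$key")
        case "$key:$v" in
            Port:|Port:22)            bad=$((bad + 1)); echo "Port: still the default 22" ;;
            PermitRootLogin:|PermitRootLogin:yes)
                                      bad=$((bad + 1)); echo "PermitRootLogin: root login allowed" ;;
            Protocol:|Protocol:*1*)   bad=$((bad + 1)); echo "Protocol: protocol 1 not explicitly disabled" ;;
            MaxStartups:|MaxStartups:10)
                                      bad=$((bad + 1)); echo "MaxStartups: unauthenticated connections not limited" ;;
            MaxAuthTries:*)           if [ -z "$v" ] || [ "$v" -gt 3 ]; then
                                          bad=$((bad + 1)); echo "MaxAuthTries: more than 3 attempts allowed"
                                      fi ;;
            AllowUsers:)              bad=$((bad + 1)); echo "AllowUsers: every account may log in" ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample resembling a stock sshd_config (not copied from any distribution).
SAMPLE_SSHD_CONFIG='#Port 22
#Protocol 1,2
#PermitRootLogin yes
#MaxAuthTries 6
#MaxStartups 10
Subsystem sftp /usr/libexec/sftp-server
Match User backup
    PasswordAuthentication no'

# Usage: sh harden_sshd.sh /etc/ssh/sshd_config joe john
# Afterwards run "sshd -t" and restart sshd while keeping a session open.
if [ "$#" -ge 2 ]; then
    harden_sshd_config "$@" && audit_sshd_config "$1"
fi
```

Run it against a copy of the config first, check the result with "sshd -t" before restarting the daemon, and keep your current session open until a fresh login on the new port succeeds; the audit function can also be run on its own against a file that was edited by hand.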


Wednesday, November 21, 2007

Red Hat WS 4 + Virtual PC 2007 = error (13)

Yesterday, I installed Vista Ultimate Business on a laptop, followed by Visual Studio 2008 and Virtual PC.  Next, I installed Red Hat WS.

However, when I booted the Red Hat WS 4 image, I received the following error: "An internal virtual machine error (13) has occurred.  The virtual machine will reset now."  Nice.


To resolve this error, first boot in single user mode:

  1. In GRUB menu select Red Hat Linux with the version of the kernel that you wish to boot and type e for edit. You will be presented with a list of items in the configuration file for the title you just selected.
  2. Select the line that starts with kernel and type e to edit the line.
  3. Go to the end of the line and type single as a separate word. Press enter to exit edit mode.
  4. Back at the GRUB screen, type b to boot into single user mode.

Next, edit /etc/X11/xorg.conf and set the Driver to "vesa".  Also, set the DefaultDepth from 24 to 16.  The emulated S3 hardware doesn't support a color depth of 24, and that is what causes error 13.


Friday, September 14, 2007

Installation of Xilinx ISE/EDK for Redhat 4.0

Prerequisites

You will need to build the USB drivers for the Xilinx Platform Cable USB device; hence, you must have the kernel headers/sources for your system available.

Note: Red Hat 4 does not come with a kernel sources rpm.  You can install the kernel headers with the kernel-devel-2.6.9-34.EL rpm.

Install ISE

Mount the CD and run the installer to install ISE.

# mount /dev/cdrom /mnt/cdrom
# cd /mnt/cdrom
# ./setup

Select /opt/xilinx for the destination directory.

If you are not working with Red Hat Enterprise 3.0 (kernel 2.4), deselect the Platform Cable USB Driver and Parallel Cable Drivers.

Install EDK

# mount /dev/cdrom /mnt/cdrom
# cd /mnt/cdrom
# ./setup

Select /opt/edk for the destination directory.

Apply ISE patch

# unzip 8_1_03i_lin.zip
# ./setup

Apply EDK patch

# unzip EDK_8_1_02i_lin.zip
# ./setup

Apply Final ISE patch

# cp ise_81i_ip_update1.zip /opt/Xilinx
# cd /opt/Xilinx
# unzip ise_81i_ip_update1.zip

Create Script/Setup Files

Next, we need to create a script or two.  Don’t forget to chmod +x these scripts.

start_ise.sh

Create a start_ise.sh script.  This script will initialize the variables and create a personal .xilinx directory for you.

#!/bin/bash
# start_ise.sh: load the ISE environment and launch ISE
XILINX_DIR=/opt/xilinx
XILINX_USER_DIR=~/.xilinx

# Create the per-user working directory on first run
if [ ! -d "${XILINX_USER_DIR}" ]; then
    mkdir "${XILINX_USER_DIR}"
fi
cd "${XILINX_USER_DIR}" || exit 1

# Load the ISE environment variables
. "${XILINX_DIR}/settings.sh"

"${XILINX_DIR}/bin/lin/ise"

start_edk.sh

Create a start_edk.sh script.  This script will initialize the variables for both ISE and EDK and create a personal .xilinx directory for you.

#!/bin/bash
# start_edk.sh: load the ISE and EDK environments and launch XPS
XILINX_DIR=/opt/xilinx
EDK_DIR=/opt/edk
XILINX_USER_DIR=~/.xilinx

# Create the per-user working directory on first run
if [ ! -d "${XILINX_USER_DIR}" ]; then
    mkdir "${XILINX_USER_DIR}"
fi
cd "${XILINX_USER_DIR}" || exit 1

# Load the ISE and EDK environment variables
. "${XILINX_DIR}/settings.sh"
. "${EDK_DIR}/setup.sh"

"${EDK_DIR}/bin/lin/xps"

setup.sh

Create a file in /opt/edk named setup.sh and place the following text in it:

# /opt/edk/setup.sh
export XILINX_EDK=/opt/edk
export LD_LIBRARY_PATH=${XILINX_EDK}/bin/lin:${LD_LIBRARY_PATH}
export PATH=${XILINX_EDK}/bin/lin:${XILINX_EDK}/gnu/microblaze/lin/bin:\
${XILINX_EDK}/gnu/powerpc-eabi/lin/bin:${PATH}


Install WinDriver and Xilinx driver

Download the WinDriver package from Xilinx:

ftp://ftp.xilinx.com/pub/utilities/M1_workstation/linuxdrivers.2.6.tar.gz

Fedora 6 Note:  You will have to create a /usr/src/linux link to your kernel source.  In my case it was:

# ln -s /usr/src/kernels/2.6.18-1.2798.fc6-i586 /usr/src/linux


Unpack the package and build WinDriver:

# tar zxvf linuxdrivers.2.6.tar.gz
# cd linuxdrivers.2.6
# cd windrvr
# ./configure
# make
# make install
# dmesg

If you see the following line, then you have installed the driver correctly:

[...]
WinDriver v7.00 Jungo (c) 1997 - 2005 Build Date: Apr 26 2005 X86 loaded

To load the driver:

# modprobe windrvr6

Next, build the xpc4drvr driver:

# cd ..
# cd xpc4drvr
# ./configure
# make
# make install

You will receive the following error:

Loading /lib/modules/2.6.16/kernel/drivers/misc/xpc4drvr.ko
ERROR: Module xpc4drvr does not exist in /proc/modules

Run depmod to refresh the module dependency list so that the newly installed module can be found:

# depmod

Register the drivers with the USB hotplug system

# cd path_to_ise_installation/bin/lin/
# touch /etc/hotplug/usb.usermap
# sh setup_pcusb

Troubleshooting

If you are having problems connecting and downloading, follow the next steps:

1. Login with root permission and open a terminal.
2. Verify that the "windrvr6" module is loaded and running:

cat /proc/modules

If it is installed, the "windrvr6" module will appear in the generated list. If the module is not loaded, refer to (Xilinx Answer 22648) for instructions on how to install and load the module.

3. Change the current directory to "<InstallDir>/bin/lin", where "<InstallDir>" is the location of the previously installed Xilinx design tools:

cd <InstallDir>/bin/lin

4. Download the "xusbdfwu.hex" firmware file from the following link to this directory:
ftp://ftp.xilinx.com/pub/utilities/fpga/xusbdfwu-1025.zip
5. Disconnect the USB cable from the PC.
6. Enter the following command to run the installation script:

source ./setup_pcusb

7. Reconnect the USB cable.

Finished

Reboot.  All of the software is installed and configured.

# ~/start_driver.sh
# ~/start_edk.sh

The Xilinx JTAG box should now have an amber light on (or green if the board is attached and powered).


Thursday, September 13, 2007

MontaVista Vision 2007 DevCon

MontaVista is the first and largest vendor of embedded Linux development tools.  They have created a devcon named "Vision 2007."  I decided to go and check it out.

Touted speakers and events include:
  • Andrew Morton, lead maintainer of the Linux kernel, on "The relationship between kernel.org development and the use of Linux for embedded applications"
  • Christopher Hallinan, author of Embedded Linux Primer, the number one-selling book on embedded Linux, on "Debugging embedded Linux: tools and strategies"
  • Jonathan Corbet, editor of LWN.net, on "The state of the kernel"
  • Dirk Hohndel, CTO of Intel's Open Source Technology Center, on "Developing in open source for embedded devices"
  • Joe Rigazio, Texas Instruments general manager of DSP catalog and EEE digital signal processors, on "Driving the future of digital video"
  • Open source licensing authority Jason Wacha on "Open Source licensing review"
  • Mobilinux expert Kevin Hilman on "Dynamic power management for mobile devices"
  • A dinner performance by technical comedian Don McMillan
  • A multiplayer interactive gaming tournament powered by six Sun Ultra 20 workstations
  • A display of the 250-horsepower Intel Chopper, built by Intel and Orange County Choppers to showcase Intel embedded technology. Features "a digital dashboard, GPS navigation, wireless connectivity, fingerprint recognition for security, and digital cameras that replace rear-view mirrors," MontaVista says
Details and registration forms can be found here.