Live Free or PI Hard SSH SECURITY Cohner Marker, Spencer Johnson, Daryl Andes Image: http://fosswire.com/post/2008/01/bullet-proof-your-server-2-ssh/

Upload: noel-terry

Post on 05-Jan-2016


TRANSCRIPT

Page 1:

Live Free or PI Hard

SSH SECURITY

Cohner Marker, Spencer Johnson, Daryl Andes

Image: http://fosswire.com/post/2008/01/bullet-proof-your-server-2-ssh/

Page 2:

Demonstration

Page 3:

Public-Key Encryption

Image: Lecture: “introcrypt”, Computer Security Week03

Page 4:

Key Length & Unicity

Entropy

• Maintains disorder, confusion

Unicity Distance

• “Ratio of the number of bits required to express the key divided by the redundancy of English in bits per character.”

• Natural Redundancy of the English Language = 6.8

“password” vs “P@sS\/\/0rD”

Page 5:

Why does it matter?

Image: http://www.webstepbook.com/

Man-In-The-Middle

Image: http://boomer-musings.blogspot.com/

Brute-Force

Page 6:

Rivest-Shamir-Adleman Key Generation

Image: http://www.people.vcu.edu/

1. Choose 2 distinct prime numbers: p and q.
2. Set modulus n equal to p * q. (The bit length of n is the key length.)
3. Compute φ(n) = φ(p)φ(q) = (p − 1)(q − 1) = n − (p + q − 1), where φ is Euler's totient function.
4. Choose an integer e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1; i.e., e and φ(n) are coprime.
5. Determine d as d ≡ e⁻¹ (mod φ(n)); i.e., d is the multiplicative inverse of e (modulo φ(n)).

1. Public key: (n, e).
2. Private key: d. A ciphertext c is decrypted as m = c^d mod n.

** REFER to RFC 4432 **

Page 7:

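RSA Key Creation

mkdir ~/.ssh
chmod 700 ~/.ssh
# generate a 4096-bit RSA key pair
ssh-keygen -t rsa -b 4096
# alternative: RSA key pair with the default key size
ssh-keygen -t rsa
# install the public key on the server
ssh-copy-id <username>@<host>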

Source: http://phpseclib.sourceforge.net/rsa/examples.html

Page 8:

Securing SSH

Directories that need to be known

*/etc/ssh/

*/var/log/

The Files in these directories

*sshd_config (Where we make our changes)

*auth.log

Page 9:

Importance of auth.log

*It is extremely helpful to see anyone or anything that is trying to authenticate to your server.

*It will record Hydra's failed attempts

Page 10:

Deny Root Over SSH

Page 11:

Allow or Deny Users

Page 12:

Port Number

Page 13:

Permit Empty Passwords No

Page 14:

Python Log Analyzers

Who needs Perl?

*Just kidding, we don’t want to fail

*Scripting Languages are great for analyzing log files to email, block, or set firewall rules for certain IPs or attacks
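
An added example (not from the original slides) of the kind of Python auth.log analyzer described above: it counts failed SSH password attempts per source IP and reports addresses at or over a threshold. The log lines, the threshold and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH auth.log format (not from the talk).
SAMPLE_LOG = """\
Jan  5 10:01:12 pi sshd[2201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan  5 10:01:14 pi sshd[2201]: Failed password for root from 203.0.113.7 port 40112 ssh2
Jan  5 10:01:15 pi sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 40120 ssh2
Jan  5 10:02:40 pi sshd[2210]: Failed password for pi from 198.51.100.23 port 51544 ssh2
Jan  5 10:02:49 pi sshd[2210]: Accepted password for pi from 198.51.100.23 port 51544 ssh2
Jan  5 10:03:03 pi sshd[2215]: Failed password for invalid user x from 192.0.2.1 port 22 from 203.0.113.7 port 40131 ssh2
Jan  5 10:05:00 pi CRON[2300]: pam_unix(cron:session): session opened for user root
"""

# The user name is supplied by the client and may contain spaces, so it can
# imitate a "from <ip> port <n>" field. The greedy user group plus the "$"
# anchor make the regex take the LAST "from ... port ..." pair, which is the
# one sshd itself wrote.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def failed_logins(lines):
    """Yield (ip, user) for every failed SSH password attempt."""
    for line in lines:
        m = FAILED.search(line.rstrip())
        if m:
            yield m.group("ip"), m.group("user")

def offenders(lines, threshold=3):
    """Return {ip: (attempts, sorted users tried)} for IPs at or over threshold."""
    counts, users = Counter(), {}
    for ip, user in failed_logins(lines):
        counts[ip] += 1
        users.setdefault(ip, set()).add(user)
    return {ip: (n, sorted(users[ip])) for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, (n, tried) in offenders(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} failed logins, users tried: {', '.join(tried)}")
```

The returned addresses are what a script would then email about or hand to a firewall rule, which is the same loop Fail2Ban automates.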

Page 15:

Fail2Ban

*Same concept as Script Log Analyzers

*Easy to install program

http://www.fail2ban.org/wiki/index.php/Main_Page

Page 16:

What To Take Away

*Hydra is cool, but is available to everyone

*You must think like a hacker in order to protect your system. What ways could I get in?

*Make sure your encryption and passwords contain entropy and use RSA keys

*MAKE SURE YOU DENY ROOT SSH ACCESS!