Assignment2 1
Assignment 2: Secure Remote Administration and Firewalls (p. 3)
Part I (p. 3)
Objective: To study the concepts of remotely administering a server using ssh (p. 3)
Public-key authentication should be used for the root user (p. 9)
Part II - Objective: To study the concepts of ssh port forwarding (p. 12)
Part III - Objective: Firewall using IPTABLES (p. 17)
References (p. 21)
CN8822
Assignment #2
3
Assignment 2 Secure Remote administration and firewalls
Part I
Objective: To study the concepts of remotely administering a server using ssh.
1) You are to secure a Linux server by restricting remote root access by running a separate sshd daemon.
Make the necessary changes so that the newly configured sshd daemon complies with the following restrictions:
1. The daemon must start on all run levels, i.e. 2345.
2. root should have remote access to this server using the new sshd daemon and no other.
3. All other users should access the server using the existing sshd daemon; again, root should not be able to
access this sshd daemon.
4. Public-key authentication should be used for the root user.
5. Feel free to add any configuration directives to further secure the ssh daemon.
Explanation:
One SSH daemon runs by default and provides the ssh service on the default port 22. To run a
separate SSH daemon we need a separate run-level (init) script and configuration file, and to isolate the two
daemons so that they work independently we copied the binary under a different name.
This was achieved by the following steps.
1) Copy the sshd binary under the new name sshd_root with the -p option to retain the same permissions.
2) Copy the sshd_config file under a new name and make the necessary changes: separate host keys for
the root daemon and the normal-user daemon, a separate PID file, a separate port and separate login
rules. These rules are highlighted in the file.
The new daemon also has a separate PID file.
Here are the changes made in the sshd_root config file; we have highlighted them.
3) Have separate init scripts for the sshd daemon and the sshd_root daemon; we have highlighted the
changes in both files.
In the ssh init script we pointed to the correct config file.
We also changed the PID file name to the new PID file in all the corresponding functions.
Similar changes were made in the ssh_root init script and we have highlighted them; the most
important change was to point to the new binary sshd_root in the /usr/bin directory.
The next change was to point to the right config file.
The 3rd change was to have a separate PID file, as shown.
After all these changes we were able to register ssh_root as a separate daemon at the specified
runlevels, 2345, using the Debian service registration tool.
We can verify this by checking the symbolic links in the rc startup directories.
After all these changes we were able to start and stop the two daemons separately and verified the
login rules.
Here is the screen print of the separate PID files.
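The following script is an added example and not the report's own files: it generates the two sshd configurations described above (the existing daemon on port 22 with root denied, and sshd_root on port 2501 for root only, keys only) and carries out the copy, init-script and registration steps in the order the report describes. Port 2501 and the name sshd_root come from the report; the host-key path, the /usr/sbin binary path (the report placed sshd_root under /usr/bin), the MaxAuthTries and LoginGraceTime values and the init-script edits are assumptions.

```bash
#!/bin/sh
# Added example, not the report's own files: generates the two sshd
# configurations of Part I and installs the second daemon. Port 2501 and the
# name sshd_root come from the report; host-key path, /usr/sbin binary path
# and the init-script edits are assumptions.
set -eu

ROOT_PORT=2501
SSHD_BIN=${SSHD_BIN:-/usr/sbin/sshd}
ROOT_BIN=${ROOT_BIN:-/usr/sbin/sshd_root}
ROOT_CFG=/etc/ssh/sshd_root_config
ROOT_HOSTKEY=/etc/ssh/ssh_host_rsa_key_root      # separate host key for the root daemon

# Configuration of the root-only daemon. sshd honours the first occurrence of
# a keyword, so every directive appears exactly once.
sshd_root_config() {
    cat <<EOF
Port $ROOT_PORT
PidFile /var/run/sshd_root.pid
HostKey $ROOT_HOSTKEY
AllowUsers root
PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

# Directives appended to the stock sshd_config so the public daemon never
# accepts root. DenyUsers is honoured even if an earlier "PermitRootLogin yes"
# shipped by the distribution is left in place.
sshd_public_overrides() {
    cat <<EOF
# Assignment 2: root logs in only through sshd_root on port $ROOT_PORT
DenyUsers root
PermitRootLogin no
EOF
}

# True when config file $1 sets keyword $2 exactly once, with value $3.
directive_is() {
    [ "$(grep -ci "^$2[[:space:]]" "$1")" -eq 1 ] &&
        grep -qi "^$2[[:space:]]\{1,\}$3\$" "$1"
}

# Steps 1-3 of the report, run as root on the server; only executed when the
# script is invoked with "install".
install_sshd_root() {
    cp -p "$SSHD_BIN" "$ROOT_BIN"                      # step 1: own binary, same mode and owner
    [ -f "$ROOT_HOSTKEY" ] || ssh-keygen -q -N '' -t rsa -b 4096 -f "$ROOT_HOSTKEY"
    sshd_root_config > "$ROOT_CFG"                     # step 2: own config file
    sshd_public_overrides >> /etc/ssh/sshd_config
    "$ROOT_BIN" -t -f "$ROOT_CFG"                      # syntax-check both before going live
    "$SSHD_BIN" -t
    cp /etc/init.d/ssh /etc/init.d/sshd_root           # step 3: own init script (Debian layout assumed)
    # The three edits mirror the report: binary, PID file, config file. Check the
    # result against the start-stop-daemon line of your own script.
    sed -i -e "s#/usr/sbin/sshd#$ROOT_BIN#g" \
           -e 's#/var/run/sshd.pid#/var/run/sshd_root.pid#g' \
           -e "s#^SSHD_OPTS=.*#SSHD_OPTS='-f $ROOT_CFG'#" /etc/init.d/sshd_root
    update-rc.d sshd_root defaults                     # creates the rc2-rc5 symlinks the report checks
    service ssh restart
    service sshd_root start
}

# What to look at afterwards: two listeners and two PID files.
show_state() {
    ss -ltnp | grep -E ":(22|$ROOT_PORT) "
    ls -l /var/run/sshd.pid /var/run/sshd_root.pid
}

if [ "${1:-}" = install ]; then install_sshd_root; fi
```

Run it as `sh setup_sshd_root.sh install` on the server; without the argument it only defines the functions, so the configuration text can be inspected (or checked with directive_is) before anything is touched. The `-t` syntax checks matter because a typo in sshd_root_config would leave root with no working login at all once the public daemon denies it.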
We restarted the server and the two daemons started independently.
We tried to log in as root on port 22 and it failed,
whereas a normal user login was successful.
Similarly, root login was successful on port 2501 and a normal user login failed on this port.
Login as root was successful using port 2501, as shown.
From this we were able to confirm that our two ssh daemons are working as expected in our
assignment.
Public-key authentication should be used for the root user
For public-key authentication we used two machines, 192.168.56.101 as Server A
and 192.168.56.102 as Server B, and we were able to log in with a password.
Here are the steps we followed.
1) Create a key for the root user.
2) Copy the key to 192.168.56.102 using ssh-copy-id, which copied the key into the authorized_keys file, and
log in to 192.168.56.102; the login was successful without prompting for a password.
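The script below is an added example and not the report's own commands. It performs the two steps above (create a key, copy it to Server B with ssh-copy-id) aimed at the root-only daemon, and adds the permission check that sshd's StrictModes performs before it will use an authorized_keys file, since a group- or world-writable ~/.ssh is the usual reason a freshly copied key is ignored and the login falls back to a password. 192.168.56.102 and port 2501 come from the report; the key type, file names and key comment are assumptions.

```bash
#!/bin/sh
# Added example, not the report's own commands: key setup for the root-only
# daemon plus the StrictModes-style permission check. 192.168.56.102 and
# port 2501 come from the report; key type, paths and comment are assumptions.
set -eu

SERVER_B=192.168.56.102
ROOT_PORT=2501
KEY=${KEY:-${HOME:-/root}/.ssh/id_ed25519_root}    # assumed private-key path on Server A

# Step 1: create the key pair; ssh-keygen prompts for a passphrase.
make_key() {
    ssh-keygen -t ed25519 -a 64 -C "root@serverA" -f "$KEY"
}

# Step 2: install the public key on Server B. The public daemon on port 22
# denies root, so the copy has to go through the root daemon's port.
copy_key() {
    ssh-copy-id -i "$KEY.pub" -p "$ROOT_PORT" "root@$SERVER_B"
}

# Prove that the key is what authenticated: refuse any password fallback so a
# broken key setup fails instead of quietly prompting for a password.
test_login() {
    ssh -p "$ROOT_PORT" -i "$KEY" -o BatchMode=yes -o PasswordAuthentication=no \
        "root@$SERVER_B" 'id -un'
}

# Return 0 when directory $1 and $1/authorized_keys both exist and neither is
# group- or world-writable (what StrictModes requires), otherwise 1. Modes are
# read with stat -c %a (GNU coreutils and busybox).
check_ssh_perms() {
    for p in "$1" "$1/authorized_keys"; do
        [ -e "$p" ] || return 1
        mode=$(stat -c %a "$p")
        [ $(( 0$mode & 022 )) -eq 0 ] || return 1   # 022 = group-write | other-write
    done
    return 0
}

case "${1:-}" in
    keygen) make_key ;;
    copy)   copy_key ;;
    login)  test_login ;;
    check)  check_ssh_perms "${2:-${HOME:-/root}/.ssh}" && echo "permissions ok" ;;
esac
```

Usage on Server A: `sh rootkey.sh keygen`, then `sh rootkey.sh copy`, then `sh rootkey.sh login`; on Server B, `sh rootkey.sh check /root/.ssh` reports whether sshd will accept the file at all. The BatchMode and PasswordAuthentication=no options in test_login are what turn "login worked without a prompt" into a verified statement rather than an observation.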
Part II - Objective: To study the concepts of ssh port forwarding.
SSH tunnels can be created in several ways using different kinds of port forwarding
mechanisms. Ports can be forwarded in three ways:
1) Local port forwarding
2) Remote port forwarding
3) Dynamic port forwarding
Port forwarding, or port mapping, is the name given to the combined technique of
1) translating the address and/or port number of a packet to a new destination,
2) possibly accepting such packet(s) in a packet filter (firewall), and
3) forwarding the packet according to the routing table.
To illustrate port forwarding we have used local port forwarding.
We have two servers, A (192.168.56.101) and B (192.168.56.102), both running Apache.
One machine has the default Apache test page, which we will treat as the client, and the second machine has
our custom page, as shown below.
This machine we will treat as the server, with IP 192.168.56.101; the client's IP is
192.168.56.102 and its Apache page is shown in the screen print.
We will use local port forwarding on the client to display the server's Apache page.
To achieve this we will use SSH local forwarding.
The SSH local forwarding syntax is
ssh -L <local-port-to-listen>:<remote-host>:<remote-port> <gateway>
In our case we decided to use local port 4500 to listen for the remote server's port 80, using the remote
server itself as the gateway:
ssh -L 4500:192.168.56.101:80 <user>@192.168.56.101
Once we are logged in to server 192.168.56.101, port 80 traffic of that box is reachable on
192.168.56.102, port 4500.
We can confirm this with netstat.
On 192.168.56.102, port 4500 is open on localhost only, so we access it from that box itself.
This confirms our configuration of local port forwarding.
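The script below is an added example and not part of the report. It builds the local forward used above (local port 4500 on the client to 192.168.56.101:80, with that server as the gateway) with options that make a failed tunnel obvious, and it reads netstat output to confirm what the report's netstat screen print shows: that the forwarded port is bound to localhost and not exposed to other hosts. The login name and the netstat lines are constructed for the example.

```bash
#!/bin/sh
# Added example, not from the report: builds the Part II local forward and
# checks from netstat output that the listener is bound to localhost only.
# Login name and netstat sample are constructed.
set -eu

SERVER_A=192.168.56.101
LOCAL_PORT=4500
GATEWAY_USER=${GATEWAY_USER:-user}     # assumed; not legible in the report

# Build the ssh command. Binding the local end to 127.0.0.1 explicitly keeps
# the forwarded port off other interfaces, -N opens no remote shell, and
# ExitOnForwardFailure makes ssh exit rather than log in silently without
# the tunnel when the local port is already taken.
forward_cmd() {   # $1 local port, $2 target host, $3 target port, $4 user@gateway
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' "$1" "$2" "$3" "$4"
}

# Given "netstat -tln" lines on stdin, print the address the LISTEN socket on
# port $1 is bound to (127.0.0.1, 0.0.0.0, :: ...) or nothing if there is none.
listen_addr() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")                       # Local Address is addr:port
            if (a[n] == port)
                print substr($4, 1, length($4) - length(a[n]) - 1)
        }'
}

# Constructed netstat -tln output from the client after the tunnel is up.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:4500          0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
EOF
}

# Return 0 when port $1 in the netstat output on stdin is reachable from this
# host only.
tunnel_is_local() {
    [ "$(listen_addr "$1")" = 127.0.0.1 ]
}

# Interactive use: start the tunnel in the background, fetch the server's
# page through it, then confirm the listener's scope from the live netstat.
if [ "${1:-}" = run ]; then
    cmd=$(forward_cmd "$LOCAL_PORT" "$SERVER_A" 80 "$GATEWAY_USER@$SERVER_A")
    $cmd -f
    curl -s "http://127.0.0.1:$LOCAL_PORT/" | head -n 5
    netstat -tln | tunnel_is_local "$LOCAL_PORT" && echo "port $LOCAL_PORT is local only"
fi
```

Run as `sh tunnel.sh run` on the client (192.168.56.102). The netstat check is the part worth keeping: if the Local Address column ever shows 0.0.0.0:4500 instead of 127.0.0.1:4500, every host that can reach the client can reach the server's web page through the tunnel, which is usually not what the tunnel was built for.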
Part III -Objective: Firewall using IPTABLES
Firewall implementation using iptables. You are to set up the
appropriate iptables rules to accomplish the following:
1. Using the same VM running the newly configured sshd daemon from Part I, set up a default-deny
policy to drop all inbound traffic.
2. Only allow inbound traffic to both sshd ports: port 22 for public access and the privileged port for
root access. Note: the privileged port is the one you chose in Part I when the new daemon was
configured.
3. Only allow a trusted network or net-block to access the privileged sshd port.
4. Log all other dropped packets.
Explanations
Firewalls are used to block unauthorized access to a network. All Linux flavours provide a basic
firewall in the kernel, iptables, which can be used to provide simple IPv4 and IPv6 packet
filtering and Network Address Translation.
iptables provides three sets of rules, known as chains: the INPUT chain, the FORWARD chain and
the OUTPUT chain.
The diagram below shows high-level IP packet filtering in iptables.
Our assignment requirement is to implement basic iptables rules on the INPUT chain.
We implemented the rules with the following commands.
[Diagram: iptables packet flow. Network -> mangle PREROUTING -> nat PREROUTING -> route -> filter INPUT -> local process -> mangle OUTPUT -> filter OUTPUT -> nat POSTROUTING -> Network; packets routed through the host go route -> filter FORWARD -> nat POSTROUTING -> Network.]
Since iptables rules are evaluated sequentially, we have to be careful to have the DROP rule at the end of
the rules.
We can verify our rules with the following command.
We checked the active ports on the server.
We used tcpdump to see the traffic on these ports.
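The script below is an added example and not the report's own rule set. It emits INPUT-chain rules that meet the four requirements of Part III (default deny, port 22 open to everyone, the privileged port 2501 open only to a trusted net-block, everything else logged and then dropped) and checks the ordering the report warns about, since a rule appended after the catch-all DROP never matches. Port 2501 comes from the report; the trusted net-block, the log prefix and the iptables-persistent path are assumptions.

```bash
#!/bin/sh
# Added example, not the report's rule set: INPUT-chain rules for Part III
# with an ordering check. Port 2501 comes from the report; trusted net-block,
# log prefix and persistence path are assumptions.
set -eu

PUBLIC_PORT=22
ROOT_PORT=2501
TRUSTED_NET=${TRUSTED_NET:-192.168.56.0/24}    # assumed; use your own admin net-block

# The rules in the order they must be applied. iptables walks the chain top
# down and the first match wins, so the LOG and catch-all DROP come last. The
# chain policy is DROP as well, so the box stays closed if a rule is missing.
# ESTABLISHED,RELATED must precede the port rules or replies to the server's
# own outbound connections are dropped. LOG is rate-limited so a flood cannot
# fill the disk with kernel log lines.
firewall_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p tcp --dport $PUBLIC_PORT -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport $ROOT_PORT -s $TRUSTED_NET -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-DROP: " --log-level 4
iptables -A INPUT -j DROP
EOF
}

# Return 0 when the LOG rule precedes the catch-all DROP and that DROP is the
# last rule appended; anything placed after it would never match.
rules_ordered() {
    rules=$(firewall_rules)
    log_no=$(printf '%s\n' "$rules" | grep -n -- '-j LOG' | cut -d: -f1)
    drop_no=$(printf '%s\n' "$rules" | grep -n -- '-A INPUT -j DROP$' | cut -d: -f1)
    total=$(printf '%s\n' "$rules" | grep -c '')
    [ -n "$log_no" ] && [ -n "$drop_no" ] &&
        [ "$log_no" -lt "$drop_no" ] && [ "$drop_no" -eq "$total" ]
}

# Return 0 when the privileged port is reachable only from TRUSTED_NET while
# the public port carries no source restriction.
ports_scoped() {
    firewall_rules | grep -- "--dport $ROOT_PORT " | grep -q -- "-s $TRUSTED_NET " &&
    ! firewall_rules | grep -- "--dport $PUBLIC_PORT " | grep -q -- ' -s '
}

# Apply on the VM as root, then persist (iptables-persistent path assumed).
# IPv6 is untouched here: ip6tables needs the same treatment or v6 traffic
# bypasses the whole policy.
apply_rules() {
    rules_ordered && ports_scoped
    firewall_rules | sh -e
    iptables-save > /etc/iptables/rules.v4
}

# What the report checks afterwards: the live chain with hit counters, the
# listening ports, traffic on both ssh ports and the logged drops.
verify_cmds() {
    cat <<EOF
iptables -L INPUT -v -n --line-numbers
ss -ltn
tcpdump -ni eth0 'tcp port $PUBLIC_PORT or tcp port $ROOT_PORT'
grep 'IPT-DROP:' /var/log/kern.log | tail
EOF
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  firewall_rules; verify_cmds ;;
esac
```

`sh firewall.sh show` prints the rules and the verification commands without touching the kernel; `sh firewall.sh apply` runs the two checks first and refuses to apply a rule set in which the DROP is not last or the privileged port is open to the world. The hit counters from `iptables -L INPUT -v -n` are the quickest way to see which rule a dropped packet actually reached.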
References
http://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/
Class notes
www.uniforum.chi.il.us/slides/iptables_talk2/iptables_talk2.ppt
http://ubuntuforums.org/showthread.php?t=1497376
http://fixunix.com/ssh/364505-running-multiple-sshd-instances-one-server.html