Koozali.org: home of the SME Server

Possible security enhancement for securing SSH

Offline sektor

Possible security enhancement for securing SSH
« on: November 23, 2014, 01:05:35 AM »
Hey guys, I came across this on another forum and thought it might be a really good idea, possibly as a patch or part of a future release, and was wondering how easy it would be to implement on SME Server.  Please forgive me if I am not allowed to post links to other sites.

http://pbxinaflash.com/community/index.php?threads/secure-your-linux-desktop-and-ssh-login-using-two-factor-google-authenticator.15735/

Offline DanB35

Re: Possible security enhancement for securing SSH
« Reply #1 on: November 23, 2014, 01:31:41 AM »
Interesting idea in this application, and shouldn't be too hard to implement.  I'd think, though, that public key authentication for SSH would be better yet (and the post you link to suggests the same).  I guess if you couldn't guarantee that you'd always have access to a trusted device to ssh in, though...

Offline sektor

Re: Possible security enhancement for securing SSH
« Reply #2 on: November 23, 2014, 02:04:03 AM »
Well, it's not using public key; you can still have a password and just add the additional authentication option, where if you don't have access to the revolving password app or the predetermined keys you are not going to get in.  I have 2 factor set up for both my Facebook and Gmail accounts, and a lot of companies are implementing something similar for VPN access, but hey, any way to increase security, right?  I think I was going to try it on my SME 9 virtual machine that I play around with, and hey, it would be cool if it could be factored in for the web portal as well.

Offline DanB35

Re: Possible security enhancement for securing SSH
« Reply #3 on: November 23, 2014, 07:44:18 PM »
Certainly security is a good thing.  It looks like it's even possible to do public key auth with SSH or, if the public key isn't presented, require the authenticator token (see http://serverfault.com/questions/594938/public-key-or-password-google-authenticator-for-ssh-login).  I'm still not sure how likely it is to be in a situation where you won't have access to a trusted device for ssh (my iPhone has a free ssh client with public key authentication), but this would give you both options, and be more secure than passwords alone.  I tend to think of ssh public key authentication as more secure, but that doesn't seem to be universally accepted from what google search results are showing.

When I set up Joomla! a few weeks ago, it has an option for two-factor authentication, and I thought about suggesting to add it to the server-manager login at the time.  Keep in mind, though, that the server-manager is only accessible from the LAN.  SME Server generally assumes that the LAN can be trusted.

Offline sektor

Re: Possible security enhancement for securing SSH
« Reply #4 on: November 23, 2014, 08:42:03 PM »
Actually, mine I kind of have on the outside as well just in case, but I may even try to set up VPN with that 2 factor authentication as well.  I'll see how far I can take it; I'm not much of a developer but pretty good at figuring things out.  I just have to figure out what handles server manager authentication to see if it can be tweaked, and I'm sure for SSH a custom template can be created.

I know it's a no-no, but from work I can't use SSH tunneling on a non-standard port, and if I leave SSH on port 22 I pretty much get a knock on my door from all over the world, mainly the Middle East, but I have blocked a bunch of those IP ranges in iptables, and SSH also blocks them after a failed attempt.
« Last Edit: November 23, 2014, 08:52:45 PM by sektor »

Offline DanB35

Re: Possible security enhancement for securing SSH
« Reply #5 on: November 23, 2014, 09:45:19 PM »
I installed fail2ban (http://wiki.contribs.org/Fail2ban) a few weeks ago, and it's been pretty active in shutting down attacks against a number of sources, mostly ssh.  Since I disabled password logins on ssh the other day, though, the ssh blocks have virtually disappeared--I expect because they don't even get that far.

If you've exposed the server manager on your installation to the internet, you're definitely more vulnerable than a stock system.  Adding two-factor authentication would make that more secure, but using a VPN to access the server manager remotely would be more secure yet.

I don't know if it's possible to add two-factor auth to the built-in PPTP VPN.  You might consider instead using OpenVPN (http://wiki.contribs.org/OpenVPN_Bridge), which uses public key authentication (optionally with a username and password as well) and is much more secure.

Offline janet

Re: Possible security enhancement for securing SSH
« Reply #6 on: November 23, 2014, 09:47:36 PM »
sektor

Having password access enabled for SSH access to your server is a bad security model. You are asking to be hacked & probably in time you might get hacked.
Even using a non standard port (ie something other than 22) does not enhance security at all, it might stop many junior hackers who do not bother to try other ports, but serious hackers can easily scan for other open ports eg SSH on port 221 or whatever & start their attacks.

While multiple layers of authentication may be an answer, SME server does not have that, & changing templates may introduce other security holes.

At present the use of public/private keys to access SSH is very secure (with password access disabled), without the key it is impossible (in real world practical terms) to access SSH. Maybe with a Cray computer you might hack the key after a few years, but most people do not have that resource available to them or the time, energy & dedication to keep up such a sustained attack on a personal or small business server.

As DanB35 says, & I use it also, you can configure key access on most smartphones using good quality free or at cost SSH apps.
Once you have secure SSH access established you can then use the text based server manager if you really need access to that, or create an SSH tunnel to then allow web browser GUI server manager access via http://localhost/server-manager

If your work LAN access blocks some of those, then try tethering your smartphone via USB & use the 3G/4G Internet connection to access your home server.

Also re your comments about using VPN, well that is no longer secure. There was comment in these forums some months ago about that, & you can google for upstream advisories.
I think there is a suggestion to remove the current VPN from SME server & replace it with a secure version (refer one of the current contribs).

The only secure SSH connection method is public/private keys. There is a very good Howto (see link at top of forums) & it is fairly straightforward to implement. You can export the key to your smartphone app & carry the key with you on a USB memory stick, & even have the Putty exe on the USB, to use wherever you are in the world.

Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.
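
A way to check the "keys only, password access disabled" setup described in the replies above, as an added example that is not part of any post in this thread. It reads sshd_config text the way sshd does (the first value of a keyword wins) and flags settings that still allow password prompts; the function names, the assumed defaults and the sample config are constructed for illustration.

```python
import re

# Upstream OpenSSH defaults for unset keywords (assumption: a distribution
# build may differ; `sshd -T` prints what the running binary really uses).
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "challengeresponseauthentication": "yes", "usepam": "no"}
# Newer OpenSSH spells ChallengeResponseAuthentication this way; treated as an alias.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}

def effective_settings(config_text):
    """Global settings as sshd reads them: the first value of a keyword wins."""
    seen, has_match = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":           # per-user/host overrides start here
            has_match = True
            break
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)  # later duplicates are ignored, as in sshd
    return {**DEFAULTS, **seen}, has_match

def audit(config_text):
    """Return findings that contradict a keys-only SSH setup."""
    cfg, has_match = effective_settings(config_text)
    findings = []
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off: key logins will fail")
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is on: passwords can be guessed")
    if cfg["challengeresponseauthentication"] != "no" and cfg["usepam"] == "yes":
        findings.append("keyboard-interactive via PAM is on: it can still "
                        "prompt for the account password")
    if has_match:
        findings.append("Match block present: review its overrides by hand")
    return findings

# Constructed sample, not taken from any real server. The second
# PasswordAuthentication line is ignored because the first value already won.
SAMPLE = """\
Port 22
PasswordAuthentication no
UsePAM yes
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN", finding)
```

On the sample, password logins look disabled, yet the audit still reports the keyboard-interactive path, which is the route a PAM-based second factor would also use.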

Offline DanB35

Re: Possible security enhancement for securing SSH
« Reply #7 on: November 23, 2014, 10:12:56 PM »
Quote from janet: "Also re your comments about using VPN, well that is no longer secure."
The PPTP VPN protocol, which is what SME ships with, is not secure (see http://en.wikipedia.org/wiki/Point-to-Point_Tunneling_Protocol#Security for one review of security issues), and has been known to be insecure for at least a couple of years.  VPN technology in general is not insecure, though--it depends on the protocol and implementation in question.  The problem is that the secure VPN implementations like OpenVPN require some kind of public key infrastructure, which significantly complicates the configuration.  Either you need to learn openssl from the command line to some degree of proficiency, or you need to install some sort of web or GUI PKI manager.

There's always tension between security and convenience.  PPTP is convenient, in that it requires only a username and password.  The implementation of OpenVPN currently available for SME is much less convenient, but much more secure.  I think it could be better, but it would take some coding to integrate PHPki and the OpenVPN server-manager panel.

Offline ReetP

Re: Possible security enhancement for securing SSH
« Reply #8 on: November 23, 2014, 11:21:08 PM »
PPTP - Hence a couple of bugs open on this already :

http://bugs.contribs.org/show_bug.cgi?id=8677
http://bugs.contribs.org/show_bug.cgi?id=8667

Always good to have a look in the bug tracker as that is where new things tend to appear. Yes we are looking seriously at a PPTP replacement - however, we do appreciate that pure certificate based methods aren't always satisfactory for some so are considering alternatives.

Add yourselves to the bugs to see progress.

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline sektor

Re: Possible security enhancement for securing SSH
« Reply #9 on: November 24, 2014, 01:22:42 AM »
Actually, there is a web-based PKI manager for SME Server that is local LAN only; I just haven't had time to play with it. I agree with your findings, and if my server does eventually get hacked it's only a home-based server, but now that I am on short-term disability due to back surgery I do have some more time on my hands. I will look into your suggestions.  In regards to messing with templates, I was only going to do it on a test environment just to see how it would work out, and maybe it can eventually be submitted as a possible future security enhancement. In actuality, I was thinking about locking down server manager to only a couple of IP subnets that I normally access it from; I just have to figure those out. My server is merely for me to toy around with, and obviously I wouldn't open any holes in a major production server.  Thank you for your input and suggestions, though.

guest22

Re: Possible security enhancement for securing SSH
« Reply #10 on: November 24, 2014, 09:15:51 AM »
Google Authenticator, is that talking with any Google service in any way?

If so, NO GO area. US Patriot Act is in effect. Massive security risk by itself.

guest
 

Offline sektor

Re: Possible security enhancement for securing SSH
« Reply #11 on: November 24, 2014, 10:29:13 AM »
Interesting; that I will have to do more research on, but thank you for your input.  Like I said, it was just something I encountered out there, is all.

Offline ReetP

Re: Possible security enhancement for securing SSH
« Reply #12 on: November 24, 2014, 11:09:41 AM »
Not sure some would like this due to privacy concerns amongst other things.

Personally I would never run it.

However, there is nothing to stop you building a contrib for those who may be interested.

B. Rgds
John

guest22

Re: Possible security enhancement for securing SSH
« Reply #13 on: November 24, 2014, 11:25:44 AM »
Quote from ReetP:
"Not sure some would like this due to privacy concerns amongst other things.

Personally I would never run it.

However, there is nothing to stop you building a contrib for those who may be interested.

B. Rgds
John"


I agree, it's a free world. But next to privacy concerns, corporate policies (the company you work for) may prevent the usage of external "gateways".


I would never use it.

Offline Stefano

Re: Possible security enhancement for securing SSH
« Reply #14 on: November 24, 2014, 11:34:48 AM »
IMVHO, SSH with keys is secure enough.

We should really work to replace PPTP VPN with OpenVPN as the default VPN in SME.