Securities Software (Network Services) 1 CHAPTER 1
Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing 194

- Leave out ssh-agent1 compatibility.
- Install ssh-signer without suid bit.
- Disable port forwarding support.
- Disable X11 forwarding support.
- Enable TCP_NODELAY socket option.
- Compile in libwrap (tcp_wrappers) support.

[root@deep ssh-2.0.13]# make clean
[root@deep ssh-2.0.13]# make
[root@deep ssh-2.0.13]# make install
[root@deep ssh-2.0.13]# rm -f /usr/bin/ssh-askpass

The “make clean” command erases all previous traces of a compilation so as to avoid any mistakes, the “make” command compiles all source files into executable binaries, and finally the “make install” command installs the binaries and any supporting files into the appropriate locations.

Cleanup after work

[root@deep /]# cd /var/tmp
[root@deep tmp]# rm -rf ssh-version/ ssh-version.tar.gz

The “rm” command as used above will remove all the source files we have used to compile and install SSH2. It will also remove the SSH2 compressed archive from the “/var/tmp” directory.

Configurations

All software we describe in this book has a specific directory and subdirectory in a tar compressed archive named “floppy.tgz” containing the configuration files for specific programs. If you get this archive file, you won’t be obliged to reproduce the different configuration files below manually, or cut and paste them to create your configuration files. Whether you decide to copy manually or get the files made for your convenience from the compressed archive, it is your responsibility to modify and adjust them for your needs and to place the files related to the SSH2 software in their appropriate places on your server, as shown below.
The server configuration files archive to download is located at the following Internet address: http://www.openna.com/books/floppy.tgz

• To run the SSH2 Client/Server, the following files are required, and must be created or copied to the appropriate directories on your server.

Copy the sshd2_config file to the “/etc/ssh2/” directory.
Copy the ssh2_config file to the “/etc/ssh2/” directory.
Copy the ssh file to the “/etc/pam.d/” directory.

You can obtain the configuration files listed below from our floppy.tgz archive. Copy the following files from the decompressed floppy.tgz archive to the appropriate places, or copy them directly from this book into the file concerned.

Configure the “/etc/ssh2/ssh2_config” file

The configuration file for ssh2, “/etc/ssh2/ssh2_config”, allows you to set options that modify the operation of the client programs. The file contains keyword-value pairs, one per line, with keywords being case insensitive. Here are the more important keywords; a complete listing is available in the man page for ssh2 (1).

Edit the ssh2_config file (vi /etc/ssh2/ssh2_config) and add or change, if necessary:

# ssh2_config
# SSH 2.0 Client Configuration File
*:
    Port 22
    Ciphers blowfish
    Compression yes
    IdentityFile identification
    AuthorizationFile authorization
    RandomSeedFile random_seed
    VerboseMode no
    ForwardAgent no
    ForwardX11 no
    PasswordPrompt "%U's password: "
    Ssh1Compatibility no
    Ssh1AgentCompatibility none
    NoDelay yes
    KeepAlive yes
    QuietMode no

This tells the ssh2_config file to set itself up for this particular configuration with:

Port 22
The option “Port” specifies which port number ssh connects to on the remote host. The default port is 22.

Ciphers blowfish
The option “Ciphers” specifies what cipher should be used for encrypting sessions. Blowfish uses 64-bit blocks and keys of up to 448 bits.
Compression yes
The option “Compression” specifies whether to use compression during sessions. Compression will improve communication speed and file transfers.

IdentityFile identification
The option “IdentityFile” specifies an alternate name for the user's identification file.

AuthorizationFile authorization
The option “AuthorizationFile” specifies an alternate name for the user's authorization file.

RandomSeedFile random_seed
The option “RandomSeedFile” specifies an alternate name for the user's random seed file.

VerboseMode no
The option “VerboseMode” instructs ssh2 to print debugging messages about its progress. This option is helpful in debugging connection, authentication, and configuration problems.

ForwardAgent no
The option “ForwardAgent” specifies which connection authentication agent (if any) should be forwarded to the remote machine.

ForwardX11 no
The option “ForwardX11” is for people that use the X Window GUI and want to automatically redirect X11 sessions to the remote machine. Since we’ve set up a server and do not have a GUI installed on it, we can safely turn this option off.

PasswordPrompt "%U's password: "
The option “PasswordPrompt” specifies the password prompt that will be displayed for the user when connecting to a host. Variables '%U' and '%H' give the user's login name and host, respectively.

Ssh1Compatibility no
The option “Ssh1Compatibility” specifies whether or not to use SSH1 compatibility code with SSH2 for ssh1 users.

Ssh1AgentCompatibility none
The option “Ssh1AgentCompatibility” specifies whether or not to also forward SSH1 agent connections with SSH2 for ssh1 users.

NoDelay yes
The option “NoDelay” specifies if the socket option TCP_NODELAY should be enabled. It is recommended that you set this option to “yes” to improve network performance.
KeepAlive yes
The option “KeepAlive” specifies whether the system should send keep alive messages to the remote server. If set to “yes” then the death of the connection or a crash of the remote machine will be properly noticed.

QuietMode no
The option “QuietMode” specifies whether the system runs in quiet mode. This option must be set to “no” because in quiet mode nothing is logged in the system log except for fatal errors. Since we want to have information about user sessions, it is preferable to disable this option.

Configure the “/etc/ssh2/sshd2_config” file

The configuration file for sshd2, “/etc/ssh2/sshd2_config”, allows you to set options that modify the operation of the daemon. The file contains keyword-value pairs, one per line, with keywords being case insensitive. Here are the more important keywords; a complete listing is available in the man page for sshd2 (8).

Edit the sshd2_config file (vi /etc/ssh2/sshd2_config) and add or change, if necessary:

# sshd2_config
# SSH 2.0 Server Configuration File
*:
    Port 22
    ListenAddress 192.168.1.1
    Ciphers blowfish
    IdentityFile identification
    AuthorizationFile authorization
    HostKeyFile hostkey
    PublicHostKeyFile hostkey.pub
    RandomSeedFile random_seed
    ForwardAgent no
    ForwardX11 no
    PasswordGuesses 3
    MaxConnections 5
    PermitRootLogin no
    AllowedAuthentications publickey,password
    RequiredAuthentications publickey,password
    VerboseMode no
    PrintMotd yes
    CheckMail yes
    UserConfigDirectory "%D/.ssh2"
    SyslogFacility DAEMON
    Ssh1Compatibility no
    NoDelay yes
    KeepAlive yes
    UserKnownHosts yes
    AllowHosts 192.168.1.4
    DenyHosts *
    QuietMode no
# subsystem definitions
    subsystem-sftp sftp-server

This tells the sshd2_config file to set itself up for this particular configuration with:

Port 22
The option “Port” specifies which port number the ssh2 daemon listens on for incoming ssh connections.
The default port is 22.

ListenAddress 192.168.1.1
The option “ListenAddress” specifies the IP address of the network interface on which the ssh2 daemon server socket is bound. The default is “0.0.0.0” (all interfaces); to improve security you may specify only the required addresses, limiting where the daemon accepts connections.

Ciphers blowfish
The option “Ciphers” specifies what cipher should be used for encrypting sessions. Blowfish uses 64-bit blocks and keys of up to 448 bits.

IdentityFile identification
The option “IdentityFile” specifies an alternate name for the user's identification file.

AuthorizationFile authorization
The option “AuthorizationFile” specifies an alternate name for the user's authorization file.

HostKeyFile hostkey
The option “HostKeyFile” specifies an alternate file containing the private host key. The default is “/etc/ssh2/hostkey”.

PublicHostKeyFile hostkey.pub
The option “PublicHostKeyFile” specifies an alternate file containing the public host key. The default is “/etc/ssh2/hostkey.pub”.

RandomSeedFile random_seed
The option “RandomSeedFile” specifies an alternate name for the user's random seed file.

ForwardAgent no
The option “ForwardAgent” specifies which connection authentication agent (if any) should be forwarded to the remote machine.

ForwardX11 no
The option “ForwardX11” is for people that use the X Window GUI and want to automatically redirect X11 sessions to the remote machine. Since we set up a server and don’t have a GUI installed on it, we can safely turn this option off.

PasswordGuesses 3
The option “PasswordGuesses” specifies how many tries the user has when using password authentication.

MaxConnections 5
The option “MaxConnections” specifies the maximum number of connections that the ssh2 daemon will handle simultaneously.
PermitRootLogin no
The option “PermitRootLogin” specifies whether root can log in using ssh. Never say “yes” to this option.

AllowedAuthentications publickey,password
The option “AllowedAuthentications” specifies which authentication methods are allowed to be used. With this option the administrator can force users to complete several authentications before they are considered authenticated.

RequiredAuthentications publickey,password
The option “RequiredAuthentications”, related to “AllowedAuthentications”, specifies which authentication methods the users must complete before continuing. This parameter must be the same as for the “AllowedAuthentications” option or the server will deny the connection every time.

VerboseMode no
The option “VerboseMode” instructs the ssh2 daemon to print debugging messages about its progress. This option is helpful in debugging connection, authentication, and configuration problems.

PrintMotd yes
The option “PrintMotd” specifies whether the ssh2 daemon should print the content of the “/etc/motd” file when a user logs in interactively. The “/etc/motd” file is also known as “the message of the day”.

CheckMail yes
The option “CheckMail” specifies whether the ssh2 daemon should print information about new mail you may have.

UserConfigDirectory "%D/.ssh2"
The option “UserConfigDirectory” specifies the default location for user-specific configuration data.

SyslogFacility DAEMON
The option “SyslogFacility” specifies the facility code used when logging messages from the ssh2 daemon. The facility specifies the subsystem that produced the message, in our case DAEMON.

Ssh1Compatibility no
The option “Ssh1Compatibility” specifies whether or not to use SSH1 compatibility code with SSH2 for ssh1 users.

NoDelay yes
The option “NoDelay” specifies if the socket option TCP_NODELAY should be enabled. It is recommended that you set this option to “yes” to improve network performance.
KeepAlive yes
The option “KeepAlive” specifies whether the system should send keep alive messages to the remote server. If set to “yes” then the death of the connection or a crash of the remote machine will be properly noticed.

UserKnownHosts yes
The option “UserKnownHosts” specifies whether the default user's home directory “$HOME/.ssh2/knownhosts/” can be used to get hosts' public keys when using "hostbased" authentication.

AllowHosts 192.168.1.4
The option “AllowHosts” specifies and controls which hosts can access ssh2 services. Multiple hosts can be specified separated by spaces.

DenyHosts *
The option “DenyHosts” specifies and controls which hosts cannot access ssh2 services. Multiple hosts can be specified separated by spaces. The default pattern “*” means all hosts.

QuietMode no
The option “QuietMode” specifies whether the system runs in quiet mode. This option must be set to “no”, because in quiet mode nothing is logged in the system log except for fatal errors. Since we want to have information about user sessions, it is preferable to disable this option.

Configure sshd2 to use the tcp-wrappers inetd super server

Tcp-wrappers should be enabled to start and stop the sshd2 server. Upon execution, inetd reads its configuration information from a configuration file which, by default, is “/etc/inetd.conf”. There must be an entry for each field of the configuration file, with entries for each field separated by a tab or a space.

Step 1
Edit the inetd.conf file (vi /etc/inetd.conf) and add the line:

ssh stream tcp nowait root /usr/sbin/tcpd sshd -i

NOTE: The “-i” parameter is important since it specifies that sshd is being run from inetd. Also, update your “inetd.conf” file by sending a SIGHUP signal (killall -HUP inetd) after adding the above line to the file.
• To update your “inetd.conf” file, use the following command:

[root@deep /]# killall -HUP inetd

Step 2
Edit the hosts.allow file (vi /etc/hosts.allow) and add the line:

sshd: 192.168.1.4 win.openna.com

Which means client “192.168.1.4” with host name “win.openna.com” is allowed to ssh to the server.

These "daemon" strings (for tcp-wrappers) are in use by sshd2:

sshd, sshd2 (the name sshd2 was called with, usually "sshd").
sshdfwd-X11 (if you want to allow/deny X11-forwarding).
sshdfwd-<port-number> (for tcp-forwarding).
sshdfwd-<port-name> (port-name defined in /etc/services; used in tcp-forwarding).

NOTE: If you do decide to switch to using ssh, make sure you install and use it on all your servers. Having ten secure servers and one insecure one is a waste of time.

Configuration of the “/etc/pam.d/ssh” file

For better security of your ssh2 server, you can configure it to use PAM authentication. To do that, you must create the “/etc/pam.d/ssh” file.
Create the ssh file (touch /etc/pam.d/ssh) and add or change, if necessary:

#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so use_authtok nullok md5 shadow
session    required     /lib/security/pam_pwdb.so

Further documentation

For more details, there are several man pages you can read:

$ man ssh-add2 (1)     - adds identities for the authentication agent
$ man ssh-agent2 (1)   - authentication agent
$ man ssh-keygen2 (1)  - authentication key pair generation
$ man ssh2 (1)         - secure shell client (remote login program)
$ man sshd2 (8)        - secure shell daemon

Ssh2 Per-User Configuration

Step 1
Create your private & public keys on local, by executing:

[root@deep /]# su admin
[admin@deep /]$ ssh-keygen2
Generating 1024-bit dsa key pair
   6 Oo oOo.oOo.
Key generated.
1024-bit dsa, admin@deep.openna.com, Sun Feb 13 2000 05:33:38 -0500
Passphrase :
Again :
Private key saved to /home/admin/.ssh2/id_dsa_1024_a
Public key saved to /home/admin/.ssh2/id_dsa_1024_a.pub

Step 2
Create an “identification” file in your “~/.ssh2” home directory on local:

[admin@deep]$ cd ~/.ssh2
[admin@deep .ssh2]$ echo "IdKey id_dsa_1024_a" > identification

NOTE: It’s optional to create an identification file on remote. The identification file contains the name of the private key that is to be used in authentication.

Step 3
Copy your public key of local (id_dsa_1024_a.pub) to the “~/.ssh2” home directory of remote under the name, say, “Local.pub”.

Step 4
Create an “authorization” file in your “~/.ssh2” home directory on remote:

[admin@remote .ssh2]$ touch authorization

NOTE: The “~/” means the user home directory.
Step 5
Add the following one line to the “authorization” file on the remote host:

[admin@remote .ssh2]$ vi authorization
key Local.pub

SSH2 Users Tools

The commands listed below are some that we use often in our regular use, but many more exist, and you should check the man page and documentation for more details.

ssh2
Ssh2 (Secure Shell) provides secure encrypted communications between two untrusted hosts over an insecure network. It is a program for logging securely into a remote machine and executing commands from there. It is a suitable replacement for insecure programs like telnet, rlogin, rcp, rdist, and rsh.

• To login to a remote machine, use the command:

[root@deep /]# ssh2 -l <login_name> <hostname>

For example:

[root@deep /]# ssh2 -l admin www.openna.com
Passphrase for key "/home/admin/.ssh2/id_dsa_1024_a" with comment "1024-bit dsa, admin@deep.openna.com, Tue Oct 19 1999 14:31:40 -0400":
admin's password:
Last login: Tue Oct 19 1999 18:13:00 -0400 from deep.openna.com
No mail.
[admin@www admin]$

Where <login_name> is the name you use to connect to the ssh2 remote server and <hostname> is the address of your ssh2 remote server.

sftp2
The sftp2 (Secure File Transfer) utility is an ftp-like client that provides file transfers over the network. You must already be connected with ssh2 before using the sftp2 utility.

• To ftp over ssh2, use the following command:

[admin@deep /]$ sftp2 <hostname>

For example:

[admin@deep /]$ sftp2 www.openna.com
local path : /home/admin
Passphrase for key "/home/admin/.ssh2/id_dsa_1024_a" with comment "1024-bit dsa, admin@deep.openna.com, Tue Oct 19 1999 14:31:40 -0400":
admin's password:
admin's password:
remote path : /home/admin
sftp>

Where <hostname> is the name of the remote server you want to sftp to.
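The sshd2_config settings explained above (PermitRootLogin, ForwardX11/ForwardAgent, Ssh1Compatibility, QuietMode, ListenAddress, PasswordGuesses, matching AllowedAuthentications/RequiredAuthentications, and DenyHosts * with an explicit AllowHosts) can be checked mechanically. The following Python script is an added example, not code from the book or from the SSH2 distribution: it parses the keyword-value format described in this chapter and reports every deviation from the recommended settings; the sample configuration is constructed inline with two settings deliberately weakened.

```python
"""Audit an sshd2_config (SSH 2.0.x daemon) against the hardening settings
explained in this chapter. Added example; not from the book or SSH2."""

# Constructed sample: the chapter's sshd2_config with PermitRootLogin and
# ListenAddress deliberately weakened so the audit has something to report.
SAMPLE_SSHD2_CONFIG = """\
# sshd2_config
# SSH 2.0 Server Configuration File
*:
    Port 22
    ListenAddress 0.0.0.0
    Ciphers blowfish
    ForwardAgent no
    ForwardX11 no
    PasswordGuesses 3
    PermitRootLogin yes
    AllowedAuthentications publickey,password
    RequiredAuthentications publickey,password
    Ssh1Compatibility no
    AllowHosts 192.168.1.4
    DenyHosts *
    QuietMode no
"""

def parse_sshd2_config(text):
    """Return {keyword_lower: value} for one keyword-value pair per line.
    Keywords are case insensitive (sshd2(8)); a line ending in ':' is a
    host-pattern section marker such as '*:'; comments and blank lines
    are skipped; a repeated keyword keeps its last value."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.endswith(":"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def audit_sshd2(opts):
    """Return a sorted list of findings; empty means the chapter's settings."""
    findings = []
    def want(key, expected):
        actual = opts.get(key, "<unset>")
        if actual.lower() != expected:
            findings.append(f"{key}: expected '{expected}', found '{actual}'")
    want("permitrootlogin", "no")
    want("forwardx11", "no")
    want("forwardagent", "no")
    want("ssh1compatibility", "no")
    want("quietmode", "no")  # quiet mode logs nothing but fatal errors
    # 0.0.0.0 (the daemon default) binds every interface; the chapter binds one.
    if opts.get("listenaddress", "0.0.0.0") == "0.0.0.0":
        findings.append("listenaddress: bound to all interfaces (0.0.0.0)")
    guesses = opts.get("passwordguesses")
    if guesses is None or not guesses.isdigit() or int(guesses) > 3:
        findings.append(f"passwordguesses: expected <= 3, found '{guesses}'")
    # Required must equal Allowed, or the daemon rejects every connection.
    allowed = set(opts.get("allowedauthentications", "").lower().split(","))
    required = set(opts.get("requiredauthentications", "").lower().split(","))
    if required != allowed:
        findings.append("requiredauthentications: differs from allowedauthentications")
    # Access control: deny everyone by default, allow an explicit host list.
    if opts.get("denyhosts") != "*" or not opts.get("allowhosts"):
        findings.append("denyhosts/allowhosts: expected 'DenyHosts *' plus explicit AllowHosts")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_sshd2(parse_sshd2_config(SAMPLE_SSHD2_CONFIG)):
        print("FINDING:", finding)
```

Run against the real file with `parse_sshd2_config(open("/etc/ssh2/sshd2_config").read())`; an empty list means the daemon is configured as this chapter recommends.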
Installed files

> /etc/pam.d/ssh
> /etc/ssh2
> /etc/ssh2/hostkey
> /etc/ssh2/hostkey.pub
> /etc/ssh2/sshd2_config
> /etc/ssh2/ssh2_config
> /root/.ssh2
> /root/.ssh2/random_seed
> /root/ssh2
> /usr/man/man1/ssh2.1
> /usr/man/man1/ssh-keygen2.1
> /usr/man/man1/ssh-add2.1
> /usr/man/man1/ssh-agent2.1
> /usr/man/man1/scp2.1
> /usr/man/man1/sftp2.1
> /usr/man/man1/ssh.1
> /usr/man/man1/ssh-add.1
> /usr/man/man1/ssh-agent.1
> /usr/man/man1/ssh-keygen.1
> /usr/man/man1/scp.1
> /usr/man/man1/sftp.1
> /usr/man/man8/sshd2.8
> /usr/man/man8/sshd.8
> /usr/bin/ssh2
> /usr/bin/scp2
> /usr/bin/sftp2
> /usr/bin/sftp-server2
> /usr/bin/ssh-agent2
> /usr/bin/ssh-keygen2
> /usr/bin/ssh-signer2
> /usr/bin/ssh-add2
> /usr/bin/ssh
> /usr/bin/ssh-agent
> /usr/bin/ssh-add
> /usr/bin/ssh-askpass
> /usr/bin/ssh-keygen
> /usr/bin/scp
> /usr/bin/sftp
> /usr/bin/sftp-server
> /usr/bin/ssh-signer
> /usr/sbin/sshd2
> /usr/sbin/sshd

Chapter 12 Securities Software (System Integrity)

In this Chapter

Linux Tripwire 2.2.1
Configurations
Securing Tripwire for Linux
Commands
Linux Tripwire ASR 1.3.1
Configurations
Securing Tripwire
Commands