Monday, December 9, 2013

SSH without Password and Rsync config with SSH and without SSH (Daemon Mode)

SSH Advanced Security Tuning:
----------------------------

1. Root Login tuning (in /etc/ssh/sshd_config, then reload sshd):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PermitRootLogin no
or:
PermitRootLogin forced-commands-only
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
With "no", root can never log in over SSH (use a normal account plus sudo). With "forced-commands-only", root can log in only with a key, and only if that key carries a command= option in authorized_keys; that is the right setting for unattended jobs such as the rsync below.

2. Listening on a non-standard port
example: instead of 22 we can use 78 ("Port 78" in sshd_config). This only cuts the noise from scanners that try port 22; it is not a substitute for the other measures, and the iptables rules below must then use --dport 78 as well.

3. Iptables ssh connection rate limiting per IP: the 3rd and later new connections from one address within 60 seconds are logged and dropped. Note that everyone behind one NAT address shares the counter, and that you can lock yourself out during a burst of reconnects.

================================================================
# remember every new connection attempt per source address in the "SSH" list
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
# 3rd and later attempts from the same address within 60 s: log, then drop
# (--rttl only counts hits whose TTL matches the first packet, so a third party cannot
#  lock an address out with spoofed SYNs; these rules must come before the ACCEPT)
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j LOG --log-level info --log-prefix "Anti SSH-Bruteforce: "
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 3 --rttl --name SSH -j DROP

# everything under the limit is accepted (change 22 here too if sshd listens elsewhere)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
================================================================
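A check to go with points 1 to 3, added here as an example (it is not part of the original post): sshd keeps the FIRST value it reads for each keyword, so a "PermitRootLogin no" appended below a distro default "PermitRootLogin yes" is silently ignored, and values inside a "Match" block are conditional. The script reports what sshd would actually enforce and whether root logins are restricted. The sample config files are constructed for the demo; on a live host, "sshd -T" is the authoritative answer, this parser is for a config you cannot run sshd -T against (a copy from a backup or a config-management template).

```shell
#!/bin/sh
# Added example: what will sshd really enforce for the settings above?
# sshd_config rule: for each keyword the FIRST occurrence wins, and anything
# after a "Match" line is conditional.  Sample files below are constructed.

# sshd_effective KEYWORD FILE -> value sshd would use, or "(default)"
sshd_effective() {
    awk -v kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                    # drop comments
        { gsub(/[ \t]*=[ \t]*/, " ") }        # "Port=78" is the same as "Port 78"
        /^[ \t]*$/ { next }                   # blank lines
        tolower($1) == "match" { exit }       # rest of file is conditional
        tolower($1) == kw { print $2; found = 1; exit }
        END { if (!found) print "(default)" }
    ' "$2"
}

# sshd_check FILE -> 0 if root logins are restricted as in section 1, 1 otherwise;
# also reports the port so the iptables --dport rules can be kept in step.
sshd_check() {
    rc=0
    root=$(sshd_effective PermitRootLogin "$1")
    case "$root" in
        no|forced-commands-only|without-password|prohibit-password)
            echo "OK   PermitRootLogin=$root" ;;
        *)  echo "FAIL PermitRootLogin=$root (first occurrence wins; fix or remove the earlier line)"
            rc=1 ;;
    esac
    pw=$(sshd_effective PasswordAuthentication "$1")
    echo "INFO PasswordAuthentication=$pw (set to no once key login works)"
    echo "INFO Port=$(sshd_effective Port "$1") (iptables --dport must match)"
    return $rc
}

# Constructed sample: the hardened line was appended AFTER the default, so it loses.
write_sample_bad() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# distro default
Port 78
PermitRootLogin yes
# added by an admin later, ignored by sshd:
PermitRootLogin no
Match User backup
    PermitRootLogin no
EOF
    echo "$f"
}

# Constructed sample: the same file with the stale default removed.
write_sample_good() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Port = 78
PermitRootLogin forced-commands-only
PasswordAuthentication no
EOF
    echo "$f"
}

for f in "$(write_sample_bad)" "$(write_sample_good)"; do
    echo "== $f"
    sshd_check "$f" || echo "   -> this file would still let root in with a password"
    rm -f "$f"
done
```

Run it as-is to see the two verdicts, or call sshd_check /etc/ssh/sshd_config on a host where you want a second opinion next to sshd -T.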


---------------------------------------------------------------------------------------------------
3 Steps to Perform SSH Login Without Password Using ssh-keygen & ssh-copy-id:
---------------------------------------------------------------------------------------------------


Step1: Create public and private keys using ssh-keygen on local-host
------
An empty passphrase means the private key file alone is enough to log in wherever the public key is installed. For an interactive account, set a passphrase and load the key into ssh-agent; leave it empty only for a key used by an unattended job (such as the cron'd rsync below), and restrict that key on the remote side.

    root@web1:/# [Note: You are on local-host here]
    root@web1:/# ssh-keygen

--------------------------------------------------------
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
94:e4:cc:4e:7b:0f:db:1c:ea:f0:23:b3:0d:0d:85:d4 root@web1
The key's randomart image is:
+--[ RSA 2048]----+
|        o.       |
|       * oE      |
|        O .      |
|       + o       |
|        S o .    |
|         + B .   |
|        o + +    |
|        o*.      |
|        .++.     |
+-----------------+

---------------------------------------------------------

Step2: Copy the public key to remote-host using ssh-copy-id
-----
    root@web1:/# ssh-copy-id -i ~/.ssh/id_rsa.pub 192.168.0.16
    root@192.168.0.16's password:

Now try logging into the machine, with "ssh '192.168.0.16'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.


=============================================================
Note: ssh-copy-id creates the remote ~/.ssh if it is missing and appends the key to .ssh/authorized_keys. It never removes anything, so review that file after each run.
=============================================================


Step 3: Login to remote-host without entering the password

This only works if the remote sshd still accepts root logins. With "PermitRootLogin no" from the tuning section above the login is refused; "PermitRootLogin without-password" (spelled "prohibit-password" in OpenSSH 7.0 and later) lets root in with a key but never with a password. Once key login works, "PasswordAuthentication no" removes the target the brute-force rules above are protecting.

    root@web1:/# ssh 192.168.0.16


Linux web2 2.6.32-5-686 #1 SMP Mon Sep 23 23:00:18 UTC 2013 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Dec  1 14:53:21 2013 from web1.mehedi.com
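The "check in .ssh/authorized_keys" advice above, turned into a script; this is an added example and not part of the original post. ssh-copy-id only ever appends, so keys accumulate on the remote host. The script lists every key with its options, flags keys that carry neither a forced command nor a "from=" restriction, and shows how to write a line that pins a key to one command (which is what "PermitRootLogin forced-commands-only" in section 1 relies on). The key blobs are constructed placeholders, not real keys, and /usr/local/bin/rrsync is an assumed install path for the rrsync helper that ships with rsync.

```shell
#!/bin/sh
# Added example: audit authorized_keys after ssh-copy-id.
# Key blobs below are constructed placeholders; /usr/local/bin/rrsync is an
# assumed path for the rrsync script distributed with rsync.

# parse_authorized_keys FILE -> one line per key: OPTIONS|TYPE|COMMENT
# ("-" where a key has no options or no comment).  Options may contain quoted
# spaces, so the key is located by its "TYPE base64blob" pair, not by field number.
parse_authorized_keys() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*$/ { next }
        {
            line = " " $0
            if (!match(line, /[ \t](ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[A-Za-z0-9@.-]+)[ \t]+[A-Za-z0-9+\/=]+/)) {
                print "UNPARSED|-|" $0; next
            }
            opts = substr(line, 1, RSTART - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", opts)
            if (opts == "") opts = "-"
            rest = substr(line, RSTART)
            gsub(/^[ \t]+/, "", rest)
            n = split(rest, f, /[ \t]+/)
            comment = (n >= 3) ? f[3] : "-"
            for (i = 4; i <= n; i++) comment = comment " " f[i]
            print opts "|" f[1] "|" comment
        }
    ' "$1"
}

# unrestricted_keys FILE -> comments of keys with neither command= nor from=
unrestricted_keys() {
    parse_authorized_keys "$1" | awk -F'|' '{ o = "," $1 } o !~ /,(command|from)=/ { print $3 }'
}

# restrict_key COMMAND PUBKEY_FILE -> authorized_keys line that lets the key
# run only COMMAND, with no shell, tty or forwarding
restrict_key() {
    printf 'command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$1" "$(cat "$2")"
}

# Constructed sample authorized_keys (blobs are placeholders, not real keys)
write_sample_authorized_keys() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# keys installed on web2 over time
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEnotARealKey0001 root@web1
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEnotARealKey0002 backup@web1
command="/usr/local/bin/rrsync -ro /var/www",no-pty,no-port-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEnotARealKey0003 rsync-only@web1
from="192.168.0.10" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEnotARealKey0004 admin@laptop
EOF
    echo "$f"
}

AK=$(write_sample_authorized_keys)
echo "== all keys (options|type|comment)"
parse_authorized_keys "$AK"
echo "== keys with no command= or from= restriction"
unrestricted_keys "$AK"
echo "== a new key written as a restricted line"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEnotARealKey0005 web1-to-web2\n' >"$AK.pub"
restrict_key "/usr/local/bin/rrsync /var/www" "$AK.pub"
rm -f "$AK" "$AK.pub"
```

On the real host run unrestricted_keys /root/.ssh/authorized_keys; a root key with no options at all is exactly what section 1's "forced-commands-only" is meant to rule out. For the rsync-over-ssh key from the next section, restrict_key with rrsync as the command confines the client to the one directory tree.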


----------------------------------------------------------------------------------- 
Setup Rsync with SSH on UNIX / Linux (rsync without password)
-----------------------------------------------------------------------------------
Step1: Install rsync on both hosts (over SSH, rsync starts a copy of itself on the remote side, so it must exist there too):
------
    root@web1:/# [Note: You are on source machine or local-host here]
    root@web1:/# apt-get install rsync



Step2: (Optional) The rsync daemon is not used for rsync over SSH, so this step can be skipped
--------
The Debian package installs an init script anyway; restarting it without an /etc/rsyncd.conf only reports that there is nothing to start:

    root@web1:/# /etc/init.d/rsync restart

------------------------------------------------
The following output is harmless for the SSH setup (the daemon is configured later, in the daemon-mode section)
------------------------------------------------
Restarting rsync daemon: rsyncrsync daemon not running, attempting to start. ... (warning).
missing or empty config file /etc/rsyncd.conf ... failed!
 failed!



Step3: Perform rsync over ssh without password
---------
With the key from the SSH section installed on 192.168.0.16, rsync runs non-interactively. The trailing slash on the source means "the contents of /var/www"; without it rsync would create /var/www/www on the remote side.

    root@web1:/# rsync -avz -e ssh /var/www/ root@192.168.0.16:/var/www/



----------------------------------------------------------------------------
@@@@ Advanced rsync options and transactions @@@@@
----------------------------------------------------------------------------

Example 1. Synchronize Two Directories in a Local Server
--------
    root@web1:/# rsync -zvr /var/opt/installation/inventory/ /root/temp

In the above rsync example:

    -z is to enable compression
    -v verbose
    -r indicates recursive



Example 2. Preserve timestamps during Sync using rsync -a
---------

-a (archive) implies -r and additionally preserves timestamps, permissions, owner, group, symlinks and device files (it is equivalent to -rlptgoD). Without it every copied file gets the transfer time and the copying user's ownership, which is useless for a backup. The same command as in example 1, with -a:

    root@web1:/# rsync -azv /var/opt/installation/inventory/ /root/temp/


Example 3. Synchronize Only One File
---------
To copy only one file, specify the file name to rsync command, as shown below.

    root@web1:/# rsync -v /var/lib/rpm/Pubkeys /root/temp/

Example 4. Synchronize Files From Local to Remote
---------
rsync allows you to synchronize files/directories between the local and remote system.

    root@web1:/# rsync -avz /root/temp/ root@192.168.0.16:/home/thegeekstuff/temp/

Example 5. Synchronize Files From Remote to Local
----------
When you want to synchronize files from remote to local, specify remote path in source and local path in target as shown below.

    root@web1:/# rsync -avz root@192.168.0.16:/var/lib/rpm /root/temp


Example 6. Remote shell for Synchronization
----------
rsync lets you specify the remote shell it uses to reach the other host. ssh has been the default since rsync 2.6.0, so -e ssh on its own is redundant; -e is where you pass ssh options such as -p, -i or -l (see the non-standard port example further down).

    root@web1:/# rsync -avz -e ssh root@192.168.0.16:/var/lib/rpm /root/temp


Example 7. Do Not Overwrite the Modified Files at the Destination
---------
In a typical sync situation, if a file has been modified at the destination, we might not want to overwrite it with
the older copy from the source.

Use the rsync -u (--update) option to do exactly that: a file at the destination is skipped when its modification time is newer than the source's. In the following example, the file called Basenames has already been modified at the destination,
so it is not overwritten with rsync -u.


    root@web1:/# rsync -avzu root@192.168.0.16:/var/lib/rpm /root/temp



Example 8. Synchronize only the Directory Tree Structure (not the files)
---------
rsync -d (--dirs) does not do this: it copies the source's top-level entries, files included, and creates the
top-level directories without descending into them. To copy only the directory skeleton, recursively, pass
filter rules that accept every directory and reject everything else:


    root@web1:/# rsync -av -f '+ */' -f '- *' root@192.168.0.16:/var/lib/ /root/temp/


Example 9. View the rsync Progress during Transfer
----------
When you use rsync for backup, you might want to know the progress of the backup, i.e. how many files have been copied, at what rate a file is being copied, etc.

The rsync --progress option displays detailed progress during execution, as shown below.

    root@web1:/# rsync -avz --progress root@192.168.0.16:/var/lib/rpm/ /root/temp/


Example 10. Delete the Files Created at the Target
-----------
If a file is not present at the source but is present at the target, you might want to delete it at the target during rsync.

In that case, use the --delete option as shown below: rsync then removes files in the destination that do not exist in the source directory.

Because --delete is destructive, run the command with -n (--dry-run) first and read what rsync would remove: a mistyped or emptied source path otherwise empties the destination.

# Source and target are in sync. Now creating a new file at the target (/root/temp):

    root@web1:/# > /root/temp/new-file.txt

    root@web1:/# rsync -avz --delete root@192.168.0.16:/var/lib/rpm/ /root/temp/

Example 11. Include and Exclude Pattern during File Transfer
----------

rsync allows you to give the pattern you want to include and exclude files or directories while doing synchronization.

    root@web1:/# rsync -avz --include 'P*' --exclude '*' root@192.168.0.16:/var/lib/rpm/ /root/temp/
In the above example, only files or directories whose names start with 'P' are transferred (rsync include) and everything else is skipped (rsync exclude '*'). Note that '*' also excludes directories, so rsync does not descend into subdirectories that fail the pattern.


Example 12. Do Not Transfer Large Files
----------
You can tell rsync not to transfer files that are greater than a specific size using the rsync --max-size option.
    root@web1:/# rsync -avz --max-size='100K' root@192.168.0.16:/var/lib/rpm/ /root/temp/

--max-size=100K makes rsync transfer only the files that are less than or equal to 100K. You can use M for megabytes and G for gigabytes.


Example 13. Transfer the Whole File
----------
One of the main features of rsync is that it transfers only the changed blocks of a file to the destination, instead of sending the whole file.

If network bandwidth is not an issue for you (but CPU is), you can transfer whole files using the rsync -W option. This speeds up the transfer because neither side has to compute the block checksums used by the delta algorithm.
(-W is already the default when source and destination are both local paths.)
   
    root@web1:/# rsync -avzW  root@192.168.0.16:/var/lib/rpm/ /root/temp

===================================
Rsync with a non-standard ssh port:
===================================

If sshd on the remote host listens on another port (e.g. 78, as in the tuning section), pass it to ssh through -e:

    root@web1:/# rsync -avz -e "ssh -p $portNumber" root@192.168.0.16:/var/lib/rpm/ /root/temp






------------------------------------------------------------------------------- 
@@ Rsync - Sync Files/Directories using daemon not ssh @@
-------------------------------------------------------------------------------

Assume we have two hosts to sync the /var/www directory.
        host1 -    web1.mehedi.com (172.16.0.11)    [source host]
        host2 -    web2.mehedi.com (172.16.0.12)    [Destination host]

Unlike the SSH variant, daemon mode speaks rsync's own protocol on TCP 873: nothing is encrypted, and as configured below the only check on who may write to /var/www is the client's source address. Use it on a trusted LAN only; anywhere else, keep the SSH transport from the previous section.
   




Step1. First, on both machines install rsync by entering the following command:
------
    # apt-get install rsync


Step2.     Now Configure the Destination Host:
-----
    root@web2:/# vim /etc/default/rsync

--------------------------------
# line 8: change

RSYNC_ENABLE=true
--------------------------------


Step3. Define the module the source host will write to:
-----
    root@web2:/# vim /etc/rsyncd.conf


------------------------------------------------
# module name, in square brackets (define any name you like)
[mehediweb]

# Destination Directory
path = /var/www

# Hosts you allow to copy (specify source Host); everyone else is refused
hosts allow = 172.16.0.11
hosts deny = *
list = true
# The daemon writes into /var/www as root and the module is writable, so
# whoever reaches it from the allowed address can put any content there.
# There is no password here; "auth users" plus "secrets file" would add one,
# but the connection stays unencrypted either way.
uid = root
gid = root
read only = false
------------------------------------------------


Step4.     Now Configure the Source Host:
-----

On the source host nothing needs to be configured except an exclude list:
    root@web1:/# vim /etc/rsync_exclude.lst
--------------------------------------------------------------------
# specify files or directories you'd like to exclude from being copy

index1.html
php.conf
--------------------------------------------------------------------



Final Step: Now it's time to execute rsync on the source host. The destination is written as HOST::MODULE (double colon), which tells rsync to talk to the daemon on port 873 instead of using ssh:

    root@web1:/# rsync -avz --delete --exclude-from=/etc/rsync_exclude.lst /var/www/ 172.16.0.12::mehediweb


==========================================
Add to cron if you'd like to run it regularly
==========================================

root@web1:/# crontab -e

# run at 2:00 AM every day:
--------------------------
00 02 * * * rsync -avz --delete --exclude-from=/etc/rsync_exclude.lst /var/www/ 172.16.0.12::mehediweb


# Run every minute:
------------------
*/1 * * * * rsync -avz --delete --exclude-from=/etc/rsync_exclude.lst /var/www/ 172.16.0.12::mehediweb


# Run every Hour:
------------------
0 * * * * rsync -avz --delete --exclude-from=/etc/rsync_exclude.lst /var/www/ 172.16.0.12::mehediweb
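A safeguard for Example 10 and for the cron jobs above, added here as an example (it is not part of the original post): every one of these jobs runs --delete unattended, so if /var/www on the source is emptied by mistake, or the source path is mistyped, the destination is emptied on the next run. The wrapper runs the same transfer with --dry-run first, counts the entries rsync would delete, and only performs the real sync when that count is at or below a limit. rsync on PATH is assumed for safe_sync; the limit and paths are illustrative, and the dry-run output used for the demo is constructed.

```shell
#!/bin/sh
# Added example: refuse an unattended "rsync --delete" that would wipe the target.
# Assumes rsync on PATH for safe_sync; the sample dry-run output is constructed.

# count_deletions < rsync-dry-run-output -> number of entries that would be deleted
# (-v prints "deleting NAME"; --itemize-changes prints "*deleting   NAME")
count_deletions() {
    awk '/^(\*deleting|deleting) / { n++ } END { print n + 0 }'
}

# safe_sync LIMIT SRC DST [rsync options...]
# exit status 0 after a real sync, 2 when the dry run would exceed LIMIT deletions
safe_sync() {
    limit=$1; src=$2; dst=$3; shift 3
    n=$(rsync -avz --delete --dry-run "$@" "$src" "$dst" | count_deletions)
    if [ "$n" -gt "$limit" ]; then
        echo "safe_sync: refusing, dry run would delete $n entries (limit $limit)" >&2
        return 2
    fi
    rsync -avz --delete "$@" "$src" "$dst"
}

# Constructed dry-run output: what "rsync -avz --delete --dry-run /var/www/ DEST"
# prints once the source directory has been emptied.
SAMPLE_DRY_RUN='sending incremental file list
deleting js/app.js
deleting css/site.css
deleting index.html
./

sent 71 bytes  received 99 bytes  340.00 bytes/sec
total size is 0  speedup is 0.00 (DRY RUN)'

n=$(printf '%s\n' "$SAMPLE_DRY_RUN" | count_deletions)
echo "the constructed dry run would delete $n entries"
```

Installed as, say, /usr/local/sbin/safe_sync (an assumed path), the 2 AM job above becomes "00 02 * * * /usr/local/sbin/safe_sync 50 /var/www/ 172.16.0.12::mehediweb --exclude-from=/etc/rsync_exclude.lst", and a run that would delete more than 50 entries is logged and skipped instead of executed. For the every-minute variant, also wrap the command in flock -n so that a slow transfer does not overlap with the next one.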


======================================================
Don't forget to allow rsync in iptables (FIREWALL) on the destination host
======================================================

# Allow RSYNC from LAN (TCP Port 873)
# "hosts allow" above admits only 172.16.0.11; the firewall can be just as tight
# (-s 172.16.0.11/32) instead of opening the port to the whole /16
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
iptables -A INPUT -p tcp -s 172.16.0.0/16 --dport 873 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -d 172.16.0.0/16 -p tcp --sport 873 -j ACCEPT

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
