SSH-Harden: Difference between revisions
Revision as of 15:17, 13 October 2022
Description
During regular system audits, it was discovered that one of the systems does not meet the organization's security baseline. Therefore, this system must be hardened.
200pts
Question
Harden the SSH configuration so that it meets the baseline.
- Make sure that root login is disabled
- Disable password authentication
Add this [public key] so that the user: sysadmin is able to log in with their [private key]
Solution
To be on the safe side, I initially opened two ssh connections, because especially when you make changes to the ssh server settings, you can accidentally log yourself out of the whole server.
Next, I downloaded both the private key and the public key to the .ssh folder on the local machine. Then I used ssh-copy-id -i /root/.ssh/id_rsa.pub -p2224 [email protected]
Before you can connect to the server you need to change the permissions on the private key. chmod 600 id_rsa
Next, you can try connecting to the server without a password with ssh [email protected] -p2224
Once you have connected to the server you can start changing the ssh service settings. The first thing to do is to copy the original configuration file, so that the incorrectly configured settings can be restored if necessary.
The server ssh configuration can be found at /etc/ssh/sshd_config
Make a copy of the file, then edit the sshd_config file.
Add the following settings to the file
- PasswordAuthentication no
- UsePAM no
- PermitRootLogin no
Then restart the ssh service with sudo service ssh restart
You can then submit the task for evaluation.
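The settings above only take effect if no earlier line in sshd_config already sets the same keyword, because sshd uses the first value it reads. The following check is an added example, not part of the original write-up; the function names effective_value and check_baseline and the sample file are constructed for illustration, and Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original page): audit the global section of an
# sshd_config file against the two baseline items. Function names are hypothetical.

# Print the effective value of keyword $2 in file $1, lowercased.
# sshd keeps the FIRST value it reads for a keyword; later duplicates are ignored.
effective_value() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/ { next }       # skip blank lines and comments
        { sub(/=/, " ") }                   # accept the "Keyword=value" form
        tolower($1) == "match" { exit }     # global section ends at the first Match
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# Return 0 only if both baseline settings are effective in file $1.
check_baseline() {
    rc=0
    for want in "PermitRootLogin no" "PasswordAuthentication no"; do
        key=${want% *}
        val=${want#* }
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$val" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', baseline requires '$val'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the baseline lines were appended below an older "yes".
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample, not the challenge server's real file
Port 2224
PermitRootLogin yes
#PasswordAuthentication yes
UsePAM no
PasswordAuthentication no
PermitRootLogin no
EOF
check_baseline "$demo" || echo "baseline not met: move or edit the earlier line"
rm -f "$demo"
```

On the server itself, sudo sshd -t checks the edited file for syntax errors before the restart, and sudo sshd -T prints the configuration sshd will actually use.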
Tools
- ssh
- nano
- cp
- ssh-copy-id