Presentation given in the Information Security graduate program:
- Sniffing plain-text passwords;
- Brute-force attacks on SSH;
- Protection: firewall, IPS and/or TCP Wrappers;
- Basic sshd_config hardening;
- RSA/DSA keys for remote access;
- SSH fetching keys from LDAP;
- Why prevent access: Fork Bomb
SSH: Remote Access Security
1. Security - Remote Access
Leandro Silva
Leandro Purificacão
David Wallace
Tiago Cruz - http://everlinux.com
Jeferson
Level: Intermediate
Prerequisites: basic English, network protocols and the Unix world.
2. Topics
Sniffing plain-text passwords;
Brute-force attacks on SSH;
Protection: firewall, IPS and/or TCP Wrappers;
Basic sshd_config hardening;
RSA/DSA keys for remote access;
SSH fetching keys from LDAP;
Why prevent access: Fork Bomb
3. Security - Remote Access
Telnet has no encryption: an attacker can capture your password with a sniffer
OpenSSH encrypts the communication
Present on every Unix (*BSD, Solaris, Linux, AIX...) and on routers as well
However, a machine compromised with a keylogger can still capture the administrator's password
8. SSH is always a target
...
Aug 31 23:21:28 localhost sshd[4560]: Illegal user admin from ::ffff:206.113.121.118
Aug 31 23:21:31 localhost sshd[4562]: Illegal user test from ::ffff:206.113.121.118
Aug 31 23:21:36 localhost sshd[4564]: Illegal user guest from ::ffff:206.113.121.118
Aug 31 23:21:39 localhost sshd[4566]: Illegal user webmaster from ::ffff:206.113.121.118
Aug 31 23:21:44 localhost sshd[4568]: Illegal user mysql from ::ffff:206.113.121.118
Aug 31 23:21:47 localhost sshd[4570]: Illegal user oracle from ::ffff:206.113.121.118
Aug 31 23:21:49 localhost sshd[4572]: Illegal user library from ::ffff:206.113.121.118
Aug 31 23:21:52 localhost sshd[4574]: Illegal user info from ::ffff:206.113.121.118
Aug 31 23:21:55 localhost sshd[4576]: Illegal user shell from ::ffff:206.113.121.118
Aug 31 23:21:59 localhost sshd[4578]: Illegal user linux from ::ffff:206.113.121.118
Aug 31 23:22:01 localhost sshd[4580]: Illegal user unix from ::ffff:206.113.121.118
Aug 31 23:22:05 localhost sshd[4582]: Illegal user webadmin from ::ffff:206.113.121.118
Aug 31 23:22:08 localhost sshd[4584]: Illegal user ftp from ::ffff:206.113.121.118
Aug 31 23:22:12 localhost sshd[4586]: Illegal user test from ::ffff:206.113.121.118
Aug 31 23:22:18 localhost sshd[4590]: Illegal user admin from ::ffff:206.113.121.118
Aug 31 23:22:21 localhost sshd[4592]: Illegal user guest from ::ffff:206.113.121.118
Aug 31 23:22:25 localhost sshd[4594]: Illegal user master from ::ffff:206.113.121.118
Aug 31 23:22:28 localhost sshd[4596]: Illegal user apache from ::ffff:206.113.121.118
Aug 31 23:22:33 localhost sshd[4598]: User root not allowed because not listed in AllowUsers
Aug 31 23:22:37 localhost sshd[4600]: User root not allowed because not listed in AllowUsers
...
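The log above is what a dictionary attack looks like from the server side. As an added example (not part of the slides), the Python below parses sshd log lines like those, normalises the `::ffff:` IPv4-mapped form, and flags a source address once it produces 4 failed guesses within 60 seconds, the same threshold the iptables `recent` rule on slide 14 uses. The sample log is constructed from the slide's lines, and the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample modelled on the slide's log; syslog lines carry no year,
# so the year is an assumption passed to the parser.
SAMPLE_LOG = """\
Aug 31 23:21:28 localhost sshd[4560]: Illegal user admin from ::ffff:206.113.121.118
Aug 31 23:21:31 localhost sshd[4562]: Illegal user test from ::ffff:206.113.121.118
Aug 31 23:21:36 localhost sshd[4564]: Illegal user guest from ::ffff:206.113.121.118
Aug 31 23:21:39 localhost sshd[4566]: Illegal user webmaster from ::ffff:206.113.121.118
Aug 31 23:22:33 localhost sshd[4598]: User root not allowed because not listed in AllowUsers
Aug 31 23:30:00 localhost sshd[4700]: Accepted publickey for tiago from 192.168.15.1 port 60079 ssh2
Aug 31 23:31:05 localhost sshd[4710]: Invalid user oracle from 10.0.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
# Older sshd versions log "Illegal user", newer ones "Invalid user"; both are failed guesses.
FAIL_RE = re.compile(r"^(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>\S+)")

def parse_failure(line, year=2009):
    """Return (timestamp, source_ip, username) for a failed-login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    f = FAIL_RE.match(m["msg"])
    if not f:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    ip = f["ip"]
    if ip.startswith("::ffff:"):  # IPv4-mapped IPv6 form, as in the slide's log
        ip = ip[len("::ffff:"):]
    return ts, ip, f["user"]

def find_bruteforcers(log_text, window=60, hits=4):
    """Sliding-window count per source IP; returns {ip: time the threshold was crossed}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_failure(line)
        if rec is None:
            continue
        ts, ip, _user = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop hits older than the window
            q.popleft()
        if len(q) >= hits and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

Non-failure lines (the AllowUsers refusal, the accepted public-key login) are ignored, so a legitimate user who mistypes once does not count against the threshold.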
12. Basic /etc/ssh/sshd_config
# Groups allowed to log in via SSH
AllowGroups sysadmin suporte
AllowUsers tcruz maria
# Logging in directly as root is suicide:
PermitRootLogin no
# Changing the default port kills off some script kiddies:
Port 2258
tcruz@tuxkiller:~$ ssh -p 2258 192.168.15.129
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
tcruz@tuxkiller:~$ ssh userteste@192.168.15.129
Permission denied (publickey).
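One trap with the directives above is that sshd keeps the first value it reads for a keyword, so a hardening line appended to the bottom of the file does nothing if an earlier line already set it. As an added example (not code from the slides), the Python below parses the global part of an sshd_config with those semantics and reports which of the slide's four settings are still in their weak state. Both config texts are constructed samples.

```python
import re

# Constructed sample configs (not the full file from the slide). In the weak one a
# hardening line was appended at the bottom, but sshd keeps the FIRST value it reads.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PermitRootLogin no
"""

HARDENED_CONFIG = """\
# Groups allowed to log in via SSH
AllowGroups sysadmin suporte
AllowUsers tcruz maria
PermitRootLogin no
Port 2258
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    """Global keywords only: first value wins, and lines after 'Match' are conditional."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # sshd accepts "Key value" and "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts

def audit(opts):
    """Return (keyword, finding) pairs for settings the slide treats as unsafe."""
    findings = []
    # PermitRootLogin's default depends on the OpenSSH version, so absent counts as weak.
    if opts.get("permitrootlogin", "").lower() != "no":
        findings.append(("PermitRootLogin", "set to 'no'; direct root logins should be refused"))
    if opts.get("passwordauthentication", "yes").lower() != "no":  # sshd defaults to yes
        findings.append(("PasswordAuthentication", "set to 'no' once keys are deployed"))
    if "allowusers" not in opts and "allowgroups" not in opts:
        findings.append(("AllowUsers/AllowGroups", "restrict which accounts may log in"))
    if opts.get("port", "22") == "22":
        findings.append(("Port", "a non-default port cuts the noise from automated scanners"))
    return findings
```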
14. Brute Force - Mitigation
- On the server being protected:
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
# iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
- Test from the "attacker" workstation:
$ for i in `seq 1 10` ; do echo 'exit' | nc 192.168.15.129 22 ; done
SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
Protocol mismatch.
SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
Protocol mismatch.
SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
Protocol mismatch.
SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
Protocol mismatch.
^C
15. TCP Wrappers
The TCP Wrappers package (tcp_wrappers) is part of the default installation and
provides host-based access control for network services. The most important
component of the package is the library /usr/lib/libwrap.a.
$ cat /etc/hosts.deny
sshd: ALL
$ cat /etc/hosts.allow
sshd: 10.10.1.0/255.255.255.0 10.10.2.240/255.255.255.240
$ cat /etc/hosts.allow
sshd: 200.222.222.55 200.222.222.94: ALLOW
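The three snippets above only make sense together with libwrap's evaluation order: hosts.allow is consulted first, then hosts.deny, and a client matching neither is let in. As an added example (not part of the slides), the Python below implements that order for the pattern forms the slide uses (`ALL`, `net/mask`, single addresses) plus the `: ALLOW` / `: DENY` option override, so you can check what a given client address would get before touching the real files. The sample file contents are constructed from the slide's snippets; IPv6 bracket patterns are deliberately out of scope.

```python
import ipaddress

# Constructed sample files built from the slide's snippets (IPv4 only; libwrap
# writes IPv6 patterns in [brackets], which this small evaluator does not handle).
HOSTS_ALLOW = """\
sshd: 10.10.1.0/255.255.255.0 10.10.2.240/255.255.255.240
sshd: 200.222.222.55 200.222.222.94: ALLOW
"""
HOSTS_DENY = "sshd: ALL\n"

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form used on the slide, e.g. 10.10.1.0/255.255.255.0
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # leading-octets form, e.g. "192.168.15."
        return str(ip).startswith(pattern)
    return str(ip) == pattern

def rules(text):
    """Yield (daemons, clients, option) per 'daemon_list : client_list [: option]' line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        option = fields[2].upper() if len(fields) > 2 else ""
        yield fields[0].split(), fields[1].split(), option

def first_match(text, daemon, ip):
    for daemons, clients, option in rules(text):
        if (daemon in daemons or "ALL" in daemons) and any(client_matches(c, ip) for c in clients):
            return option  # "" when the matching line carries no option
    return None

def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """libwrap order: hosts.allow first, then hosts.deny, otherwise access is granted.
    An explicit ALLOW/DENY option on the matching line overrides the file it is in."""
    ip = ipaddress.ip_address(client_ip)
    hit = first_match(allow_text, daemon, ip)
    if hit is not None:
        return hit != "DENY"
    hit = first_match(deny_text, daemon, ip)
    if hit is not None:
        return hit == "ALLOW"
    return True
```

Note that with an empty hosts.deny every client is admitted, which is why the slide pairs the allow list with `sshd: ALL` in hosts.deny.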
17. Encryption Keys
tiago@cliente:~$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/tiago/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tiago/.ssh/id_dsa.
Your public key has been saved in /home/tiago/.ssh/id_dsa.pub.
The key fingerprint is:
46:de:5d:e5:52:2a:8b:03:2d:75:e9:fd:fa:e6:b7:26 tiago@tuxkiller
tiago@cliente:~$ ssh-copy-id -i /home/tiago/.ssh/id_dsa
id_dsa id_dsa.pub
tiago@cliente:~$ ssh-copy-id -i ~/.ssh/id_dsa.pub 192.168.15.129
tiago@192.168.15.129 password:
Now try logging into the machine, with "ssh '192.168.15.129'", and
check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
18. Copying manually
If you don't have ssh-copy-id:
root@server:~# cat /home/tiago/.ssh/authorized_keys
ssh-dss
AAAAB3NzaC1kc3MAAACBANbDleaS26kY1Wukd0LiKhhzdxfG1dZC0EObXp8hIrK+xsNy
g6dLRFPbbDYtZGJ06M5/SIqPCFoeLqHIMVroIPzZ
1gDMSdOesSbJMYkTgytJQltG2RHBp9OdTd7sp9xldQj93IAvAPTzFoUUtq9RaBzJJZbu
2ZK9Jqg8Spc/lT8JAAAAFQD5kI62O8bqAS1lFqmf1kklnskl
SQAAAIA7Ff28UoKWAoECh0WFE5zqxvUPW+1Qz9sxCXjmXfDIwt2jBgyrGcDrJiyRffqQ
kWEAlgqPZPQ6HQ68sFS052CjYU/5HlLbh2lXaiFBEvYpRqPg
gnqbMgOcI2lBom1LSYwTCsbb61OZBKE9CC2KptGJdzXesaO4eo8ARzzOolnjUgAAAIEA
gBdKmuccKaMtUJPapa3Q7OJxPq5lHnOXNUVRwkavVjLd7MB/
OWJI1FBOcExb9nGuVRVB1DB1VxYjz1QEa9KxNyx8eZQTtvA64McyjUuWJuSS1ld+DqJG
TaeVvYDPICkgPK9HlDOvJUZmFHiUdwbn/BLUWAR/Bg106nkn
5s8WnQg= tiago@tuxkiller
root@server:~# ls -l /home/tiago/.ssh/authorized_keys
-rw------- 1 tiago tiago 605 2009-06-17 15:06 ~/.ssh/authorized_keys
root@server:~# ls -ld /home/tiago/.ssh
drwx------ 2 tiago tiago 4096 2009-06-17 15:06 /home/tiago/.ssh
19. Access logs
# Log before:
Jun 17 15:06:15 ubuntu sshd[2938]: Accepted password for tiago from 192.168.15.1 port 32813 ssh2
# Log after:
Jun 17 15:28:26 ubuntu sshd[3184]: Accepted publickey for tiago from 192.168.15.1 port 60079 ssh2
21. SSH with public keys centralized in LDAP
22. SSH fetching the key from LDAP
OpenSSH-LPK
The OpenSSH LDAP Public Key patch provides an easy way of centralizing
strong user authentication by using an LDAP
server for retrieving public keys instead of ~/.ssh/authorized_keys.
=> http://code.google.com/p/openssh-lpk/
On the LDAP server - slapd.conf:
include /etc/openldap/schema/openssh-lpk_openldap.schema
On the clients - sshd_config:
UseLPK yes
LpkLdapConf /etc/ldap.conf
25. Fork Bomb
A process that recursively creates many copies of itself in order to exhaust the
server's resources: a DoS, or denial of service
A fork bomb using the Microsoft Windows (any version) batch language:
%0|%0
In poetic Perl:
fork while fork
Using Python:
import os
while True:
    os.fork()
Or in C or C++:
#include <unistd.h>
int main(void)
{
    while (1)
        fork();
    return 0;
}
26. Fork Bomb
tcruz@ubuntu:~$ ulimit -a | grep proce
max user processes (-u) unlimited
tcruz@ubuntu:~$ ulimit -u 1024
tcruz@ubuntu:~$ ulimit -a | grep proce
max user processes (-u) 1024
tcruz@ubuntu:~$ :(){ :|:& };:
[1] 3755
tcruz@ubuntu:~$ -bash: fork: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable
-bash: fork: Resource temporarily unavailable
[1]+ Terminated : | :
Note: this test used a VM with 512 GB of RAM