ssh: seguranca no acesso remoto
DESCRIPTION
Apresentação na Pós-Graduação em Segurança da Informação:- Sniffer de senhas em plain text;- Ataque de brute-force no SSH;- Proteção: Firewall, IPS e/ou TCP Wrappers;- Segurança básica no sshd_config;- Chaves RSA/DSA para acesso remoto;- SSH buscando chaves no LDAP;- Porque previnir o acesso: Fork BombTRANSCRIPT
Segurança - Acesso Remoto
Leandro Silva Leandro Purificacão David Wallace Tiago Cruz - http://everlinux.com Jeferson
Níve: Intermediário Pre-requisitos: Básico em Inglês, protocolos de
rede e universo Unix.
Tópicos
Sniffer de senhas em plain text; Ataque de brute-force no SSH; Proteção: Firewall, IPS e/ou TCP Wrappers; Segurança básica no sshd_config; Chaves RSA/DSA para acesso remoto; SSH buscando chaves no LDAP; Porque previnir o acesso: Fork Bomb
Segurança - Acesso Remoto
Telnet não tem criptografia, um atacante pode pegar a sua senha usando um sniffer
OpenSSH criptografa a comunicação Presente em todos os Unixes (*BSD, Solaris,
Linux, AIX...) e também nos roteadores Porém, uma máquina comprometida com um
keylogger pode pegar a senha do administrador
Capturando senhas sem criptografia (ex: telnet e
FTP)
”Snifando” senhas: dsniff
Capturando senhas: ettercap
Ataques de força-bruta contra o SSH
SSH é sempre visado...Aug 31 23:21:28 localhost sshd[4560]: Illegal user admin from ::ffff:206.113.121.118Aug 31 23:21:31 localhost sshd[4562]: Illegal user test from ::ffff:206.113.121.118Aug 31 23:21:36 localhost sshd[4564]: Illegal user guest from ::ffff:206.113.121.118Aug 31 23:21:39 localhost sshd[4566]: Illegal user webmaster from ::ffff:206.113.121.118Aug 31 23:21:44 localhost sshd[4568]: Illegal user mysql from ::ffff:206.113.121.118Aug 31 23:21:47 localhost sshd[4570]: Illegal user oracle from ::ffff:206.113.121.118Aug 31 23:21:49 localhost sshd[4572]: Illegal user library from ::ffff:206.113.121.118Aug 31 23:21:52 localhost sshd[4574]: Illegal user info from ::ffff:206.113.121.118Aug 31 23:21:55 localhost sshd[4576]: Illegal user shell from ::ffff:206.113.121.118Aug 31 23:21:59 localhost sshd[4578]: Illegal user linux from ::ffff:206.113.121.118Aug 31 23:22:01 localhost sshd[4580]: Illegal user unix from ::ffff:206.113.121.118Aug 31 23:22:05 localhost sshd[4582]: Illegal user webadmin from ::ffff:206.113.121.118Aug 31 23:22:08 localhost sshd[4584]: Illegal user ftp from ::ffff:206.113.121.118Aug 31 23:22:12 localhost sshd[4586]: Illegal user test from ::ffff:206.113.121.118Aug 31 23:22:18 localhost sshd[4590]: Illegal user admin from ::ffff:206.113.121.118Aug 31 23:22:21 localhost sshd[4592]: Illegal user guest from ::ffff:206.113.121.118Aug 31 23:22:25 localhost sshd[4594]: Illegal user master from ::ffff:206.113.121.118Aug 31 23:22:28 localhost sshd[4596]: Illegal user apache from ::ffff:206.113.121.118Aug 31 23:22:33 localhost sshd[4598]: User root not allowed because not listed in AllowUsersAug 31 23:22:37 localhost sshd[4600]: User root not allowed because not listed in AllowUsers...
ssh-brute force caseiro
Gerando senhas aleatórias
$ john -stdout -incremental 1952sammystarkstartstackstacestevesteensteetsamers
$ dd if=/dev/random ibs=6 count=1 2> /dev/null | mimencodeHKxWMgRD
$ pwgen xaif7Nah lie1Ieth gook1aiD ur1Ahthi Noo3eo5M Baz4aeBu ohMeek9a chiex7Iu Sipe0Eiv iDaighu7 Quuz3una AhB0echi go0Um7yu azo6Tiel Thee5aWe Xo8jaim5 caif0ieN HuaWie9n
Proteções contra ataques de força-bruta
Básico /etc/ssh/sshd_config
# Grupos com acesso via SSHAllowGroups sysadmin suporteAllowUsers tcruz maria
# Logar direto como root é suicídio:PermitRootLogin no
# Mudar a porta padrão mata alguns script kiddies:Port 2258
tcruz@tuxkiller:~$ ssh -p 2258 192.168.15.129
# Change to no to disable tunnelled clear text passwordsPasswordAuthentication no
tcruz@tuxkiller:~$ ssh [email protected] denied (publickey).
IDS/IPS - OSSEC
Brute Force - Mitigação
- No servidor a ser protegido:
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state \NEW -m recent –set
# iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state \NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
# iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT
- Teste na estação ”atacante”:
$ for i in `seq 1 10` ; do echo 'exit' | nc 192.168.1.1 22 ; done 192.168.15.129 22 ; doneSSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1Protocol mismatch.SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1Protocol mismatch.SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1Protocol mismatch.SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1Protocol mismatch.^C
TCP Wrappers
O pacote TCP Wrappers (tcp_wrappers) faz parte da instalação padrão e oferece controle de de acesso a serviços de rede baseado no host. O componente mais importante do pacote é a biblioteca /usr/lib/libwrap.a.
$ cat /etc/hosts.deny sshd: ALL
$ cat /etc/hosts.allow sshd: 10.10.1.0/255.255.255.0 10.10.2.240/255.255.255.240
$ cat /etc/hosts.allowsshd: 200.222.222.55 200.222.222.94: ALLOW
Sem senha: chaves públicas e privadas no
acesso SSH
Chaves de Criptografia
tiago@cliente:~$ ssh-keygen -t dsaGenerating public/private dsa key pair.Enter file in which to save the key (/home/tiago/.ssh/id_dsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/tiago/.ssh/id_dsa.Your public key has been saved in /home/tiago/.ssh/id_dsa.pub.The key fingerprint is:46:de:5d:e5:52:2a:8b:03:2d:75:e9:fd:fa:e6:b7:26 tiago@tuxkiller
tiago@cliente:~$ ssh-copy-id -i /home/tiago/.ssh/id_dsaid_dsa id_dsa.pub
tiago@cliente:~$ ssh-copy-id -i ~/.ssh/id_dsa.pub [email protected] password: Now try logging into the machine, with "ssh '192.168.15.129'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
Copiando manualmente
Caso você não tenha o ssh-copy-id:
root@server:~# cat /home/tiago/.ssh/authorized_keys ssh-dss AAAAB3NzaC1kc3MAAACBANbDleaS26kY1Wukd0LiKhhzdxfG1dZC0EObXp8hIrK+xsNyg6dLRFPbbDYtZGJ06M5/SIqPCFoeLqHIMVroIPzZ1gDMSdOesSbJMYkTgytJQltG2RHBp9OdTd7sp9xldQj93IAvAPTzFoUUtq9RaBzJJZbu2ZK9Jqg8Spc/lT8JAAAAFQD5kI62O8bqAS1lFqmf1kklnsklSQAAAIA7Ff28UoKWAoECh0WFE5zqxvUPW+1Qz9sxCXjmXfDIwt2jBgyrGcDrJiyRffqQkWEAlgqPZPQ6HQ68sFS052CjYU/5HlLbh2lXaiFBEvYpRqPggnqbMgOcI2lBom1LSYwTCsbb61OZBKE9CC2KptGJdzXesaO4eo8ARzzOolnjUgAAAIEAgBdKmuccKaMtUJPapa3Q7OJxPq5lHnOXNUVRwkavVjLd7MB/OWJI1FBOcExb9nGuVRVB1DB1VxYjz1QEa9KxNyx8eZQTtvA64McyjUuWJuSS1ld+DqJGTaeVvYDPICkgPK9HlDOvJUZmFHiUdwbn/BLUWAR/Bg106nkn5s8WnQg= tiago@tuxkiller
root@server:~# ls -l /home/tiago/.ssh/authorized_keys -rw------- 1 tiago tiago 605 2009-06-17 15:06 ~/.ssh/authorized_keys
root@server:~# ls -ld /home/tiago/.sshdrwx------ 2 tiago tiago 4096 2009-06-17 15:06 /home/tiago/.ssh
Logs de acesso
# Log Antes: Jun 17 15:06:15 ubuntu sshd[2938]: Accepted password for tiago from 192.168.15.1 port 32813 ssh2
# Log Depois: Jun 17 15:28:26 ubuntu sshd[3184]: Accepted publickey for tiago from 192.168.15.1 port 60079 ssh2
Acessando sem senha
SSH com as chaves públicas centralizadas em
LDAP
SSH buscando chave no LDAP
OpenSSH-LPK
The OpenSSH LDAP Public Key patch provides an easy way of centralizing strong user authentication by using an LDAPserver for retrieving public keys instead of ~/.ssh/authorized_keys.
=> http://code.google.com/p/openssh-lpk/
No Servidor LDAP - slapd.conf:
include /etc/openldap/schema/openssh-lpk_openldap.schema
Nos clientes - sshd_config:
UseLPK yesLpkLdapConf /etc/ldap.conf
Busca no LDAP de exemplo
[root@testmachine ~]# ldapsearch -x uid=tcruz# tcruz, People, empresa.com.brdn: uid=tcruz,ou=People,dc=empresa,dc=com,dc=brgecos: Tiago CruzloginShell: /bin/bashobjectClass: accountobjectClass: posixAccountobjectClass: topobjectClass: shadowAccountobjectClass: ldapPublicKeyuid: tcruzuidNumber: 1002cn: tcruzhomeDirectory: /home/tcruzSshPublicKey:: ssh-dss c3NoLWRzcyBBQUFBQjNOemFDMWtjM01BQUFDQkFPTDF0alppRmdXdEdtMkJ2UWx 9DOHJKNVYwaE90R3J3QUFBSUJIZVlzWnJGR2xITG4xblVGUTBTSXB6bzlnNG90RmFjegidNumber: 1010shadowLastChange: 14196
# search resultsearch: 2result: 0 Success
Um bom motivo para deixar o atacante longe da shell
Fork Bomb
Um processo que cria várias cópias dele mesmo recursivamente com o objetivo deacabar com os recursos do servidor – DOS ou denial of service
A fork bomb using the Microsoft Windows (any version) batch language:%0|%0
In poetic Perl:fork while fork
Using Python:import oswhile True: os.fork()
Or in C or C++:#include <unistd.h>
int main(void){ while(1) fork(); return 0;}
Fork Bombtcruz@ubuntu:~$ ulimit -a | grep procemax user processes (-u) unlimited
tcruz@ubuntu:~$ ulimit -u 1024tcruz@ubuntu:~$ ulimit -a | grep procemax user processes (-u) 1024
tcruz@ubuntu:~$ :(){ :|:& };: [1] 3755
tcruz@ubuntu:~$ -bash: fork: Resource temporarily unavailable-bash: fork: Resource temporarily unavailable-bash: fork: Resource temporarily unavailable-bash: fork: Resource temporarily unavailable-bash: fork: Resource temporarily unavailable-bash: fork: Resource temporarily unavailable
[1]+ Terminated : | :
Nota: Utilizado nesse teste uma VM com 512 GB de RAM
Referências
http://everlinux.com/blog http://www.linux.com/archive/feature/61061 http://code.google.com/p/openssh-lpk/ http://en.wikipedia.org/wiki/Fork_bomb http://www.redhat.com/docs/manuals/enterprise/RHEL-5-manual/pt-BR/Deployment_Guide/