Zabezpieczenie serwera OpenSSH - ciekawostki...

[adasiek_j]

Ten artykuł powstał dla tych wszystkich, którzy boją się, że ich serwer jest narażony bardziej na ataki niż inne serwery.

Witam.
Ostatnio przeskanowałem sobie Debiana nmapem i w wynikach otrzymałem między innymi coś takiego:

Kod: Zaznacz cały

7532/tcp open  ssh     OpenSSH 5.1p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 1024 58:30:41:09:93:cd:a0:54:a4:xx:xx:xx:xx:xx:xx:xx (DSA)
|_2048 34:d0:f1:02:99:17:1b:47:51:xx:xx:xx:xx:xx:xx:xx (RSA)

1. Zastanawiam się, czy przypadkiem mój Debian nie chwali się zbyt dużą ilością informacji?
2. Dodatkowo mam pytanie czy te informację mogą w jakiś sposób ułatwić robotę potencjalnemu hakerowi?
3. No i na koniec jak ograniczyć/wyłączyć wyświetlanie tych informacji? Jak się zabezpieczyć?

Tutaj poniżej pokażę Ci prosty przykład, jak może wyglądać połączenie ssh do serwera:

1. Połączenie podstawowe, jakie wiele osób wykonuje:
   

   Kod: Zaznacz cały

   adasiek@sea-star:~$ ssh -l root -C 192.168.6.254

   Kod: Zaznacz cały

   Last login: Fri May 20 09:04:17 2011 from 192.168.6.164
   Have a lot of fun...
   serek-hurt:~ #
   

2. Teraz drobna zmiana polecenia:

   Kod: Zaznacz cały

   adasiek@sea-star:~$ ssh -l root -C 192.168.6.254 -v

   Kod: Zaznacz cały

   OpenSSH_5.5p1 Debian-4ubuntu5, OpenSSL 0.9.8o 01 Jun 2010
   debug1: Reading configuration data /home/adasiek/.ssh/config
   debug1: Applying options for *
   debug1: Reading configuration data /etc/ssh/ssh_config
   debug1: Applying options for *
   debug1: Connecting to 192.168.6.254 [192.168.6.254] port 22.
   debug1: Connection established.
   debug1: identity file /home/adasiek/.ssh/id_rsa type 1
   debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
   debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
   debug1: identity file /home/adasiek/.ssh/id_rsa-cert type -1
   debug1: identity file /home/adasiek/.ssh/id_dsa type -1
   debug1: identity file /home/adasiek/.ssh/id_dsa-cert type -1
   debug1: Remote protocol version 1.99, remote software version OpenSSH_4.1
   debug1: match: OpenSSH_4.1 pat OpenSSH_4*
   debug1: Enabling compatibility mode for protocol 2.0
   debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
   debug1: SSH2_MSG_KEXINIT sent
   debug1: SSH2_MSG_KEXINIT received
   debug1: kex: server->client aes128-ctr hmac-md5 zlib
   debug1: kex: client->server aes128-ctr hmac-md5 zlib
   debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
   debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
   debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
   debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
   debug1: Host '192.168.6.254' is known and matches the RSA host key.
   debug1: Found key in /home/adasiek/.ssh/known_hosts:75
   debug1: ssh_rsa_verify: signature correct
   debug1: Enabling compression at level 6.
   debug1: SSH2_MSG_NEWKEYS sent
   debug1: expecting SSH2_MSG_NEWKEYS
   debug1: SSH2_MSG_NEWKEYS received
   debug1: Roaming not allowed by server
   debug1: SSH2_MSG_SERVICE_REQUEST sent
   debug1: SSH2_MSG_SERVICE_ACCEPT received
   debug1: Authentications that can continue: publickey,keyboard-interactive
   debug1: Next authentication method: publickey
   debug1: Offering public key: /home/adasiek/.ssh/id_rsa
   debug1: Server accepts key: pkalg ssh-rsa blen 149
   debug1: read PEM private key done: type RSA
   debug1: Authentication succeeded (publickey).
   debug1: channel 0: new [client-session]
   debug1: Entering interactive session.
   debug1: Sending environment.
   debug1: Sending env LANG = pl_PL.utf8
   Last login: Fri May 20 09:04:26 2011 from 192.168.6.164
   Have a lot of fun...
   serek-hurt:~ # 
   
   serek-hurt:~ # logout
   debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
   debug1: channel 0: free: client-session, nchannels 1
   Connection to 192.168.6.254 closed.
   Transferred: sent 1912, received 1960 bytes, in 61.9 seconds
   Bytes per second: sent 30.9, received 31.7
   debug1: Exit status 1
   debug1: compress outgoing: raw data 1067, compressed 659, factor 0.62
   debug1: compress incoming: raw data 492, compressed 421, factor 0.86
   adasiek@sea-star:~$
   

3. I jeszcze kolejna modyfikacja polecenia:

   Kod: Zaznacz cały

   adasiek@sea-star:~$ ssh -l root -C 192.168.6.254 -vv

   Kod: Zaznacz cały

   OpenSSH_5.5p1 Debian-4ubuntu5, OpenSSL 0.9.8o 01 Jun 2010
   debug1: Reading configuration data /home/adasiek/.ssh/config
   debug1: Applying options for *
   debug1: Reading configuration data /etc/ssh/ssh_config
   debug1: Applying options for *
   debug2: ssh_connect: needpriv 0
   debug1: Connecting to 192.168.6.254 [192.168.6.254] port 22.
   debug1: Connection established.
   debug2: key_type_from_name: unknown key type '-----BEGIN'
   debug2: key_type_from_name: unknown key type '-----END'
   debug1: identity file /home/adasiek/.ssh/id_rsa type 1
   debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
   debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
   debug1: identity file /home/adasiek/.ssh/id_rsa-cert type -1
   debug1: identity file /home/adasiek/.ssh/id_dsa type -1
   debug1: identity file /home/adasiek/.ssh/id_dsa-cert type -1
   debug1: Remote protocol version 1.99, remote software version OpenSSH_4.1
   debug1: match: OpenSSH_4.1 pat OpenSSH_4*
   debug1: Enabling compatibility mode for protocol 2.0
   debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu5
   debug2: fd 3 setting O_NONBLOCK
   debug1: SSH2_MSG_KEXINIT sent
   debug1: SSH2_MSG_KEXINIT received
   debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
   debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
   debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
   debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
   debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
   debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
   debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
   debug2: kex_parse_kexinit: zlib@openssh.com,zlib,none
   debug2: kex_parse_kexinit: 
   debug2: kex_parse_kexinit: 
   debug2: kex_parse_kexinit: first_kex_follows 0 
   debug2: kex_parse_kexinit: reserved 0 
   debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
   debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
   debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
   debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
   debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
   debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
   debug2: kex_parse_kexinit: none,zlib
   debug2: kex_parse_kexinit: none,zlib
   debug2: kex_parse_kexinit: 
   debug2: kex_parse_kexinit: 
   debug2: kex_parse_kexinit: first_kex_follows 0 
   debug2: kex_parse_kexinit: reserved 0 
   debug2: mac_setup: found hmac-md5
   debug1: kex: server->client aes128-ctr hmac-md5 zlib
   debug2: mac_setup: found hmac-md5
   debug1: kex: client->server aes128-ctr hmac-md5 zlib
   debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
   debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
   debug2: dh_gen_key: priv key bits set: 123/256
   debug2: bits set: 504/1024
   debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
   debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
   debug1: Host '192.168.6.254' is known and matches the RSA host key.
   debug1: Found key in /home/adasiek/.ssh/known_hosts:75
   debug2: bits set: 540/1024
   debug1: ssh_rsa_verify: signature correct
   debug2: kex_derive_keys
   debug2: set_newkeys: mode 1
   debug1: Enabling compression at level 6.
   debug1: SSH2_MSG_NEWKEYS sent
   debug1: expecting SSH2_MSG_NEWKEYS
   debug2: set_newkeys: mode 0
   debug1: SSH2_MSG_NEWKEYS received
   debug1: Roaming not allowed by server
   debug1: SSH2_MSG_SERVICE_REQUEST sent
   debug2: service_accept: ssh-userauth
   debug1: SSH2_MSG_SERVICE_ACCEPT received
   debug2: key: /home/adasiek/.ssh/id_rsa (0x7f2eed3ad0f0)
   debug2: key: /home/adasiek/.ssh/id_dsa ((nil))
   debug1: Authentications that can continue: publickey,keyboard-interactive
   debug1: Next authentication method: publickey
   debug1: Offering public key: /home/adasiek/.ssh/id_rsa
   debug2: we sent a publickey packet, wait for reply
   debug1: Server accepts key: pkalg ssh-rsa blen 149
   debug2: input_userauth_pk_ok: fp 07:f1:73:35:27:b4:3e:c4:a8:cb:f1:9b:bc:f5:10:a1
   debug1: read PEM private key done: type RSA
   debug1: Authentication succeeded (publickey).
   debug1: channel 0: new [client-session]
   debug2: channel 0: send open
   debug1: Entering interactive session.
   debug2: callback start
   debug2: client_session2_setup: id 0
   debug2: channel 0: request pty-req confirm 1
   debug1: Sending environment.
   debug1: Sending env LANG = pl_PL.utf8
   debug2: channel 0: request env confirm 0
   debug2: channel 0: request shell confirm 1
   debug2: fd 3 setting TCP_NODELAY
   debug2: callback done
   debug2: channel 0: open confirm rwindow 0 rmax 32768
   debug2: channel_input_status_confirm: type 99 id 0
   debug2: PTY allocation request accepted on channel 0
   debug2: channel 0: rcvd adjust 131072
   debug2: channel_input_status_confirm: type 99 id 0
   debug2: shell request accepted on channel 0
   Last login: Fri May 20 09:06:10 2011 from 192.168.6.164
   Have a lot of fun...
   serek-hurt:~ # logout
   debug2: channel 0: rcvd eof
   debug2: channel 0: output open -> drain
   debug2: channel 0: obuf empty
   debug2: channel 0: close_write
   debug2: channel 0: output drain -> closed
   debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
   debug2: channel 0: rcvd close
   debug2: channel 0: close_read
   debug2: channel 0: input open -> closed
   debug2: channel 0: almost dead
   debug2: channel 0: gc: notify user
   debug2: channel 0: gc: user detached
   debug2: channel 0: send close
   debug2: channel 0: is dead
   debug2: channel 0: garbage collecting
   debug1: channel 0: free: client-session, nchannels 1
   Connection to 192.168.6.254 closed.
   Transferred: sent 1848, received 1848 bytes, in 1.7 seconds
   Bytes per second: sent 1095.0, received 1095.0
   debug1: Exit status 0
   debug1: compress outgoing: raw data 1033, compressed 640, factor 0.62
   debug1: compress incoming: raw data 420, compressed 388, factor 0.92
   adasiek@sea-star:~$
   

Teraz pomyśl, te wszystkie informacje to tylko część tego, co w ogóle komputery wymieniają pomiędzy sobą. Jeśli chcesz, możesz odłączyć zasilanie serwera, ale jeśli chcesz, aby działał, to po prostu utrzymuj aktualne wersje oprogramowania, ewentualnie polecam pakiety w stylu http://www.fail2ban.org/wiki/index.php/Main_Page

Pozdrawiam,
Adam

[Yampress]

to jeszcze sobie zrób -vvv i wklej bo przeklejać umiesz temat nie wnosi niczego . powinien być skasowany.