# SSH and dealing with linux firewalls

## legit

Hey all,

So I'm getting ready to set up an SSH server on my Gentoo machine (mainly for tunneling/port forwarding) and had some questions. First off, are there any good articles on how to properly set up an ssh server on Linux/Gentoo? Secondly, since ssh will be constantly listening I figured it would probably be a good idea to have a firewall running, so what are some good *nix firewalls (free) and are there any good articles on how to properly set these up?

thanks

- legit

btw, I don't know if this matters, but the connection to my machine is not wireless, it is only wired.

----------

## 1clue

Oh, dang.

Setting up ssh might already be done.  I don't remember specifically asking for it but it's there; I do remember setting the server up to start automatically.  The package is net-misc/openssh.  Starting automatically would be rc-update add sshd default.

You definitely want to turn off ssh access from outside your LAN.  The vast majority of intrusion attempts I've detected over the past 5 years are ssh related, and one of them got through.  There's a firewall built into your kernel, if you turned it on when you compiled it.  I recommend looking at the security documentation.  You'll be starting from scratch, so take it as slow as you need; the topic of security is the sole responsibility of a good many people, so there's a lot to know.

Start at http://www.gentoo.org/doc/en/list.xml and search on "security" in the page.  Look for something that makes sense to you, and if that doesn't work try the same thing at http://www.tldp.org/guides.html.  Some of these documents show links for further information.

Good luck.

----------

## Jfr0

Lots of people use IPtables for a firewall. Also I agree with 1clue that you should look over the security guide.  It has some specific instructions for using SSH securely.

----------

## 1clue

I hate to say it, you're probably thinking much like any other newbie to security.  You want a nice, concise list of steps to take to make your system secure.

There IS such a list, actually several of them.  The only thing is, the number of steps to take is larger than you might hope for, and in order to be sure of what you're doing, the number of things you need to understand is fairly large.  The key problem with security is people going through the motions that they don't understand, and then making one tiny mistake that becomes the route through which your network is compromised.

I do not consider myself to be a security expert, or even a gifted amateur.  I've read through some of the stuff and am working my way through more as time goes on.  There is a quick list you can follow that will at least pull the red carpet back in, and that will probably give you time to learn more.

----------

## legit

You're right 1clue, I am looking for a quick list, although as a computer science major I am definitely looking to learn more.  Is the list you mentioned a published list or just a standard sort of thing?  Could you link the list if it is published? And could you possibly suggest some good titles to read on the subject?

thanks for the insight

- legit

----------

## 1clue

I think it's called the security howto.  It's on the gentoo documentation page I linked to above, and on the second link as well.

It's in every distribution's best interest to draw attention to security.

They will point out pretty much the same things I mentioned though, which is that just going through the motions might make your system more secure but that without understanding what it is you do you can negate any advances by leaving something open.

----------

## nobspangle

Installing/Securing ssh is easy.

The server is already installed, you just need to start it and add it to the default runlevel as 1clue mentioned above.

1. Disable root logins

2. Change the port to something above 10000

3. If possible disable password logins and use keys instead.

4. Don't have any stupid accounts (test, guest etc.)

The linux firewall is iptables, there are a few good packages that make the iptables configuration easier I like shorewall (it's in portage).

You don't really need a firewall unless

a) your gentoo box is connected directly to the internet (not via a nat router)

b) you are very paranoid

----------

## 1clue

5.  Don't have any trivial passwords

6.  Require passwords for access using sudo, or just don't have sudo installed.

...

c) You feel comfortable reinstalling your box when you get hacked.

----------

## zimzum

You can set the default system-wide options for your ssh server in the file /etc/ssh/sshd_config

If you're planning on using the machine as a firewall, it is generally advisable to not have remote access to it, or any open ports.  Assuming you want to run sshd no matter what, emerge openssh and then edit the sshd_config file.  Be sure to uncomment and enable the lines below.  At minimum, you should adjust the following lines:

```
#Port 22
#ListenAddress 0.0.0.0
#PermitRootLogin yes
#UsePrivilegeSeparation yes
#AllowTcpForwarding yes
```

Remove the '#' from each one.  Set the port to something well out of the way, as TCP bruteforcing of ssh has become a rather common attack lately.  Running ssh on the default port is asking for a lot of unwanted attention.  For ssh access over your LAN you might make these changes:

```
Port 9099
ListenAddress 192.168.1.14
PermitRootLogin no
UsePrivilegeSeparation yes
AllowTcpForwarding yes
```

Additionally you can set sshd to only allow logins from specific users or groups using 2 different directives in the sshd_config file.  In the example below, we allow the user webadmin and the group shellusers (gid 666):

```
# groupadd -g 666 shellusers                # create the group
# usermod -g users -G shellusers someuser   # set someuser as a member of shellusers
#   (note: -G replaces the existing supplementary groups; add -a to append instead)
```

now we modify the config file as follows:

```
# echo "AllowGroups shellusers" >> /etc/ssh/sshd_config
# echo "AllowUsers webadmin" >> /etc/ssh/sshd_config
```

The AllowUsers and AllowGroups lines are space-delimited lists.  Users can also be designated by user@host if desired.  For more information on setting up the server's config file, view the sshd_config manpage.

Once you've completed the config you can simply run rc-update add sshd default and sshd will start at boot using the system-wide server config with your settings.  As for firewalling, if sshd is the only access you're allowing, you might use iptables with stateful packet inspection.  This example requires that you have the STATE and LOG modules available or compiled into your kernel:

```
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp -s x.x.x.x -d y.y.y.y --destination-port zzzzz -m state --state NEW -j ACCEPT
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
```

where -s x.x.x.x only needs to be given if you want to use iptables to limit where users can connect from,

where -d y.y.y.y is the listening IP of the ssh server, and

where --destination-port zzzzz is the port sshd is listening on.

The -P directives set the default policy to DROP, which will cause traffic without an explicit ACCEPT line to be filtered by the kernel.  At the same time, traffic initiated from the machine itself will be allowed outbound, then it will "get state" established, and be allowed back in synchronously.  I will not describe the concept of a state machine here as it's beyond the scope of this post.

Optionally, you can log dropped packets and view them live in /var/log/messages by adding the following line as the last entry in your iptables firewall rules:

```
# iptables -A INPUT -j LOG --log-prefix 'IPT dropped:' --log-level 7
```

Obviously there are many more things you can do to improve the security of openssh, but limiting connectivity in the first place is a good place to start.

As for tunneling outbound, one idea is to set up an ssh server of your own, listening on a port that is reserved for an acceptable protocol on your network, and which is also normally SSL encrypted.  An example might be pop3s (port 995).  When you establish the tunnel, it opens a port on the machine you execute the ssh client on.  This port will be "forwarded" over the ssh connection to an IP and port you specify, via the ssh server's outbound traffic.  So the port will go:

client->ssh_tunnel->ssh_server->tunnel_destination

Let's say a firewall restricts most outbound connections, but allows pop3s.  You might ssh into your server and open a tunnel to a vnc session it's running on its LAN IP interface, to use your own computer.  The command with openssh's client would be:

```
ssh -2 -l someuser -L8888:192.168.1.14:5900 -p 995 ip.of.ssh.server
```

Now port 8888 on the machine the ssh client was run from will have an encrypted tunnel via port 995 to the vnc session on the ssh server, which is listening on its LAN interface.  Once the tunnel is established, the user on the ssh client machine can simply open their favorite vnc client and connect to 127.0.0.1 on port 8888.

-zim
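As an added example (not zim's code or anything posted in this thread), a small Python checker that reads a sshd_config the way sshd does and reports which of the settings recommended above (root login off, keys instead of passwords, non-default port, AllowUsers/AllowGroups, LAN-only ListenAddress) are still missing; the two sample configs are constructed for the demonstration.

```python
import re
# sshd keywords are case-insensitive and, for most of them, the FIRST occurrence
# wins; a leading '#' makes a line a comment, so "#PermitRootLogin yes" sets
# nothing.  Directives after a "Match" header are conditional, not global.
def parse_sshd_config(text):
    """Return {keyword_lower: first_value} for the global (pre-Match) section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)[\s=]+(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit_sshd_config(text):
    """Check the thread's recommendations; return a list of finding strings."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    if cfg.get("passwordauthentication", "").lower() != "no":
        findings.append("PasswordAuthentication is not 'no' (use keys instead)")
    port = cfg.get("port")  # only the first Port line is examined here
    if port is None or not port.isdigit() or int(port) == 22:
        findings.append("Port is 22 or left at the default")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups restriction")
    if cfg.get("listenaddress", "0.0.0.0") in ("0.0.0.0", "::"):
        findings.append("ListenAddress binds every interface, not just the LAN")
    return findings

# Constructed sample: a stock file with the key lines still commented out.
STOCK_CONFIG = "#Port 22\n#ListenAddress 0.0.0.0\n#PermitRootLogin yes\n"
# Constructed sample: the thread's LAN-only settings plus key-only logins; the
# Match block re-enables passwords for one user but must not count as global.
HARDENED_CONFIG = """\
Port 9099
ListenAddress 192.168.1.14
PermitRootLogin no
PasswordAuthentication no
AllowGroups shellusers
Match User backup
    PasswordAuthentication yes
"""
```

Run audit_sshd_config() on the contents of /etc/ssh/sshd_config; an empty list means all five checks pass.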

----------

