CN8822

Assignment #2

2

Assignment 2 – Secure Remote administration and firewalls ________________________________ 3

Part1 _____________________________________________________________________________ 3

Objective: To Study the concepts of remotely administering a server using ssh.__________________ 3

Public-key authentication should be used for the root user __________________________________ 9

Part II-Objective: To study the concepts of ssh port forwarding._____________________________ 12

Part III -Objective: Firewall using IPTABLES ______________________________________________ 17

References ________________________________________________________________________ 21

CN8822

Assignment #2

3

Assignment 2 – Secure Remote administration and firewalls

Part1

Objective: To Study the concepts of remotely administering a server using ssh.1)You are to secure a Linux server by restricting remote root access by running a separate sshd daemon.Make the necessary changes to have the newly configured sshd daemon comply with following restrictions:

1. Daemon must start on all run levels, i.e. 23452. root should have remote access to this server using new sshd daemon and no others.3. All others should be accessing the server using the existing sshd daemon; again root should not be toaccess this sshd daemon.4. Public-key authentication should be used for the root user5. Feel free to add any configuration directives to further secure the ssh daemon

Explanation:There is one SSH daemon runs by default to provide the ssh service on the default port 22. To have aseparate SSH daemon we need to have separate run level and configuration files, and to isolate bothdaemons to work independently we copied binary file with different name .This was achieved by following these steps.1) Copy sshd binary file with new name sshd_root with the –p option to retain same rights.

2) Copy sshd_config file with new name and make necessary changes to have separate keys forRoot user and normal user, have separate pid file, separate port, separate Login Rules, theseRules are highlighted in the file

CN8822

Assignment #2

4

Also have a separate PID file

CN8822

Assignment #2

5

Here is the changes which have made in the sshd_root config file and we have highlighted them.

CN8822

Assignment #2

6

3) Have separate init scripts for sshd daemon and sshd_root daemon, we have highlighted theChanges in both files .In the ssh script file we have pointed to correct config file

Also changed the pid file name to new pid file all the corresponding functions.

Similar changes were made in the ssh_root init script and we have highlighted them , mostimportant change was to point to new binary sshd_root in the /usr/bin directory.

Next change is point to right config file.

CN8822

Assignment #2

7

3rd change was to have separate pid file as shown

After all these changes we were able to successfully register the ssh_root as a separate daemon atthe specified runlevels which is 2345 by using debian service register toolWe can verify this by checking at the soft links at the rc startup level.

After All these changes we were able to start/stop these two daemon separately and verified thelogin Rules.Here is the screenprint of separate pid files.

CN8822

Assignment #2

8

We restarted the server and two daemons started independently.We tried to login as root on port 22 it failed

Where as normal user login was successful.

Similarly root login was successful at port 2501 and normal user failed on this port.

CN8822

Assignment #2

9

Login as root was successful using port 2501 as shown.

From this we were able to confirm that our two ssh daemon are working as expected in ourAssignment.Public-key authentication should be used for the root userFor the Public Key Authentication we used two machines with IP 192.168.56.101 as Server AAnd 192.168.56.102 as Server B and we were able to login with password.Here is the steps we had followed.1) Create a key for root user

CN8822

Assignment #2

10

2) Copy key to 192.168.56.102 using ssh-copy which copied the key to authorized directoy andLogin to 192.168.56.102, login was successful without prompting for Password.

CN8822

Assignment #2

11

CN8822

Assignment #2

12

Part II-Objective: To study the concepts of ssh port forwarding.

SSH tunnels can be created in several ways using different kinds of port forwardingmechanisms. Ports can be forwarded in three ways.1) Local port forwarding2) Remote port forwarding3) Dynamic port forwardingPort forwarding or port mapping is a name given to the combined technique of1) translating the address and/or port number of a packet to a new destination2) possibly accepting such packet(s) in a packet filter(firewall)3 ) forwarding the packet according to the routing table.

To illustrate Port Forwarding Example we have used Local port Forwarding.We have Two Servers A(192.168.56.101) and B (192.168.56.102) both have Apache runningOne Machine has default Apache test Page which we will treat as Client and Second Machine hasOur Custom Page as shown below.

CN8822

Assignment #2

13

This Machine we will treat as Server with IP 192.168.56.101 and Client one IP is192.168.56.102 and Apache Page is

We will use Local Port Forwarding on Client to Display the server Apache pageTo achieve this we will use SSH Local forwarding.

CN8822

Assignment #2

14

SSH Local forwarding Syntax isssh -L <local-port-to-listen>:<remote-host>:<remote-port> <gateway>In our case we have decided to use Local port 4500 to listen to remote server port 80 using Remoteserver as gateway.ssh –L 4500:192.168.56.101:80 root@192.168.56.101

Once we are logged into to Server 192.168.56.101, we will be listening port 80 traffic of this box to192.168.56.102, 4500 port.We can confirm this by netstat

CN8822

Assignment #2

15

192.168.56.102 port 4500 is opened as local host; we will access this from the box itself

CN8822

Assignment #2

16

This confirms our configuration of Local port forwarding.

CN8822

Assignment #2

17

Part III -Objective: Firewall using IPTABLES

Firewall implementation using iptables. You are to setup theAppropriate iptables rules to accomplish the following:1. Using the same VM running the newly configured sshd daemon From Part I; setup a default-denypolicy to drop all inbound Traffic.2. Only allow inbound traffic to both sshd ports, port 22 for public Access and privileged port forroot access. Note: Privileged Port is something you choose in Part I when new daemon wasConfigured.3. Only allow a trusted network or net-block to access the privileged sshd port.4. Log all other dropped packetsExplanationsFirewalls are used to block unauthorized access to Network. All Linux Flavors provide basicfirewall in the kernel “IPTABLES” which can be used to provide simple IPv4 and IPV6 packetfiltering and Network Address Translation.IP Table provided three set of Rules, knows as chains, which are IPUT CHAIN, Forward Chain andOUT PUT CHAIN.Diagram Below shows high Level IP Packet Filtering in the “ IP Tables”

CN8822

Assignment #2

18

Our Assignment requirement is to Implement Basic IP table Rules at the INPUT chainWe have implemented the Rules by following commands

manglePREROUTING

natPREROUTING

filterINPUT

filterOUTPUT

natPOSTROUTING

filterFORWARD

MangleOUTPUT

route

LocalProcess

Network

Network

CN8822

Assignment #2

19

Since IPTABLE Rules are sequential we have to be careful to have DROP Rule at the End ofThe Rules.We can verify our Rules by following Command.

Checked active ports on server

Using TCP dump to see the traffic on these ports.

CN8822

Assignment #2

20

CN8822

Assignment #2

21

References

http://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/Class Noteswww.uniforum.chi.il.us/slides/iptables_talk2/iptables_talk2.ppthttp://ubuntuforums.org/showthread.php?t=1497376http://fixunix.com/ssh/364505-running-multiple-sshd-instances-one-server.html