Archive for the ‘Linux’ Category

Expand root filesystem using CLI parted & resize2fs

October 29, 2017

You can do all of this headless (headless means that no display is connected and you log in with ssh from another system). These are the steps to expand the root partition and file system on a Raspberry Pi running Pidora (the Fedora Remix):
– back up your system in case of a mistake!
– use “fdisk /dev/mmcblk0” to view your partitions and note the exact start sector of the root partition.
– use “parted” to delete the root partition and then recreate it with a larger size, starting at exactly the same sector (don’t worry, the data on the card remains untouched).
– reboot so the kernel picks up the new partition table.
– use “resize2fs /dev/mmcblk0p2” to enlarge the root file system; this works online, on the mounted root.
– use “df -h” to check the result.
– if you want a file system check afterwards, schedule it for the next boot (for example by creating /forcefsck) or run “e2fsck -f” from another machine with the card unmounted; do not run e2fsck on the mounted root file system.

Before you extend your root partition and filesystem you should know how big your rootfs is and how much space is available:

[root@raspi ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/root       1.6G  1.5G   53M  97% /
/dev/mmcblk0p1   50M   18M   33M  35% /boot
[root@raspi ~]#

Determine the storage devices:

[root@raspi ~]# ll /dev/mm*
brw-rw---- 1 root disk 179, 0 Jun  3 13:22 /dev/mmcblk0
brw-rw---- 1 root disk 179, 1 Jun  3 13:21 /dev/mmcblk0p1
brw-rw---- 1 root disk 179, 2 Jun  3 13:21 /dev/mmcblk0p2
[root@raspi ~] 

Check the partition table:

[root@raspi ~] fdisk /dev/mmcblk0
Welcome to fdisk (util-linux 2.22.1).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.


Command (m for help): p

Disk /dev/mmcblk0: 16.0 GB, 16012804096 bytes, 31275008 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000622ba

        Device Boot      Start         End      Blocks   Id  System
/dev/mmcblk0p1   *        2048      104447       51200    c  W95 FAT32 (LBA)
/dev/mmcblk0p2          104448     3494304     1694928+  83  Linux

Command (m for help): q

[root@raspi ~]#

So the SD card has 31275008 (16GB) sectors and the last one in use is 3494304 (1.6GB).
Print the partition table with “parted”:

[root@raspi ~]# parted /dev/mmcblk0
GNU Parted 3.1
Using /dev/mmcblk0
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) unit chs                                                         
(parted) print                                                            
Model: SD  (sd/mmc)
Disk /dev/mmcblk0: 1946,198,43
Sector size (logical/physical): 512B/512B
BIOS cylinder,head,sector geometry: 1946,255,63.  Each cylinder is 8225kB.
Partition Table: msdos
Disk Flags: 

Number  Start     End        Type     File system  Flags
 1      0,32,32   6,127,56   primary  fat16        boot, lba
 2      6,127,57  217,130,9  primary  ext4
(parted)

So the disk ends at 1946,198,43 cylinder,head,sector and the current root partition ends at 217,130,9.

Note: “fdisk” displays the partition info in 512-byte sectors, while “parted” is shown here in cylinder,head,sector geometry (each cylinder is 8225kB). CHS coordinates are only an approximation of the real sector positions, so it is safer to type “unit s” in parted and work with the exact start sector that fdisk reported (104448 here); “100%” can be given as the end to take the rest of the card.

Now remove the second partition and recreate it larger. (parted 3.2 and later also have a resizepart command that moves the end of a partition in place and avoids the rm/mkpart step; the parted 3.1 used here does not have it.)

Note: If you have a third swap or other partition that you no longer need, you can remove that one too and use its space to extend your root partition.

Removing the partition only changes the partition table, not the data. Creating a new partition writes a new start and end point into the partition table.

Be careful: if you make a mistake here, you lose the data on your root partition. The warning below is expected, because the root partition is in use; answer Ignore:

(parted) rm 2                                                             
Error: Partition(s) 2 on /dev/mmcblk0 have been written, but we have been unable to inform the kernel of the change, probably because it/they are in use.  As a result, the old partition(s) will
remain in use.  You should reboot now before making further changes.
Ignore/Cancel? i                                                          
(parted)

And check whether the partition was removed:

(parted) print                                                            
Model: SD  (sd/mmc)
Disk /dev/mmcblk0: 1946,198,43
Sector size (logical/physical): 512B/512B
BIOS cylinder,head,sector geometry: 1946,255,63.  Each cylinder is 8225kB.
Partition Table: msdos
Disk Flags: 

Number  Start    End       Type     File system  Flags
 1      0,32,32  6,127,56  primary  fat16        boot, lba

(parted) 

Now the second partition is removed. Do not reboot your system before you have created the new partition! Otherwise you lose your root file system.

The new partition must start at exactly the same position where the old root partition started, and it ends where you like. It must be at least as large as the current partition and may not exceed the end of the disk (in my case 1946,198,43). The same warning appears again; answer Ignore:

(parted) mkpart primary 6,127,57  1946,198,43
Error: Partition(s) 2 on /dev/mmcblk0 have been written, but we have been unable to inform the kernel of the change, probably because it/they are in use.  As a result, the old partition(s) will
remain in use.  You should reboot now before making further changes.
Ignore/Cancel? i                                                          
(parted)

And check whether the partition was created:

(parted) print                                                            
Model: SD  (sd/mmc)
Disk /dev/mmcblk0: 1946,198,43
Sector size (logical/physical): 512B/512B
BIOS cylinder,head,sector geometry: 1946,255,63.  Each cylinder is 8225kB.
Partition Table: msdos
Disk Flags: 

Number  Start     End          Type     File system  Flags
 1      0,32,32   6,127,56     primary  fat16        boot, lba
 2      6,127,57  1946,198,43  primary  ext4

(parted) quit                                                             
Information: You may need to update /etc/fstab.

[root@raspi ~]# 

Be careful: the kernel is not aware of the new partition size yet, and partprobe cannot re-read the table while the root partition is in use, so reboot before you do anything else.

[root@raspi ~]# reboot

Check the new partition size after the reboot:

[root@raspi ~]# fdisk /dev/mmcblk0
Welcome to fdisk (util-linux 2.22.1).

Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.


Command (m for help): p

Disk /dev/mmcblk0: 16.0 GB, 16012804096 bytes, 31275008 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x000622ba

        Device Boot      Start         End      Blocks   Id  System
/dev/mmcblk0p1   *        2048      104447       51200    c  W95 FAT32 (LBA)
/dev/mmcblk0p2          104448    31275007    15585280   83  Linux

Command (m for help): quit
[root@raspi ~]# 
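A check worth running before that reboot, as an added example that is not part of the original post: it reads the machine-readable output of parted (“parted -ms /dev/mmcblk0 unit s print”) captured before and after the rm/mkpart step and refuses the new layout unless partition 2 still starts at the same sector, is not shorter than before and does not run past the end of the card. The two captures in the script are constructed to match the numbers shown above rather than taken from a real device. It also prints the mkpart command in exact sectors that sidesteps the CHS rounding problem.

```shell
#!/bin/sh
# Added example, not from the original post.  Sanity-check the delete-and-
# recreate step using the machine-readable form of parted's print command:
#   parted -ms /dev/mmcblk0 unit s print
# Line 2 of that output describes the disk, each later line one partition:
#   number:start:end:size:filesystem:name:flags;
# BEFORE and AFTER below are CONSTRUCTED captures mirroring the post's numbers.

BEFORE='BYT;
/dev/mmcblk0:31275008s:sd/mmc:512:512:msdos:SD:;
1:2048s:104447s:102400s:fat16::boot, lba;
2:104448s:3494304s:3389857s:ext4::;'

AFTER='BYT;
/dev/mmcblk0:31275008s:sd/mmc:512:512:msdos:SD:;
1:2048s:104447s:102400s:fat16::boot, lba;
2:104448s:31275007s:31170560s:ext4::;'

# Field $3 (2 = start, 3 = end) of partition $2 in capture $1, without the "s" suffix
part_field() {
    printf '%s\n' "$1" | awk -F: -v n="$2" -v f="$3" '$1 == n { sub(/s$/, "", $f); print $f }'
}

# Total number of sectors on the disk (line 2, field 2)
disk_sectors() {
    printf '%s\n' "$1" | awk -F: 'NR == 2 { sub(/s$/, "", $2); print $2 }'
}

# Returns 0 when partition $3 in the AFTER capture ($2) is a safe replacement for
# the one in the BEFORE capture ($1); returns 1 with a reason on stderr otherwise
check_recreate() {
    old_start=$(part_field "$1" "$3" 2); old_end=$(part_field "$1" "$3" 3)
    new_start=$(part_field "$2" "$3" 2); new_end=$(part_field "$2" "$3" 3)
    last=$(( $(disk_sectors "$2") - 1 ))
    [ -n "$new_start" ] || { echo "partition $3 is missing from the new table" >&2; return 1; }
    [ "$new_start" -eq "$old_start" ] || { echo "start moved $old_start -> $new_start: the file system would be unreachable" >&2; return 1; }
    [ "$new_end" -ge "$old_end" ] || { echo "new end $new_end is before old end $old_end: the file system would be truncated" >&2; return 1; }
    [ "$new_end" -le "$last" ] || { echo "new end $new_end is past the last sector $last" >&2; return 1; }
    return 0
}

# The mkpart command that recreates partition $2 from capture $1 at its exact old
# start sector and takes the rest of the card, instead of typing CHS coordinates
mkpart_cmd() {
    printf 'parted /dev/mmcblk0 unit s mkpart primary %ss 100%%\n' "$(part_field "$1" "$2" 2)"
}

if check_recreate "$BEFORE" "$AFTER" 2; then
    echo "new layout is safe; command that produces it:"
    mkpart_cmd "$BEFORE" 2
fi
```

On the real card you would capture BEFORE with parted before “rm 2” and AFTER after “mkpart”, and only reboot when check_recreate is happy.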

Now the partition is larger, but the root file system has still the old size. Re-size the root filesystem:

[root@raspi ~]# resize2fs /dev/mmcblk0p2 
resize2fs 1.42.3 (14-May-2012)
Filesystem at /dev/mmcblk0p2 is mounted on /; on-line resizing required
old_desc_blocks = 1, new_desc_blocks = 1
The filesystem on /dev/mmcblk0p2 is now 3896320 blocks long.

[root@raspi ~]

The root file system is now extended.
The check below was then run on the mounted root file system. e2fsck itself warns that this can cause severe damage, so do not repeat it this way: schedule the check for the next boot (create /forcefsck and reboot) or check the card from another machine while it is unmounted. The session is kept here as a reference:

[root@raspi ~]# e2fsck -f /dev/mmcblk0p2
e2fsck 1.42.3 (14-May-2012)
/dev/mmcblk0p2 is mounted.  


WARNING!!!  The filesystem is mounted.   If you continue you ***WILL***
cause ***SEVERE*** filesystem damage.


Do you really want to continue<n>? yes
rootfs: recovering journal
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
Free blocks count wrong (3453563, counted=3453559).
Fix<y>? yes

rootfs: ***** FILE SYSTEM WAS MODIFIED *****
rootfs: ***** REBOOT LINUX *****
rootfs: 63775/952000 files (0.1% non-contiguous), 442761/3896320 blocks
[root@raspi ~]# 

The only complaint, a wrong free-block count in pass 5, is the typical side effect of checking a live file system whose in-memory state differs from what is on disk, not a sign of real damage; a check at boot time would have reported the file system clean.
Finally check the file system size and the available space:

[root@raspi ~]# df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/root        15G  1.5G   13G  11% /
/dev/mmcblk0p1   50M   18M   33M  35% /boot
[root@raspi ~]#

It has lots of free space available and it is ready to use.

Categories: Linux

RANCID for mass configuration changes

April 21, 2014

*This script is for RANCID only.

1) mkdir device-lists in the rancid home directory.
2) Create a file with the list of devices (one per line) and save it as syslog-changes.dl in the device-lists folder.
3) mkdir change-scripts in the rancid home directory.
4) Create a file with the changes, exactly as you would type them on the switch CLI, and save it as syslog-changes.cs in the change-scripts folder.
5) Create a file config-push.sh and save it in the etc folder under the rancid home directory.
6) Copy and paste the following script into the config-push.sh you created in step 5. The script logs in with the passwords from .cloginrc, so that file must stay readable by the rancid user only (mode 0600).
7) Command to run the script: sh config-push.sh (the script is written for bash, so use bash config-push.sh on systems where sh is not bash).

#!/usr/local/bin/bash
#
# The purpose of this script is to automate configuration changes to a
# large number of devices. The script identifies the device list, as well
# as the change script, and then pushes the changes one by one.
#

set -u   # an unset variable is an error, not an empty string

CLOGINPATH="/usr/local/rancid/bin/clogin"
CREDENTIALS="/usr/local/rancid/.cloginrc"
DEVICELISTPATH="/usr/local/rancid/device-lists/"
CHANGESCRIPTPATH="/usr/local/rancid/change-scripts/"
CHANGELOG="/usr/local/rancid/var/logs/changelog-$(date +%m-%d-%Y).log"

clear
echo "=====[ Rancid Config Push Script ]====="
echo ""
echo "Please enter the proposed device list:"
ls "$DEVICELISTPATH"
echo "--------------------------------------"
echo -n "> "
read -r DEVICELIST

# Accept only a plain file name inside the device-lists folder (no paths)
case "$DEVICELIST" in
    ""|*/*) echo "Invalid device list name. Aborting..."; exit 1 ;;
esac

if [ -f "$DEVICELISTPATH$DEVICELIST" ]
then
    echo ""
    echo "Device List = \"./device-lists/$DEVICELIST\" (confirmed)"
else
    echo ""
    echo "Device list = \"./device-lists/$DEVICELIST\" (does not exist!)"
    echo "Aborting..."
    echo ""
    exit 1
fi

echo ""
echo "Please enter name of change script:"
ls "$CHANGESCRIPTPATH" | grep -v '\.sh$' | grep -v 'device-lists'
echo "-----------------------------------"
echo -n "> "
read -r CHANGESCRIPT

case "$CHANGESCRIPT" in
    ""|*/*) echo "Invalid change script name. Aborting..."; exit 1 ;;
esac

if [ -f "$CHANGESCRIPTPATH$CHANGESCRIPT" ]
then
    echo ""
    echo "Change Script = \"./change-scripts/$CHANGESCRIPT\" (confirmed)"
    echo ""
else
    echo "Change Script = \"./change-scripts/$CHANGESCRIPT\" (does not exist!)"
    echo "Aborting..."
    echo ""
    exit 1
fi

echo "-- Proposed Changes --"
cat "$CHANGESCRIPTPATH$CHANGESCRIPT"
echo "-- Proposed Changes --"
echo ""
echo "Are you sure you want to proceed? If so, type \"yes\":"
echo -n "> "
read -r AREYOUSURE

# Quoted, so an empty answer aborts instead of breaking the test
if [ "$AREYOUSURE" != "yes" ]
then
    echo ""
    echo "Aborting..."
    echo ""
    exit 1
else
    echo ""
    echo "Implementing Changes..."
    echo ""
fi

# The change log may contain device output (prompts, config fragments):
# create it readable by the rancid user only
umask 077

for DEVICE in $(cat "$DEVICELISTPATH$DEVICELIST")
do
    echo "===[ $DEVICE ]==="
    {
        echo ""
        echo "===[ $DEVICE ]==="
        echo ""
        # -x plays the change script on the device; stderr is kept too so
        # login failures end up in the log next to the device name
        "$CLOGINPATH" -f "$CREDENTIALS" -x "$CHANGESCRIPTPATH$CHANGESCRIPT" "$DEVICE" 2>&1
    } >> "$CHANGELOG"
done

Categories: Cisco, Linux, Switch

CentOS ddclient

January 21, 2014

Install ddclient:

# yum install ddclient

Configuration /etc/ddclient.conf

daemon=3600
ssl=yes
use=web, web=checkip.dyndns.org/, web-skip='IP Address'
protocol=dyndns2
login=[dyndns username]
password=[dyndns password]
server=members.dyndns.org
myhostname.dyndns.org

Enable ddclient at boot (keep /etc/ddclient.conf readable by root only, mode 0600, since it holds the DynDNS password):

# chkconfig ddclient on

File location:

Cache file: /var/cache/ddclient/ddclient.cache
PID file: /var/run/ddclient/ddclient.pid
ddclient log file: grep ddclient /var/log/messages

Categories: Linux

CentOS custom 404 page

January 13, 2014

Edit httpd.conf and add (or uncomment) the directive:

ErrorDocument 404 /404.html

Create the 404.html file in the DocumentRoot (/var/www/html by default on CentOS; the path given to ErrorDocument is a URL relative to DocumentRoot), then restart the httpd service.

Categories: Linux

Linux Add User To Existing Group

January 8, 2014

Add the existing user tony to the existing ftp group (-a appends, so the user keeps his other groups):
# usermod -a -G ftp tony

Show the groups a user belongs to:
# groups tony

Remove a user from a group: without -a, the -G list replaces all supplementary groups of the user, so name every group the user should keep.
# usermod -G {group1-to-keep},{group2-to-keep} {username}

Categories: Linux

OpenSSH Server Best Security Practices

December 19, 2013

#1: Only Use SSH Protocol 2

SSH protocol version 1 (SSH-1) is vulnerable to man-in-the-middle and other attacks. SSH-1 is obsolete and should be avoided at all cost. Open the sshd_config file and make sure the following line exists (on OpenSSH 7.4 and later the server no longer speaks SSH-1 at all, and the Protocol directive is only accepted for backward compatibility):

Protocol 2

#2: Limit Users’ SSH Access

By default every system user can log in via SSH using a password or public key. Sometimes you create a UNIX / Linux user account only for FTP or e-mail purposes, yet that user can also log in to the system via SSH and gets full access to system tools, including compilers and scripting languages such as Perl and Python, which can open network ports and do many other things. One of my clients had a really outdated PHP script and an attacker was able to create a new account on the system via that script. However, the attacker failed to get into the box via SSH because the account wasn’t in AllowUsers.

To allow only the root, vivek and jerry users to use the system via SSH, add the following to sshd_config:

AllowUsers root vivek jerry

Alternatively, you can allow all users to login via SSH but deny only a few users, with the following line:

DenyUsers saroj anjali foo

You can also use Linux PAM to allow or deny logins through the sshd server, for example by listing group names that are allowed or denied access.

#3: Configure Idle Log Out Timeout Interval

Users log in to the server via SSH, and you can set a timeout so that dead or abandoned sessions do not stay open. Open sshd_config and make sure the following values are configured:

ClientAliveInterval 300
ClientAliveCountMax 0

ClientAliveInterval is the number of seconds of silence after which sshd sends a keep-alive request through the encrypted channel (300 seconds = 5 minutes), and ClientAliveCountMax is how many unanswered requests sshd tolerates before it drops the connection. Be aware of what this does and does not do: an SSH client answers these requests automatically whether or not the user is typing, so the settings only detect dead or hung connections; they do not log out an idle user who is still connected. For a real idle logout set the shell’s inactivity timeout (TMOUT for bash), as described in the article on automatically logging BASH / TCSH / SSH users out after a period of inactivity. Also note that current OpenSSH releases document ClientAliveCountMax 0 as disabling connection termination altogether, so use 1 or more there.

#4: Disable .rhosts Files

Don’t read the user’s ~/.rhosts and ~/.shosts files. Update sshd_config with the following settings:

IgnoreRhosts yes

SSH can emulate the behaviour of the obsolete rsh command; this just disables that insecure rsh-style trusted-host access.

#5: Disable Host-Based Authentication

To disable host-based authentication, update sshd_config with the following option:

HostbasedAuthentication no

#6: Disable root Login via SSH

There is no need to log in as root via SSH over a network. Normal users can use su or sudo (recommended) to gain root-level access. This also makes sure you get full auditing information about who ran privileged commands on the system via sudo. To disable root login via SSH, update sshd_config with the following line (root then no longer needs to appear in the AllowUsers list from #2):

PermitRootLogin no

However, bob made an excellent point:

Saying “don’t login as root” is h******t. It stems from the days when people sniffed the first packets of sessions, so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreased the chance you got spoofed as to your telnet host target. You’d get your password spoofed but not root’s pw. Gimme a break. This is 2005 – we have ssh, used properly it’s secure. Used improperly, none of this 1989 will make a damn bit of difference. -Bob

#7: Enable a Warning Banner

Set a warning banner by updating sshd_config with the following line:

Banner /etc/issue

Sample /etc/issue file:

----------------------------------------------------------------------------------------------
You are accessing a XYZ Government (XYZG) Information System (IS) that is provided for authorized use only.
By using this IS (which includes any device attached to this IS), you consent to the following conditions:
+ The XYZG routinely intercepts and monitors communications on this IS for purposes including, but not limited to,
penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM),
law enforcement (LE), and counterintelligence (CI) investigations.
+ At any time, the XYZG may inspect and seize data stored on this IS.
+ Communications using, or data stored on, this IS are not private, are subject to routine monitoring,
interception, and search, and may be disclosed or used for any XYZG authorized purpose.
+ This IS includes security measures (e.g., authentication and access controls) to protect XYZG interests--not
for your personal benefit or privacy.
+ Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching
or monitoring of the content of privileged communications, or work product, related to personal representation
or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work
product are private and confidential. See User Agreement for details.
----------------------------------------------------------------------------------------------

The above is a standard sample; consult your legal team for the exact user agreement and legal notice details.

#8: Firewall SSH Port # 22

You need to firewall SSH port 22 by updating your iptables or pf configuration. Usually the OpenSSH server should only accept connections from your LAN or from a few known remote WAN sites.

Netfilter (Iptables) Configuration

Update /etc/sysconfig/iptables (Redhat and friends specific file) to accept connection only from 192.168.1.0/24 and 202.54.1.5/29, enter:

-A RH-Firewall-1-INPUT -s 192.168.1.0/24 -m state --state NEW -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -s 202.54.1.5/29 -m state --state NEW -p tcp --dport 22 -j ACCEPT

If you’ve dual stacked sshd with IPv6, edit /etc/sysconfig/ip6tables (Redhat and friends specific file), enter:

-A RH-Firewall-1-INPUT -s ipv6network::/ipv6mask -p tcp -m tcp --dport 22 -j ACCEPT

Replace ipv6network::/ipv6mask with actual IPv6 ranges.

*BSD PF Firewall Configuration

If you are using PF firewall update /etc/pf.conf as follows:

pass in on $ext_if inet proto tcp from {192.168.1.0/24, 202.54.1.5/29} to $ssh_server_ip port ssh flags S/SA synproxy state

#9: Change SSH Port and Limit IP Binding

By default SSH listens on all available interfaces and IP addresses of the system. Limit the port binding and change the SSH port (by default brute-forcing scripts only try to connect to port 22; this is obscurity rather than protection, but it cuts down the log noise). To bind to the 192.168.1.5 and 202.54.1.5 IPs and to port 300, add or correct the following lines:

Port 300
ListenAddress 192.168.1.5
ListenAddress 202.54.1.5

A better approach is to use proactive tools such as fail2ban or denyhosts (see below).

#11: Use Public Key Based Authentication

Use a public/private key pair with a passphrase protecting the private key. See how to use RSA and DSA key based authentication; note that DSA keys are disabled by default since OpenSSH 7.0, so on current systems generate Ed25519 or RSA keys instead. Never use a passphrase-free key for logins.

#12: Use Keychain Based Authentication

keychain is a special bash script designed to make key-based authentication incredibly convenient and flexible. It offers various security benefits over passphrase-free keys. See how to setup and use keychain software.

#13: Chroot SSHD (Lock Down Users To Their Home Directories)

By default users are allowed to browse server directories such as /etc/, /bin and so on. You can protect SSH using an OS-based chroot or special tools such as rssh. Since the release of OpenSSH 4.8p1 / 4.9p1 you no longer have to rely on third-party hacks such as rssh or complicated chroot(1) setups to lock users into their home directories. See this blog post about the ChrootDirectory directive to lock down users to their home directories.

#14: Use TCP Wrappers

TCP Wrapper is a host-based networking ACL system used to filter network access to Internet services. OpenSSH supported TCP wrappers up to 6.6; portable OpenSSH 6.7 dropped tcp_wrappers support, so on newer servers use the firewall rules above or sshd’s own AllowUsers / Match directives instead. On an older server, update your /etc/hosts.allow file as follows to allow SSH only from 192.168.1.2 and 172.16.23.12:

sshd : 192.168.1.2 172.16.23.12

See this FAQ about setting and using TCP wrappers under Linux / Mac OS X and UNIX like operating systems.

#15: Disable Empty Passwords

You need to explicitly disallow remote login from accounts with empty passwords, update sshd_config with the following line:

PermitEmptyPasswords no

#16: Thwart SSH Crackers (Brute Force Attack)

Brute force is a method of defeating a cryptographic scheme by trying a large number of possibilities, using a single computer or a distributed network. To prevent brute force attacks against SSH, use software such as the following:

  • DenyHosts is a Python based security tool for SSH servers. It is intended to prevent brute force attacks on SSH servers by monitoring invalid login attempts in the authentication log and blocking the originating IP addresses.
  • Explains how to setup DenyHosts under RHEL / Fedora and CentOS Linux.
  • Fail2ban is a similar program that prevents brute force attacks against SSH.
  • security/sshguard-pf protect hosts from brute force attacks against ssh and other services using pf.
  • security/sshguard-ipfw protect hosts from brute force attacks against ssh and other services using ipfw.
  • security/sshguard-ipfilter protect hosts from brute force attacks against ssh and other services using ipfilter.
  • security/sshblock block abusive SSH login attempts.
  • security/sshit checks for SSH/FTP bruteforce and blocks given IPs.
  • BlockHosts Automatic blocking of abusive IP hosts.
  • Blacklist Get rid of those bruteforce attempts.
  • Brute Force Detection A modular shell script for parsing application logs and checking for authentication failures. It does this using a rules system where application specific options are stored including regular expressions for each unique auth format.
  • IPQ BDB filter May be considered as a fail2ban lite.

#17: Rate-limit Incoming Port # 22 Connections

Both netfilter and pf provide a rate-limit option to perform simple throttling of incoming connections on port 22.

Iptables Example

The following example will drop incoming connections which make more than 5 connection attempts upon port 22 within 60 seconds:

#!/bin/bash
IPT=/sbin/iptables
inet_if=eth1
ssh_port=22
# Both rules are inserted at the top with -I, so the DROP check ends up above
# the --set rule: a source that already made 5 new connections within the last
# 60 seconds is dropped, otherwise the new connection is recorded
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP

Call the above script from your iptables script. Another option (this only accepts a limited number of new connections per minute, so a DROP policy or a later DROP rule on the INPUT chain is needed for the excess to be refused):

$IPT -A INPUT  -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
$IPT -A INPUT  -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
# another one line example
# $IPT -A INPUT -i ${inet_if} -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 5 -j ACCEPT

See iptables man page for more details.

*BSD PF Example

The following limits the maximum number of connections per source to 20 and rate-limits the number of new connections to 15 in a 5-second span. Any host that breaks these rules is added to the abusive_ips table and blocked from making any further connections. Finally, the flush keyword kills all states created by the matching rule that originate from the host exceeding these limits.

sshd_server_ip="202.54.1.5"
table <abusive_ips> persist
block in quick from <abusive_ips>
pass in on $ext_if proto tcp to $sshd_server_ip port ssh flags S/SA keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <abusive_ips> flush)

#18: Use Port Knocking

Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A sample port Knocking example for ssh using iptables:

$IPT -N stage1
$IPT -A stage1 -m recent --remove --name knock
$IPT -A stage1 -p tcp --dport 3456 -m recent --set --name knock2

$IPT -N stage2
$IPT -A stage2 -m recent --remove --name knock2
$IPT -A stage2 -p tcp --dport 2345 -m recent --set --name heaven

$IPT -N door
$IPT -A door -m recent --rcheck --seconds 5 --name knock2 -j stage2
$IPT -A door -m recent --rcheck --seconds 5 --name knock -j stage1
$IPT -A door -p tcp --dport 1234 -m recent --set --name knock

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name heaven -j ACCEPT
$IPT -A INPUT -p tcp --syn -j door

The knock sequence is therefore 1234, 3456, 2345, each within 5 seconds of the previous one, followed within 5 seconds by the real connection to port 22; the INPUT chain needs a DROP policy for anything else to be refused.

  • fwknop is an implementation that combines port knocking and passive OS fingerprinting.
  • Multiple-port knocking Netfilter/IPtables only implementation.

#19: Use Log Analyzer

Read your logs using logwatch or logcheck. These tools make log reading easier: they go through the logs for a given period of time and produce a report on the areas you choose with the detail you want. Make sure LogLevel is set to INFO or VERBOSE in sshd_config (VERBOSE additionally logs the fingerprint of the key used to log in; DEBUG is very noisy and the sshd manual warns that it violates user privacy):

LogLevel INFO

#20: Patch OpenSSH and Operating Systems

It is recommended that you use tools such as yum, apt-get, freebsd-update and others to keep systems up to date with the latest security patches.

Other Options

There is no configuration option that hides the OpenSSH version string; to hide it you would have to patch the source code and rebuild OpenSSH. Make sure the following options are enabled in sshd_config:

#  Turn on privilege separation (always on since OpenSSH 7.5, where the option was removed)
UsePrivilegeSeparation yes
# Prevent the use of insecure home directory and key file permissions
StrictModes yes
# Turn on reverse name checking (old spelling; current releases call this "UseDNS yes",
# and it only logs a warning on mismatch, it does not refuse the login)
VerifyReverseMapping yes
# Do you need port forwarding?
AllowTcpForwarding no
X11Forwarding no
#  Specifies whether password authentication is allowed.  The default is yes.
PasswordAuthentication no

Verify your sshd_config file before restarting / reloading changes:
# /usr/sbin/sshd -t

OR
# sshd -t
Output:

/etc/ssh/sshd_config: line 26: Bad configuration option: PermitRootLogins
/etc/ssh/sshd_config: terminating, 1 bad configuration options

If there is error, it will show on screen. Otherwise it will not display any message:
$ sudo /usr/sbin/sshd -t
$ echo $?
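The sshd_config directives from the sections above, collected into one check as an added example that is not part of the original article: a small shell audit that reads a sshd_config text and reports every directive whose effective value deviates from the hardened setting. It applies the rule that sshd uses the first occurrence of a directive and ignores any later one, which is what bites when a “PermitRootLogin no” is appended to the end of a file that already says “PermitRootLogin yes” further up. Both configuration samples in the script are constructed for the example, and the list of checked directives and expected values is my selection of the settings recommended on this page. The parser ignores Match blocks and the “Key=value” spelling, so on a live host cross-check with “sshd -T”, which prints the configuration sshd actually uses.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config against the
# hardened values recommended above.  sshd takes the FIRST value it sees for a
# directive, so a permissive line near the top wins over a hardened line at the
# bottom.  Both samples are CONSTRUCTED; Match blocks and "Key=value" syntax
# are not handled (use "sshd -T" on a real host for the effective config).

WEAK='# constructed: a typical distribution default with a late fix appended
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
X11Forwarding yes
# the line below is ignored by sshd because PermitRootLogin was already set
PermitRootLogin no'

HARDENED='# constructed: the settings recommended in this article
Port 300
ListenAddress 192.168.1.5
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
IgnoreRhosts yes
HostbasedAuthentication no
AllowTcpForwarding no
X11Forwarding no
StrictModes yes
LogLevel INFO'

# Effective value of directive $2 in config text $1: the first non-comment line
# whose keyword matches case-insensitively; prints nothing if the directive is absent
effective() {
    printf '%s\n' "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == k { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; exit }'
}

# Prints "Directive expected X got Y" for every deviation in config text $1 and
# returns 0 only when there is none.  An absent directive counts as a deviation
# because the built-in default depends on the OpenSSH version.
audit() {
    bad=0
    for pair in PermitRootLogin=no PasswordAuthentication=no PermitEmptyPasswords=no \
                IgnoreRhosts=yes HostbasedAuthentication=no X11Forwarding=no \
                AllowTcpForwarding=no StrictModes=yes; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(effective "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            printf '%s expected %s got %s\n' "$key" "$want" "${got:-(unset)}"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

echo "== weak config =="
audit "$WEAK" || echo "-> not hardened"
echo "== hardened config =="
audit "$HARDENED" && echo "-> no deviations"
```

To run it against a real file, replace the constructed text with "$(cat /etc/ssh/sshd_config)"; the exit status of audit makes it usable from a deployment check.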

Tighter SSH security with two-factor or three-factor (or more) authentication.

Source

Categories: Linux

SSH one-liner PermitRootLogin

December 17, 2013

# sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config

This substitution only touches a line that literally reads “PermitRootLogin yes”. If the directive is commented out (“#PermitRootLogin yes”, the usual distribution default), the result is a still-commented “#PermitRootLogin no” and the built-in default stays in force; if the line is absent nothing changes at all. Verify the effective value afterwards with “sshd -T | grep -i permitrootlogin” rather than trusting the edit. From the sed manual:

s/regexp/replacement/
Attempt to match regexp against the pattern space. If successful, replace that portion matched with replacement. The replacement may contain the special character & to refer to that portion of the pattern space which matched, and the special escapes \1 through \9 to refer to the corresponding matching sub-expressions in the regexp.
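A more robust version of the same edit, as an added example that is not part of the original post: it rewrites the first active occurrence of the directive (the one sshd honours), comments out any later active duplicates, leaves already-commented lines alone and appends the directive when it is missing. It writes back over the original file instead of renaming a temporary one, so the owner and mode of sshd_config are preserved. The demo function builds a constructed sample file in a temporary location; the directive name and value are arguments, so the same function serves for any other sshd_config setting.

```shell
#!/bin/sh
# Added example, not from the original post: set an sshd_config directive so that
# the value sshd actually uses changes, whatever the file looked like before.
# sshd honours the FIRST active occurrence of a directive, so that line is
# rewritten, later active duplicates are commented out, already-commented lines
# are left alone, and the directive is appended if it is absent.

set_directive() {   # $1 = path to sshd_config, $2 = directive, $3 = new value
    tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        BEGIN { kl = tolower(k); done = 0 }
        !/^[ \t]*#/ && tolower($1) == kl {
            if (!done) { print k " " v; done = 1 } else { print "# " $0 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat, not mv: keeps owner and mode of $1
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Builds a CONSTRUCTED sample config in a temporary file, applies two edits and
# prints the path of the result (the caller removes the file)
demo() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample sshd_config' \
                  '#PermitRootLogin yes' \
                  'PermitRootLogin yes' \
                  'Port 22' \
                  'PermitRootLogin without-password' > "$f"
    set_directive "$f" PermitRootLogin no
    set_directive "$f" PasswordAuthentication no
    printf '%s\n' "$f"
}

f=$(demo)
cat "$f"
rm -f "$f"
```

On a real host call set_directive /etc/ssh/sshd_config PermitRootLogin no, then run sshd -t before reloading the service.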

Categories: Linux