====== Securing sftp/scp - by PerS ======

===== Introduction =====

This how-to will show you how to create a public ((By public I mean a common login area for all users, mimicking a public ftp site. If you'd like to create a per-user chrooted environment, you should take a closer look at the [[http://olivier.sessink.nl/jailkit/howtos_sftp_scp_only.html|sftp/scp how-to at Jailkit]].)) chrooted environment for sftp/scp. It will also show you how to protect your ssh server from brute-force attacks.

===== Prerequisite =====

  * You'll need [[howto:chroot_debian|Debian]] and some *nix experience
  * Install the compilers:
<code>
apt-get install gcc
apt-get install make
apt-get install flex bison
apt-get install g++
</code>
IMPORTANT: If the next step fails (./configure below), install build-essential and python:
<code>
apt-get install build-essential
apt-get install python
</code>
  * If you haven't installed ssh, you have to do that:
<code>
apt-get install ssh
</code>

===== Installation =====

==== Jailkit ====

>Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier using these utilities.
>Jailkit is for example used on CVS servers (in a chroot and limited to cvs), sftp/scp servers (both in a chroot and limited to sftp/scp as well as not in a chroot but only limited to sftp/scp), and also on general servers with accounts where the shell accounts are in a chroot.
>Jailkit is furthermore used to jail daemon processes, for example apache servers, bzflag servers, squid proxy servers, http tunnel daemons, etc.

Log in to your root account and download jailkit:
<code>
wget http://olivier.sessink.nl/jailkit/jailkit-2.3.tar.gz
</code>
Extract jailkit:
<code>
tar zxvf jailkit-2.3.tar.gz
</code>
cd to jailkit-2.3 and build jailkit:
<code>
cd jailkit-2.3
./configure
make
make install
</code>
Copy the startup script to your init directory:
<code>
cp extra/jailkit /etc/init.d/jailkit
chmod a+x /etc/init.d/jailkit
update-rc.d jailkit defaults
/etc/init.d/jailkit restart
</code>

==== scponly ====

>scponly is an alternative 'shell' (of sorts) for system administrators who would like to provide access to remote users to both read and write local files without providing any remote execution privileges. Functionally, it is best described as a wrapper to the tried and true ssh suite of applications.
>A typical usage of scponly is in creating a semi-public account not unlike the concept of anonymous login for ftp. This allows an administrator to share files in the same way an anon ftp setup would, only employing all the protection that ssh provides. This is especially significant if you consider that ftp authentications traverse public networks in a plain text format.

<code>
apt-get install scponly
</code>

===== Configuration =====

I will create the chrooted environment in /home/jail. The file area will be /home/jail/pub. Only users in group **pub** will have access.
<code>
mkdir /home/jail
mkdir /home/jail/pub
addgroup pub
chown root:pub /home/jail/pub
chmod 2755 /home/jail/pub
</code>

==== jailkit ====

Copy the necessary files and libraries to the jail:
<code>
jk_init -v /home/jail sftp scp
</code>

==== scponly ====

Copy scponlyc to the jail:
<code>
mkdir /home/jail/usr/sbin
cp /usr/sbin/scponlyc /home/jail/usr/sbin/scponlyc
</code>

===== Adding users =====

I've created an add-user script. It will prompt you for a username, generate a password and add the user.

Download the script:
<code>
cd /root
wget http://www.soderlind.no/download/addpub.txt
mv addpub.txt addpub.sh
chmod 700 addpub.sh
</code>
You'll also need the change-password perl script:
<code>
cd /root
wget http://www.soderlind.no/download/chpasswd.txt
mv chpasswd.txt chpasswd.pl
chmod 700 chpasswd.pl
</code>
Create your first test user:
<code>
cd /root
./addpub.sh
</code>
Check that you can access the account using an sftp-enabled ftp client or scp ((For Windows, [[http://winscp.net/|WinSCP]] is a good choice)). Also check that you **can't** log in using ssh as the test user:
<code>
ssh testuser@localhost
</code>

===== Block SSH brute-force attacks =====

I'd love to use [[http://www.fail2ban.org/|fail2ban]] to prevent the script kiddies from attacking my sftp site, but since there's no iptables support in the kernel I decided to use DenyHosts.

[[http://denyhosts.sourceforge.net/|DenyHosts]] will monitor your /var/log/auth.log and ban hosts that break the rules ((DenyHosts rules are in /etc/denyhosts.conf)) by adding them to /etc/hosts.deny.

==== Install DenyHosts ====

<code>
apt-get install denyhosts
update-rc.d denyhosts defaults
/etc/init.d/denyhosts restart
</code>
You can check if somebody has tried to attack your site by running the following command:
<code>
grep sshd /var/log/auth.log | grep Invalid
</code>
You can check if someone has been banned by viewing /etc/hosts.deny:
<code>
cat /etc/hosts.deny
</code>
If you get any problems with DenyHosts, check the [[http://denyhosts.sourceforge.net/faq.html|FAQ]].
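As an added example (not part of the original how-to or of DenyHosts), the following POSIX shell script runs the same "Invalid user" check over a constructed auth.log, counts attempts per source host, and shows which hosts a DenyHosts-style threshold (DENY_THRESHOLD_INVALID in denyhosts.conf) would ban. The log lines and addresses are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the original how-to: summarise sshd
# "Invalid user" attempts per source host in a Debian-style auth.log
# and list the hosts that reach a threshold, the same kind of rule
# DenyHosts applies before adding a host to /etc/hosts.deny.

# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:12:01 jail sshd[2345]: Invalid user admin from 192.0.2.10
Mar  3 10:12:04 jail sshd[2347]: Invalid user oracle from 192.0.2.10
Mar  3 10:12:07 jail sshd[2349]: Invalid user test from 192.0.2.10
Mar  3 10:13:01 jail sshd[2351]: Invalid user guest from 198.51.100.7
Mar  3 10:14:22 jail sshd[2360]: Accepted publickey for testuser from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:00 jail cron[2370]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# Print "<count> <host>" for each host with sshd "Invalid user" lines,
# most active host first. Same idea as the how-to's grep pipeline, but
# anchored on the sshd[pid] prefix so lines from other daemons cannot match.
invalid_by_host() {
    grep 'sshd\[[0-9]*\]: Invalid user ' "$1" \
        | sed 's/.* from \([^ ]*\).*/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Print the hosts whose count reaches threshold $2, one per line.
hosts_over_threshold() {
    invalid_by_host "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# Render those hosts as TCP wrappers lines of the form "sshd: <host>",
# which is how a ban shows up when you cat /etc/hosts.deny.
hosts_deny_lines() {
    hosts_over_threshold "$1" "$2" | sed 's/^/sshd: /'
}

echo "Invalid-user attempts per host:"
invalid_by_host "$SAMPLE_LOG"
echo "Hosts that would be banned at threshold 3:"
hosts_deny_lines "$SAMPLE_LOG" 3
```

Point the functions at /var/log/auth.log on the real server to get the same per-host summary for live data.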