====== Securing sftp/scp - by PerS ======

===== Introduction =====

This how-to will show you how to create a public ((By public I mean a common login area for all users, mimicking a public ftp site.
If you'd like to create a per-user chrooted environment, you should take a closer look at the [[http://olivier.sessink.nl/jailkit/howtos_sftp_scp_only.html|sftp/scp how-to at Jailkit]].)) chrooted environment for sftp/scp.
It will also show you how to protect your ssh server from brute-force attacks.



===== Prerequisite =====
  * You'll need [[howto:chroot_debian|Debian]] and some *nix experience
  * Install the compilers:

  apt-get install gcc
  apt-get install make
  apt-get install flex bison
  apt-get install g++

IMPORTANT: If the next step fails (./configure below) then install build-essential and python:

   apt-get install build-essential
   apt-get install python

  * If you haven't installed ssh yet, do that now:

  apt-get install ssh

===== Installation =====

==== Jailkit ====

>Jailkit is a set of utilities to limit user accounts to specific files using chroot() and/or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier using these utilities.
>Jailkit is for example used on CVS servers (in a chroot and limited to cvs), sftp/scp servers (both in a chroot and limited to sftp/scp as well as not in a chroot but only limited to sftp/scp), and also on general servers with accounts where the shell accounts are in a chroot. Jailkit is furthermore used to jail daemon processes, for example apache servers, bzflag servers, squid proxy servers, http tunnel daemons, etc.

Log in to your root account and download jailkit
  wget http://olivier.sessink.nl/jailkit/jailkit-2.3.tar.gz
Extract jailkit
  tar zxvf jailkit-2.3.tar.gz
cd to jailkit-2.3 and build jailkit
  cd jailkit-2.3
  ./configure
  make
  make install
Copy the startup script to your init directory
  cp extra/jailkit /etc/init.d/jailkit
  chmod a+x /etc/init.d/jailkit
  update-rc.d jailkit defaults
  /etc/init.d/jailkit restart

==== scponly ====

>scponly is an alternative 'shell' (of sorts) for system administrators who would like to provide access to remote users to both read and write local files without providing any remote execution privileges. Functionally, it is best described as a wrapper to the tried and true ssh suite of applications.
>A typical usage of scponly is in creating a semi-public account not unlike the concept of anonymous login for ftp. This allows an administrator to share files in the same way an anon ftp setup would, only employing all the protection that ssh provides. This is especially significant if you consider that ftp authentications traverse public networks in a plain text format.

  apt-get install scponly

===== Configuration =====

I will create the chrooted environment in /home/jail.
The file area will be /home/jail/pub. Only users in group **pub** will have access.
  mkdir /home/jail
  mkdir /home/jail/pub
  addgroup pub
  chown root:pub /home/jail/pub
  chmod 2755 /home/jail/pub

Two things to keep in mind about these permissions. First, /home/jail itself must stay owned by root and must not be group- or world-writable (mkdir as root gives you that); jk_chrootsh refuses to enter a jail whose root directory fails that check. Second, mode 2755 on /home/jail/pub lets every jailed user read the area but lets only root write to it, so users can download but not upload. If members of **pub** should be able to upload as well, use 2775 instead; the leading 2 (setgid) makes files created in the directory group-owned by **pub** either way.

==== jailkit ====
Copy the necessary files and libraries to the jail
  jk_init -v /home/jail sftp scp

==== scponly ====
Copy scponlyc to the jail
  mkdir /home/jail/usr/sbin
  cp /usr/sbin/scponlyc /home/jail/usr/sbin/scponlyc

A plain cp copies only the binary, not the shared libraries it is linked against. Run ldd /usr/sbin/scponlyc and check that each library it lists already exists under /home/jail (jk_init copied the ones that sftp and scp need); copy any that are missing into the same relative path inside the jail, otherwise the jailed shell will fail to start.



===== Adding users =====

I've created an add user script. It will prompt you for username, generate a password and add the user.

Download the script
  cd /root
  wget http://www.soderlind.no/download/addpub.txt
  mv addpub.txt addpub.sh
  chmod 700 addpub.sh
You'll also need the change password perl script
  cd /root
  wget http://www.soderlind.no/download/chpasswd.txt
  mv chpasswd.txt chpasswd.pl
  chmod 700 chpasswd.pl

Create your first test user
  cd /root
  ./addpub.sh

Check that you can access the account using an SFTP-capable client or scp ((For Windows, [[http://winscp.net/|WinSCP]] is a good choice)).

Also check that you **can't** log in using ssh with the test user; scponly should refuse the interactive session and disconnect you:
  ssh testuser@localhost
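Besides trying the logins by hand, it is worth checking the account records themselves. The script below is an added example, not part of this how-to and not code from Jailkit or scponly. It assumes the layout used above: jail root /home/jail, jk_chrootsh as the shell in the host's /etc/passwd, a home directory written as /home/jail/./pub (jk_chrootsh splits the home on "/./" into the jail root and the path inside it), and the scponlyc copied into the jail as the shell in /home/jail/etc/passwd. The passwd entries are passed in as strings, so it runs without the jail present.

```shell
#!/bin/sh
# Added example (not from the how-to, Jailkit or scponly): audit the
# passwd entries of jailed users against the layout used in this how-to.
# Assumed layout: jail root /home/jail, outer shell /usr/sbin/jk_chrootsh,
# inner shell /usr/sbin/scponlyc (the copy placed inside the jail).
# Entries are passed in as strings so the script runs without the jail.

JAIL=/home/jail
OUTER_SHELL=/usr/sbin/jk_chrootsh
INNER_SHELL=/usr/sbin/scponlyc

# jail_root HOME : the part of HOME before "/./" (what jk_chrootsh chroots to)
jail_root() { printf '%s\n' "${1%%/./*}"; }

# jail_home HOME : the home as seen inside the jail ("/" + part after "/./")
jail_home() { printf '/%s\n' "${1#*/./}"; }

# audit_outer_entry "LINE" : check one line of the host's /etc/passwd.
# Prints "user: ok" and returns 0, or prints the problem and returns 1.
audit_outer_entry() {
    user=$(printf '%s' "$1" | cut -d: -f1)
    home=$(printf '%s' "$1" | cut -d: -f6)
    shell=$(printf '%s' "$1" | cut -d: -f7)
    case "$home" in
        "$JAIL"/./*) ;;
        *) echo "$user: home $home is not under $JAIL/./ so the user is not jailed"; return 1 ;;
    esac
    if [ "$shell" != "$OUTER_SHELL" ]; then
        echo "$user: shell is $shell, expected $OUTER_SHELL"; return 1
    fi
    echo "$user: ok"
}

# audit_inner_entry "LINE" : check the matching line of /home/jail/etc/passwd.
# Inside the jail the home must not contain "/./" and the shell must be scponlyc.
audit_inner_entry() {
    user=$(printf '%s' "$1" | cut -d: -f1)
    home=$(printf '%s' "$1" | cut -d: -f6)
    shell=$(printf '%s' "$1" | cut -d: -f7)
    case "$home" in
        */./*) echo "$user: jail passwd still contains /./ in $home"; return 1 ;;
    esac
    if [ "$shell" != "$INNER_SHELL" ]; then
        echo "$user: shell inside the jail is $shell, expected $INNER_SHELL"; return 1
    fi
    echo "$user: ok"
}

# Constructed sample entries (not taken from a real system)
GOOD_OUTER='testuser:x:1001:1001::/home/jail/./pub:/usr/sbin/jk_chrootsh'
BAD_OUTER='bob:x:1002:1001::/home/bob:/bin/bash'
GOOD_INNER='testuser:x:1001:1001::/pub:/usr/sbin/scponlyc'

for e in "$GOOD_OUTER" "$BAD_OUTER"; do audit_outer_entry "$e" || true; done
audit_inner_entry "$GOOD_INNER" || true
```

On a live system, feed it the real lines, for example with grep '^testuser:' /etc/passwd and grep '^testuser:' /home/jail/etc/passwd; a user whose outer shell is still /bin/bash or whose home lacks the "/./" marker gets a normal, unjailed shell on login, which is exactly what the ssh test above is meant to catch.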

=====  Block SSH brute-force attacks =====
I'd love to use [[http://www.fail2ban.org/|fail2ban]] to prevent the script kiddies from attacking my sftp site, but since there's no iptables support in the kernel I decided to use DenyHosts

[[http://denyhosts.sourceforge.net/|DenyHosts]] monitors your /var/log/auth.log and bans hosts that break the rules ((DenyHosts rules are in /etc/denyhosts.conf)) by adding them to /etc/hosts.deny. Note that DenyHosts does not touch the firewall at all: the ban only works because sshd on Debian is built with TCP wrappers support and consults /etc/hosts.deny before accepting a connection. OpenSSH 6.7 and later dropped TCP wrappers support, so on a newer sshd check that it still honours hosts.deny before relying on this.

==== Install DenyHosts ====
  apt-get install denyhosts
  update-rc.d denyhosts defaults
  /etc/init.d/denyhosts restart

You can check if somebody has tried to attack your site by running the following command:
  grep sshd /var/log/auth.log | grep Invalid

You can check if someone has been banned by viewing /etc/hosts.deny
  cat /etc/hosts.deny
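The grep above shows the raw attempts; what DenyHosts adds is the per-address counting and the threshold. The script below is an added example and is not DenyHosts code: it models that rule in a simplified form over a few constructed auth.log lines (not a real capture). It counts "Failed password" lines per source address, separately for usernames that do not exist and for ones that do, and prints the addresses that reach a threshold in the format DenyHosts writes to /etc/hosts.deny. The thresholds 3 and 5 are assumptions; DenyHosts reads its own values from /etc/denyhosts.conf.

```shell
#!/bin/sh
# Added example (not DenyHosts code): a simplified model of the rule
# DenyHosts applies to /var/log/auth.log. It counts "Failed password"
# lines per source address, separately for non-existent and existing
# accounts, and prints the addresses that reach a threshold. The
# thresholds 3 and 5 are assumptions (DenyHosts reads its own from
# /etc/denyhosts.conf); the log lines are constructed, not a capture.

INVALID_THRESHOLD=3   # failures for usernames that do not exist
VALID_THRESHOLD=5     # failures for existing usernames

# Constructed sample lines in the Debian auth.log format
sample_auth_log() {
cat <<'EOF'
Jan 10 03:12:01 jail sshd[2231]: Invalid user admin from 198.51.100.7
Jan 10 03:12:01 jail sshd[2231]: Failed password for invalid user admin from 198.51.100.7 port 40101 ssh2
Jan 10 03:12:04 jail sshd[2233]: Invalid user oracle from 198.51.100.7
Jan 10 03:12:04 jail sshd[2233]: Failed password for invalid user oracle from 198.51.100.7 port 40108 ssh2
Jan 10 03:12:07 jail sshd[2235]: Invalid user test from 198.51.100.7
Jan 10 03:12:07 jail sshd[2235]: Failed password for invalid user test from 198.51.100.7 port 40115 ssh2
Jan 10 03:15:40 jail sshd[2250]: Failed password for testuser from 203.0.113.9 port 51002 ssh2
Jan 10 03:16:02 jail sshd[2252]: Accepted password for testuser from 203.0.113.9 port 51010 ssh2
EOF
}

# offenders [INVALID_THR] [VALID_THR] : reads auth.log lines on stdin and
# prints "ip count kind" for every address at or over a threshold.
offenders() {
    awk -v tinv="${1:-$INVALID_THRESHOLD}" -v tval="${2:-$VALID_THRESHOLD}" '
        /sshd\[[0-9]+\]: Failed password for / {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "") next
            if ($0 ~ / for invalid user /) inv[ip]++; else val[ip]++
        }
        END {
            for (ip in inv) if (inv[ip] >= tinv) print ip, inv[ip], "invalid"
            for (ip in val) if (val[ip] >= tval) print ip, val[ip], "valid"
        }' | sort
}

# hosts_deny_lines : turns offender lines into the format DenyHosts writes
# to /etc/hosts.deny (one "sshd: <ip>" entry per address).
hosts_deny_lines() { awk '{ print "sshd: " $1 }'; }

sample_auth_log | offenders | hosts_deny_lines
```

With the sample data, 198.51.100.7 fails three times against non-existent accounts and is listed, while 203.0.113.9 fails once for a real account and then logs in, so it stays below the valid-account threshold. To run it against your own log, replace sample_auth_log with grep sshd /var/log/auth.log; note that the "Invalid user" lines the grep above shows are deliberately not counted here, because each of them is paired with a "Failed password for invalid user" line for the same attempt.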

If you get any problems with DenyHosts, check the [[http://denyhosts.sourceforge.net/faq.html|FAQ]]