Securing sftp/scp - by PerS

Introduction

This how-to will show you how to create a public 1) chrooted environment for sftp/scp. It will also show you how to protect you ssh server from brute-force attacks

Prerequisite

  • You'll need Debian and some some *nix experience
  • Install the compilers:
apt-get install gcc
apt-get install make
apt-get install flex bison
apt-get install g++

IMPORTANT: If the next step fails (./configure below) then install build-essential and python:

 apt-get install build-essential
 apt-get install python
  • If you haven't installed ssh, you have to that:
apt-get install ssh

Installation

Jailkit

Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier using these utilities.
Jailkit is for example used on CVS servers (in a chroot and limited to cvs), sftp/scp servers (both in a chroot and limited to sftp/scp as well as not in a chroot but only limited to sftp/scp), and also on general servers with accounts where the shell accounts are in a chroot. Jailkit is furthermore used to jail daemon processes, for example apache servers, bzflag servers, squid proxy servers, http tunnel daemons, etc

Log in to your root account and download jailkit

wget http://olivier.sessink.nl/jailkit/jailkit-2.3.tar.gz

Extract jailkit

tar zxvf jailkit-2.3.tar.gz

cd to jailkit-2.3 and build jailkit

cd jailkit-2.3
./configure
make
make install

Copy the startup script to your init directory

cp extra/jailkit /etc/init.d/jailkit
chmod a+x /etc/init.d/jailkit
update-rc.d jailkit defaults
/etc/init.d/jailkit restart

scponly

scponly is an alternative 'shell' (of sorts) for system administrators who would like to provide access to remote users to both read and write local files without providing any remote execution privileges. Functionally, it is best described as a wrapper to the tried and true ssh suite of applications.
A typical usage of scponly is in creating a semi-public account not unlike the concept of anonymous login for ftp. This allows an administrator to share files in the same way an anon ftp setup would, only employing all the protection that ssh provides. This is especially significant if you consider that ftp authentications traverse public networks in a plain text format.
apt-get install scponly

Configuration

I will create the chrooted environment in /home/jail. The file area will be /home/jail/pub. Only users in group pub will have access

mkdir /home/jail
mkdir /home/jail/pub
addgroup pub
chown root:pub /home/jail/pub
chmod 2755 /home/jail/pub

jailkit

Copy the necessary files and libraries to the jail

jk_init -v /home/jail sftp scp

scponly

Copy scponlyc to the jail

mkdir /home/jail/usr/sbin
cp /usr/sbin/scponlyc /home/jail/usr/sbin/scponlyc

Adding users

I've created an add user script. It will prompt you for username, generate a password and add the user.

Download the script

cd /root
wget http://www.soderlind.no/download/addpub.txt
mv addpub.txt addpub.sh
chmod 700 addpub.sh

You'll also need the change password perl script

cd /root
wget http://www.soderlind.no/download/chpasswd.txt
mv chpasswd.txt chpasswd.pl
chmod 700 chpasswd.pl

Create your first test user

cd /root
./addpub.sh

Check if you can access the account using a sftp enabled ftp client or scp 2).

Also check that you can't login in using ssh and the test user

ssh testuser@localhost

Block SSH brute-force attacks

I'd love to use fail2ban to prevent the script kiddies from attacking my sftp site, but since there's no iptables support in the kernel I decided to use DenyHosts

DenyHosts will monitor your /var/log/auth.log, and ban hosts that breaks the rules 3) by adding them to /etc/hosts.deny

Install DenyHosts

apt-get install denyhosts
update-rc.d denyhosts defaults
/etc/init.d/denyhosts restart
You can check if somebody has tried to attack your site by running the following command:
grep sshd /var/log/auth.log | grep Invalid

You can check if someone has been banned by viewing /etc/hosts.deny

cat /etc/hosts.deny

If your get any problems with DenyHosts, check the FAQ

1) By public I mean a common login area for all users, mimicking a public ftp site. I you'd like to create a per user chrooted environment, you should take a closer look at sftp/scp how-to at Jailkit.
2) For windows, WinCP is a good choice
3) DenyHosts rules are in /etc/denyhosts.conf

Navigation

Personal Tools