This is an old revision of the document!
Securing sftp/scp - by PerS
Introduction
This how-to will show you how to create a public 1) chrooted environment for sftp/scp. It will also show you how to protect you ssh server from brute-force attacks
Prerequisite
- You'll need Debian and some some *nix experience
- Install the compilers:
apt-get install gcc apt-get install make apt-get install flex bison apt-get install g++
IMPORTANT: If the next step fails (./configure below) then install build-essential:
apt-get install build-essential
- If you haven't installed ssh, you have to that:
apt-get install ssh
Installation
Jailkit
Jailkit is a set of utilities to limit user accounts to specific files using chroot() and or specific commands. Setting up a chroot shell, a shell limited to some specific command, or a daemon inside a chroot jail is a lot easier using these utilities.
Jailkit is for example used on CVS servers (in a chroot and limited to cvs), sftp/scp servers (both in a chroot and limited to sftp/scp as well as not in a chroot but only limited to sftp/scp), and also on general servers with accounts where the shell accounts are in a chroot. Jailkit is furthermore used to jail daemon processes, for example apache servers, bzflag servers, squid proxy servers, http tunnel daemons, etc
Log in to your root account and download jailkit
wget http://olivier.sessink.nl/jailkit/jailkit-2.3.tar.gz
Extract jailkit
tar zxvf jailkit-2.3.tar.gz
cd to jailkit-2.3 and build jailkit
cd jailkit-2.3 ./configure make make install
Copy the startup script to your init directory
cp extra/jailkit /etc/init.d/jailkit chmod a+x /etc/init.d/jailkit update-rc.d jailkit defaults /etc/init.d/jailkit restart
scponly
scponly is an alternative 'shell' (of sorts) for system administrators who would like to provide access to remote users to both read and write local files without providing any remote execution privileges. Functionally, it is best described as a wrapper to the tried and true ssh suite of applications.
A typical usage of scponly is in creating a semi-public account not unlike the concept of anonymous login for ftp. This allows an administrator to share files in the same way an anon ftp setup would, only employing all the protection that ssh provides. This is especially significant if you consider that ftp authentications traverse public networks in a plain text format.
apt-get install scponly
Configuration
I will create the chrooted environment in /home/jail. The file area will be /home/jail/pub. Only users in group pub will have access
mkdir /home/jail mkdir /home/jail/pub addgroup pub chown root:pub /home/jail/pub chmod 2755 /home/jail/pub
jailkit
Copy the necessary files and libraries to the jail
jk_init -v /home/jail sftp scp
scponly
Copy scponlyc to the jail
mkdir /home/jail/usr/sbin cp /usr/sbin/scponlyc /home/jail/usr/sbin/scponlyc
Adding users
I've created an add user script. It will prompt you for username, generate a password and add the user.
Download the script
cd /root wget http://www.soderlind.no/download/addpub.txt mv addpub.txt addpub.sh chmod 700 addpub.sh
You'll also need the change password perl script
cd /root wget http://www.soderlind.no/download/chpasswd.txt mv chpasswd.txt chpasswd.pl chmod 700 chpasswd.pl
Create your first test user
cd /root ./addpub.sh
Check if you can access the account using a sftp enabled ftp client or scp 2).
Also check that you can't login in using ssh and the test user
ssh testuser@localhost
Block SSH brute-force attacks
I'd love to use fail2ban to prevent the script kiddies from attacking my sftp site, but since there's no iptables support in the kernel I decided to use DenyHosts
DenyHosts will monitor your /var/log/auth.log, and ban hosts that breaks the rules 3) by adding them to /etc/hosts.deny
Install DenyHosts
apt-get install denyhosts update-rc.d denyhosts defaults /etc/init.d/denyhosts restartYou can check if somebody has tried to attack your site by running the following command:
grep sshd /var/log/auth.log | grep Invalid
You can check if someone has been banned by viewing /etc/hosts.deny
cat /etc/hosts.deny
If your get any problems with DenyHosts, check the FAQ