Saturday, 7 May 2011

SSH Service: How to set it up in Backtrack without getting pwned

SSH provides shell access and as such it is one of the services that must be secured as well as it is possible.

Step 0a - Change the default password
IMPORTANT: The first thing to do with Backtrack is to change the default password. Starting the SSH service with the default password still enabled is a secure way to get hacked!

Note for the less experienced: just type passwd, press Enter and choose a loooong, strong password!

Step 0b - Update Backtrack
It is better to be patched than sorry! Just follow this quick guide to get up to date before starting the SSH service.

Step 1 - Generate SSH keys
Before you start the SSH service for the first time you need to create the SSH host keys; this command generates the private and public keys:

# sshd-generate

Step 2 (Optional) - Obfuscate SSH version
By default, when anybody SSHs to you, they will see a bit of information about your system, including the exact OpenSSH version used:

# telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1

Some people argue you should not change the banner because SSH client programs use it. So I would suggest changing only the version part: leave the "SSH-2.0-" prefix alone and, with hexedit, search for the "OpenSSH_5.1p1 Debian-3ubuntu1" string shown above and replace it with something random like "This server runs with redbull". Because hexedit overwrites bytes in place, the replacement must be exactly as long as the text it replaces (pad it with spaces if needed), otherwise you will corrupt the binary.

To change the SSH banner you cannot just change the configuration: you have to edit the sshd binary with hexedit, which you can do like this:

# hexedit /usr/sbin/sshd

Step 3 (Recommended, if possible) - Restrict IP connections via iptables
If you are in a position where you can restrict who can connect to you, then it is best to only allow connections from that IP address (or addresses). I wrote about how to do that here. Basically, if you only ever need to connect from a specific IP address, you should not allow the rest of the planet to connect to you, as that increases your exposure substantially for no benefit.
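One way to build the restriction described in this step, as an added example that is not from the original post: it prints the iptables rules that accept SSH only from an allow-list and drop everything else aimed at the SSH port. The port and the allow-listed addresses are constructed placeholders, and it assumes the INPUT chain has no earlier catch-all ACCEPT rule that would shadow these.

```shell
#!/bin/sh
# Added example (not part of the original post). Default values are constructed
# placeholders: port 443 mirrors the post's non-standard-port example and the
# addresses come from the RFC 5737 documentation ranges.
SSH_PORT="${SSH_PORT:-443}"
ALLOWED_IPS="${ALLOWED_IPS:-203.0.113.10 198.51.100.0/24}"

# Print (do not run) the rule set for a port and a list of allowed sources.
# Assumes nothing earlier in INPUT already accepts all traffic on this port.
build_ssh_rules() {
  port="$1"; shift
  # Keep sessions that are already open working when the rules are reloaded.
  echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # New connections are accepted only from the allow-list.
  for ip in "$@"; do
    echo "iptables -A INPUT -p tcp --dport $port -s $ip -m conntrack --ctstate NEW -j ACCEPT"
  done
  # Log a few rejected attempts per minute (useful for detection), then drop
  # the rest of the planet. Attempts over the limit skip the LOG rule and are
  # still dropped by the final rule.
  echo "iptables -A INPUT -p tcp --dport $port -m limit --limit 3/min -j LOG --log-prefix \"SSH-DENIED: \""
  echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Number of rules build_ssh_rules emits: one per allowed source plus three.
count_ssh_rules() {
  build_ssh_rules "$@" | wc -l | tr -d ' '
}

# Execute the rules only when APPLY=1; otherwise show what would be run, so
# the rule set can be reviewed before it touches a live firewall.
apply_ssh_rules() {
  build_ssh_rules "$@" | while IFS= read -r rule; do
    if [ "${APPLY:-0}" = "1" ]; then
      eval "$rule"
    else
      echo "DRY-RUN: $rule"
    fi
  done
}

# Word-splitting of ALLOWED_IPS into separate arguments is intended here.
# shellcheck disable=SC2086
apply_ssh_rules "$SSH_PORT" $ALLOWED_IPS
```

Run it once without APPLY to review the rules, then with APPLY=1 as root to load them; remember that `-A` appends, so check `iptables -L INPUT -n --line-numbers` for earlier rules that would match first.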

Step 4 - Start the SSH service
On top of all of the above, if possible, I would recommend running the SSH service on a non-standard port; this adds a degree of obscurity on top of the proper security measures (being up to date and restricting connections).
Sometimes you might need to run it on a non-standard port to bypass blocking anyway.

This runs the SSH service on the standard port (22):

# /usr/sbin/sshd

To run it on another port just do this (example for port 443):
# /usr/sbin/sshd -p 443

sshd might complain that a folder is missing; when this happens you will get an error like this:
Missing privilege separation directory: /var/run/sshd

If this happens to you, just create the folder:
# mkdir /var/run/sshd

To check that the SSH service is running correctly (and who might be connected to you!) just do:

# netstat -evantupo|grep ssh
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 0 87888 14251/sshd off (0.00/0/0)
tcp6 0 0 :::443 :::* LISTEN 0 87886 14251/sshd off (0.00/0/0)