Lab 03 - Secure Remote Access

Introduction

The secure shell (ssh) has become the de facto standard for remote access to UNIX servers. It can be used to provide: interactive sessions, file transfer, remote command execution, and TCP tunnels. Passwords or cryptographic keys may be use for authentication. Today we will investigate these ssh features.

Prerequisites:

Before you start this lab you must have:

Overview:

You will build this configuration.

Part A: Build the Servers

Here's an other chance to show how much easier our lives are because we have a build server.

Build earth, wind, and fire to these specifications:

You have some choice with respect to how you do this, you may use one of two strategies:

  1. Old, Slow, Strategy

  2. Slick, Fast, Strategy

Note: The 'Slick, Fast' strategy is recommended.

Slick, Fast Strategy steps:

Note: These examples assume winds' Ethernet address is 08:00:27:68:A8:B1 - your's will be different, and they often show only the configuration changes need for wind - you will need to add code blocks for earth and fire where appropriate.

  1. Configure dhcpd to always give wind, earth, and fire the correct IP addresses and hostnames
    1. Add a host block to /etc/dhcp/dhcpd.conf for each node
      2. # 
# host specific block for wind
# (note: ethernet address must match nodes' address
#
host wind {
                option host-name "wind";
                hardware ethernet 08:00:27:68:A8:B1;
                fixed-address 10.1.1.211;
}
    2. Restart the dhcd service

  2. Create new pxe.config files for wind, earth, and fire 
    3. cd /var/lib/tftpboot/pxelinux.cfg

# a pxe config file for lab_03
cp default lab_03

# point earth to the correct config, note: 0A0101D2 is 10.1.1.210 in hex, try gethostip 10.1.1.210 (the gethostip command is in the syslinux package)
ln -s lab_03 0A0101D2

# point wind to the correct config
ln -s lab_03 0A0101D3

# point fire to the correct config
ln -s lab_03 0A0101D4
  3. Customize the new pxelinux config file we just created, lab_03, to point to a new Kickstart file. hint: change default.ks to lab_03.ks so that the default boot option looks like this... 
    4. label linux
  menu label Install system
  menu default
  kernel images/RHEL-8.3/vmlinuz
  append initrd=images/RHEL-8.3/initrd.img ip=dhcp inst.repo=http://10.1.1.100/83 ks=http://10.1.1.100/Kickstart/lab_03.ks inst.kdump_addon=off
  4. Create /var/www/html/Kickstart/lab_03.ks based on /var/www/html/Kickstart/default.ks with consideration to lines like this:
    5. 
# set the firewall to allow only ssh
firewall --enabled --ssh

# add a user named alice
user --name=alice --groups=wheel --password=userpass

# hosts (goes in %post section)
echo "10.1.1.100 yoda" >>/etc/hosts
  5. Build earth, wind, and fire
  6. Use earth, wind, and fire - no additional configuration should be required

Part B: Check Our Work

Let's just have a quick look about to see that everything is as it should be.

Part C: Man in the middle attack

A very common mode of attack is the so called 'man in the middle' attack. In a man in the middle attack the attacker intercepts messages destined for a node and pretends to be that node. In a sophisticated attack intercepted traffic is sent to the impersonated node and responses are relayed back to the caller. If this is done well, neither the impersonated node or the caller may realize an attack occurred. We are going to simulate an attack by having fire pose as earth and intercept an ssh connection from wind to earth. In a real attack, fire would forward the data sent from wind to earth and would send all responses from earth back to wind, after having a little look at the data. The purpose of this exercise is to see how ssh handles this type of attack.

    Make sure that ssh is working

  1. ssh from wind to earth as alice (ssh alice@earth)

    2. fire jumps in the middle

  2. Unplug earth's network cable (VirtualBox:Devices->Network Adapters...
  3. Change fire's IP address to 10.1.1.210
  4. ssh from wind to earth as alice, pay careful attention to any messages you see

    5. Put things back the way you found them

  5. Return fire's IP address to 10.1.1.212
  6. Plug earth's network cable back in

Part D: ssh without passwords - guarding against brute force attacks

One way of attacking ssh is a brute force attack on passwords. Simply put, this amounts to "trying many passwords until one works". Programs such as hydra automate this (we talk about hydra later). One way to avoid password guessing is to avoid passwords, one way to avoid passwords is to use ssh key pairs. Key-pairs for ssh work in a manner similar to ssl certificates. With ssh you keep the private key on your workstation and place the public key in a directory called .ssh in your home directory on the server. This tutorial describes the mechanics of doing this.
For this example, wind will be alice and bob's main workstation and earth will be a server they access regularly. We are going to set it up so that both alice and bob can log into earth from wind without a password. alice will protect her private key with a passphrase and bob will not.

    Make sure ssh is working

  1. ssh from wind to earth as alice and then as bob

    2. Setup access for alice

  2. Log on to wind as alice
  3. Follow the steps in the above tutorial (generate key pair, put the public key in the correct spot on earth, try ssh and scp from wind to earth)
  4. Hint: ssh is picky about the permissions on ~/.ssh and ~/.ssh/authorized_keys - only the owner can have write permission.

    5. Setup access for bob

  5. Log on to wind as bob
  6. Follow the tutorial again

    7. Does ssh still work with passwords?

  7. Log onto fire
  8. ssh to earth as alice

    9. Turn off password based ssh authentication on earth

  9. Edit /etc/ssh/sshd_config on earth so that it contains these lines
    10. PasswordAuthentication no
ChallengeResponseAuthentication no
  10. restart the sshd service

    11. Does ssh still work with passwords?

  11. log onto fire as root
  12. ssh to earth as alice

Part E: Disable remote root access

It is common policy to disallow remote access for root to force administrators to login under their own account and then su to root or to use sudo. This falls under the security axiom of 'allow no shared accounts'

  1. Modify the sshd configuration on earth so that root is not allowed to log on via ssh

    2. Hint: man sshd_config

Part F: ssh and remote commands

In this lab we have used ssh to establish an interactive session and, in its scp form, to copy files. We can also use ssh to run a single command on a remote server, sending the output of that command back to our session. This is very handy to solve simple tasks like determining how full the disk is on a remote server, or who is logged onto a remote server. It can also be used more creatively to do things like remote backup.

You are logged on wind as alice what does each of these commands do?

  1. ssh alice@earth df
  2. ssh alice@earth who
  3. ssh alice@earth 'tar c .' > alice_earth.tar
  4. echo "a" | ssh alice@earth 'cat > f1'

Part G: ssh tunneling

Perhaps the coolest, if not the most used, feature of ssh is the ability to create ssh tunnels. This is also know as port forwarding, which a somewhat more accurate term. In short ssh can encapsulate all the traffic destine for a local TCP port and send it across an ssh session to a port on an other server.
This is very useful for administrators. It allows one to secure traffic that is normally sent in the clear and it allows crafty UNIX administrators to 'work around' certain fire-wall restrictions.
Here's a very nice little tutorial on port forwarding. (an archived version of the page is here)

Consider the following scenario:

Solution:

Build an ssh tunnel from wind to earth. The tunnel will forward wind:8080 (port 8080 on wind) to earth:80 via an ssh connection. This will allow a local HTTP client on wind to access the Apache server running on earth, even though earth's firewall does not allow http through.

This Diagram of our tunnel might help you visualize what we are building.

Steps:

    Setup Apache on earth

  1. Install Apache on earth (hint: yum install httpd)
  2. Create a simple web page on earth called hello.html
  3. Test that httpd is up and running by fetching hello.html locally on earth (from earth to earth) with curl
    4. curl http://localhost/hello.html

    Demonstrate that earth:80 is closed to outsiders

  4. Log on to wind
  5. Try to download hello.html from earth
    6. curl http://yoda/hello.html

    Build a tunnel from wind to earth

  6. Log on to wind
  7. Invoke ssh with -L 
    8. ssh -L 8080:earth:80 -N alice@earth
  8. In an other window (on wind) run curl through the tunnel
    9. curl http://localhost:8080/hello.html

    Prove that the traffic was flowing through the tunnel

  9. Tear down the tunnel by typing -c in the window where the tunnel is running
  10. Try step 8 again (it should fail now)
  11. Reestablish the tunnel
  12. Try step 8 again (it should work now)

    13. Use wind as a gateway from your workstation to yoda

  13. Open port 8081 on wind's firewall (hint: check your admin notes for firewallcmd)
  14. Build a tunnel from wind:8081 to earth:80
    15. # on wind
ssh -L wind:8081:earth:80 -N alice@earth
  15. Point your desktop web browser to wind:8081/hello.html

    16. Note: You will need to add earth and wind to the hosts file on your workstation.

Questions:

Complete the quiz in Canvas for this lab. Here is a partial preview of the questions.

  1. You are logged on wind as alice what does each of these commands do?
    1. ssh alice@yoda who
    2. ssh alice@yoda 'tar c .' > alice_yoda.tar
    3. echo "a" | ssh alice@yoda 'cat > f1'

  2. How does ssh guard against man in the middle attacks? do?
  3. Explain what each argument in this command does:
    4. ssh -L 10.1.1.11:8081:yoda:80 -N alice@yoda