If you control access to your VM with SSH keys, add the public key to the following file on CentOS/Ubuntu/RHEL, in the home directory of the user that will log in:
~/.ssh/authorized_keys
Each key is a single line that starts with the key type (ssh-ed25519, ssh-rsa, ecdsa-sha2-nistp256 and so on), followed by the base64-encoded public key and an optional comment. With the default StrictModes setting sshd rejects the file if it, or ~/.ssh, is writable by anyone but the owner; mode 700 on ~/.ssh and 600 on authorized_keys, both owned by the user, is the usual setting.
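The steps above as a small script, added here as an example (it is not part of the original post): it checks that the line is a single-line OpenSSH public key of a common type, creates ~/.ssh with the permissions sshd expects, and refuses to add the same key twice. The function names and the target directory argument are my own; option prefixes such as command="..." in front of the key type are not handled.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys with the
# permissions sshd requires. Accepts the common OpenSSH key types,
# not only ssh-rsa. Function names are illustrative, not from the post.

# is_pubkey LINE -> 0 if LINE looks like a single-line OpenSSH public key
is_pubkey() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# add_authorized_key HOMEDIR KEYLINE
#   creates HOMEDIR/.ssh (0700) and authorized_keys (0600) if needed,
#   rejects malformed input, and skips a key that is already present.
add_authorized_key() {
    home="$1"; key="$2"
    if ! is_pubkey "$key"; then
        echo "refusing to add: not a single-line OpenSSH public key" >&2
        return 1
    fi
    ssh_dir="$home/.ssh"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    # compare on key type + base64 blob only, so a changed comment is still a duplicate
    blob=$(printf '%s' "$key" | awk '{print $1" "$2}')
    if awk '{print $1" "$2}' "$auth" | grep -Fxq -- "$blob"; then
        echo "key already present in $auth" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
}

# count_keys HOMEDIR -> number of key lines in authorized_keys
count_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Typical use, run as the user that will log in:
#   add_authorized_key "$HOME" "$(cat id_ed25519.pub)"
```

The duplicate check ignores the comment field on purpose: two copies of the same key with different comments would otherwise accumulate in the file every time a key is "re-added".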
We will install three packages to get SNMP up and running on Linux. On Debian/Ubuntu:
apt install snmpd snmp libsnmp-dev
OR, on CentOS/RHEL (if you are running yum):
yum -y install net-snmp net-snmp-utils
Copy the default snmpd config file for backup purposes (recommended; the packaged file documents every directive):
cp /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.bak
Empty the file out by doing the below. Note that without an agentAddress directive snmpd listens on UDP 161 on every interface; it will only answer the SNMPv3 users you create next, but if the agent is only polled locally, add an agentAddress directive restricting it to the loopback address.
cat /dev/null > /etc/snmp/snmpd.conf
Stop the running snmpd service. net-snmp-create-v3-user refuses to run while the daemon is up, because it writes to files the daemon rewrites on shutdown:
systemctl stop snmpd
Create your read-only user account for SNMPv3. Replace USERNAME with the account name and use two different passphrases in place of SUPERPASSWORD: -A sets the authentication passphrase (hashed with SHA, -a) and -X the privacy passphrase (used for AES encryption, -x). net-snmp requires at least 8 characters for each, and reusing one passphrase for both means a single leak breaks both authentication and encryption. The tool appends a createUser line to the persistent snmpd.conf under /var/lib and a rouser line for the account to /etc/snmp/snmpd.conf (it prints the paths it modifies).
net-snmp-create-v3-user -ro -A SUPERPASSWORD -a SHA -X SUPERPASSWORD -x AES USERNAME
Now make the service start on bootup
systemctl enable snmpd
Start the service!
systemctl start snmpd
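The whole SNMPv3 procedure as one script, added as an example and not taken from the post: it enforces the two passphrase rules (minimum length, auth and priv differ), writes a minimal snmpd.conf that pins the listening address, creates the user, and then verifies that an authPriv request succeeds while a v2c request with the old "public" community does not. The user name, passphrases and listening address are placeholders; the privileged steps only run when the script is invoked with the word apply, so the helper functions can be exercised without root.

```shell
#!/bin/sh
# Added example (not the original post's commands): SNMPv3 read-only user
# setup with the checks the procedure above leaves implicit. All values
# below are placeholders to override via the environment.
set -eu

SNMP_USER="${SNMP_USER:-monitor}"
AUTH_PASS="${AUTH_PASS:-ChangeMeAuthPhrase1}"
PRIV_PASS="${PRIV_PASS:-ChangeMePrivPhrase2}"
# Keep localhost reachable, the verification below targets it; use
# udp:0.0.0.0:161 (or the NIC address) when a remote poller needs access.
LISTEN="${LISTEN:-udp:127.0.0.1:161}"
CONF=/etc/snmp/snmpd.conf

# check_passphrase PHRASE -> 0 if net-snmp will accept it (it rejects < 8 chars)
check_passphrase() {
    [ "${#1}" -ge 8 ]
}

# distinct_passphrases AUTH PRIV -> 0 when the two differ
distinct_passphrases() {
    [ "$1" != "$2" ]
}

# render_snmpd_conf LISTEN -> minimal config text. net-snmp-create-v3-user
# appends the rouser line for the new account to this file itself.
render_snmpd_conf() {
    printf 'agentAddress %s\nsysLocation  set-me\nsysContact   set-me\n' "$1"
}

setup_snmpv3() {
    check_passphrase "$AUTH_PASS" && check_passphrase "$PRIV_PASS" \
        || { echo "passphrases must be at least 8 characters" >&2; return 1; }
    distinct_passphrases "$AUTH_PASS" "$PRIV_PASS" \
        || { echo "use different auth and priv passphrases" >&2; return 1; }

    [ -f "$CONF.bak" ] || cp "$CONF" "$CONF.bak"
    systemctl stop snmpd               # the user-creation tool refuses to run otherwise
    render_snmpd_conf "$LISTEN" > "$CONF"
    net-snmp-create-v3-user -ro -A "$AUTH_PASS" -a SHA -X "$PRIV_PASS" -x AES "$SNMP_USER"
    systemctl enable snmpd
    systemctl start snmpd

    # Verify with numeric OIDs (sysDescr.0) so no MIB files are needed:
    # the authPriv request must answer, the v2c "public" community must not.
    snmpget -v3 -l authPriv -u "$SNMP_USER" -a SHA -A "$AUTH_PASS" -x AES -X "$PRIV_PASS" \
        localhost .1.3.6.1.2.1.1.1.0
    if snmpget -v2c -c public -t 1 -r 0 localhost .1.3.6.1.2.1.1.1.0 2>/dev/null; then
        echo "WARNING: v2c community 'public' still answers" >&2
        return 1
    fi
}

# Run the privileged steps only when explicitly asked:  sudo sh snmpv3.sh apply
if [ "${1:-}" = "apply" ]; then
    setup_snmpv3
fi
```

The second snmpget is the part worth keeping: a host that still answers a v2c community string has not actually been moved to SNMPv3, whatever the new user can do.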
I have installed a service called “Fail2Ban”, which I have found very useful: it dynamically updates the iptables rules on your machine, blocking IPs that have had too many failed login attempts over SSH. You can configure it with the steps below.
1) Install the package (Debian/Ubuntu; on CentOS/RHEL it comes from the EPEL repository):
apt-get install fail2ban
2) Familiarise yourself with the sample config file /etc/fail2ban/jail.conf
3) Make a new “jail.local” file in the same directory with your favourite text editor. I use nano in my case.
nano /etc/fail2ban/jail.local
4) Add the options you wish to use. I’ve added the below to control my SSH:
[DEFAULT]
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 3600
With the above options we have chosen to ban after 5 failed attempts, for a ban time of 3600 seconds. Fail2Ban only counts failures that fall inside its findtime window (600 seconds by default), so five failures spread over an hour do not trigger a ban. The logpath above is the Debian/Ubuntu location; on CentOS/RHEL sshd logs to /var/log/secure, and where sshd logs only to the journal you set backend = systemd instead of a logpath. What’s good to note about “jail.local” is that Fail2Ban keeps its defaults in /etc/fail2ban/jail.conf but also loads jail.local, and settings in jail.local override the defaults. So it’s best to leave the default config file as is, since it may be replaced by the authors in a version upgrade.
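To see what the [sshd] jail is actually counting, here is the threshold logic reproduced with awk over a handful of sshd log lines. This is an added example, not code from the post or from Fail2Ban: it matches the two most common sshd failure messages rather than the full sshd filter, and it ignores findtime, so it counts every failure in the file. The log lines are constructed and use documentation addresses.

```shell
#!/bin/sh
# Added example: count failed SSH logins per source address the way the
# [sshd] jail does before banning. Simplified: no findtime window and
# only the "Failed password" / "Invalid user" messages are matched.

# Constructed sample of /var/log/auth.log lines (RFC 5737 addresses)
SAMPLE_LOG='Mar  1 10:00:01 web sshd[1201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Mar  1 10:00:03 web sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Mar  1 10:00:05 web sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 40003 ssh2
Mar  1 10:00:07 web sshd[1207]: Failed password for root from 203.0.113.5 port 40004 ssh2
Mar  1 10:00:09 web sshd[1209]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar  1 10:00:11 web sshd[1211]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Mar  1 10:00:13 web sshd[1213]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
Mar  1 10:00:15 web sshd[1215]: Invalid user test from 192.0.2.9 port 60001'

# failed_logins LOGFILE -> "IP count" per source address, most failures first
failed_logins() {
    awk '
        / sshd\[[0-9]+\]: (Failed password for|Invalid user) / {
            # the source address is the word after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print ip, n[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# ban_candidates LOGFILE MAXRETRY -> addresses that reached maxretry failures
ban_candidates() {
    failed_logins "$1" | awk -v max="$2" '$2 >= max { print $1 }'
}

# Against the live log (Debian/Ubuntu path; /var/log/secure on CentOS/RHEL):
#   ban_candidates /var/log/auth.log 5
```

Running ban_candidates over the sample with maxretry 5 names only 203.0.113.5; the one genuine failure from 198.51.100.7 followed by a successful key login stays well under the threshold, which is the point of choosing 5 rather than 1 or 2.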
After the above is done, you will want to activate some basic iptables rules, such as the below, to allow SSH connections to the machine in the first place. I have also included ports 80 and 443, as mine is a web server. The rules are appended in order and the last one drops everything else, so anything not listed (ICMP, or UDP 161 if a remote host polls the SNMPv3 agent set up earlier) is silently dropped; any extra ACCEPT rule has to go in before the final DROP. Apply them from a console session where you can: a mistake in the port 22 rule locks you out of an SSH session.
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
sudo iptables -A INPUT -j DROP
You will now want to make these rules persistent, so that they do not disappear after a reboot. On Debian/Ubuntu install the iptables-persistent package first (its installer offers to save the rules active at that moment), then re-run the command below whenever you change the rules; on CentOS/RHEL the equivalent is the iptables-services package and its save action.
sudo dpkg-reconfigure iptables-persistent
That’s it: we now have a setup ready to block/ban potentially malicious traffic. Let’s restart the service and be done with it! (I prefer stopping and starting services, just so I feel in control of what’s going on.)
sudo service fail2ban stop
sudo service fail2ban start
One final step is to check whether the newly implemented rules are indeed working. From another machine, attempt to SSH into the server with wrong credentials the number of times you chose above; once the server stops answering your SSH connections, you should see a new iptables rule in your list. (The status subcommand of fail2ban-client, given the jail name sshd, also lists the currently banned addresses.)
You may check that by issuing
sudo iptables -S
You should see a rule similar to the below. The chain is named f2b-sshd in current Fail2Ban releases and fail2ban-ssh in older ones; Fail2Ban inserts it at the top of INPUT, so its REJECT takes precedence over the ACCEPT rule for port 22. The ban expires after bantime, or can be lifted early with the unbanip action of fail2ban-client.
-A f2b-sshd -s X.X.X.X/32 -j REJECT --reject-with icmp-port-unreachable