Help me keep the riffraff out of the (SSH) tunnel
November 24, 2008 1:54 PM Subscribe
Please help an idiot lock down SSH access to a Leopard machine.
In simple terms, how would I go about restricting SSH access to a Mac running Leopard so that it will only accept connections from a known location (specifically, a co-worker's house, where she logs in using Timbuktu)? I'm a database guy working outside of my sphere of knowledge here, so simple is good.
In simple terms, how would I go about restricting SSH access to a Mac running Leopard so that it will only accept connections from a known location (specifically, a co-worker's house, where she logs in using Timbuktu)? I'm a database guy working outside of my sphere of knowledge here, so simple is good.
You can follow this guide and edit /etc/sshd_config to allow a specific user to log in, from a specific IP address.
posted by jaimev at 2:14 PM on November 24, 2008
posted by jaimev at 2:14 PM on November 24, 2008
jaimev's answer is probably the right answer; do an in-page find for "AllowUsers". However, OS X's use of launchd has a tendency to complicate things considerably, as I've found when trying to tinker with smbd. So if you don't get the results that you want by modifying /etc/sshd_config, you might want to look at /System/Library/LaunchDaemons/ssh.plist and work from there. (In general, OS X daemon management seems to require a lot more Googling than you would expect.)
You could also accomplish most of what you want at the network level by editing the ipfw firewall rules. Unfortunately, this isn't the same application-based firewall that can be adjusted using the System Preferences UI, but you can edit this firewall's settings using a third-party tool like Waterroof or NoobProof. I admittedly haven't done this myself, but if it's anything like iptables on a Linux system circa 1998, it's not the most difficult thing in the world to figure out.
posted by cobra libre at 2:36 PM on November 24, 2008
You could also accomplish most of what you want at the network level by editing the ipfw firewall rules. Unfortunately, this isn't the same application-based firewall that can be adjusted using the System Preferences UI, but you can edit this firewall's settings using a third-party tool like Waterroof or NoobProof. I admittedly haven't done this myself, but if it's anything like iptables on a Linux system circa 1998, it's not the most difficult thing in the world to figure out.
posted by cobra libre at 2:36 PM on November 24, 2008
you can do this with the built-in firewall too. you'll probably want to use a front-end, like WaterRoof (though there are others) to do the configuration. you don't want to use the interface that's in System Preferences as it doesn't give you much options.
(to be technical, there are really two firewalls in Leopard: an application-level one and a system-level one, and the System Preferences one only manages the former (and doesn't give you a lot of configurability to boot). the system-level one is called "ipfw", and is actually used by other Unixes too - there are tutorials available for using it if you want to get your hands dirty later.)
posted by mrg at 2:40 PM on November 24, 2008
(to be technical, there are really two firewalls in Leopard: an application-level one and a system-level one, and the System Preferences one only manages the former (and doesn't give you a lot of configurability to boot). the system-level one is called "ipfw", and is actually used by other Unixes too - there are tutorials available for using it if you want to get your hands dirty later.)
posted by mrg at 2:40 PM on November 24, 2008
Response by poster: Thanks, guys. I'll be wading into the pool tomorrow, I may be back with follow-up questions as I actually try to implement.
posted by COBRA! at 3:06 PM on November 24, 2008
posted by COBRA! at 3:06 PM on November 24, 2008
The easiest way? Put this line:
sshd: *
in /etc/hosts.deny.
Put this line:
sshd: x.x.x.x
where x.x.x.x is your coworker's IP address, into /etc/hosts.allow.
You don't even need to restart the ssh service.
posted by zsazsa at 3:20 PM on November 24, 2008
sshd: *
in /etc/hosts.deny.
Put this line:
sshd: x.x.x.x
where x.x.x.x is your coworker's IP address, into /etc/hosts.allow.
You don't even need to restart the ssh service.
posted by zsazsa at 3:20 PM on November 24, 2008
I wouldn't lock it down by location, unless that location has a static IP. If co-worker is on a typical consumer cable or DSL line, her IP address is likely to change on the next reboot of the modem, and any IP-based allow rules won't work for her.
Instead, I'd use a preshared key -that's done under the Authentication section of /etc/sshd_config, with an entry of "PubkeyAuthentication yes" jaimev's link shows how to move the keys over.
Changing the port number of sshd will also keep the riffraff out- they're not going around looking for SSH services to beat on anywhere other than port 22. Technically it is "security by obscurity", but if moving a service to a non-standard port reduces my exposure and keeps my logs cleaner with no downside, I'm all for it.
posted by Steve3 at 3:36 PM on November 24, 2008
Instead, I'd use a preshared key -that's done under the Authentication section of /etc/sshd_config, with an entry of "PubkeyAuthentication yes" jaimev's link shows how to move the keys over.
Changing the port number of sshd will also keep the riffraff out- they're not going around looking for SSH services to beat on anywhere other than port 22. Technically it is "security by obscurity", but if moving a service to a non-standard port reduces my exposure and keeps my logs cleaner with no downside, I'm all for it.
posted by Steve3 at 3:36 PM on November 24, 2008
Seconding steve3. Its rare for a home connection to be a static IP. What will happen is that it will work for a couple of days and then it will mysteriously quit. WIth well-know ports like ssh or rdp, I usually just change the port number to something high and random-ish. Something between 40k and 65k. The default settings on many port scanners are not set to go that high.
Sure, its 'security by obscurity' but Im not going to create a vpn for my home network and it does a good job keeping random sniffers out.
posted by damn dirty ape at 3:49 PM on November 24, 2008
Sure, its 'security by obscurity' but Im not going to create a vpn for my home network and it does a good job keeping random sniffers out.
posted by damn dirty ape at 3:49 PM on November 24, 2008
I'm not sure I really see the need. How many of the riff-raff have gotten into an OS X machine via SSH? I haven't heard of any cases. A weird username & a strong password aught to be riff-raff-exclusionary enough. The IP address thing is going to give you trouble, for sure, sooner or later, though if she's on Time Warner cable & never reboots her machine, she might get lucky and be able to keep the same IP address for several months. I had good old 66.68.101.67 for over a year, one time. Best IP address, ever. *snif*
posted by Devils Rancher at 4:06 PM on November 24, 2008
posted by Devils Rancher at 4:06 PM on November 24, 2008
Denyhosts has been ported over to the mac- I use it on some linux boxes; you get three bad login attempts (one on root), and then your IP gets blocked for a month or two. Easy install, easy configuration.
posted by jenkinsEar at 8:04 PM on November 24, 2008
posted by jenkinsEar at 8:04 PM on November 24, 2008
It's not always about getting in- enough false traffic can cause problems. Every time a hacker or bot tries to start an SSH connection, it's using resources on the destination computer.
It was observed and discussed on the OS X Server Admin list last week that there was a sudden surge in the number of failed SSH authentication attempts on servers (as if a botnet was being used), which was causing authentication problems for some OS X.4.11 machines. 10.5.5 was unaffected, but so was any 10.4 server running SSH on a non-standard port.
This wasn't an attack on any specific destination, just machines anywhere in the world that happened to have SSH open.
posted by Steve3 at 8:13 PM on November 24, 2008
It was observed and discussed on the OS X Server Admin list last week that there was a sudden surge in the number of failed SSH authentication attempts on servers (as if a botnet was being used), which was causing authentication problems for some OS X.4.11 machines. 10.5.5 was unaffected, but so was any 10.4 server running SSH on a non-standard port.
This wasn't an attack on any specific destination, just machines anywhere in the world that happened to have SSH open.
posted by Steve3 at 8:13 PM on November 24, 2008
If you're going to use ssh with keys rather than passwords, i recommend this wonderful little program to set it up for you: ssh-installkeys.
posted by CautionToTheWind at 4:33 AM on November 25, 2008
posted by CautionToTheWind at 4:33 AM on November 25, 2008
Response by poster: I'm not sure I really see the need. How many of the riff-raff have gotten into an OS X machine via SSH? I haven't heard of any cases.
At least one riffraffy motherfucker has gotten onto the machine twice now, and while it's not clear to me that it's through SSH, the University IT Security people I'm dealing with want SSH locked down this way (although they won't deign to do it themselves). As mentioned upthread, I'm a database specialist who's stuck dealing with this because, hey, it's all computers, right?
FWIW, the computer in question got hacked into again last night while SSH had been turned off, so I'm now reinstalling Leopard from scratch. I am not a happy man.
posted by COBRA! at 7:06 AM on November 25, 2008
At least one riffraffy motherfucker has gotten onto the machine twice now, and while it's not clear to me that it's through SSH, the University IT Security people I'm dealing with want SSH locked down this way (although they won't deign to do it themselves). As mentioned upthread, I'm a database specialist who's stuck dealing with this because, hey, it's all computers, right?
FWIW, the computer in question got hacked into again last night while SSH had been turned off, so I'm now reinstalling Leopard from scratch. I am not a happy man.
posted by COBRA! at 7:06 AM on November 25, 2008
I'd be genuinely curious to know, if you find out how you were hacked, and in what capacity. What did the hackers gain access to, and what did they do while they had access? There are quite a few of us out here who are probably bumbling along with a false sense of security regarding OSX ("use a strong password & trust the Almighty Built-in Firewall-of-Jobs) that could use the information.
posted by Devils Rancher at 12:02 PM on November 27, 2008
posted by Devils Rancher at 12:02 PM on November 27, 2008
Response by poster: My best guess at this point is that the computer picked up an Office document with a bad macro. All of the initial SSH worry was being fed by IT security guys who, when pressed, admitted they didn't know much about Macs.
posted by COBRA! at 11:24 AM on December 1, 2008
posted by COBRA! at 11:24 AM on December 1, 2008
This thread is closed to new comments.
posted by Political Funny Man at 2:05 PM on November 24, 2008