Help me keep the riffraff out of the (SSH) tunnel
November 24, 2008 1:54 PM   Subscribe

Please help an idiot lock down SSH access to a Leopard machine.

In simple terms, how would I go about restricting SSH access to a Mac running Leopard so that it will only accept connections from a known location (specifically, a co-worker's house, where she logs in using Timbuktu)? I'm a database guy working outside of my sphere of knowledge here, so simple is good.
posted by COBRA! to Computers & Internet (15 answers total) 3 users marked this as a favorite
 
Someone else may have a better idea, but I don't think the built-in firewall will do what you want. A possibility is the 3rd Party Little Snitch which can block the applications on your system from contacting the outside (firewalls do the reverse).
posted by Political Funny Man at 2:05 PM on November 24, 2008


You can follow this guide and edit /etc/sshd_config to allow a specific user to log in, from a specific IP address.
posted by jaimev at 2:14 PM on November 24, 2008


jaimev's answer is probably the right answer; do an in-page find for "AllowUsers". However, OS X's use of launchd has a tendency to complicate things considerably, as I've found when trying to tinker with smbd. So if you don't get the results that you want by modifying /etc/sshd_config, you might want to look at /System/Library/LaunchDaemons/ssh.plist and work from there. (In general, OS X daemon management seems to require a lot more Googling than you would expect.)

You could also accomplish most of what you want at the network level by editing the ipfw firewall rules. Unfortunately, this isn't the same application-based firewall that can be adjusted using the System Preferences UI, but you can edit this firewall's settings using a third-party tool like Waterroof or NoobProof. I admittedly haven't done this myself, but if it's anything like iptables on a Linux system circa 1998, it's not the most difficult thing in the world to figure out.
posted by cobra libre at 2:36 PM on November 24, 2008


you can do this with the built-in firewall too. you'll probably want to use a front-end, like WaterRoof (though there are others) to do the configuration. you don't want to use the interface that's in System Preferences as it doesn't give you much options.

(to be technical, there are really two firewalls in Leopard: an application-level one and a system-level one, and the System Preferences one only manages the former (and doesn't give you a lot of configurability to boot). the system-level one is called "ipfw", and is actually used by other Unixes too - there are tutorials available for using it if you want to get your hands dirty later.)
posted by mrg at 2:40 PM on November 24, 2008


Response by poster: Thanks, guys. I'll be wading into the pool tomorrow, I may be back with follow-up questions as I actually try to implement.
posted by COBRA! at 3:06 PM on November 24, 2008


The easiest way? Put this line:

sshd: *

in /etc/hosts.deny.

Put this line:

sshd: x.x.x.x

where x.x.x.x is your coworker's IP address, into /etc/hosts.allow.

You don't even need to restart the ssh service.
posted by zsazsa at 3:20 PM on November 24, 2008


I wouldn't lock it down by location, unless that location has a static IP. If co-worker is on a typical consumer cable or DSL line, her IP address is likely to change on the next reboot of the modem, and any IP-based allow rules won't work for her.

Instead, I'd use a preshared key -that's done under the Authentication section of /etc/sshd_config, with an entry of "PubkeyAuthentication yes" jaimev's link shows how to move the keys over.

Changing the port number of sshd will also keep the riffraff out- they're not going around looking for SSH services to beat on anywhere other than port 22. Technically it is "security by obscurity", but if moving a service to a non-standard port reduces my exposure and keeps my logs cleaner with no downside, I'm all for it.
posted by Steve3 at 3:36 PM on November 24, 2008


Seconding steve3. Its rare for a home connection to be a static IP. What will happen is that it will work for a couple of days and then it will mysteriously quit. WIth well-know ports like ssh or rdp, I usually just change the port number to something high and random-ish. Something between 40k and 65k. The default settings on many port scanners are not set to go that high.

Sure, its 'security by obscurity' but Im not going to create a vpn for my home network and it does a good job keeping random sniffers out.
posted by damn dirty ape at 3:49 PM on November 24, 2008


I'm not sure I really see the need. How many of the riff-raff have gotten into an OS X machine via SSH? I haven't heard of any cases. A weird username & a strong password aught to be riff-raff-exclusionary enough. The IP address thing is going to give you trouble, for sure, sooner or later, though if she's on Time Warner cable & never reboots her machine, she might get lucky and be able to keep the same IP address for several months. I had good old 66.68.101.67 for over a year, one time. Best IP address, ever. *snif*
posted by Devils Rancher at 4:06 PM on November 24, 2008


Denyhosts has been ported over to the mac- I use it on some linux boxes; you get three bad login attempts (one on root), and then your IP gets blocked for a month or two. Easy install, easy configuration.
posted by jenkinsEar at 8:04 PM on November 24, 2008


It's not always about getting in- enough false traffic can cause problems. Every time a hacker or bot tries to start an SSH connection, it's using resources on the destination computer.
It was observed and discussed on the OS X Server Admin list last week that there was a sudden surge in the number of failed SSH authentication attempts on servers (as if a botnet was being used), which was causing authentication problems for some OS X.4.11 machines. 10.5.5 was unaffected, but so was any 10.4 server running SSH on a non-standard port.

This wasn't an attack on any specific destination, just machines anywhere in the world that happened to have SSH open.
posted by Steve3 at 8:13 PM on November 24, 2008


If you're going to use ssh with keys rather than passwords, i recommend this wonderful little program to set it up for you: ssh-installkeys.
posted by CautionToTheWind at 4:33 AM on November 25, 2008


Response by poster: I'm not sure I really see the need. How many of the riff-raff have gotten into an OS X machine via SSH? I haven't heard of any cases.

At least one riffraffy motherfucker has gotten onto the machine twice now, and while it's not clear to me that it's through SSH, the University IT Security people I'm dealing with want SSH locked down this way (although they won't deign to do it themselves). As mentioned upthread, I'm a database specialist who's stuck dealing with this because, hey, it's all computers, right?

FWIW, the computer in question got hacked into again last night while SSH had been turned off, so I'm now reinstalling Leopard from scratch. I am not a happy man.
posted by COBRA! at 7:06 AM on November 25, 2008


I'd be genuinely curious to know, if you find out how you were hacked, and in what capacity. What did the hackers gain access to, and what did they do while they had access? There are quite a few of us out here who are probably bumbling along with a false sense of security regarding OSX ("use a strong password & trust the Almighty Built-in Firewall-of-Jobs) that could use the information.
posted by Devils Rancher at 12:02 PM on November 27, 2008


Response by poster: My best guess at this point is that the computer picked up an Office document with a bad macro. All of the initial SSH worry was being fed by IT security guys who, when pressed, admitted they didn't know much about Macs.
posted by COBRA! at 11:24 AM on December 1, 2008


« Older Fundamental Theorem What?   |   What is the best Credit Card gimmick offer right... Newer »
This thread is closed to new comments.