Introduction: SSH (Secure Shell) is used to establish a remote connection to a Linux box on which the SSH service is running. SSH listens on port 22, and applications like OpenSSH v2.0 provide the SSH utilities. SSH can protect a network from attacks like IP spoofing and IP source routing. In this lab, however, we study some vulnerabilities associated with SSH and provide the necessary countermeasures.
// Install the SSH service on the Linux box
#yum install openssh-server
// Start the SSH service
#service sshd start
// Set the SSH service to start automatically on every system reboot
#chkconfig sshd on
// Verify that port 22 is open (sshd should be listed as the listening process)
# netstat -tulpn | grep :22
// Configure the firewall settings. The lab simply stops iptables so that port 22 is reachable; on a real server leave the firewall running and allow only port 22 instead.
# service iptables stop
// Verify the SSH access from the client box.
PuTTY can be downloaded from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
From the Windows box, open PuTTY and connect to the server box, selecting SSH and the default port, i.e. 22.
Task 2: Attack using brute force with dictionary attacks
In this attack we demonstrate how to carry out a dictionary attack on the username and password from the client machine, using ncrack from the Metasploit framework on BackTrack. We first create many users on the server machine. We then run ncrack against the user list (/root/users.txt) and the password dictionary file (/root/passwd.txt).
// Command to try every username in the list against every password in the dictionary file (the file name must match the dictionary actually created, /root/passwd.txt)
# ncrack -U /root/users.txt -P /root/passwd.txt 192.168.41.134 -p 22
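Seen from the server, the attack above leaves a distinctive trail in the sshd log: a burst of "Failed password" lines for many different usernames from one address, followed by an "Accepted password" line once a guess matched. The script below is an added example, not part of the original lab, that parses such lines, flags source addresses exceeding a failure threshold inside a time window, counts the distinct usernames tried, and reports whether the same address later logged in (which means the guessed account must be treated as compromised). The log lines are constructed (hostnames, PIDs and addresses are made up) and the thresholds are assumptions to be tuned per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd log lines (CentOS writes these to /var/log/secure,
# Debian/Ubuntu to /var/log/auth.log). Hostnames, PIDs and addresses are made up.
# The first five lines mimic one client trying five usernames within seconds,
# then logging in once a password matched; the last two are ordinary activity.
SAMPLE_LOG = """\
Mar 10 10:15:01 server sshd[2101]: Failed password for invalid user admin from 192.168.41.130 port 51234 ssh2
Mar 10 10:15:02 server sshd[2103]: Failed password for user1 from 192.168.41.130 port 51236 ssh2
Mar 10 10:15:02 server sshd[2105]: Failed password for user2 from 192.168.41.130 port 51238 ssh2
Mar 10 10:15:03 server sshd[2107]: Failed password for user3 from 192.168.41.130 port 51240 ssh2
Mar 10 10:15:03 server sshd[2109]: Failed password for root from 192.168.41.130 port 51242 ssh2
Mar 10 10:15:04 server sshd[2111]: Accepted password for user2 from 192.168.41.130 port 51244 ssh2
Mar 10 10:20:00 server sshd[2150]: Failed password for user1 from 192.168.41.200 port 40001 ssh2
Mar 10 10:21:00 server sshd[2152]: Accepted publickey for user1 from 192.168.41.200 port 40002 ssh2
"""

# Matches both "Failed password for [invalid user] NAME from IP" and
# "Accepted METHOD for NAME from IP" in the form sshd logs them.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_events(text):
    """Return a list of (timestamp, kind, method, user, ip) tuples for login events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # some other sshd or syslog message
        # syslog timestamps carry no year; strptime fills in 1900, fine for time deltas
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("kind"), m.group("method"), m.group("user"), m.group("ip")))
    return events


def find_brute_force(events, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failed logins inside any
    `window_seconds` span (both values are assumptions; tune them to the site).

    For each flagged IP the report includes how many distinct usernames were
    tried (many names from one address is the signature of a user-list attack)
    and whether that IP later logged in successfully, which means a guess worked
    and the account must be treated as compromised."""
    failures = defaultdict(list)
    accepted = defaultdict(list)
    for ts, kind, method, user, ip in events:
        (failures if kind == "Failed" else accepted)[ip].append((ts, user, method))

    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        best, best_users = 0, set()
        # sliding window: densest run of failures starting at each attempt
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if (a[0] - start).total_seconds() <= window_seconds]
            if len(in_window) > best:
                best, best_users = len(in_window), {u for _, u, _ in in_window}
        if best < threshold:
            continue
        last_failure = attempts[-1][0]
        later = [(ts, method) for ts, _, method in accepted.get(ip, []) if ts >= last_failure]
        hits[ip] = {
            "failures": best,
            "distinct_users": len(best_users),
            "success_after": bool(later),
            "accepted_method": later[0][1] if later else None,
        }
    return hits


if __name__ == "__main__":
    for ip, info in find_brute_force(parse_events(SAMPLE_LOG)).items():
        print(ip, info)
```

Run against a real log by passing the file contents to parse_events; an entry with success_after set to True and accepted_method "password" is the case the lab produces, and is the strongest argument for the key-only countermeasure later in this document.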
Task 3: Attack using SSH downgrade attack
1. Scan the victim box to see if the port for SSH is open.
// Execute the nmap command to see all the open ports:
#nmap -sS -O -P0 -vv 192.168.41.134
2. Using the previous brute force attack, gain entry into the server machine and edit its SSH configuration file.
# vi /etc/ssh/sshd_config
Task 4: Countermeasures to defend SSH from attacks
Countermeasure 1: Apply public key authentication to access SSH.
a. On the Linux server box, generate a pair of keys, public and private.
// Generate the required keys
#ssh-keygen -t rsa
* The "ssh-keygen" command generates and manages the authentication keys. These are public and private RSA or DSA keys generated on the Linux/Unix box to strengthen the security of SSH.
// Verify that the keys were generated in "/home/user1/.ssh", where user1 is the user with login credentials (for root, as used below, the directory is /root/.ssh)
#cd /root/.ssh
# ls
// Copy the public key into the same .ssh directory under the name authorized_keys, the file sshd checks at login
#cp id_rsa.pub authorized_keys
b. On the Windows box:
// Open PuTTY, connect to the Linux box and navigate to the location where the key files are present.
#cd /root/.ssh
#cat id_rsa
// Copy the content of the private key and save it to a text file on the Windows box
Quick steps:
- On the Windows box, open a Notepad file and paste the contents of the key.
- Save the file, say as "private_key.txt".
// Convert the private key into PuTTY's format on the Windows box with the help of PuTTYgen.exe
Quick steps:
i. On the Windows box, open "puttygen.exe" and on the menu click "Conversions -> Import Key".
ii. Browse to the "private_key.txt" file that was saved in the earlier steps, copied from "id_rsa".
iii. Type the passphrase when prompted (the one provided during the key generation process) and click the "OK" button.
iv. The key is loaded into the PuTTYgen window. Click the "Save private key" button to save the key on the Windows box. This file is saved with the extension .ppk.
// Close PuTTYgen and PuTTY on the Windows box.
c. At the Linux machine
// Edit the sshd_config file
#vi /etc/ssh/sshd_config
* The "PubkeyAuthentication=yes" parameter makes SSH ask for a key on every access by a user. The user can log in to the server only if the private key used during SSH access is validated by the server against the corresponding public key placed on the server, in the file configured with the "AuthorizedKeysFile" parameter.
* The "PasswordAuthentication=no" parameter makes SSH never prompt the user for a password.
This countermeasure is essential for securing SSH access: only users with a valid key will be able to access the server with SSH; otherwise permission is denied for the login. Restart sshd for the change to take effect, and keep an existing session open until a key-based login has been verified, since a mistake here locks every user out.
Countermeasure 2: Change the default port of SSH from 22 to any other port, say 12345.
// Change the port of SSH from the default 22 to, say, 12345.
#vi /etc/ssh/sshd_config
* Add the "Port 12345" parameter to the configuration file and save the setting.
* SSH will now run on port 12345 instead of the default 22.
// Restart the service
#service sshd restart
* Now from the client box open PuTTY and access the server with SSH using port 12345 instead of 22.
// Execute the nmap command to see all the open ports:
#nmap -sS -O -P0 -vv 192.168.0.24 //where 192.168.0.24 is the victim box
This makes it harder for an attacker to find the new SSH port. Note that a scan of all 65535 ports will still reveal the service, so the port change adds obscurity rather than real protection and must be combined with the public key authentication countermeasure above.
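Both countermeasures live in /etc/ssh/sshd_config, which is exactly the file the Task 3 intruder edits after getting a shell, so a defender wants two checks: that the directives are actually in force, and that the file has not been quietly changed since. The script below is an added example, not part of the original lab. It parses sshd_config the way sshd reads it (comment lines start with "#", keywords are case-insensitive, the first occurrence of a keyword wins, and both "Key value" and "Key=value" forms are accepted), layers the parsed values over sshd's built-in defaults (Port 22, PubkeyAuthentication yes, PasswordAuthentication yes, from the sshd_config manual) so that a missing directive is judged by its effective value, audits the three directives this document uses, and compares a current file against a recorded baseline by hash and by directive. The two config texts are constructed; the "tampered" one models an intruder putting password logins and the default port back.

```python
import hashlib
import re

# Defaults sshd applies when a directive is absent (sshd_config manual), so an
# audit must judge the effective value, not only what the file states explicitly.
SSHD_DEFAULTS = {
    "port": "22",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
}

# What the countermeasures in this lab require.
EXPECTED = {"pubkeyauthentication": "yes", "passwordauthentication": "no"}

# Constructed sshd_config texts. BASELINE is what the administrator recorded after
# applying the countermeasures; TAMPERED is the same file after someone with a
# shell on the box restored password logins and the default port.
BASELINE_CONFIG = """\
# sshd_config (constructed example)
Port 12345
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
"""

TAMPERED_CONFIG = """\
# sshd_config (constructed example)
Port 22
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication=yes
"""

# "Keyword value" or "Keyword=value"; sshd accepts both forms.
DIRECTIVE_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(?P<value>\S.*?)\s*$")


def parse_sshd_config(text):
    """Map lowercased keyword -> value following sshd's rules: comment lines start
    with '#', keywords are case-insensitive, the first occurrence of a keyword wins,
    and directives under a Match block are conditional, so they are skipped here."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key = m.group("key").lower()
        if key == "match":
            in_match = True
            continue
        if not in_match:
            settings.setdefault(key, m.group("value"))
    return settings


def effective_settings(text):
    """Explicit directives layered over sshd's built-in defaults."""
    return {**SSHD_DEFAULTS, **parse_sshd_config(text)}


def audit(text):
    """List the ways the configuration falls short of the two countermeasures."""
    eff = effective_settings(text)
    findings = []
    for key, want in EXPECTED.items():
        if eff[key].lower() != want:
            findings.append(f"{key}: expected {want}, effective value is {eff[key]}")
    if eff["port"] == SSHD_DEFAULTS["port"]:
        findings.append("port: still the default 22")
    return findings


def fingerprint(text):
    """SHA-256 of the file contents: cheap to record and to re-check from a cron job."""
    return hashlib.sha256(text.encode()).hexdigest()


def diff_settings(baseline_text, current_text):
    """Directives whose effective value differs from the recorded baseline."""
    base, cur = effective_settings(baseline_text), effective_settings(current_text)
    return {k: (base.get(k), cur.get(k)) for k in sorted(set(base) | set(cur)) if base.get(k) != cur.get(k)}


if __name__ == "__main__":
    print("baseline findings:", audit(BASELINE_CONFIG))
    print("tampered findings:", audit(TAMPERED_CONFIG))
    if fingerprint(BASELINE_CONFIG) != fingerprint(TAMPERED_CONFIG):
        print("sshd_config changed:", diff_settings(BASELINE_CONFIG, TAMPERED_CONFIG))
```

In practice the baseline hash and the parsed baseline directives are stored off the box, and the check is run periodically against the live /etc/ssh/sshd_config (and again after every sshd restart); a hash mismatch tells you the file changed, and diff_settings tells you which directive an intruder touched.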
Conclusion
Secure Shell was configured and then attacked using ncrack (password brute force attack). Countermeasures were then provided by changing the default SSH port number and by implementing public key based authentication.