One of the greatest improvements introduced by the SSH protocol is key-based authentication – meaning your client and SSH server establish the validity of your SSH keypair and let you gain remote SSH access without asking for your password.
AppArmor is a Linux Kernel security module that implements mandatory access control (MAC) security with per-application profiles in Debian based systems. It's possible to confirm if AppArmor is enabled in your Debian or Ubuntu system and to also find out the mode it's running in.
AppArmor Status with aa-status Command
The aa-status command lists the currently loaded AppArmor profiles and the mode each one is in.
For instance, here's how it looks on a system where AppArmor is inactive (Debian 9 in my case):
root@debian9:~# aa-status
apparmor module is loaded.
apparmor filesystem is not mounted.
And here is how AppArmor status is reported on Debian 10 system where it's activated by default:
root@debian10:~# aa-status
apparmor module is loaded.
20 profiles are loaded.
18 profiles are in enforce mode.
   /usr/bin/evince
   /usr/bin/evince-previewer
   /usr/bin/evince-previewer//sanitized_helper
   /usr/bin/evince-thumbnailer
   /usr/bin/evince//sanitized_helper
   /usr/bin/man
   /usr/lib/telepathy/mission-control-5
   /usr/lib/telepathy/telepathy-*
   /usr/lib/telepathy/telepathy-*//pxgsettings
   /usr/lib/telepathy/telepathy-*//sanitized_helper
   /usr/lib/telepathy/telepathy-ofono
   libreoffice-senddoc
   libreoffice-soffice//gpg
   libreoffice-xpdfimport
   man_filter
   man_groff
   nvidia_modprobe
   nvidia_modprobe//kmod
2 profiles are in complain mode.
   libreoffice-oopslash
   libreoffice-soffice
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.
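Reading aa-status by eye works for one host; for many hosts it helps to turn the output into a verdict. The following is an added example (not code from the original post) that parses aa-status text like the two listings above and flags the weak spots a defender cares about: a module loaded without its filesystem (nothing is enforced), profiles left in complain mode, and processes with a profile that run unconfined. The sample outputs at the bottom are constructed in that format, with the profile lists trimmed.

```python
"""Parse `aa-status` output and judge the posture it describes.

Added example, not code from the original post. Input is `aa-status` text as
shown above; the two samples at the bottom are constructed (lists trimmed).
"""
import re

def parse_aa_status(text):
    """Return module/filesystem state plus the profile names listed per mode."""
    state = {"module_loaded": False, "fs_mounted": True,
             "enforce": [], "complain": [], "unconfined_procs": 0}
    mode = None  # which list the following indented profile names belong to
    for raw in text.splitlines():
        line = raw.strip()
        if line == "apparmor module is loaded.":
            state["module_loaded"] = True
        elif line == "apparmor filesystem is not mounted.":
            state["fs_mounted"] = False
        elif m := re.fullmatch(r"\d+ profiles are in (enforce|complain) mode\.", line):
            mode = m.group(1)
        elif m := re.fullmatch(r"(\d+) processes are unconfined but have a profile defined\.", line):
            state["unconfined_procs"] = int(m.group(1))
            mode = None
        elif re.match(r"\d+ (profiles|processes) ", line):
            mode = None  # any other counter line ends the current name list
        elif line and mode is not None:
            state[mode].append(line)
    return state

def assess(text):
    """Return (ok, findings); complain-mode profiles only log, they never block."""
    st = parse_aa_status(text)
    findings = []
    if not st["module_loaded"]:
        findings.append("apparmor module is not loaded")
    elif not st["fs_mounted"]:
        findings.append("apparmor filesystem not mounted: no profile is enforced")
    findings += [f"{p}: complain mode only" for p in st["complain"]]
    if st["unconfined_procs"]:
        findings.append(f"{st['unconfined_procs']} process(es) have a profile but run unconfined")
    return (not findings, findings)

INACTIVE = "apparmor module is loaded.\napparmor filesystem is not mounted.\n"
ACTIVE = """apparmor module is loaded.
4 profiles are loaded.
2 profiles are in enforce mode.
   /usr/bin/man
   man_filter
2 profiles are in complain mode.
   libreoffice-oopslash
   libreoffice-soffice
0 processes have profiles defined.
0 processes are unconfined but have a profile defined.
"""
```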
Cloudflare, possibly the best DNS provider (and so much more) available for free, has been hosting Crypto Week 2019 since Monday. I really like this company and host at least 20 DNS zones for my various domains there.
I'm just catching up on reading and thought the Crypto Week 2019 announcement post is a must-read for everyone.
While generally the week is spent announcing various improvements around crypto (as in cryptocurrencies), the announcement post talks about a broader set of issues with the current Internet and about the most recent efforts to vastly improve it.
If TLS, BGP hijacking or DNSSEC mean anything to you (and even more importantly, if they don't yet!) – please read the Crypto Week 2019 post, as you will learn a lot and receive a bunch of great pointers for further reading.
Sometimes you need to tweak your SSH daemon on an important system and you just don't know whether particular settings will break connectivity to the server or not. In such cases it's best to test the new SSHd config using a separate SSH daemon instance on a separate SSH port – debug it there and only then apply the new settings to your primary SSHd configuration.
Creating New SSHd Config
The easiest way is to start by copying the /etc/ssh/sshd_config file – you will need sudo/root privileges for that:
greys@s2:~ $ sudo cp /etc/ssh/sshd_config /home/greys
I then just remove everything I don't need from it, leaving the bare minimum. These are the parameters I kept (I ended up renaming my config to /home/greys/sshd_config.minimal after the edits):
greys@s2:~ $ grep -v ^# /home/greys/sshd_config.minimal | uniq -u
Port 2222
HostKey /etc/ssh/ssh_host_rsa_key
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /var/ssh/%u/authorized_keys
PasswordAuthentication no
UsePAM yes
I only updated the SSH Port parameter – you can pick any other number instead of 2222.
Starting SSH daemon with custom config file
There are a few rules for testing an SSH configuration using a separate file:
- you need to have sudo/root privileges (mostly to avoid a mess with host SSH keys)
- it's better to increase the verbosity level to see what's going on
- it's best to run SSHd in foreground (non-daemon) mode
With these principles in mind, here's the command line to test the config shown above:
greys@s2:~ $ sudo /usr/sbin/sshd -f /home/greys/sshd_config.minimal -ddd -D
debug2: load_server_config: filename /home/greys/sshd_config.minimal
debug2: load_server_config: done config len = 194
debug2: parse_server_config: config /home/greys/sshd_config.minimal len 194
debug3: /home/greys/sshd_config.minimal:1 setting Port 2222
debug3: /home/greys/sshd_config.minimal:10 setting HostKey /home/greys/ssh_host_rsa_key
debug3: /home/greys/sshd_config.minimal:12 setting RSAAuthentication yes
/home/greys/sshd_config.minimal line 12: Deprecated option RSAAuthentication
debug3: /home/greys/sshd_config.minimal:13 setting PubkeyAuthentication yes
debug3: /home/greys/sshd_config.minimal:18 setting AuthorizedKeysFile /var/ssh/%u/authorized_keys
debug3: /home/greys/sshd_config.minimal:20 setting PasswordAuthentication no
debug3: /home/greys/sshd_config.minimal:22 setting UsePAM yes
debug1: sshd version OpenSSH_7.4, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: private host key #0: ssh-rsa SHA256:g7xhev6zJefXRFc0ClAG4rzpFI1Ts8H7PhQ/h3PTmLM
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug2: fd 4 setting O_NONBLOCK
debug3: sock_set_v6only: set socket 4 IPV6_V6ONLY
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
That's it, the configuration is ready to be tested (assuming your firewall on server doesn't block port 2222).
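Before starting the second daemon it is worth checking the minimal config against the production one, so the test instance does not fight over a port or quietly carry a weaker setting. The following is an added example, not code from the original post: it reads sshd_config syntax the way sshd reads its global options (first occurrence wins, keywords are case-insensitive, anything after a Match line is conditional) and lists the problems. TEST_CONFIG is the minimal config shown above; PROD_CONFIG is constructed.

```python
"""Pre-flight checks before starting a second sshd with `sshd -f <file> -ddd -D`.

Added example, not code from the original post. Options are read the way sshd
reads global options (first occurrence wins, keywords case-insensitive, lines
after `Match` are conditional). PROD_CONFIG is constructed; TEST_CONFIG is the
minimal config listed above.
"""
import re

# Dropped with SSHv1 support in OpenSSH 7.4: sshd warns and ignores them.
DEPRECATED = {"rsaauthentication", "rhostsrsaauthentication",
              "serverkeybits", "keyregenerationinterval"}

def parse_sshd_config(text):
    """Return {keyword.lower(): value} for the global section of an sshd_config."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            break  # options below apply conditionally, not to the whole daemon
        opts.setdefault(key, value)  # sshd keeps the first value it sees
    return opts

def preflight(prod_text, test_text):
    """List problems that would make the test daemon collide with prod or be unsafe."""
    prod, test = parse_sshd_config(prod_text), parse_sshd_config(test_text)
    problems = []
    if test.get("port", "22") == prod.get("port", "22"):
        problems.append("Port equals production: the test daemon cannot bind, or you test the wrong one")
    problems += [f"{k}: deprecated option, sshd warns and ignores it" for k in test if k in DEPRECATED]
    if test.get("passwordauthentication", "yes").lower() != "no":
        problems.append("PasswordAuthentication is not 'no' on the test instance")
    if test.get("permitrootlogin", "prohibit-password").lower() == "yes":
        problems.append("PermitRootLogin yes on the test instance")
    if "hostkey" not in test:
        problems.append("no HostKey: sshd falls back to the default /etc/ssh host keys")
    return problems

PROD_CONFIG = "# constructed production config\nPort 22\nPasswordAuthentication yes\n"
TEST_CONFIG = """Port 2222
HostKey /etc/ssh/ssh_host_rsa_key
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /var/ssh/%u/authorized_keys
PasswordAuthentication no
UsePAM yes
"""

if __name__ == "__main__":
    # Then let sshd check syntax itself: sudo /usr/sbin/sshd -t -f /home/greys/sshd_config.minimal
    print(preflight(PROD_CONFIG, TEST_CONFIG) or ["no problems found"])
```

On the page's own minimal config the only finding is the deprecated RSAAuthentication line, which matches the warning sshd prints in the debug output that follows.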
Testing SSH connectivity using Different SSH Port
Here's my login session in a separate window, connecting from my MacBook Pro to the s2 server on SSH port 2222 (I have masked my static IP with aaa.bbb.ccc.ddd and my s2 server's IP with eee.fff.ggg.hhh):
greys@MacBook-Pro:~ $ ssh s2 -p 2222
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Last login: Fri May 24 15:53:59 2019 from aaa.bbb.ccc.ddd
debug3: Copy environment: XDG_SESSION_ID=14813
debug3: Copy environment: XDG_RUNTIME_DIR=/run/user/1000
Environment:
  USER=greys
  LOGNAME=greys
  HOME=/home/greys
  PATH=/usr/local/bin:/usr/bin
  MAIL=/var/mail/greys
  SHELL=/bin/bash
  SSH_CLIENT=aaa.bbb.ccc.ddd 64168 2222
  SSH_CONNECTION=aaa.bbb.ccc.ddd 64168 eee.fff.ggg.hhh 2222
  SSH_TTY=/dev/pts/14
  TERM=xterm-256color
  XDG_SESSION_ID=14813
  XDG_RUNTIME_DIR=/run/user/1000
  SSH_AUTH_SOCK=/tmp/ssh-ajOUyvbR6i/agent.20996
greys@s2:~ $ uptime
 16:18:08 up 86 days, 17:32,  2 users,  load average: 1.00, 1.02, 1.05
Pretty cool, huh?
I'm slowly improving my understanding of the SELinux setup, currently looking into controlling user access. As you know, there may be lots of different users created in your Linux system. For them to be controlled by the SELinux framework, we need to map all users to one of the users in SELinux policy.
Install SELinux Tools
The command we need is called seinfo, and it's not installed by default. We have to install the setools-console package first:
[greys@rhel8 ~]$ sudo yum install setools-console
[sudo] password for greys:
Updating Subscription Management repositories.
Updating Subscription Management repositories.
Red Hat Enterprise Linux 8 for x86_64 - AppStream Beta (RPMs)    3.0 kB/s | 4.1 kB   00:01
Red Hat Enterprise Linux 8 for x86_64 - BaseOS Beta (RPMs)       3.0 kB/s | 4.1 kB   00:01
Dependencies resolved.
=========================================================================
 Package           Arch     Version        Repository                           Size
=========================================================================
Installing:
 setools-console   x86_64   4.1.1-11.el8   rhel-8-for-x86_64-baseos-beta-rpms   28 k

Transaction Summary
=========================================================================
Install  1 Package

Total download size: 28 k
Installed size: 109 k
Is this ok [y/N]: y
Downloading Packages:
setools-console-4.1.1-11.el8.x86_64.rpm                           15 kB/s |  28 kB   00:01
-------------------------------------------------------------------------
Total                                                             15 kB/s |  28 kB   00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                              1/1
  Installing       : setools-console-4.1.1-11.el8.x86_64                          1/1
  Running scriptlet: setools-console-4.1.1-11.el8.x86_64                          1/1
  Verifying        : setools-console-4.1.1-11.el8.x86_64                          1/1

Installed:
  setools-console-4.1.1-11.el8.x86_64

Complete!
List Available SELinux Users
Now that the package is installed, run the seinfo -u command to show the list of SELinux users:
[greys@rhel8 ~]$ seinfo -u
Users: 8
   guest_u
   root
   staff_u
   sysadm_u
   system_u
   unconfined_u
   user_u
   xguest_u
While we're at it, let's check the current user's SELinux context: usually you're mapped to the unconfined_u user:
[greys@rhel8 ~]$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
When running an SELinux-based setup, it's useful to know how to quickly inspect files and directories to confirm their current SELinux context.
What is SELinux Context?
Every process and file in an SELinux-based environment can be labeled with additional information that helps fulfill RBAC (Role-Based Access Control), TE (Type Enforcement) and MLS (Multi-Level Security).
An SELinux context is the combination of such additional information: the SELinux user, the role, the type and the sensitivity level.
In the following example we can see that unconfined_u is the SELinux user, object_r is the role, user_home_dir_t is the object type (a user's home directory) and the SELinux sensitivity level (MCS terminology) is s0:
drwx------. 17 greys greys unconfined_u:object_r:user_home_dir_t:s0 4096 Feb 19 12:14 .
Use ls -Z to show SELinux Context
[greys@rhel8 ~]$ ls -alZ .
total 64
drwx------. 17 greys greys unconfined_u:object_r:user_home_dir_t:s0   4096 Feb 19 12:14 .
drwxr-xr-x.  3 root  root  system_u:object_r:home_root_t:s0             19 Jan 15 17:34 ..
-rw-------.  1 greys greys unconfined_u:object_r:user_home_t:s0       2035 Feb 19 12:14 .bash_history
-rw-r--r--.  1 greys greys unconfined_u:object_r:user_home_t:s0         18 Oct 12 17:56 .bash_logout
-rw-r--r--.  1 greys greys unconfined_u:object_r:user_home_t:s0        218 Jan 28 17:42 .bash_profile
-rw-r--r--.  1 greys greys unconfined_u:object_r:user_home_t:s0        312 Oct 12 17:56 .bashrc
drwx------. 12 greys greys unconfined_u:object_r:cache_home_t:s0      4096 Jan 21 06:41 .cache
drwx------. 14 greys greys unconfined_u:object_r:config_home_t:s0      278 Jan 21 06:41 .config
drwx------.  3 greys greys unconfined_u:object_r:dbus_home_t:s0         25 Jan 20 18:28 .dbus
drwxr-xr-x.  2 greys greys unconfined_u:object_r:user_home_t:s0          6 Jan 20 18:28 Desktop
drwxr-xr-x.  2 greys greys unconfined_u:object_r:user_home_t:s0          6 Jan 20 18:28 Documents
drwxr-xr-x.  2 greys greys unconfined_u:object_r:user_home_t:s0          6 Jan 20 18:28 Downloads
-rw-------.  1 greys greys unconfined_u:object_r:pulseaudio_home_t:s0   16 Jan 15 19:15 .esd_auth
-rw-------.  1 greys greys unconfined_u:object_r:iceauth_home_t:s0    1244 Jan 20 18:46 .ICEauthority
-rw-------.  1 greys greys unconfined_u:object_r:user_home_t:s0       3434 Jan 22 18:06 id_rsa_4k
-rw-r--r--.  1 greys greys unconfined_u:object_r:user_home_t:s0        737 Jan 22 18:06 id_rsa_4k.pub
-rw-rw-r--.  1 greys greys unconfined_u:object_r:user_home_t:s0         21 Jan 28 17:53 infile2.txt
-rw-------.  1 greys greys unconfined_u:object_r:user_home_t:s0         38 Jan 22 18:05 .lesshst
drwxr-xr-x.  3 greys greys unconfined_u:object_r:gconf_home_t:s0        19 Jan 20 18:28 .local
drwxr-xr-x.  2 greys greys unconfined_u:object_r:audio_home_t:s0         6 Jan 20 18:28 Music
-rw-rw-r--.  1 greys greys unconfined_u:object_r:user_home_t:s0          0 Jan 22 18:01 newkey
drwxr-xr-x.  2 greys greys unconfined_u:object_r:user_home_t:s0          6 Jan 20 18:28 Pictures
drwxrw----.  3 greys greys unconfined_u:object_r:home_cert_t:s0         19 Jan 20 18:28 .pki
drwxr-xr-x.  2 greys greys unconfined_u:object_r:user_home_t:s0          6 Jan 20 18:28 Public
drwxrwxr-x.  4 greys greys unconfined_u:object_r:user_home_t:s0        165 Jan 16 11:00 screenFetch
-rw-------.  1 greys greys unconfined_u:object_r:xauth_home_t:s0       150 Jan 20 18:44 .serverauth.1859
-rw-------.  1 greys greys unconfined_u:object_r:xauth_home_t:s0        50 Jan 20 18:39 .serverauth.1893
drwx------.  2 greys greys unconfined_u:object_r:ssh_home_t:s0          70 Jan 22 18:07 .ssh
-rw-rw-r--.  1 greys greys unconfined_u:object_r:user_home_t:s0          0 Jan 21 07:49 system_u:object_r:shell_exec_t:s0
drwxr-xr-x.  2 greys greys unconfined_u:object_r:user_home_t:s0          6 Jan 20 18:28 Templates
drwxr-xr-x.  2 greys greys unconfined_u:object_r:user_home_t:s0          6 Jan 20 18:28 Videos
-rw-------.  1 greys greys unconfined_u:object_r:user_home_t:s0       2874 Jan 29 04:40 .viminfo
-rw-------.  1 greys greys unconfined_u:object_r:xauth_home_t:s0       260 Feb 19 12:14 .Xauthority
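Splitting a context into its four fields is less obvious than it looks: the level field of the id -Z output above (s0-s0:c0.c1023) contains colons of its own, and the listing above even contains a file whose name looks like a context. The following is an added example, not code from the original post, that parses contexts from id -Z and ls -alZ correctly and checks selected entries against the type they should carry. LS_SAMPLE is a constructed subset of the listing above; EXPECTED is a constructed allowlist.

```python
"""Split SELinux contexts from `id -Z` and `ls -Z` into their four fields.

Added example, not code from the original post. The level can itself contain
colons (`s0-s0:c0.c1023` in the `id -Z` output above), so a context is split on
at most three. LS_SAMPLE is a constructed subset of the `ls -alZ` listing above;
EXPECTED is a constructed allowlist for the checks a home directory needs.
"""

def parse_context(ctx):
    """user:role:type:level -> dict; a policy without MLS prints only three fields."""
    parts = ctx.split(":", 3)  # maxsplit=3 keeps the MLS/MCS range intact
    parts += [""] * (4 - len(parts))
    return dict(zip(("user", "role", "type", "level"), parts))

def parse_ls_z(output):
    """Parse `ls -alZ` lines; the file name is everything after the ninth field."""
    entries = []
    for line in output.splitlines():
        parts = line.split(None, 9)
        if len(parts) != 10 or parts[0][0] not in "-dlcbps":
            continue  # prompt, 'total N' and blank lines
        mode, _links, owner, _group, ctx, _size, _mon, _day, _time, name = parts
        entries.append({"name": name, "owner": owner, "mode": mode, **parse_context(ctx)})
    return entries

def mislabeled(entries, expected_types):
    """Return names whose type differs from the type the caller expects for them."""
    return [e["name"] for e in entries
            if e["name"] in expected_types and e["type"] != expected_types[e["name"]]]

ID_Z = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
LS_SAMPLE = """[greys@rhel8 ~]$ ls -alZ .
total 64
drwx------. 17 greys greys unconfined_u:object_r:user_home_dir_t:s0 4096 Feb 19 12:14 .
drwxr-xr-x.  3 root  root  system_u:object_r:home_root_t:s0           19 Jan 15 17:34 ..
-rw-------.  1 greys greys unconfined_u:object_r:user_home_t:s0     3434 Jan 22 18:06 id_rsa_4k
drwx------.  2 greys greys unconfined_u:object_r:ssh_home_t:s0        70 Jan 22 18:07 .ssh
-rw-rw-r--.  1 greys greys unconfined_u:object_r:user_home_t:s0        0 Jan 21 07:49 system_u:object_r:shell_exec_t:s0
"""
# ~/.ssh must carry ssh_home_t; under enforcing mode sshd is otherwise denied authorized_keys.
EXPECTED = {".": "user_home_dir_t", ".ssh": "ssh_home_t"}
```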
As you can imagine, SSH keypairs – combinations of private and public keys – are vital elements of your digital identity as a sysadmin or a developer. And since they can be used for accessing source code repositories and for deploying changes to production environments, you usually have more than one SSH key. That's why it's important to know how to inspect SSH key fingerprints.
If you don't have any other network services running on your Linux system, you probably don't need portmapper running. Here are the steps to check and to disable portmap.
What portmapper does
Portmapper is a special Unix/Linux service that runs on networked systems providing RPC (Remote Procedure Call) based services, like NFS.
The port mapper service is called portmapper and always listens on TCP and UDP port 111.
IMPORTANT: back in 2015 portmapper was confirmed as vulnerable to Distributed Denial of Service (DDoS) attacks – so it's considered good practice to disable it, or at least to protect it with a firewall.
List RPC services
You can use rpcinfo command to list currently active RPC services on your system.
In my example below there's nothing else running RPC, just the portmapper itself:
root@s5:~ # rpcinfo -p
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
Stop portmapper in CentOS 7
Somewhat confusingly, the service providing portmapper functionality is always called rpcbind.
First, let's stop the portmapper service:
root@s5:~ # systemctl stop rpcbind
Warning: Stopping rpcbind.service, but it can still be activated by:
  rpcbind.socket
root@s5:~ # systemctl stop rpcbind.socket
Prevent portmapper from restarting upon reboot
Now, let's make sure the service is also disabled:
root@s5:~ # systemctl disable rpcbind
Removed symlink /etc/systemd/system/multi-user.target.wants/rpcbind.service.
And just to confirm it's all done correctly, let's run rpcinfo again; it will return an error now:
root@s5:~ # rpcinfo -p
rpcinfo: can't contact portmapper: RPC: Remote system error - Connection refused
If you're using RedHat or CentOS Linux distros (or sporting a Fedora Linux desktop), you probably have SELinux enabled by default. But if it's been disabled for some reason and you want it back – here's how you can enable SELinux in your Linux system.
Confirm current SELinux mode
Run the getenforce command to confirm that SELinux is actually disabled:
[root@rhel8 ~]# getenforce
Disabled
Check SELinux status with sestatus
sestatus normally shows verbose SELinux status information, but if SELinux is disabled, you'll only get one line of output, like this:
[root@rhel8 ~]# sestatus
SELinux status:                 disabled
[root@rhel8 ~]#
If sestatus shows that SELinux is disabled, you'll need to enable it via the /etc/selinux/config file and reboot the server as shown below.
Permanently Enable SELinux
Do the following two steps to enable SELinux:
- Update /etc/selinux/config file (change SELINUX=disabled to SELINUX=enforcing)
- Reboot your Linux system (shutdown -r now)
Once your server comes back online, run sestatus again to make sure SELinux is enabled now:
[root@rhel8 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
I learned something new today! Apparently, the sestatus command can report the security contexts of key system files – really neat for quickly recognising a possible security compromise.
Files and processes in /etc/sestatus.conf
The way this works is through the /etc/sestatus.conf file, which contains a list of files and a list of processes whose SELinux contexts are checked. These are the most common security attack vectors, so SELinux notes them and helps you quickly confirm their contexts using the sestatus -v command.
VERY IMPORTANT: at this stage the sestatus command does NOT highlight or warn you about any non-standard context changes. The only thing it does is show you all the important files you selected and report their current contexts – if some of these have been changed, the task of recognising or fixing this is still on you.
You can add any files and processes you like here, but here's the default list in RHEL8:
[greys@rhel8 ~]$ cat /etc/sestatus.conf
[files]
/etc/passwd
/etc/shadow
/bin/bash
/bin/login
/bin/sh
/sbin/agetty
/sbin/init
/sbin/mingetty
/usr/sbin/sshd
/lib/libc.so.6
/lib/ld-linux.so.2
/lib/ld.so.1

[process]
/sbin/mingetty
/sbin/agetty
/usr/sbin/sshd
Files and processes contexts with sestatus
[greys@rhel8 ~]$ sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

Process contexts:
Current context:                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0

File contexts:
Controlling terminal:           unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:passwd_file_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
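Since sestatus only reports contexts and never flags a change, the missing piece is the comparison against a known-good baseline. The following is an added example, not code from the original post: it parses the File contexts section of sestatus -v (keeping symlink entries such as /bin/sh whole, so a change to either the link or its target is caught) and reports any path whose context changed, vanished or newly appeared. BASELINE_OUTPUT is the section shown above; CURRENT_OUTPUT is a constructed copy in which /bin/bash has been relabeled.

```python
"""Detect drift in the file contexts that `sestatus -v` reports.

Added example, not code from the original post. sestatus only prints the
contexts of the files from /etc/sestatus.conf and never flags a change, so
this compares its output with a baseline saved while the system was known
good. BASELINE_OUTPUT is the 'File contexts' section shown above;
CURRENT_OUTPUT is a constructed copy in which one file has been relabeled.
"""

def parse_file_contexts(sestatus_output):
    """Return {path: context} from the 'File contexts:' section.

    A symlink entry (`/bin/sh ... bin_t:s0 -> ... shell_exec_t:s0`) is kept
    whole, so a change to either the link or its target shows up."""
    contexts, in_section = {}, False
    for line in sestatus_output.splitlines():
        if line.startswith("File contexts:"):
            in_section = True
        elif in_section and line.startswith("/"):
            path, _, rest = line.partition(" ")
            contexts[path] = " ".join(rest.split())  # collapse column padding
    return contexts

def context_drift(baseline, current):
    """Return {path: (expected, actual)} for changed, missing and unexpected entries."""
    drift = {}
    for path in sorted(set(baseline) | set(current)):
        expected = baseline.get(path, "<not in baseline>")
        actual = current.get(path, "<missing>")
        if expected != actual:
            drift[path] = (expected, actual)
    return drift

BASELINE_OUTPUT = """File contexts:
Controlling terminal:           unconfined_u:object_r:user_devpts_t:s0
/etc/passwd                     system_u:object_r:passwd_file_t:s0
/etc/shadow                     system_u:object_r:shadow_t:s0
/bin/bash                       system_u:object_r:shell_exec_t:s0
/bin/login                      system_u:object_r:login_exec_t:s0
/bin/sh                         system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/sbin/agetty                    system_u:object_r:getty_exec_t:s0
/sbin/init                      system_u:object_r:bin_t:s0 -> system_u:object_r:init_exec_t:s0
/usr/sbin/sshd                  system_u:object_r:sshd_exec_t:s0
"""
# Constructed: the same report, except /bin/bash has lost its shell_exec_t label.
CURRENT_OUTPUT = "\n".join(
    "/bin/bash  system_u:object_r:bin_t:s0" if l.startswith("/bin/bash") else l
    for l in BASELINE_OUTPUT.splitlines()) + "\n"

def check(baseline_output=BASELINE_OUTPUT, current_output=CURRENT_OUTPUT):
    """Parse both reports and return the drift; an empty dict means every context matches."""
    return context_drift(parse_file_contexts(baseline_output),
                         parse_file_contexts(current_output))
```

Keep the baseline off the host (or on read-only media), since a baseline that can be edited alongside the relabeled files proves nothing.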