Packt+ | Advance your knowledge in tech

You're reading from Oracle 11g Anti-hacker's Cookbook

Product type Book

Published in Oct 2012

Publisher Packt

ISBN-13 9781849685269

Pages 302 pages

Edition 1st Edition

Languages

SQL

Concepts

Database Administration

Author (1):

Adrian Neagu

Table of Contents (16) Chapters

Oracle 11g Anti-hacker's Cookbook

Credits

Foreword

About the Author

About the Reviewers

www.PacktPub.com

Preface

1. Operating System Security

2. Securing the Network and Data in Transit

3. Securing Data at Rest

4. Authentication and User Security

5. Beyond Privileges: Oracle Virtual Private Database

6. Beyond Privileges: Oracle Label Security

7. Beyond Privileges: Oracle Database Vault

8. Tracking and Analysis: Database Auditing

Index

Securing SSH login

These days ssh login can be considered the de facto method for connecting to remote servers. It is reliable and secure but if it is configured improperly, it can be more of a liability than an asset. In this recipe will change a couple of parameters to secure ssh and we will set up passwordless connections using public keys.

Getting ready

All the steps from this recipe will be performed on nodeorcl1 as the root user. The remote logins will be performed from nodeorcl5.

How to do it...

All parameters that will be modified are located in the /etc/sshd_config configuration file.

Change the default port 22. Most port scanners will identify automatically port 22 with the ssh service. Therefore it will be a good idea to change the default ssh port:
```
Port 13120
```
Disable root logins:
```
PermitRootLogin no
```
ssh will check for proper permissions in the user's home. Use strict mode:
```
StrictModes yes
```
Suppress all host-based authentications. Usually these methods should be avoided as primary authentication:
```
HostbasedAuthentication no
```
This parameter is very effective against DoS type attacks. Limit the maximum number of unauthenticated connections and connection attempts:
```
MaxStartups 10:50:10
```
Allow just users that belong to a defined group to log in:
```
AllowGroups logingrp
```

To make the changes effective, restart the sshd service:

[root@nodeorcl1 ~]# service sshd restart
Stopping sshd:                                            [  OK  ]
Starting sshd:                                            [  OK  ]

After restart, the sshd daemon will listen on port 13120:

[root@nodeorcl1 ~]# lsof -i -n | grep sshd
sshd      14089   root    3u  IPv6  55380       TCP *:13120 (LISTEN)
[root@nodeorcl1 ~]#

Try to connect from nodeorcl5 to nodeorcl1 as root. Direct root log ins will be denied:

[loguser1@nodeorcl5 ~]$ ssh -l root -p 13120 nodeorcl1
root@nodeorcl1's password:
Permission denied, please try again.
Permission denied (publickey,gssapi-with-mic).

How it works...

After any change of configuration parameters, a daemon restart is needed. You can perform the restart in different ways, such as restarting the service or by sending a HUP (kill -1) signal to the sshd daemon process.

There's more...

Using key authentication instead of using passwords is probably one of the securest methods of authentication. This will suppress definitively any brute force attempt using passwords.

Setting up public key authentication

Open the /etc/ssh/sshd_config file and disable password authentication by modifying the following parameter:
```
PasswordAuthentication no
```

Enable key authentication:

RSAAuthentication yes
PubkeyAuthentication yes

On the client machine nodeorcl5 as the user loginuser1, create a passphase protected public/private key:

[loginuser1@nodeorcl5 ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/loginuser1/.ssh/id_rsa):
Created directory '/home/loginuser1/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/loginuser1/.ssh/id_rsa.
Your public key has been saved in /home/loginuser1/.ssh/id_rsa.pub.
The key fingerprint is:
1b:a2:9f:d5:e8:77:08:1c:b5:6a:6a:29:3e:53:46:a5 loginuser1@nodeorcl5
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|        . .      |
|       o . .     |
|      E . .      |
|     ...So       |
|     .o.==       |
|    .o ++...     |
|    +.++  o .    |
|   ..=o .. .     |
+-----------------+

Now deploy the key on nodeorcl1 as follows:

[loginuser1@nodeorcl5 ~]$ ssh-copy-id '–p 13120 -i .ssh/id_rsa.pub loguser1@nodeorcl1'
The authenticity of host 'nodeorcl1 (10.241.132.218)' can't be established.
RSA key fingerprint is 34:39:af:94:9a:2e:4b:f8:37:9c:af:27:67:1c:74:2b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'nodeorcl1,10.241.132.218' (RSA) to the list of known hosts.
loguser1@nodeorcl1's password: 
Now try logging into the machine, with "ssh 'loguser1@nodeorcl1'", and check in:

  .ssh/authorized_keys

To make sure we haven't added extra keys that you weren't expecting.

loguser1@nodeorcl2:~> ssh loguser1@nodeorcl1
Enter passphrase for key '/home/loguser1/.ssh/id_rsa': 
[loguser1@nodeorcl1 ~]$

Restart the sshd service as follows:

[root@nodeorcl1 ~]# service sshd restart
Stopping sshd:                                            [  OK  ]
Starting sshd:                                            [  OK  ]