No one gives a shit about my servers. They host a few funny sites and services mostly for personal consumption.
But recently I made the mistake of reading the details of the security update offered for my Mac.
So I set off to secure my shit once!
High Level Strategy:
- No more password authentication on my front-facing servers, ssh key auth only from a single control server.
- Design a hardened login scheme for the central control server.
Central Server Login Scheme:
- Create “intendeduser”, my user for personal, everyday activity.
- Add “intendeduser” to sudoers
- Install fail2ban, which mitigates brute force attacks to some extent.
- Disable root login
I made a duplicate of the nobody user, somebody:
$ useradd somebody -d /nonexistent -s /bin/sh
The somebody user would have no privileges, and would simply serve as the first stage in a 2-stage auth scheme. Remotely, you could ssh in as “somebody”, but no other user. A second ssh intendeduser@localhost would be required to complete the login as the intended user.
This was accomplished by adding the following to my /etc/ssh/sshd_config file:
AllowUsers somebody intendeduser@localhost
This allows “somebody” to ssh in from anywhere, but only allows us to ssh in as “intendeduser” locally.
Note: I wonder if localhost doesn’t actually guarantee local access only. I’ll investigate more later.
The “somebody” user still has a significant amount of access. He/she can browse and read the majority of the files on the machine. Guessing the “intendeduser” would be pretty trivial.
In my next post, I’ll discuss a solution using a chroot jail!
Quick list of things that came to mind
- Two-Factor authentication using a PAM (Pluggable authentication module)
- Switch ssh port (I didn’t just for convenience)
- Limited login time before “somebody” user is automatically logged out