{"id":135,"date":"2021-05-26T11:55:00","date_gmt":"2021-05-26T11:55:00","guid":{"rendered":"https:\/\/dillonfletcher.co.uk\/?p=135"},"modified":"2021-05-26T11:55:00","modified_gmt":"2021-05-26T11:55:00","slug":"hardening-your-network","status":"publish","type":"post","link":"https:\/\/dillonfletcher.co.uk\/?p=135","title":{"rendered":"Hardening your network"},"content":{"rendered":"\n

Recently, I’ve been looking into how to improve my networks security. I have come up with 3 simple ways to easily improve your networks security:<\/p>\n\n\n\n

1. Setting up an SSH jumpbox<\/h2>\n\n\n\n
\"\"
Diagram of how SSH connections will work<\/figcaption><\/figure>\n\n\n\n

One of the only points into my network is via SSH into my web server, this server kind of acts as a jump box already, as I can SSH into my other Linux hosts via password auth, but this isn’t very secure. After some research, I found it was common to have a dedicated Linux host whos only purpose is to “jump” to other machines.<\/p>\n\n\n\n

So I started by spinning up a virtual machine, with 1 core, 4GB of RAM and 16GB of storage, running Ubuntu Server 20.04.2LTS, plenty of power for this purpose.<\/p>\n\n\n\n

From there, I assigned a static IP and SSH’d in on my computer on the same network.<\/p>\n\n\n\n

Now I’m going to go through some important setup.<\/p>\n\n\n\n

First, on your local machine, run:<\/p>\n\n\n\n

$ ssh-keygen<\/code><\/pre>\n\n\n\n
This will create 2 files in “~\/.ssh\/”, these are your public and private keys. Do not let your private key leave this computer.<\/strong> With this key, people will be able to access your jump box, think of it as a long, fancy password.<\/p>\n\n\n\n
Now on your jump box, we need to add your public key, make sure you are not logged in as root, and preferably make a user without sudo for security. (However, you will need root\/sudo for this setup, im assuming you have two separate, non-root users, one with sudo, and one without.)<\/p>\n\n\n\n
Now you need to paste the contents of “~\/.ssh\/id_rsa.pub” from your local computer to “~\/.ssh\/authorized_keys” on your jump box.<\/p>\n\n\n\n
First, on your local computer, run:<\/p>\n\n\n\n
$ cat ~\/.ssh\/id_rsa.pub<\/code><\/pre>\n\n\n\n
Copy the output of this, and on your jump box run:<\/p>\n\n\n\n
$ vim ~\/.ssh\/authorized_keys<\/code><\/pre>\n\n\n\n
This will open a file in vim, you can paste keys on each line, and each key will let you into the server, so I will be repeating the above steps for both my laptop, desktop, and phone (Termbot<\/a> SSH client).<\/p>\n\n\n\n
Once you are done, save the file and then on the jump box, run:<\/p>\n\n\n\n
$ sudo vim \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n
In this file, make these edits:<\/p>\n\n\n\n
# Change
#PermitRootLogin prohibit-password
# to
PermitRootLogin no
# and change
#PasswordAuthentication yes
# to
PasswordAuthentication no
\ufeff<\/code><\/pre>\n\n\n\n
This prevents the root user logging in via SSH, and makes it so that we can only login using the keys we added earlier.<\/p>\n\n\n\n
Now run:<\/p>\n\n\n\n
$ sudo systemctl restart sshd<\/code><\/pre>\n\n\n\n
This restarts SSH, enabling the changes we just made.<\/p>\n\n\n\n
If you want, you can also install fail2ban, this “bans” IPs from accessing SSH after 3 failed attempts. This isn’t as neccesary with pubkey authentication, but we are trying to make everything as secure as possible, so, you can do this by running:<\/p>\n\n\n\n
$ sudo apt update
$ sudo apt install fail2ban
$ sudo systemctl start fail2ban<\/code><\/pre>\n\n\n\n
Now that everything is secured on the actual authentication side of things, we can forward our SSH port to the internet. Depending on your router\/firewall, this process can differ, but it usually consists of finding a page called “port forwarding,” and forwarding port 22 to the IP address of your server, i’m running OPNsense, and the process is as follows:<\/p>\n\n\n\n
Copy the output of this, and on your jump box run:<\/p>\n\n\n\n
$ vim ~\/.ssh\/authorized_keys<\/code><\/pre>\n\n\n\n
This will open a file in vim, you can paste keys on each line, and each key will let you into the server, so I will be repeating the above steps for both my laptop, desktop, and phone (Termbot<\/a> SSH client). <\/p>\n\n\n\n
Once you are done, save the file and then on the jump box, run:<\/p>\n\n\n\n
$ sudo vim \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n
In this file, make these edits:<\/p>\n\n\n\n
# Change\n#PermitRootLogin prohibit-password\n# to\nPermitRootLogin no\n# and change\n#PasswordAuthentication yes\n# to\nPasswordAuthentication no\n<\/code><\/pre>\n\n\n\n
This prevents the root user logging in via SSH, and makes it so that we can only login using the keys we added earlier.<\/p>\n\n\n\n
Now run:<\/p>\n\n\n\n
$ sudo systemctl restart sshd<\/code><\/pre>\n\n\n\n
This restarts SSH, enabling the changes we just made.<\/p>\n\n\n\n
If you want, you can also install fail2ban, this “bans” IPs from accessing SSH after 3 failed attempts. This isn’t as neccesary with pubkey authentication, but we are trying to make everything as secure as possible, so, you can do this by running:<\/p>\n\n\n\n
$ sudo apt update\n$ sudo apt install fail2ban\n$ sudo systemctl start fail2ban\n$ sudo systemctl enable fail2ban<\/code><\/pre>\n\n\n\n
Now that everything is secured on the actual authentication side of things, we can forward our SSH port to the internet. Depending on your router\/firewall, this process can differ, but it usually consists of finding a page called “port forwarding,” and forwarding port 22 to the IP address of your server, i’m running OPNsense, and the process is as follows:<\/p>\n\n\n\n
  1. Login to your router\/firewalls web interface. This is usually the same format as your computers local IP, but with a “1” on the end, my subnet is “192.168.55.0\/24” so my web interface is located at “https:\/\/192.168.55.1”. Now login, and find the port forwarding page <\/li>
  2. Add a rule\/port forward. Press the add button and fill in the correct info for your port forward, mine is as follows:<\/li><\/ol>\n\n\n\n
    \"\"<\/figure>\n\n\n\n
    Now save the rule, and you should now able to access your jump box from outside of your network.<\/p>\n\n\n\n
    Now we need to actually harden the jump box itself. I’m going to start by upgrading all packages:<\/p>\n\n\n\n
    $ sudo apt update\n$ sudo apt upgrade\n# Reboot for good measure\n$ sudo reboot<\/code><\/pre>\n\n\n\n
    When the system comes back up, reconnect, and we need to start adding SSH keys to the servers you want to jump to.<\/p>\n\n\n\n
    So, for example, on my webhost server, I open the authorized_keys file:<\/p>\n\n\n\n
    $ sudo vim ~\/.ssh\/authorized_keys<\/code><\/pre>\n\n\n\n
    In this file, I paste the contents of ~\/.ssh\/id_rsa.pub from the jump server, effictively what we are trying to do is restrict ALL SSH traffic to the jump server. The jump server acts as a CNC (“command and control”) server for all other servers and computers running SSH.<\/p>\n\n\n\n
    Now we edit the SSH config, the same way as before, disabling password and root login.<\/p>\n\n\n\n
    After that, you should restrict SSH connections to the jumpbox. So open the file “\/etc\/hosts.deny”:<\/p>\n\n\n\n
    $ sudo vim \/etc\/hosts.deny<\/code><\/pre>\n\n\n\n
    Add the following:<\/p>\n\n\n\n
    # \/etc\/hosts.deny\nsshd: ALL<\/code><\/pre>\n\n\n\n
    And now we allow just the jump server:<\/p>\n\n\n\n
    $ sudo vim \/etc\/hosts.allow<\/code><\/pre>\n\n\n\n
    # \/etc\/hosts.allow\nsshd: 192.168.55.250\/24\n# Your subnet and IP may differ<\/code><\/pre>\n\n\n\n
    Now only your jump server can connect, and only with the private key that is on the jump server. Repeat this process for as many servers as you please.<\/p>\n\n\n\n
    I’m now going to add a few firewall rules, which stop the jump server from connecting to the internet entirely, and again restricts SSH connections to only the jump server. I’m not going to show this as it differs from firewall to firewall and would take up too much space in this article!<\/p>\n\n\n\n
    And thats it for this step! A few notes:<\/p>\n\n\n\n