Live Free or PI Hard, by Cohner Marker, Spencer Johnson, Daryl Andes
Live Free or PI Hard
SSH SECURITY
Cohner Marker, Spencer Johnson, Daryl Andes
Image: http://fosswire.com/post/2008/01/bullet-proof-your-server-2-ssh/
Demonstration
Public-Key Encryption
Image: Lecture: “introcrypt”, Computer Security Week03
Key Length & Unicity
Entropy
• Maintains disorder, confusion
Unicity Distance
• “Ratio of the number of bits required to express the key divided by the redundancy of English in bits per character.”
• Natural Redundancy of the English Language = 6.8
“password” vs “P@sS\/\/0rD”
Why does it matter?
Image: http://www.webstepbook.com/
Man-In-The-Middle
Image: http://boomer-musings.blogspot.com/
Brute-Force
Rivest-Shamir-Adleman Key Generation
Image: http://www.people.vcu.edu/
1. Choose 2 distinct prime numbers: p and q.
2. Set modulus n equal to p * q (the length of n in bits is the key length).
3. Compute φ(n) = φ(p)φ(q) = (p − 1)(q − 1) = n − (p + q − 1), where φ is Euler's totient function.
4. Choose an integer e such that 1 < e < φ(n) and gcd(e, φ(n)) = 1; i.e., e and φ(n) are coprime.
5. Determine d as d ≡ e⁻¹ (mod φ(n)); i.e., d is the multiplicative inverse of e (modulo φ(n)).

1. Compute public key (n, e).
2. Compute private key d; a ciphertext c is decrypted as m = c^d mod n.
** REFER to RFC 4432 **
RSA Key Creation
mkdir ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t rsa -b 4096
ssh-keygen -t rsa
ssh-copy-id <username>@<host>
Source: http://phpseclib.sourceforge.net/rsa/examples.html
Securing SSH
Directories that need to be known
*/etc/ssh/
*/var/log/
The Files in these directories
*sshd_config (Where we make our changes)
*auth.log
Importance of auth.log
*It is extremely helpful to see anyone or anything that is trying to authenticate to your server.
*It will record Hydra's failed attempts
Deny Root Over SSH
Allow or Deny Users
Port Number
Permit Empty Passwords No
Python Log Analyzers
Who needs Perl?
*Just Kidding, We don’t want to fail
*Scripting Languages are great for analyzing log files to email, block, or set firewall rules for certain IPs or attacks
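A log analyzer of the kind described above, as an added example that is not the presenters' script: it reads sshd lines in the auth.log format and flags source IPs that produce a burst of failed passwords. The sample log lines are constructed, and the threshold, window and year defaults are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd password failures as syslog writes them to /var/log/auth.log.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

# Constructed sample input (documentation IP ranges, hypothetical host "pi").
SAMPLE_LOG = """\
Mar  3 10:15:01 pi sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:02 pi sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:15:03 pi sshd[1205]: Failed password for invalid user admin from 203.0.113.5 port 51246 ssh2
Mar  3 10:15:04 pi sshd[1207]: Failed password for invalid user admin from 203.0.113.5 port 51252 ssh2
Mar  3 10:15:06 pi sshd[1209]: Failed password for pi from 203.0.113.5 port 51258 ssh2
Mar  3 10:15:08 pi sshd[1211]: Failed password for pi from 203.0.113.5 port 51264 ssh2
Mar  3 10:20:11 pi sshd[1300]: Failed password for pi from 198.51.100.7 port 40022 ssh2
Mar  3 10:20:40 pi sshd[1304]: Accepted password for pi from 198.51.100.7 port 40030 ssh2
Mar  3 11:02:19 pi sshd[1410]: Failed password for pi from 198.51.100.7 port 40101 ssh2
"""


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1), year=2024):
    """Return {ip: {"burst": n, "users": [...]}} for IPs whose failures
    reach `threshold` inside any `window`. Syslog omits the year, so one
    is assumed."""
    attempts = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            attempts[m["ip"]].append((when, m["user"]))
    offenders = {}
    for ip, events in attempts.items():
        events.sort()
        start = worst = 0
        for end in range(len(events)):          # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            users = sorted({user for _, user in events})
            offenders[ip] = {"burst": worst, "users": users}
    return offenders
```

The returned IPs are what a script would then email to an admin or hand to a firewall rule; the mistyped logins from 198.51.100.7 stay below the threshold and are not flagged.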
Fail2Ban
*Same concept as Script Log Analyzers
*Easy to install program
http://www.fail2ban.org/wiki/index.php/Main_Page
What To Take Away
*Hydra is cool, but is available to everyone
*You must think like a hacker in order to protect your system. What ways could I get in?
*Make sure your encryption and passwords contain entropy and use RSA keys
*MAKE SURE YOU DENY ROOT SSH ACCESS!