SSH - OpenSSH Server (sshd)

About

OpenSSH Server (sshd) is an SSH server.

Conf

Default

/etc/default/ssh

Set

The OpenSSH server reads a configuration file when it is started.

# Without an argument, the configuration file is /etc/ssh/sshd_config
sshd
# or pass another file with the -f option
sshd -f /path/to/conf/file

Read

# -T: check the configuration, print the effective configuration and exit
sshd -T

Example

The system configuration file is /etc/ssh/sshd_config

It contains configuration data for sshd. The file format and configuration options are described in sshd_config(5).

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
# For ipv4
#AddressFamily inet
# For ipv6
#AddressFamily inet6
# for ipv4 and ipv6 (default)
#AddressFamily any
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
Banner /etc/azsec/banner.txt
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

# CLOUD_IMG: This file was created/modified by the Cloud Image build process
ClientAliveInterval 120
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
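As an added example (not part of the original page and not OpenSSH code), the following Python script parses a file in this format and checks the global section against a small hardening baseline. It mirrors two rules of sshd_config(5): keywords are case-insensitive, and for each keyword the first value found wins, so a duplicate directive further down has no effect. The sample configuration and the baseline are constructed for the example.

```python
import re

# Constructed sshd_config excerpt, modelled on the example above (not a real host's file).
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding yes
UsePAM yes
ClientAliveInterval 120
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
# sshd keeps the first value it sees, so this later line has no effect
PasswordAuthentication yes
"""

# Assumed hardening baseline for the global section (chosen for this example, not from the page).
BASELINE = {
    "protocol": {"2"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}

# keyword and value separated by whitespace or an optional '='
DIRECTIVE_RE = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*)$")


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    Keywords are case-insensitive and the first value obtained for a keyword
    is used. Parsing stops at the first Match block, whose directives apply
    only to matching connections.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        config.setdefault(key, value)
    return config


def audit_sshd_config(config, baseline=BASELINE):
    """Return sorted (keyword, effective_value) pairs that deviate from the baseline.

    A keyword that is absent is reported with value None: the compiled-in
    default then applies, and 'sshd -T' is the reliable way to see it.
    """
    findings = []
    for key, allowed in baseline.items():
        value = config.get(key)
        if value is None or value.lower() not in allowed:
            findings.append((key, value))
    return sorted(findings)


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    for key, value in audit_sshd_config(cfg):
        print(f"{key}: {value!r} is not in the baseline")
```

Run against the sample, the only finding is X11Forwarding yes; the duplicated PasswordAuthentication yes near the end is correctly ignored. Because absent keywords fall back to compiled-in defaults that differ between OpenSSH versions, comparing the output of sshd -T rather than the raw file is the more reliable check on a live host.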

Some of these directives are explained below:

Pam

If the configuration enables PAM:

UsePAM yes

See /etc/pam.d/ssh

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

AllowUsers

If AllowUsers is present, login is allowed only for user names that match one of the patterns specified.

By default, login is allowed for all users.

Syntax:

AllowUsers user[@host] user[@host] ...

where:

  • the arguments are a list of patterns of the form user[@host]
    • separated by spaces
    • where '*' and '?' are accepted as wildcards
    • the numerical user ID is not recognized
    • the host can be an IP address (CIDR notation is allowed) or a hostname

If the pattern takes the form user@host then user and host are checked separately, restricting logins to particular users from particular hosts.

The hostname is obtained from the hosts file or by a reverse DNS lookup of the remote client IP.

ping -a remoteClientIp
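To make the matching rules above concrete, here is an added Python model of the AllowUsers check (example code, not OpenSSH's implementation). It follows the rules stated on this page: the user part and the host part of each pattern are checked separately, only '*' and '?' are wildcards, a host part containing '/' is treated as CIDR, and a bare user pattern matches from any host. The case-insensitive hostname comparison and the policy and client addresses are assumptions of the example.

```python
import ipaddress
import re


def _wildcard_to_regex(pattern):
    """Compile an sshd-style pattern: only '*' and '?' are wildcards, all else is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def _host_matches(host_pattern, client_ip, client_hostname):
    """Check the host part of a pattern against the connecting client.

    A pattern containing '/' is treated as CIDR and tested against the IP.
    Otherwise the wildcard pattern is tested against the IP string and, when
    known, the reverse-resolved hostname (compared case-insensitively, an
    assumption of this example).
    """
    if "/" in host_pattern:
        try:
            network = ipaddress.ip_network(host_pattern, strict=False)
            return ipaddress.ip_address(client_ip) in network
        except ValueError:
            return False
    regex = _wildcard_to_regex(host_pattern.lower())
    candidates = [client_ip.lower()]
    if client_hostname:
        candidates.append(client_hostname.lower())
    return any(regex.match(c) for c in candidates)


def allow_users_permits(allow_users, user, client_ip, client_hostname=None):
    """Return True if login is permitted under an AllowUsers list.

    allow_users is the list of user[@host] patterns, or None when the
    directive is absent (then every user is allowed, as the page states).
    The user part and the host part of each pattern are checked separately;
    a pattern without a host part matches the user from any host.
    """
    if allow_users is None:
        return True
    for pattern in allow_users:
        user_part, _, host_part = pattern.partition("@")
        if not _wildcard_to_regex(user_part).match(user):
            continue
        if not host_part or _host_matches(host_part, client_ip, client_hostname):
            return True
    return False


if __name__ == "__main__":
    # Constructed policy and clients (RFC 5737 documentation addresses).
    policy = ["alice", "bob@192.0.2.*", "deploy@10.0.0.0/8", "ops-?@*.corp.example"]
    print(allow_users_permits(policy, "alice", "198.51.100.7"))
    print(allow_users_permits(policy, "bob", "198.51.100.7"))
    print(allow_users_permits(policy, "ops-1", "203.0.113.5", "jump.corp.example"))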

Management

Start

It is normally started at boot (how depends on the init daemon).

Example:

  • /etc/init.d/ssh
  • or /etc/init/ssh.conf (on systems using the Upstart init daemon)

# -D: do not detach into the background (the init system supervises the process)
/usr/sbin/sshd -D

Pid

/var/run/sshd.pid

Status

/sbin/service sshd status
systemctl status sshd

Start

/sbin/service sshd start
systemctl start sshd

Test it

ssh -l user-name host-name

Log

You can see the log configuration in the conf file.

grep -i log /etc/ssh/sshd_config
# SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO

where: SyslogFacility comes from Log - Syslog

File target for:

Line Format

Line structure of /var/log/secure

Feb 22 08:04:59 hostname sshd[1124]: Failed password for root from 92.222.93.227 port 41068 ssh2

where:

  • Feb 22 08:04:59 is the date
  • hostname is the hostname
  • sshd[1124] is the service
  • Failed password for root is the message
  • from 92.222.93.227 port 41068 ssh2 - the connection comes from the host 92.222.93.227, port 41068, using the ssh2 protocol.

Login Monitoring

Successful

last shows successful logins from the file /var/log/wtmp

Only logins recorded since the file was created are shown.

Example:

last -10 -w -a

where:

  • -10 - the last 10 logins
  • -w - display full user and host names (no truncation)
  • -a - display the host name / IP in the last column

Failure

lastb shows login failures from the file /var/log/btmp

Only failures recorded since the file was created are shown.

Example:

last -10 -w -a
lastb -10 -w -a

where:

  • -10 - the last 10 logins / failures
  • -w - display full user and host names (no truncation)
  • -a - display the host name / IP in the last column

Failed password

From the log

sudo grep "Failed password" /var/log/secure | head -10
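The grep above lists individual failures; counting them per source is the usual next step. The following added Python example (not from the original page) parses lines in the /var/log/secure format described under Line Format, extracts the authentication fields, and reports source addresses that exceed a threshold of failed password attempts. The sample log lines are constructed with documentation addresses.

```python
import re
from collections import Counter

# Constructed /var/log/secure lines in the format described above (not real traffic).
SAMPLE_SECURE_LOG = """\
Feb 22 08:04:59 hostname sshd[1124]: Failed password for root from 203.0.113.9 port 41068 ssh2
Feb 22 08:05:01 hostname sshd[1126]: Failed password for invalid user admin from 203.0.113.9 port 41070 ssh2
Feb 22 08:05:03 hostname sshd[1130]: Accepted publickey for deploy from 198.51.100.7 port 52210 ssh2: ED25519 SHA256:constructedfingerprint
Feb 22 08:05:09 hostname sshd[1131]: Failed password for root from 203.0.113.9 port 41072 ssh2
Feb 22 08:06:00 hostname sshd[1140]: Failed password for root from 192.0.2.33 port 3001 ssh2
Feb 22 08:06:02 hostname sshd[1140]: Connection closed by 192.0.2.33 port 3001 [preauth]
"""

# Syslog prefix: timestamp, host, sshd[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Authentication outcome: "Accepted|Failed <method> for [invalid user] <user> from <ip> port <port> <proto>"
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) (?P<proto>ssh\d)"
)


def parse_sshd_line(line):
    """Return a dict with the syslog fields, plus the auth fields when the
    message is an Accepted/Failed line; None if the line is not from sshd."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    a = AUTH_RE.match(rec["msg"])
    if a:
        rec.update(a.groupdict())
        rec["invalid_user"] = rec.pop("invalid") is not None
        rec["port"] = int(rec["port"])
    return rec


def failed_password_counts(lines):
    """Count 'Failed password' events per source IP (what the grep above lists one by one)."""
    counts = Counter()
    for line in lines:
        rec = parse_sshd_line(line)
        if rec and rec.get("result") == "Failed" and rec.get("method") == "password":
            counts[rec["ip"]] += 1
    return dict(counts)


def password_guessing_sources(lines, threshold=3):
    """Return source IPs with at least `threshold` failed password attempts, sorted."""
    return sorted(ip for ip, n in failed_password_counts(lines).items() if n >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_SECURE_LOG.splitlines()
    print(failed_password_counts(lines))
    print(password_guessing_sources(lines))
```

The "invalid user" marker is kept as a separate flag because attempts against non-existent accounts and attempts against real accounts deserve different follow-up; the threshold is a per-file count, so on a busy host a time window should be added before acting on the result.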

Full Connection Detail

See also the system security log:

grep -i sshd /var/log/audit/audit.log | tail -10

For one IP

grep -i 49.232.118.194 /var/log/audit/audit.log
type=CRYPTO_SESSION msg=audit(1614025124.706:829100): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 mac=hmac-sha1 pfs=curve25519-sha256@libssh.org spid=8678 suid=74 rport=40096 laddr=192.99.55.226 lport=22  exe="/usr/sbin/sshd" hostname=? addr=49.232.118.194 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1614025124.706:829101): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-client cipher=aes256-ctr ksize=256 mac=hmac-sha1 pfs=curve25519-sha256@libssh.org spid=8678 suid=74 rport=40096 laddr=192.99.55.226 lport=22  exe="/usr/sbin/sshd" hostname=? addr=49.232.118.194 terminal=? res=success'
type=USER_AUTH msg=audit(1614025125.784:829102): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=49.232.118.194 addr=49.232.118.194 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1614025127.502:829103): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=49.232.118.194 terminal=ssh res=failed'
type=CRYPTO_KEY_USER msg=audit(1614025127.748:829105): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=session fp=? direction=both spid=8678 suid=74 rport=40096 laddr=192.99.55.226 lport=22  exe="/usr/sbin/sshd" hostname=? addr=49.232.118.194 terminal=? res=success'
type=USER_LOGIN msg=audit(1614025127.750:829109): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=49.232.118.194 terminal=ssh res=failed'
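The audit records above carry both outer fields (pid, uid, auid, ses) and a quoted msg='...' with the interesting ones (op, acct, addr, res). As an added example (not from the original page), the following Python code parses records of that shape into flat dictionaries, rebuilds the per-address timeline that the grep above shows for one IP, and counts USER_LOGIN outcomes per source. The records are constructed, modelled on the excerpt above, with documentation addresses.

```python
import re

# Constructed audit records modelled on the excerpt above (RFC 5737 addresses, not a real host).
SAMPLE_AUDIT_LOG = """\
type=CRYPTO_SESSION msg=audit(1614025124.706:829100): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=start direction=from-server cipher=aes256-ctr ksize=256 mac=hmac-sha1 pfs=curve25519-sha256@libssh.org spid=8678 suid=74 rport=40096 laddr=192.0.2.10 lport=22  exe="/usr/sbin/sshd" hostname=? addr=203.0.113.77 terminal=? res=success'
type=USER_AUTH msg=audit(1614025125.784:829102): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.77 addr=203.0.113.77 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1614025127.502:829103): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=password acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.77 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1614025127.750:829109): pid=8677 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.77 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1614025130.100:829120): pid=8690 uid=0 auid=1001 ses=42 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=/dev/pts/0 res=success'
"""

# Record header: type=... msg=audit(<epoch>.<ms>:<serial>): <fields>
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# key=value tokens; a value is double-quoted, single-quoted, or a bare non-space run
KV_RE = re.compile(r"""(\w+)=("(?:[^"\\]|\\.)*"|'[^']*'|\S+)""")


def _kv_pairs(text):
    """Yield (key, value) pairs with surrounding quotes stripped from the value."""
    for key, value in KV_RE.findall(text):
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        yield key, value


def parse_audit_record(line):
    """Flatten one audit record into a dict, merging the outer fields with the
    fields inside the quoted msg='...'; type, timestamp and serial come from the header."""
    m = RECORD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    outer = dict(_kv_pairs(m.group("rest")))
    inner = outer.pop("msg", None)
    rec.update(outer)
    if inner is not None:
        rec.update(_kv_pairs(inner))
    return rec


def session_timeline(lines, addr):
    """Return (type, op, acct, res) tuples for records from addr, in serial order."""
    events = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec and rec.get("addr") == addr:
            events.append((rec["serial"], rec["type"], rec.get("op"), rec.get("acct"), rec.get("res")))
    return [e[1:] for e in sorted(events)]


def login_outcomes_by_addr(lines):
    """Count USER_LOGIN results per source address: {addr: {'success': n, 'failed': n}}."""
    outcomes = {}
    for line in lines:
        rec = parse_audit_record(line)
        if rec and rec["type"] == "USER_LOGIN":
            per_addr = outcomes.setdefault(rec["addr"], {"success": 0, "failed": 0})
            per_addr[rec["res"]] = per_addr.get(rec["res"], 0) + 1
    return outcomes


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LOG.splitlines()
    for event in session_timeline(lines, "203.0.113.77"):
        print(event)
    print(login_outcomes_by_addr(lines))
```

Correlating on the serial number rather than the timestamp matters here: the two CRYPTO_SESSION records in the excerpt above share one timestamp, and only the serial preserves their order.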
