SSH, MOSH backdoor access to your server

The SSH port is a very popular target for attack. As soon as an open port is detected, brute-force login attempts begin. Let's see what can be done to keep using SSH for remote administration.

This memo is about Fedora 25. The main concepts carry over to other distributions.

SSH access to a server connected to the Internet

We will take several steps to secure our SSH connection. First of all, we will change the port itself. For this example, I have a multihomed server: one network adapter connects to the internal LAN and another is connected directly to the Internet.

I then used the ListenAddress directive in /etc/ssh/sshd_config to set the port on the external NIC to the desired 1234.

# grep Listen /etc/ssh/sshd_config 
ListenAddress 192.168.122.190:22
ListenAddress 172.17.2.231:1234
[root@fc25 ~]# service sshd restart
Redirecting to /bin/systemctl restart  sshd.service
[root@fc25 ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 192.168.122.190:22      0.0.0.0:*               LISTEN      982/sshd

The new listener on port 1234 did not appear, because SELinux is in enforcing mode. Checking /var/log/messages shows this:

Aug 25 17:03:03 fc25 audit[1129]: AVC avc:  denied  { name_bind } for  pid=1129 comm="sshd" src=1234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:monopd_port_t:s0 tclass=tcp_socket permissive=0

Install the semanage tool and use it to label the new port for ssh:

[root@fc25 ~]# semanage port -l | grep -w 22
ssh_port_t                     tcp      22
[root@fc25 ~]# semanage port -a -t ssh_port_t -p tcp 1234
ValueError: Port tcp/1234 already defined
[root@fc25 ~]# semanage port -l | grep -w 1234
monopd_port_t                  tcp      1234
[root@fc25 ~]# semanage port -m -t ssh_port_t -p tcp 1234

The port 1234 we selected was already reserved for another service (monopd_port_t). The last command (-m) overwrites that reservation. This is not a good idea, because a system update can restore the default definitions, so it is easier to choose a different port number.

[root@fc25 ~]# service sshd restart
Redirecting to /bin/systemctl restart  sshd.service
[root@fc25 ~]# netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 172.17.2.231:1234       0.0.0.0:*               LISTEN      1462/sshd           
tcp        0      0 192.168.122.190:22      0.0.0.0:*               LISTEN      1462/sshd

Can you connect to your server now? Surely not; iptables -L -n will show you why. You must open the new port to the outside world:

-A INPUT -i EXTIF -p tcp -m state --state NEW -m tcp --dport 1234 -j ACCEPT

The next step in improving security is to exchange SSH keys and to disable root login with a password. This is achieved with the PermitRootLogin without-password directive in /etc/ssh/sshd_config. Root can then no longer authenticate with a password, and a brute-force attack against it is helpless.
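Before restarting sshd on a new port it is worth checking, in one place, the two traps this memo hits: a port already labelled for another SELinux type, and a PermitRootLogin setting that still allows a password. The following POSIX shell script is an added example, not part of the original memo; it runs offline against constructed samples of `semanage port -l` output and sshd_config (the function names and the http_port_t/unreserved_port_t sample lines are my own), and it also handles comma lists and port ranges, which the memo's single-port case does not show.

```shell
# Added example (not from the original memo): pre-flight checks before moving sshd
# to a new port. Runs offline on constructed samples; in real use, feed it the
# live `semanage port -l` output and /etc/ssh/sshd_config.

# Constructed sample of `semanage port -l` (a few representative lines).
SEMANAGE_SAMPLE='ssh_port_t                     tcp      22
monopd_port_t                  tcp      1234
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      61001-65535'

# Constructed sample sshd_config, matching the memo's setting.
SSHD_CONFIG_SAMPLE='PermitRootLogin without-password
PasswordAuthentication yes'

# selinux_port_type LISTING PROTO PORT: prints the SELinux type that owns PORT
# (single ports, comma lists and lo-hi ranges are handled), or nothing if unlabelled.
selinux_port_type() {
    printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
        $2 == proto {
            s = ""
            for (i = 3; i <= NF; i++) s = s $i     # rejoin "80, 81, 443" as "80,81,443"
            n = split(s, ranges, ",")
            for (i = 1; i <= n; i++) {
                if (split(ranges[i], r, "-") == 2) { lo = r[1]; hi = r[2] } else { lo = hi = ranges[i] }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; exit }
            }
        }'
}

# plan_ssh_port LISTING PORT: "ok" if already ssh_port_t, "add" if free for
# `semanage port -a -t ssh_port_t -p tcp PORT`, or "conflict:TYPE" when another
# service owns it (the memo's 1234 case: pick a different port rather than -m).
plan_ssh_port() {
    t=$(selinux_port_type "$1" tcp "$2")
    case "$t" in
        ssh_port_t)           echo ok ;;
        ""|unreserved_port_t) echo add ;;
        *)                    echo "conflict:$t" ;;
    esac
}

# root_password_login_blocked CONFIG: exit 0 when PermitRootLogin forbids password
# login for root. sshd honours the first occurrence of a keyword, so the first one
# wins here too; an absent directive fails closed because the default varies by version.
root_password_login_blocked() {
    v=$(printf '%s\n' "$1" | awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    case "$v" in
        without-password|prohibit-password|no) return 0 ;;
        *) return 1 ;;
    esac
}

echo "tcp/1234 -> $(plan_ssh_port "$SEMANAGE_SAMPLE" 1234)"   # conflict:monopd_port_t
```

`prohibit-password` is the newer OpenSSH spelling of `without-password`; both are accepted.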

MOSH

Once I tried it, I could not stop using it. I highly recommend this tool.

[root@fc25 ~]# dnf install mosh

Mosh runs over UDP, which lets it keep a session alive even when the client's IP address changes.

You should open the new port in the firewall:

-A INPUT -i EXTIF -p udp --dport 1235 -j ACCEPT

Then the client is invoked as follows:

$ mosh root@myserver --ssh="ssh -p 1234" --server="mosh-server new -p 1235 -s -l LANG=en_US.UTF-8"

Updated on Fri Aug 25 19:09:33 IDT 2017. More documentation here.