[Bio-Linux] OpenSSH bug and SSH security in general

Tim Booth tbooth at ceh.ac.uk
Thu Jul 23 11:59:58 EDT 2015


Hi All,

A recently reported weakness in SSH can increase the vulnerability of
Linux systems to brute-force password guessing attacks:

http://www.itworld.com/article/2951494/bug-exposes-openssh-servers-to-bruteforce-password-guessing-attacks.html

The good news is that the default configuration on Bio-Linux 8 does not
allow this specific issue to be exploited, but it seems timely to
remind/inform you of some security considerations regarding SSH.  Having
an intruder or bot on your system is very bad news indeed and a few
minutes to consider security now could save you days of grief later.

This does not really apply if you have Bio-Linux on a VM (VirtualBox),
which is not externally accessible, but if you have the system fully
installed please read on...

1) SSH server is enabled in Bio-Linux to allow remote login, file
copying (SCP) and x2go functionality.  Most people will need at least
one of these, but if you don't you can choose to block SSH entirely.
The simplest option is to go to Firewall Configuration under System
Settings, then delete the pair of rules that start with the number 22.
You can add these rules back at any time and SSH will be accessible
again.

You could also modify the rules to limit access by specific IP address.

If you installed Bio-Linux on top of Ubuntu using the upgrade8.sh script
you may not have a local firewall at all.  You should consider enabling
it by adding the "gufw" package, then turning it on under System
Settings.  Configuration with GUFW is very straightforward.

2) Check which users on your system have access via SSH.  To do this you
can run:

getent group ssh

If you see accounts listed which don't need remote SSH access you should
disable them (e.g. to disable SSH for user fred):

sudo gpasswd -d fred ssh

3) Use secure passwords for all accounts, or even better disable
password-based login via SSH and use cryptographic keys instead.  There
is a nicely written HOWTO here:

https://kimmo.suominen.com/docs/ssh/

Note that if your client system is Windows, the PuTTYGen tool can do the
job of ssh-keygen.

If you have keys working, you can edit /etc/ssh/sshd_config and set
"PasswordAuthentication no" to go key-only.
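The checks in points 2 and 3 can be scripted. The script below is an added example, not part of Tim's post or of Bio-Linux itself: it runs against constructed sample data (a made-up `getent group ssh` line and an sshd_config excerpt) so it works anywhere, and the helper names (`ssh_group_members`, `unexpected_ssh_members`, `password_auth_disabled`) are my own. The comment at the end shows how to feed it the live system's data instead.

```shell
#!/bin/sh
# Added example (not from the original post): audit SSH group membership and
# the PasswordAuthentication setting, as described in points 2 and 3 above.
# Runs against constructed sample data so it works offline; see the end for
# how to point it at the live system.

# Constructed sample: one line in the format printed by `getent group ssh`
# (name:password:gid:member,member,...).
SAMPLE_GROUP='ssh:x:1001:alice,bob,fred'

# Constructed sample: excerpt of an sshd_config. The commented-out line is
# the shipped default; the uncommented one is the key-only setting.
SAMPLE_SSHD_CONFIG='# sshd_config excerpt (constructed)
Port 22
#PasswordAuthentication yes
PasswordAuthentication no
PubkeyAuthentication yes'

# ssh_group_members LINE: print the group members, space-separated.
ssh_group_members() {
    printf '%s\n' "$1" | cut -d: -f4 | tr ',' ' '
}

# unexpected_ssh_members LINE EXPECTED: print the members that are not in
# the space-separated EXPECTED list, one per line. Each one is a candidate
# for `sudo gpasswd -d <user> ssh`.
unexpected_ssh_members() {
    for m in $(ssh_group_members "$1"); do
        case " $2 " in
            *" $m "*) ;;                 # expected, ignore
            *) printf '%s\n' "$m" ;;     # not expected, report it
        esac
    done
}

# password_auth_disabled CONFIG_TEXT: succeed (exit 0) only if the effective
# global PasswordAuthentication value is "no". sshd uses the first value it
# reads for a keyword, and anything after a Match block applies only to
# matching connections, so stop at the first of either. Comment lines never
# match because their first field starts with "#". With no directive at all
# sshd defaults to "yes", so the function then fails.
password_auth_disabled() {
    val=$(printf '%s\n' "$1" | awk '
        tolower($1) == "match" { exit }
        tolower($1) == "passwordauthentication" { print tolower($2); exit }')
    [ "$val" = "no" ]
}

# Report on the sample data.
echo "ssh group members: $(ssh_group_members "$SAMPLE_GROUP")"
echo "members not in the expected list (alice bob):"
unexpected_ssh_members "$SAMPLE_GROUP" "alice bob"
if password_auth_disabled "$SAMPLE_SSHD_CONFIG"; then
    echo "PasswordAuthentication is off (key-only login)"
else
    echo "PasswordAuthentication is on: consider switching to keys"
fi

# On a live Bio-Linux box, substitute the real data:
#   unexpected_ssh_members "$(getent group ssh)" "alice bob"
#   password_auth_disabled "$(cat /etc/ssh/sshd_config)" && echo key-only
```

The config check only reads the one file you hand it and stops at the first Match block, so on newer OpenSSH releases that pull in extra files with `Include`, `sudo sshd -T | grep -i passwordauthentication` remains the authoritative way to see the value the daemon actually uses.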

4) If you have Bio-Linux on a laptop, remember that when you travel
outside your home or office network you will not be protected by
corporate firewalls etc., so this is a particular reason to consider how
secure your system is.  Consider using the internal firewall to block
SSH when you are on the move and using public WiFi.

5) Some people recommend tools like fail2ban that try to detect and
block intruders.  I personally think these provide very limited
protection and are prone to locking you out of your own machine.  Only
consider this if key-based authentication and host whitelisting via the
firewall settings are impractical for you.

I hope this info is useful.

Cheers,

TIM

-- 
Tim Booth <tbooth at ceh.ac.uk>

Centre for Ecology and Hydrology
Maclean Bldg, Benson Lane
Crowmarsh Gifford
Wallingford, England
OX10 8BB 

http://environmentalomics.org/bio-linux
+44 1491 69 2297
