Using-SSH-for-Optimal-Security-Privacy-and-Anonymity

luan@offsce.com

Using SSH for Optimal Security, Privacy, and Anonymity

Privacy, Security

SSH is a powerful and versatile tool for achieving optimal security, privacy, and anonymity. By mastering local, remote, and dynamic port forwarding, along with implementing robust authentication and hardening practices, you can significantly enhance your digital security posture.

Using-SSH-for-Optimal-Security-Privacy-and-Anonymity

SSH: Secure Shell Overview

Introduction to SSH

  1. Definition:
    • SSH (Secure Shell) is an encrypted network protocol that provides a secure channel between a client and a server.
    • It is one of the most versatile tools available on Linux, macOS, and Windows.
  2. Common Uses:
    • Most people think of SSH as a remote login tool for command-line access to servers, but it offers much more functionality.
    • A separate course could be dedicated to the various cool things you can do with SSH.

SSH Availability

  1. Linux Servers:
    • Most Linux servers allow access via TCP port 22 for SSH.
  2. Other Devices:
    • Many devices, such as routers with custom firmware, NAS (Network Attached Storage), and even smart TVs, may have SSH access, especially if they are Linux-based.
  3. Native Support:
PuTTY-for-Windows

SSH Tools

  1. PuTTY for Windows:

Basic SSH Login

  1. Command-Line Login (Linux/macOS):
    • Syntax: ssh -p <port> <user>@<server>
    • Example: ssh -p 22 root@192.168.1.1
    • The p flag specifies the port (default is 22).
    • It is recommended to log in as a standard user rather than root for security reasons.
  2. PuTTY Login (Windows):
    • Enter the hostname or IP address.
    • Specify the port (default is 22).
    • Select SSH as the protocol.
    • Click “Open” and enter the username and password to log in.

SSH Configuration and Security

  1. Authentication Methods:
    • Password Authentication: Simple but less secure.
    • Public Key Authentication: More secure and recommended.
    • Multi-Factor Authentication (MFA): Adds an extra layer of security.
  2. Hardening SSH:
    • Disable root login via SSH.
    • Use strong passwords or keys.
    • Limit SSH access to specific users or groups.
    • Update and patch SSH software regularly.
    • Configure firewall rules to restrict SSH access to trusted IP addresses.

Practical Applications

  1. Secure Remote Access:
    • Use SSH for secure remote administration of servers and devices.
  2. Anonymity and Privacy:
    • Employ SSH for secure communication and data transfer.
  3. Data Security:
    • Protect sensitive data by encrypting communication channels with SSH.

Remote Port Forwarding with SSH

Remote-Port-Forwarding-with-SSH

Overview

  1. What is Remote Port Forwarding?
    • Remote port forwarding allows you to expose a local service (e.g., a web server) on your machine to a remote SSH server.
    • This creates an inbound tunnel to your SSH server, making the local service accessible via a port on the SSH server.
  2. Use Cases:
    • Expose a local web server or command-line access to a remote network.
    • Useful for accessing services behind firewalls or NAT (Network Address Translation).
  3. Command Syntax:
    • ssh -R <remote_port>:localhost:<local_port> <user>@<ssh_server>
    • Example: ssh -R 8080:localhost:9999 user@demo.offsce.com

Demonstration

  1. Setting Up a Local Service:
    • A simple HTTP server is created using Python on port 9999.
    • Command: python -m http.server 9999 (for Python 3).
  2. Executing Remote Port Forwarding:
    • The command ssh -R 8080:localhost:9999 user@demo.offsce.com is used to forward traffic from the SSH server’s port 8080 to the local machine’s port 9999.
  3. Testing the Forwarding:
    • Accessing the SSH server’s port 8080 (e.g., http://demo.offsce.com:8080) displays the local web server’s content.
    • The HTTP server logs the incoming connection, confirming the forwarding works.
  4. Advanced Example:
    • Using Netcat (nc) to expose a bash shell on the local machine via the SSH server’s port 8080.
    • Command: nc -l -p 9999 -e /bin/bash
    • This allows remote access to the local machine’s command line via the SSH server.

Configuration for Remote Port Forwarding

  1. Firewall/IP Tables:
    • Ensure the port (e.g., 8080) is open on the SSH server.
    • Example command for IP tables: iptables -A INPUT -p tcp --dport 8080 -j ACCEPT
  2. SSH Server Configuration:
    • Edit the SSH server configuration file (/etc/ssh/sshd_config).
    • Set GatewayPorts to yes to allow remote port forwarding.
    • Restart the SSH service: systemctl restart sshd (on Linux).

Windows Example with PuTTY

  1. Setting Up a Local Service:
    • Use Python to create a simple HTTP server on port 9999.
    • Command: python -m http.server 9999
  2. Configuring PuTTY:
    • In PuTTY, go to the “SSH” > “Tunnels” section.
    • Add a new forwarding rule:
      • Source port: 9999 (local port)
      • Destination: localhost:8080 (remote port)
      • Select “Remote” and click “Add”.
    • Connect to the SSH server and test the forwarding.

Remote port forwarding is a powerful feature of SSH that allows you to securely expose local services to remote networks. By configuring the SSH server and firewall correctly, you can use this technique to bypass firewalls, access local services remotely, or even expose command-line access securely.

Local Port Forwarding with SSH

Overview

  1. What is Local Port Forwarding?
    • Local port forwarding allows you to use a remote port as if it were a local port.
    • This is essentially using SSH for outbound connections, where you connect to a remote service via an SSH tunnel.
  2. Use Cases:
    • Securely access a remote service (e.g., a web admin interface or FTP server) that is blocked or restricted by a firewall.
    • Encrypt traffic to a remote service without exposing it directly to the internet.
  3. Command Syntax:
    • ssh -L <local_port>:localhost:<remote_port> <user>@<ssh_server>
    • Example: ssh -L 8080:localhost:6666 user@demo.offsce.com

Demonstration

  1. Example Scenario:
    • A web server with an admin interface on port 6666 is blocked from external access.
    • Instead of directly connecting to port 6666, the user creates an SSH tunnel to access it securely.
  2. Executing Local Port Forwarding:
    • Command: ssh -L 8080:localhost:6666 user@demo.offsce.com
    • This creates a local port 8080 on the user’s machine that forwards traffic to port 6666 on the remote server via an SSH tunnel.
  3. Testing the Forwarding:
    • Accessing localhost:8080 on the local machine connects to the remote server’s port 6666.
    • The connection is encrypted and secure.

Configuration for Local Port Forwarding

  1. Firewall Rules:
    • Block external access to sensitive ports (e.g., 6666) to prevent unauthorized access.
    • Allow SSH (port 22) for secure tunneling.
  2. SSH Server Configuration:
    • Ensure SSH is properly configured to allow tunneling.
    • No additional settings are required for local port forwarding, as it is enabled by default.

Windows Example with PuTTY

  1. Configuring PuTTY:
    • In PuTTY, go to the “SSH” > “Tunnels” section.
    • Add a new forwarding rule:
      • Source port: 8080 (local port)
      • Destination: localhost:6666 (remote port)
      • Select “Local” and click “Add”.
    • Connect to the SSH server and test the forwarding.
  2. Testing the Forwarding:
    • Accessing localhost:8080 on the Windows machine connects to the remote server’s port 6666.

Advanced Example: Forwarding to a Specific Destination

  1. Forwarding to an FTP Server:
    • Command: ssh -L 8080:ftp.example.com:21 user@demo.offsce.com
    • This creates a local port 8080 that connects to an FTP server on port 21 via an SSH tunnel.
  2. Use Case:
    • Useful when a specific port (e.g., FTP port 21) is blocked by a firewall, but SSH is allowed.
    • Allows secure access to the FTP server without exposing it directly.

Local port forwarding is a powerful feature of SSH that allows you to securely access remote services via an encrypted tunnel. By creating a local port that forwards to a remote port, you can bypass firewalls, encrypt traffic, and enhance security. This technique is particularly useful for accessing sensitive services like web admin interfaces or FTP servers.

Dynamic Port Forwarding with SSH and Setting Up a SOCKS Proxy

Dynamic-Port-Forwarding-with-SSH-and-Setting-Up-a-SOCKS-Proxy

Overview

  1. What is Dynamic Port Forwarding?
    • Dynamic port forwarding allows you to create a local SOCKS5 proxy on your device that tunnels traffic through an SSH server.
    • This enables you to use any protocol and access any site, as long as the SSH server allows it.
  2. Use Cases:
    • Bypassing firewalls or network restrictions.
    • Encrypting traffic to enhance privacy and security.
    • Accessing geo-restricted content or services.
  3. Command Syntax:
    • ssh -D <local_port> -f -N <user>@<ssh_server>
    • Example: ssh -D 8080 -f -N user@demo.offsce.com

Understanding the Command

  1. D (Dynamic Port Forwarding):
    • Specifies the local port for dynamic application-level port forwarding.
    • SSH acts as a SOCKS5 proxy server.
  2. f (Background Mode):
    • Runs SSH in the background before executing the command.
    • Useful for keeping the SSH tunnel running without a login prompt.
  3. N (No Command Execution):
    • Prevents SSH from executing a command on the remote machine.
    • Used when you only want to create a tunnel.
  4. C (Compression):
    • Optional, compresses data for faster transfer.

Demonstration

  1. Creating the SOCKS Proxy:
    • Command: ssh -D 8080 -f -N user@demo.offsce.com
    • This creates a local SOCKS5 proxy on port 8080 that tunnels traffic through the SSH server.
  2. Testing the Proxy:
    • Configure your browser or application to use the local SOCKS5 proxy (e.g., localhost:8080).
    • Example: In Firefox, go to Preferences > Network Settings > Manual Proxy Configuration.
    • Set the SOCKS Host to localhost and the port to 8080.
  3. Verifying the Proxy:
    • Visit a website or use a tool like ipinfo.io to check if the traffic is routed through the SSH server.
    • Example: The IP address should match the SSH server’s location (e.g., Amazon Dublin data center).

Using TSOCKS for Command-Line Tools

  1. What is TSOCKS?
    • TSOCKS is a tool that forces command-line applications to use a SOCKS proxy.
    • Useful for applications that don’t natively support proxy settings.
  2. Configuring TSOCKS:
    • Edit the TSOCKS configuration file (/etc/tsocks.conf).
    • Set the default server to 127.0.0.1 and the port to 8080 (or the port used for the SSH proxy).
  3. Using TSOCKS:
    • Run commands with tsocks to force them through the SOCKS proxy.
    • Example: tsocks wget <http://ipinfo.io>

Windows Example with PuTTY

  1. Setting Up the SOCKS Proxy:
    • In PuTTY, configure the SSH connection:
      • Set the hostname and port.
      • Go to Connection > SSH > Tunnels.
      • Set the source port to 8080 and select “Dynamic”.
      • Click “Add” and then “Open”.
  2. Testing the Proxy:
    • Configure your browser to use the SOCKS5 proxy (localhost:8080).
    • Verify the traffic is routed through the SSH server.

Security Considerations

  1. Web Traffic Fingerprinting:
    • SSH tunnels are susceptible to web traffic fingerprinting, where an adversary can guess the website being visited based on the traffic pattern.
    • This is a passive attack that analyzes the size and timing of encrypted data streams.
    • Mitigation: Use protocols like Tor or OpenSSH, which require more data before HTTP packets can be identified.
  2. Adversary Requirements:
    • The adversary must be able to intercept and analyze your traffic (e.g., on a compromised network).
    • If the adversary doesn’t have the traffic pattern, they cannot guess the website.

Managing the SSH Proxy

  1. Stopping the Proxy:
    • Use pkill ssh or kill <PID> to stop the SSH process running in the background.
  2. Remote Command Execution:
    • Use the - flag to execute remote commands without creating a shell.
    • Example: ssh user@demo.offsce.com -- whoami

Comparison of proxifiers – Wikipedia

Dynamic port forwarding with SSH is a powerful feature that allows you to create a secure SOCKS5 proxy for encrypting and routing traffic. While it enhances privacy and security, it is important to be aware of potential vulnerabilities like web traffic fingerprinting. Use tools like TSOCKS or proxifiers to force applications to use the proxy, and always consider the security implications of your setup.

Public-Private Key Authentication for SSH

Generating-a-new-SSH-key

Overview

  1. Why Use Public-Private Key Authentication?
    • Public-private key authentication is more secure than password-based authentication.
    • It eliminates the need for passwords, reducing the risk of brute-force attacks.
  2. How It Works:
    • Generate a pair of keys: a public key and a private key.
    • Place the public key on the SSH server.
    • Use the private key for authentication without needing a password.

Generating Keys on Linux/Mac

  1. Command:
    • ssh-keygen -t rsa -b 4096 -C "user@client"
    • Example: ssh-keygen -t rsa -b 4096 -C "tim@debian"
  2. Key Generation Process:
    • Choose a location to save the keys (default is ~/.ssh/).
    • Encrypt the private key with a passphrase (optional but recommended).
    • The passphrase is used to decrypt the private key when logging in.
  3. Key Files:
    • Public Key: id_rsa.pub
    • Private Key: id_rsa

Copying the Public Key to the SSH Server

  1. Using ssh-copy-id:
    • Command: ssh-copy-id -i ~/.ssh/id_rsa.pub user@server
    • This automatically copies the public key to the server’s ~/.ssh/authorized_keys file.
  2. Manual Method:
    • Use cat to manually copy the public key to the server: cat ~/.ssh/id_rsa.pub | ssh user@server "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Logging In with Public-Private Key Authentication

  1. Using the Private Key:
    • When logging in, SSH will prompt for the passphrase to decrypt the private key.
    • If no passphrase is set, the login will be automatic.
  2. Local Authentication vs. Server Authentication:
    • The passphrase is for decrypting the private key locally.
    • The server authenticates using the public-private key pair.

Troubleshooting on Ubuntu/Gnome Keyring

  1. Agent Admitted Failure to Sign:
    • This is a known bug with Gnome Keyring.
    • Solution: Add the private key to the SSH agent: ssh-add ~/.ssh/id_rsa

Generating Keys on Windows with PuTTY

  1. Tools Needed:
    • PuTTYGen (for generating keys)
    • Pageant (for managing keys)
  2. Generating Keys:
    • Open PuTTYGen and select the key type (e.g., SSH2 RSA).
    • Generate the key pair by moving the mouse to create randomness.
    • Save the public and private keys.
    • Encrypt the private key with a passphrase.
  3. Copying the Public Key to the Server:
    • Copy the public key content and add it to the server’s ~/.ssh/authorized_keys file.
  4. Using Pageant:
    • Run Pageant and add the private key.
    • Enter the passphrase to decrypt the private key.
  5. Logging In with PuTTY:
    • Configure PuTTY to use the private key:
      • Go to Connection > SSH > Auth.
      • Select the private key file.
    • Log in without needing a password.

Generate SSH Private and Public Keys in macOS Big Sur

Public-private key authentication is a secure and efficient way to log into an SSH server. By generating and managing keys properly, you can eliminate the need for passwords and reduce the risk of unauthorized access. Whether you’re using Linux, Mac, or Windows, the process is straightforward and provides a high level of security.

Hardening SSH and Additional Authentication Methods

Hardening-SSH-and-Additional-Authentication-Methods

Server-Side Hardening

  1. Configuration File:
    • Edit the SSH server configuration file: /etc/ssh/sshd_config.
    • Use modern settings for OpenSSH 9.8+ for enhanced security.
  2. Key Settings:
    • Key Exchange Algorithms: Set a secure order (e.g., curve25519-sha256, diffie-hellman-group-exchange-sha256).
    • Ciphers: Use strong ciphers (e.g., chacha20-poly1305@openssh.com, aes256-gcm@openssh.com).
    • MACs (Message Authentication Codes): Use secure MACs (e.g., hmac-sha2-512-etm@openssh.com).
  3. Disable Password Authentication:
  4. Verbose Logging:
    • Enable detailed logging to track user activity.
    • Set LogLevel VERBOSE.
  5. SFTP Logging:
    • Log SFTP file access for auditing purposes.
    • Set Subsystem sftp /usr/lib/openssh/sftp-server -l INFO.
  6. Disable Root Login:
    • Prevent root login via SSH.
    • Set PermitRootLogin no.
  7. User Privilege Separation Sandbox:
    • Use sandboxing for better security.
    • Set UsePrivilegeSeparation sandbox.

Client-Side Hardening

  1. Configuration File:
    • Edit the SSH client configuration file: ~/.ssh/config.
    • Force clients to connect only to servers with known host keys.
    • Specify preferred host key algorithms, key exchange algorithms, MACs, and ciphers.
  2. Key Generation:
    • Use ssh-keygen with strong algorithms (e.g., ed25519).
    • Fallback to RSA for compatibility with older systems.

Additional Authentication Methods

  1. Multi-Factor Authentication (MFA):
    • Use tools like All toolkit or Duo Security for MFA.
    • Configure PAM (Pluggable Authentication Module) for integration.
  2. OpenPGP/GPG Authentication:
    • Use OpenPGP or GNU Privacy Guard (GPG) keys for authentication.
    • Check the provided link for detailed instructions.
  3. Google Authenticator:
  4. **YubiKey Authentication:**
    • Use YubiKey for hardware-based two-factor authentication.
    • Follow the provided link for setup instructions on various platforms.

Security/Guidelines/OpenSSH – MozillaWiki

Hardening SSH involves configuring both the server and client to use the most secure settings available. By disabling password authentication, enabling verbose logging, and implementing multi-factor authentication, you can significantly enhance the security of your SSH setup. Additionally, using strong encryption algorithms and sandboxing mechanisms ensures that your SSH server is as secure as possible.

Conclusion

SSH is a cryptographic network protocol offering secure communication between networked computers. It’s used for secure data communication, remote login, command execution, and other secure network services. SSH provides local, remote, and dynamic port forwarding, enhancing security and privacy.

Public-private key authentication offers a more secure login method than passwords, eliminating brute-force risks. Hardening SSH involves server and client configuration for security, disabling root login, and enabling MFA. Despite network issues preventing the parsing of certain URLs, the key points on using SSH for optimal security, privacy, and anonymity remain valid. For the URLs provided, please check their legitimacy and retry due to potential network-related problems.

Leave a Comment