CNT4603 - 2012 Spring
Group Assignment 6
Printed journals due Monday, July 23, at the beginning of class.

Assignment: Improving SSHD security on your Debian box and your CentOS virtual machine

Objectives: (1) Move SSHD to a non-obvious port on both your CentOS and Debian instances. (2) Configure your iptables firewall. (3) Install knockd and configure it to protect your SSHD.

Moving SSHD

This is by far the easiest portion of the assignment. Just edit the /etc/ssh/sshd_config file to move your sshd to a non-obvious port, and restart sshd. "Non-obvious" in this case means a random port above 20,000 of your choice. Please use the same port for both your Debian and your CentOS machines. Keep your current login open while you restart sshd, and confirm from a second terminal (or with netstat -tln) that sshd is listening on the new port before you close the old session. On CentOS with SELinux enforcing, sshd will refuse to bind a non-standard port until you add that port to the ssh_port_t type (semanage port -a -t ssh_port_t -p tcp <port>, from the policycoreutils-python package).
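The edit above done as a small script, as an added example that is not part of the assignment page. It rewrites the Port directive, keeps a backup, and refuses anything outside the range the assignment asks for. Port 23456 in the usage lines is a made-up placeholder, not a suggestion; the /usr/sbin/sshd path and the init script names are the ones on Debian 6 and CentOS 6 of the time.

```sh
#!/bin/sh
# Added example, not part of the assignment page: move sshd to a non-obvious
# port safely. Port 23456 in the comments is a made-up placeholder; pick your
# own and use the same one on both machines.

# The assignment wants a port above 20,000; anything else is rejected.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -gt 20000 ] && [ "$1" -lt 65536 ] || return 1
}

# Rewrite the Port directive in an sshd_config file, keeping a .bak copy.
# Every existing Port line (active or commented out) is removed and a single
# new one is placed at the top, ahead of any ListenAddress lines.
# Usage: set_sshd_port /etc/ssh/sshd_config 23456
set_sshd_port() {
    cfg=$1; port=$2
    valid_port "$port" || { echo "port must be 20001-65535, got '$port'" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak"
    tmp=$(mktemp)
    {
        printf 'Port %s\n' "$port"
        grep -Ev '^[[:space:]]*#?[[:space:]]*Port[[:space:]]' "$cfg" || true
    } > "$tmp"
    cat "$tmp" > "$cfg"        # overwrite in place so owner and mode are kept
    rm -f "$tmp"
}

# Report the port an sshd_config file selects (22 when none is set).
sshd_port_in() {
    p=$(grep -E '^[[:space:]]*Port[[:space:]]+[0-9]+' "$1" | head -n 1 | awk '{print $2}')
    echo "${p:-22}"
}

# Apply for real only when run as:  sh move_sshd.sh apply /etc/ssh/sshd_config 23456
# Keep your current login open, restart sshd, and confirm the new port from a
# second terminal before closing the old session.
if [ "${1:-}" = "apply" ]; then
    set_sshd_port "$2" "$3"
    /usr/sbin/sshd -t -f "$2" && echo "config OK; port is now $(sshd_port_in "$2")"
    echo "restart with: /etc/init.d/ssh restart (Debian) or /etc/init.d/sshd restart (CentOS)"
fi
```

Run it without arguments and nothing is touched; the functions can be sourced and tried on a copy of sshd_config first. The sshd -t syntax check runs before you restart, so a typo cannot leave you with a daemon that fails to come back up.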

Configuring iptables

This is a bit more challenging. While your CentOS box most likely was installed with iptables configured and enabled, unless you have already set up a firewall on your Debian box, your Debian iptables rulesets are empty (you can see this with iptables -L -n).

The objective here is to set up your firewall so that it allows (1) pings to your Debian and CentOS instances and (2) connections to ports 80 and 443, but generally forbids other TCP connections (we will take care of your new sshd port in the next section with knockd).

You are welcome to install whatever firewall management toolkit you like on your Debian box (ufw, for instance, is quite popular), or you can just use the standard iptables-restore and iptables-save by hand; but if you do so, you will also have to set up automatic restoration of your iptables rules on reboot. Either way, do this work on the VM console, not over ssh: once the new policy is loaded, nothing lets a new connection reach your sshd port until knockd is in place.

In either case, verify that your changes are permanent by rebooting the machine and doing an iptables -L -n on both your CentOS and Debian instances.
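The whole iptables part of the assignment in one script, as an added example that is not the course's own material: a ruleset that accepts pings and TCP 80/443 and refuses every other new TCP connection, the two persistence mechanisms (a by-hand Debian hook and the stock CentOS init script), and an audit you can run against iptables-save output after each reboot. The file name /etc/iptables.rules and the if-pre-up.d hook are this example's choice of persistence, not something the assignment prescribes, and the sshd port 23456 is a placeholder. The sshd port is deliberately absent from the ruleset; knockd will add a per-client rule for it later.

```sh
#!/bin/sh
# Added example (not the course's own material): generate, install and audit
# the firewall policy the assignment describes. Pings and TCP 80/443 in, every
# other new TCP connection refused. The sshd port is NOT listed here; knockd
# inserts a per-client rule for it on demand.
# Assumed names: /etc/iptables.rules and the if-pre-up.d hook are this
# example's persistence choice; 23456 in the usage lines is a placeholder.

# Emit the policy in the format iptables-restore reads.
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and packets belonging to connections already accepted or started by us
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# (1) pings
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# (2) web
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# other TCP: answer with a reset rather than a silent drop. knockd's rule
# must land ABOVE this line, which is why knockd should use -I, not -A.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Debian: load the rules now, and again before each interface comes up.
install_debian() {
    gen_rules > /etc/iptables.rules
    iptables-restore < /etc/iptables.rules
    printf '#!/bin/sh\niptables-restore < /etc/iptables.rules\n' \
        > /etc/network/if-pre-up.d/iptables
    chmod 0755 /etc/network/if-pre-up.d/iptables
}

# CentOS: the stock init script restores /etc/sysconfig/iptables at boot.
install_centos() {
    gen_rules | iptables-restore
    service iptables save
    chkconfig iptables on
}

# Audit: feed `iptables-save` output on stdin and name the sshd port as $1.
# Passes only if the required rules exist AND the sshd port is not open
# (outside a knock window it must not be). Usage: iptables-save | audit_rules 23456
audit_rules() {
    sshport=$1; ok=0; rules=$(cat)
    chk() {
        printf '%s\n' "$rules" | grep -Eq -- "$1" || { echo "missing: $2" >&2; ok=1; }
    }
    chk '^:INPUT DROP'                                                   'INPUT policy DROP'
    chk '^-A INPUT .*-p icmp .*--icmp-type (8|echo-request) .*-j ACCEPT' 'ping'
    chk '^-A INPUT .*-p tcp .*--dport 80 .*-j ACCEPT'                    'port 80'
    chk '^-A INPUT .*-p tcp .*--dport 443 .*-j ACCEPT'                   'port 443'
    if printf '%s\n' "$rules" | grep -Eq -- "^-A INPUT .*--dport $sshport .*-j ACCEPT"; then
        echo "sshd port $sshport is open outside a knock window" >&2; ok=1
    fi
    return $ok
}

# Constructed sample of what iptables-save prints on a correctly configured box
# (written for this example, not captured from a real machine); lets the audit
# be exercised offline.
sample_save_output() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
COMMIT
EOF
}
```

The audit matches on patterns rather than exact lines because iptables-save rewrites what you fed in (for example, echo-request comes back as -m icmp --icmp-type 8). Your existing ssh session survives the reload through the ESTABLISHED rule, but nothing new can reach sshd, which is the point of the next section.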

Installing and configuring knockd

Now we want to set up special access to your sshd, which is now blocked by your firewalls.

We are going to use the program knockd to do this. First, install knockd (hint: check your repositories). Second, please configure it so that:

You will need to do at least three verification steps for this: (1) verify that, from one box, you can connect to the other only for a short period after knocking; (2) run iptables -L -n both during and after the 20-second window to confirm that the sshd port rule appears and then disappears; (3) verify that everything still works after a reboot (knockd has to start at boot, and your firewall rules have to come back with it).
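A knockd configuration for the setup described in this section, plus the client-side and server-side checks for the three verification steps, as an added example that is not part of the assignment page. The sshd port 23456, the sequence 40001,40002,40003, the interface eth0 and the host address in the usage lines are placeholders; choose your own and keep them private. The /sbin/iptables path is the one on the Debian and CentOS releases of the time.

```sh
#!/bin/sh
# Added example, not part of the assignment page: a knockd configuration that
# opens the firewalled sshd port only for the host that knocked, and only for
# the assignment's 20 s window, plus the checks the assignment asks for.
# Port 23456, sequence 40001,40002,40003, interface eth0 and the host address
# in the usage lines are placeholders; choose your own and keep them private.

# A usable sequence: at least 3 distinct ports in 1..65535, none of them the
# sshd port or a port the firewall already accepts (80, 443), so ordinary
# traffic cannot stumble into the sequence. (This example's own policy.)
valid_sequence() {
    seq=$1; sshport=$2; n=0; seen=" "
    for p in $(printf '%s\n' "$seq" | tr ',' ' '); do
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
        case "$p" in "$sshport"|80|443) return 1 ;; esac
        case "$seen" in *" $p "*) return 1 ;; esac
        seen="$seen$p "; n=$((n + 1))
    done
    [ "$n" -ge 3 ] || return 1
}

# Emit knockd.conf. knockd sniffs the interface with libpcap, so the knock
# ports themselves never need to be opened in iptables. start_command uses
# -I (insert at the top) so the ACCEPT lands above the firewall's REJECT rule;
# -A would append it below and it would never match.
# Usage: gen_knockd_conf 23456 40001,40002,40003 eth0 > /etc/knockd.conf
gen_knockd_conf() {
    sshport=$1; seq=$2; iface=$3
    valid_sequence "$seq" "$sshport" || { echo "unusable knock sequence '$seq'" >&2; return 1; }
    cat <<EOF
[options]
    UseSyslog
    Interface = $iface

[openSSH]
    sequence      = $seq
    seq_timeout   = 5
    tcpflags      = syn
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport $sshport -j ACCEPT
    cmd_timeout   = 20
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport $sshport -j ACCEPT
EOF
}

# Client side (your other box): knock, then probe the sshd port inside and
# after the window with nc. Needs the knock client shipped with knockd.
# Usage: knock_and_probe 192.0.2.10 23456 40001,40002,40003
knock_and_probe() {
    host=$1; sshport=$2; seq=$3
    knock -v "$host" $(printf '%s\n' "$seq" | tr ',' ' ')
    sleep 1
    if nc -z -w 3 "$host" "$sshport"; then
        echo "inside window: $sshport open (expected)"
    else
        echo "inside window: $sshport closed, knock not honoured" >&2; return 1
    fi
    sleep 22
    if nc -z -w 3 "$host" "$sshport"; then
        echo "after window: $sshport still open, stop_command did not run" >&2; return 1
    fi
    echo "after window: $sshport closed (expected)"
}

# Server side: run this while the other box knocks and watch the per-client
# ACCEPT rule appear in iptables -L -n and vanish about 20 s later.
# Usage: watch_sshd_rule 23456 30
watch_sshd_rule() {
    sshport=$1; secs=${2:-30}; i=0
    while [ "$i" -lt "$secs" ]; do
        if iptables -L INPUT -n | grep -Eq "dpt:$sshport( |$)"; then s=open; else s=closed; fi
        printf '%3ds sshd port %s\n' "$i" "$s"
        sleep 1; i=$((i + 1))
    done
}
```

For the reboot check, remember that on Debian the package ships disabled: set START_KNOCKD=1 in /etc/default/knockd, or the daemon will not come up after the reboot and step (3) will fail even though steps (1) and (2) passed. The rule knockd inserts carries the knocker's address (-s %IP%), so during the window only that host, not the whole network, can reach sshd.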

It is possible, though unlikely, that VirtualBox could interfere with your testing by providing "magic" local access from one of your instances to another that seems to get around the iptables firewall. If you suspect that you are seeing such a phenomenon (it's quite unlikely; I have only seen this once, a few years ago, with VirtualBox), you can ask another classmate to test your firewall, but remember that we are having a security exercise soon, and it would be best not to reveal your final sshd port assignment and certainly not the final knock sequence that you choose.

A journal is due for this assignment. Make sure that you document in your journal all of the steps that you went through, following the guidelines on the class home page. For this assignment, please include in your write-up both

Please turn in a printed copy of this assignment at the beginning of class on Monday, July 23.