CNT4603 - 2015 Fall
Group Assignment 6
Printed journals due Thursday, October 29, at the beginning of class.

Assignment: Improving SSHD security on your Debian box

Objectives: (1) Move SSHD to a non-obvious port on your Debian instance. (2) Configure your iptables firewall. (3) Install knockd and configure it to protect your SSHD.

Moving SSHD

This is by far the easiest portion of the assignment. Edit /etc/ssh/sshd_config, change the Port directive to a non-obvious port, and restart sshd. "Non-obvious" in this case means a port of your choice above 20,000 (and below 65,536). Before you close the session you are logged in on, confirm that sshd is actually listening on the new port and that you can log in there from another machine; a typo in sshd_config is the classic way to lock yourself out. (Note that a non-standard port only cuts down on log noise from bots that try port 22; a full port scan still finds it, which is why the firewall and knockd steps below matter.)
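The following shell script is an added example for this step; it is not part of the assignment text. It changes the Port directive in an sshd_config file (tested on a scratch copy first), rejects ports outside the range the assignment defines, and on the real box syntax-checks the config before restarting. The port number 31337, the path /etc/ssh/sshd_config and the Debian service name "ssh" are assumptions.

```bash
#!/bin/bash
# Added example for this assignment (not from the course page): move sshd to a
# non-obvious port with a sanity check. The port 31337 used in the usage line,
# the path /etc/ssh/sshd_config and the service name "ssh" are assumptions.

# Accept only a decimal port above 20,000 and below 65,536, which is what the
# assignment means by "non-obvious".
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;           # empty or not a decimal integer
    esac
    [ "$1" -gt 20000 ] && [ "$1" -lt 65536 ]
}

# Rewrite the Port directive in an sshd_config file: the first Port line
# (a commented-out "#Port 22" counts) becomes "Port <new>", any further Port
# lines are dropped so sshd does not keep listening on the old port as well,
# and a Port line is appended if the file had none.
set_sshd_port() {
    local cfg="$1" port="$2" tmp
    valid_port "$port" || { echo "refusing port '$port': use 20001-65535" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v p="$port" '
        /^[ \t]*#?[ \t]*Port[ \t]+[0-9]+/ {
            if (!done) { print "Port " p; done = 1 }
            next
        }
        { print }
        END { if (!done) print "Port " p }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps the file's owner and mode
    rm -f "$tmp"
}

# Print the port sshd will bind according to the config (first active Port line).
sshd_port() {
    awk '/^[ \t]*Port[ \t]+[0-9]+/ { print $2; exit }' "$1"
}

# On the real box (as root): edit, syntax-check, restart, then confirm the
# socket is bound. Run it from an existing session and keep that session open
# until the check passes; restarting sshd does not drop established sessions.
apply_sshd_port() {
    set_sshd_port /etc/ssh/sshd_config "$1" || return 1
    sshd -t || return 1                        # reject a broken config before restarting
    service ssh restart || return 1
    ss -tln | grep -q ":$1 " || { echo "sshd is not listening on port $1" >&2; return 1; }
}

# Usage (as root): apply_sshd_port 31337
# then, from another machine:  ssh -p 31337 user@your-debian-box
```

Try set_sshd_port on a copy of the file (cp /etc/ssh/sshd_config /tmp/test.conf) and diff the result before touching the real one.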

Configuring iptables

This is a bit more challenging. Unless you have already set up a firewall on your Debian box, your iptables rulesets are empty; you can see this with iptables -L -n, which on an unconfigured machine will look something like:

# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

The objective here is to set up your firewall so that it allows (1) pings to your Debian instance and (2) connections to ports 80 and 443 on your Debian machine, but forbids all other inbound TCP connections (we will take care of your new sshd port in the next section with knockd). Your ruleset will also need to accept traffic on the loopback interface and replies to connections the machine itself initiated; with a default DROP policy on INPUT, forgetting those breaks apt, DNS lookups and your current ssh session.

Please install iptables-persistent. (If you have installed ufw or other firewalling software, it would be a good idea to remove it first, since two tools rewriting the same rules will fight each other.)

Configure your firewall (just the IPv4 rules; don't worry about the IPv6 versions). Unfortunately, your text isn't strong on this subject, but reasonably good instructions are on the Debian Wiki. (The lines that start like ":INPUT ACCEPT [0:0]" are the chain policy declarations: the word after the chain name is the default policy applied to packets that no rule matches, and the bracketed numbers are packet and byte counters. Keep those lines and set the INPUT policy to DROP; the counters can stay at [0:0].) As mentioned in the objective, please leave ping available, and ports 80 and 443.
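Below is an added example of a ruleset that meets the objective, written in the iptables-save format that iptables-persistent reads from /etc/iptables/rules.v4, together with a loader and a small check used later to see whether a port is open. It is not part of the assignment page or the Debian Wiki text. The file path and the use of the conntrack match are assumptions; the sshd port is deliberately absent, because knockd will add and remove that rule at run time.

```bash
#!/bin/bash
# Added example (not from the course page): the IPv4 ruleset the assignment
# asks for, in iptables-save format, plus a loader. The file path
# /etc/iptables/rules.v4 (where iptables-persistent looks) is an assumption;
# the knockd-managed sshd rule is intentionally NOT in this file.

# Emit the ruleset. Policies live on the ":CHAIN POLICY [pkts:bytes]" lines;
# the bracketed counters are irrelevant and may stay at zero.
generate_rules_v4() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections this host started (apt, DNS, ...)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Objective (1): answer pings
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# Objective (2): web ports
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Everything else falls through to the DROP policy. knockd inserts the
# temporary sshd rule with "iptables -I INPUT", i.e. ahead of all of the above.
COMMIT
EOF
}

# Does an iptables-save style dump on stdin accept new TCP connections to PORT?
# Useful for verification step (2) of the knockd section:
#   iptables-save | rules_open_tcp_port 31337 && echo "sshd port is open"
rules_open_tcp_port() {
    grep -Eq -- "-p tcp .*--dport $1 .*-j ACCEPT"
}

# Load the rules live first (as root). The ESTABLISHED,RELATED rule keeps the
# ssh session you are running this from alive; new ssh connections are now
# blocked until knockd is set up. Confirm ping and port 80/443 still work
# from another host, and only then save the rules for the next boot.
apply_rules_v4() {
    generate_rules_v4 | iptables-restore || return 1
    iptables -L -n                        # eyeball the result
}

save_rules_v4() {
    iptables-save > /etc/iptables/rules.v4
}

# Usage (as root): apply_rules_v4 ; test from another host ; save_rules_v4
```

If you do lock yourself out while experimenting, a console login (or the lab machine) and "iptables -P INPUT ACCEPT; iptables -F" gets you back to the empty state shown above.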

Installing and configuring knockd

Now we want to set up special access to your sshd, which is now blocked by your firewall.

We are going to use the program knockd to do this. First, install knockd (hint: check your repositories). Second, please configure it so that:

You will need to do at least three verification steps for this: (1) verify, from a separate machine, that you can connect to sshd only for a short period after sending the knock sequence; (2) verify with iptables -L -n, both during and after the 20-second window, that the rule for your sshd port appears and then disappears again; (3) verify that everything still works after a reboot.
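As an added example (not from the assignment page), here is a knockd configuration that opens the sshd port only for the host that knocked, for the 20-second window the verification steps mention, plus the client-side check for step (1). Since the configuration requirements list is cut off on this page, the interface eth0, the sshd port 31337, the three-port sequence 7000,8000,9000 and the 5-second sequence timeout are assumptions; choose your own sequence, because it travels in clear text and is effectively a password.

```bash
#!/bin/bash
# Added example (not from the course page): knockd configuration that opens
# the sshd port for the knocking host only, for 20 seconds, plus the check
# run from the second machine. Interface eth0, sshd port 31337 and the knock
# sequence 7000,8000,9000 in the usage lines are assumptions.

# Emit /etc/knockd.conf for IFACE, SSHPORT and a comma-separated SEQUENCE.
# knockd replaces %IP% with the knocker's address; "-I INPUT" puts the ACCEPT
# rule at the top of the chain, ahead of the persistent rules, and "-D" with
# the identical rule spec removes exactly that rule when cmd_timeout expires.
generate_knockd_conf() {
    local iface="$1" port="$2" seq="$3"
    cat <<EOF
[options]
    UseSyslog
    Interface = $iface

[openSSH]
    sequence      = $seq
    seq_timeout   = 5
    tcpflags      = syn
    start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport $port -j ACCEPT
    cmd_timeout   = 20
    stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport $port -j ACCEPT
EOF
}

# Debian's init script refuses to start knockd until /etc/default/knockd
# says START_KNOCKD=1; forgetting this is the usual reason step (3) fails
# after a reboot even though everything worked before it.
enable_knockd_default() {
    sed -i 's/^START_KNOCKD=0/START_KNOCKD=1/' /etc/default/knockd
}

# Run on the server as root: install_knockd_conf eth0 31337 7000,8000,9000
install_knockd_conf() {
    generate_knockd_conf "$1" "$2" "$3" > /etc/knockd.conf || return 1
    enable_knockd_default
    service knockd restart
}

# Run from the separate test machine (needs the "knock" client, which ships
# with the knockd package, and netcat): knock, prove the port opens, wait
# past the window, prove it closed again. Keep "iptables -L -n" running on
# the server meanwhile for verification step (2).
check_knock() {
    local host="$1" port="$2"; shift 2
    knock -v "$host" "$@" || return 1
    nc -z -w 3 "$host" "$port" || { echo "port $port did not open after the knock" >&2; return 1; }
    sleep 25
    if nc -z -w 3 "$host" "$port"; then
        echo "port $port is STILL open 25 s after the knock" >&2
        return 1
    fi
    echo "ok: port $port opened and closed again"
}
# Usage from the test machine: check_knock 10.0.0.5 31337 7000 8000 9000
```

knockd captures the knock packets with libpcap, so it sees them even though the firewall drops them; that is why the knock ports need no rules of their own. Once the port is open, "ssh -p 31337 user@host" within the window gives you a normal session, which survives the stop_command because the ESTABLISHED,RELATED rule in the persistent ruleset keeps it alive.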

Your testing is probably best done from a separate machine. If you come by my office hours on Wednesday, October 28, we can go to the lab and verify your setup from the class server.

A journal is due for this assignment. Make sure that you document in your journal all of the steps that you went through, following the guidelines on the class home page. For this assignment, please include in your write-up both

Please turn in a printed copy of this assignment at the beginning of class on Thursday, October 29.