SSH

Secure Shell Protocol - Port 22

Key Generation
RSA
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Ed25519
ssh-keygen -t ed25519
ECDSA
ssh-keygen -t ecdsa-sk

FIDO/U2F NO-TOUCH MODE

Without Touch-Mode
ssh-keygen -O no-touch-required -t ed25519-sk
Allow mode on sshd
no-touch-required sk-ssh-ed25519@openssh.com AAAAInN... user@example.com
Enumeration
Show Details
ssh-keygen -C "$(whoami)@$(uname -n)-$(date -I)"
Key lenght
ssh-keygen -l -f public_key
Check SSH access
netexec ssh <IP> -u <USER> -p 'password'
SSH Brute Force
nmap -n -p22 --script ssh-brute --script-args userdb=usernames.txt,passdb=passwords.txt <IP>
Trouble-shooting

SSH2_MSG_KEX_ECDH_REPLY error:

ssh -o MACs=hmac-sha2-256 <HOST>

  • Sometimes the /etc/hosts.allow or /etc/hosts.deny may be configured to blacklist or whitelist IPs trying to connect to the server:

Whitelist
ALL : 10.10.16.8

  • Add that in the /hosts.allow file; make sure to let a blank line at the end.

  • sshd_wl is the syslink to host.allow and is normally in .ssh

  • In recent versions of OpenSSH, certain older key types like ssh-rsa have been deprecated because of security concerns with the SHA-1 hash algorithm they use:

ssh root@10.10.10.34 -i id_rsa -o PubkeyAcceptedKeyTypes=ssh-rsa
OpenSSH Vulnerabilities

Repology

RsaCtfTool

  • RSA attack tool (mainly for ctf) - retrieve private key from weak public key and/or uncipher data.

  • Install libmpc-dev, libgmp3-dev and sagemath

  • Also recommend to use a virtual environment

RsaCtfTool/RsaCtfTool.py --publickey decoder.pub --decryptfile pass.crypt

CVE-2008-0166

  • Debian OpenSSL Predictable PRNG -> Check the repo

  • Look for matches for a given public_key:

grep -R -n `cat public_key` rsa/
sshd - SSH Server
Configuration File
/etc/ssh/sshd_config
Sampler config
# Disable root login
PermitRootLogin no

# Use SSH Protocol 2 only
Protocol 2

# Use only strong authentication methods
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no

# Limit user access (replace 'youruser' with your username)
AllowUsers youruser

# Use non-standard port (optional, requires adjustment to QEMU port forwarding)
Port 2233

# Restrict key exchange, ciphers, and MACs to strong algorithms
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com

# Strict mode
StrictModes yes

# Disable X11 forwarding
X11Forwarding no

# Set low login grace time
LoginGraceTime 30s

# Limit maximum authentication attempts
MaxAuthTries 3

# Enable logging
LogLevel VERBOSE

# Disable GSSAPI authentication
GSSAPIAuthentication no

# Disable host-based authentication
HostbasedAuthentication no

# Disable empty passwords
PermitEmptyPasswords no

# Disable TCP forwarding for stealthiness
AllowTcpForwarding no
GatewayPorts no

# Set idle timeout (15 minutes)
ClientAliveInterval 300
ClientAliveCountMax 3

Enable fail2ban to prevent brute force attempts

sudo pacman -S fail2ban
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the SSH jail configuration
sudo nano /etc/fail2ban/jail.local
Add this to the SSH section
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
findtime = 600
bantime = 3600
Enable/Start the service
sudo systemctl enable fail2ban
sudo systemctl start fail2ban

Configure system auditing

Set up audit
sudo pacman -S audit
sudo systemctl enable auditd
sudo systemctl start auditd
Configure it
sudo auditctl -w /etc/ssh/sshd_config -p wa -k sshd_config
sudo auditctl -w /etc/passwd -p wa -k user_modification
sudo auditctl -w /etc/shadow -p wa -k user_modification
PreviousICMPNextTelnet

Last updated