Tag Archives: SSH

Linux under attack: Compromised SSH keys lead to rootkit

The U.S. Computer Emergency Readiness Team (CERT) has issued a warning for what it calls “active attacks” against Linux-based computing infrastructures using compromised SSH keys.

The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as “phalanx2” is installed, US-CERT said in a note on its current activity site.

Read the full article here

Generating DSA or RSA SSH Keys

From: original link
Generating Keys
The first step involves the generation of a DSA or RSA key pair for use in authentication. Typically you do this on the machine you intend to log in from. Only the public half of the pair ever needs to leave that machine; the private key should stay where it was generated, protected by its passphrase, because anyone who copies it can log in as you (this is exactly how the stolen-key attacks in the US-CERT note above begin).

To generate an RSA key pair, use the following command:

ssh-keygen -t rsa

or, for DSA:

ssh-keygen -t dsa

Note that DSA (ssh-dss) is deprecated: OpenSSH has disabled it by default since version 7.0 and recent releases have removed it, so on a current system prefer RSA (at least 2048 bits; 4096 is common) or Ed25519, selected with the -t option in the same way.

You will be prompted for a location for saving the keys and for a passphrase. Pick a strong passphrase and either remember it or note it in a secure place: it encrypts the private key on disk, so a stolen key file is useless without it, and it will be required every time you use the key to log in:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Locating the Keys on Remote Computers
Assuming the remote computers you wish to use the keys for already have an SSH daemon running, placing the public portion of the key pair on those machines is simple. For example, to begin using key-based logins as user username on a remote machine named host, where host is running sshd and is reachable by name on your network, use the ssh-copy-id command, which appends your public key to ~/.ssh/authorized_keys on host with the correct permissions:

ssh-copy-id -i ~/.ssh/id_rsa.pub username@host

or

ssh-copy-id -i ~/.ssh/id_dsa.pub username@host

Testing the Login
Next, you need to test the login, by attempting a connection to the machine and using your passphrase to unlock the key:

ssh username@host

You will be prompted for the passphrase for your key:

Enter passphrase for key '/home/username/.ssh/id_rsa':

Enter your passphrase, and provided host is configured to allow key-based logins, you should then be logged in as usual.
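The remote-side work that ssh-copy-id does, written out by hand so the checks are visible. This is an added example, not code from the original post: it validates a public key line (refusing the deprecated ssh-dss type), appends it to ~/.ssh/authorized_keys exactly once, and sets the 700/600 modes that sshd's StrictModes requires before it will honour the file. The key line in demo() is constructed filler, not real key material.

```shell
#!/bin/sh
# Added example, not part of the original post: the remote-side work that
# ssh-copy-id does, written out by hand so the checks are visible.
# The key line used in demo() is constructed and is not real key material.

# Key types this installer accepts. ssh-dss (DSA) is deliberately left out:
# OpenSSH has disabled it by default since 7.0.
ALLOWED_TYPES="ssh-ed25519 ssh-rsa ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521 sk-ssh-ed25519@openssh.com"

# valid_pubkey_line LINE -> 0 if LINE looks like "<type> <base64> [comment]"
# with an allowed type and a blob made only of base64 characters.
valid_pubkey_line() {
    ktype=$(printf '%s\n' "$1" | awk '{print $1}')
    blob=$(printf '%s\n' "$1" | awk '{print $2}')
    [ -n "$ktype" ] && [ -n "$blob" ] || return 1
    case " $ALLOWED_TYPES " in
        *" $ktype "*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# install_pubkey HOMEDIR LINE -> append LINE to HOMEDIR/.ssh/authorized_keys
# once, with the modes sshd's StrictModes insists on (700 dir, 600 file).
install_pubkey() {
    homedir=$1
    line=$2
    valid_pubkey_line "$line" || return 1
    mkdir -p "$homedir/.ssh"
    chmod 700 "$homedir/.ssh"
    ak="$homedir/.ssh/authorized_keys"
    touch "$ak"
    chmod 600 "$ak"
    blob=$(printf '%s\n' "$line" | awk '{print $2}')
    # idempotent: re-running the install must not add duplicate lines
    if ! grep -Fq -- "$blob" "$ak"; then
        printf '%s\n' "$line" >> "$ak"
    fi
}

# count_keys HOMEDIR -> number of non-empty lines in authorized_keys
count_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}

# mode_of FILE -> octal permission bits (GNU stat, BSD stat fallback)
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

demo() {
    d=$(mktemp -d)
    # constructed key line: the base64 blob is filler, not a real key
    key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAddedExampleFillerNotARealKey0000000 user@laptop"
    install_pubkey "$d" "$key"
    install_pubkey "$d" "$key"          # second install is a no-op
    echo "keys installed: $(count_keys "$d"), mode: $(mode_of "$d/.ssh/authorized_keys")"
    rm -rf "$d"
}

demo
```

If sshd ignores your key after a manual install, the modes are the first thing to check: with StrictModes (the default) a group- or world-writable ~/.ssh or authorized_keys makes sshd silently fall back to password authentication.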

Mount a remote filesystem via sshfs

sshfs is a file system client based on the SSH File Transfer Protocol (SFTP). Since most SSH servers already support this protocol (OpenSSH enables the sftp subsystem by default), it is very easy to set up: on the server side there is nothing to do beyond running sshd. On the client side, mounting the file system is as easy as logging into the server with ssh, and the mount inherits ssh's security properties: the same authentication, the same host key verification, and the same encrypted transport.

SERVER SIDE
Install SSH Server:

sudo apt-get update
sudo apt-get install ssh

CLIENT SIDE
NOTE: Throughout this part of the tutorial, always replace username with your server’s username, and host with the IP Address or domain of your server.

Test your SSH connection to the server:

ssh username@host

If the connection was successful, move on to the next step.

Install sshfs:

sudo apt-get update
sudo apt-get install sshfs
sudo modprobe fuse

Configure your user to be a member of the fuse group. This is only needed on older releases: on current distributions udev creates /dev/fuse world read/writable (mode 0666) and these three commands can be skipped. Where they are needed, the device node must be readable and writable by the group; an execute bit on a device node does nothing.

sudo adduser username fuse
sudo chown root:fuse /dev/fuse
sudo chmod 660 /dev/fuse

Group membership is only read at login, so you must log out and back in for the new membership to take effect. A reboot is not required.

When you have logged back in, create a mount point within your home folder. The mount point must be a directory owned by your user (an unprivileged FUSE mount is refused otherwise), so your home directory is the natural place for it.

mkdir ~/what_ever_you_like_to_call_this_directory

Let’s mount and test the remote file system:

sshfs username@host:/remote/dir/to/mount ~/what_ever_you_like_to_call_this_directory/

If all went well, the remote directory is now mounted. Type ls -lg in a terminal, or use your favorite file manager such as Nautilus, to view the contents at the mount point.

To unmount the remote file system:

fusermount -u ~/what_ever_you_like_to_call_this_directory/
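The mount-point rule and the mount command above, turned into a small pre-flight script. This is an added example and not part of the original tutorial: it refuses to mount unless the target is an empty directory under $HOME owned by the current user (the condition an unprivileged FUSE mount needs, and mounting over existing files would hide them), and it prints an sshfs command that pins the key with IdentityFile/IdentitiesOnly, insists on a known host key, and adds reconnect and keepalive options so an idle connection does not leave a dead mount behind. username, host and the paths are placeholders; nothing touches the network until you run the printed command.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: pre-flight checks for an
# unprivileged sshfs mount, and the hardened command line to mount with.
# username, host and the paths are placeholders; nothing here touches the
# network until you actually run the printed sshfs command.

# check_mountpoint DIR -> 0 if DIR is an empty directory under $HOME that we own
check_mountpoint() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    case $dir in
        "$HOME"/*) ;;
        *) echo "mount point must live under $HOME: $dir" >&2; return 1 ;;
    esac
    # an unprivileged FUSE mount is refused on a directory owned by someone else
    [ -O "$dir" ] || { echo "not owned by $(id -un): $dir" >&2; return 1; }
    # mounting over files hides them until the unmount; refuse rather than surprise
    [ -z "$(ls -A "$dir")" ] || { echo "not empty: $dir" >&2; return 1; }
}

# build_sshfs_cmd USER HOST REMOTEDIR MOUNTPOINT KEYFILE -> prints the command.
# Options after -o that sshfs does not know are passed through to ssh:
#   IdentityFile + IdentitiesOnly: use exactly this key, not everything in the agent
#   StrictHostKeyChecking=yes: never mount from a host whose key is not in known_hosts
#   reconnect + ServerAlive*: survive idle timeouts instead of leaving a dead mount
#   idmap=user: map the remote uid of USER to the local uid so ls shows sane owners
build_sshfs_cmd() {
    printf 'sshfs %s@%s:%s %s -o IdentityFile=%s,IdentitiesOnly=yes,StrictHostKeyChecking=yes,reconnect,ServerAliveInterval=15,ServerAliveCountMax=3,idmap=user\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# unmount_sshfs MOUNTPOINT -> fusermount -u, falling back to umount where
# fusermount is absent (some distributions, macOS)
unmount_sshfs() {
    fusermount -u "$1" 2>/dev/null || umount "$1"
}

# mount_remote MOUNTPOINT USER HOST REMOTEDIR -> checks, then prints the command
mount_remote() {
    mp=$1
    check_mountpoint "$mp" || return 1
    build_sshfs_cmd "$2" "$3" "$4" "$mp" "$HOME/.ssh/id_rsa"
}

# Usage: run the checks against a throwaway home directory (subshell keeps
# the HOME override local) and show the command that would be executed.
demo() {
    d=$(mktemp -d)
    (
        HOME=$d
        mkdir "$HOME/remote_home"
        mount_remote "$HOME/remote_home" username host /home/username
    )
    rm -rf "$d"
}

demo
```

Run the printed command yourself once you are satisfied with it; to take the mount down again, call unmount_sshfs with the same mount point instead of a bare fusermount, so the fallback to umount covers systems that ship without fusermount.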