KEMBAR78
Linux Permissions | PDF | Secure Shell | Application Layer Protocols
Scribd
Upload
28 views5 pages

Linux Permissions

This case study outlines the implementation of CIS Benchmark recommendations for securing SSH on SUSE Linux Enterprise 15. It covers essential security enhancements such as disabling root login, securing file permissions, and using strong cryptographic algorithms. The document provides detailed steps for configuration changes to enhance SSH security and concludes with a verification process to ensure proper implementation.

Uploaded by

mallarapusudhakar445
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
28 views5 pages

Linux Permissions

This case study outlines the implementation of CIS Benchmark recommendations for securing SSH on SUSE Linux Enterprise 15. It covers essential security enhancements such as disabling root login, securing file permissions, and using strong cryptographic algorithms. The document provides detailed steps for configuration changes to enhance SSH security and concludes with a verification process to ensure proper implementation.

Uploaded by

mallarapusudhakar445
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 5

Create a Case Study on security policy for ssh

in OpenSUSE Linux Enterpise 15

Case Study: Implementing CIS Benchmark


Recommendations for SSH on SUSE Linux Enterprise 15
1. Introduction
Secure Shell (SSH) is a critical component for secure remote
administration of servers. This case study explores the CIS Benchmark
recommendations for securing SSH on SUSE Linux Enterprise 15 (SLE 15) and
implements security enhancements focusing on root login restrictions,
password-based authentication, and SSH port security.

1. File Permissions & Ownership


1.1 Ensure Secure Permissions on SSH Config Files
Step 1: Check File Permissions
• stat /etc/ssh/sshd_config
Expected Output:
• File: /etc/ssh/sshd_config
• Access: 0600 (-rw-------)
• Owner: root
Fix if Incorrect:
• chown root:root /etc/ssh/sshd_config
• chmod 600 /etc/ssh/sshd_config

SIDHANT BOTE 1
1.2 Secure SSH Host Keys
Step 1: Check Private Key Permissions
• ls -l /etc/ssh/ssh_host_*_key
Expected Output:
• -rw------- 1 root ssh_keys 1704 Jan 1 00:00 /etc/ssh/ssh_host_rsa_key
Fix if Incorrect:
• chown root:ssh_keys /etc/ssh/ssh_host_*_key
• chmod 600 /etc/ssh/ssh_host_*_key
Step 2: Check Public Key Permissions
• ls -l /etc/ssh/ssh_host_*_key.pub
Expected Output:
• -rw-r--r-- 1 root root 400 Jan 1 00:00 /etc/ssh/ssh_host_rsa_key.pub
Fix if Incorrect:
• chown root:root /etc/ssh/ssh_host_*_key.pub
• chmod 644 /etc/ssh/ssh_host_*_key.pub

2. Secure Authentication Settings


2.1 Disable Root Login
Step 1: Check Configuration
• grep "^PermitRootLogin" /etc/ssh/sshd_config
Expected Output:
• PermitRootLogin no
Fix if Incorrect:
• echo "PermitRootLogin no" >> /etc/ssh/sshd_config
• systemctl restart sshd

2.2 Disable Empty Passwords


Step 1: Check Configuration
• grep "^PermitEmptyPasswords" /etc/ssh/sshd_config
Expected Output:
• PermitEmptyPasswords no
Fix if Incorrect:
• echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
• systemctl restart sshd

2.3 Disable Host-Based Authentication


Step 1: Check Configuration
• grep "^HostbasedAuthentication" /etc/ssh/sshd_config
Expected Output:

SIDHANT BOTE 2
• HostbasedAuthentication no
Fix if Incorrect:
• echo "HostbasedAuthentication no" >> /etc/ssh/sshd_config
• systemctl restart sshd

2.4 Ignore .rhosts Files


Step 1: Check Configuration
• grep "^IgnoreRhosts" /etc/ssh/sshd_config
Expected Output:
• IgnoreRhosts yes
Fix if Incorrect:
• echo "IgnoreRhosts yes" >> /etc/ssh/sshd_config
• systemctl restart sshd

3. Cryptographic Hardening
3.1 Use Strong Ciphers
Step 1: Check Ciphers
• grep "^Ciphers" /etc/ssh/sshd_config
Expected Output:
• Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-
gcm@openssh.com
Fix if Incorrect:
• echo "Ciphers chacha20-poly1305@openssh.com,aes256-
gcm@openssh.com,aes128-gcm@openssh.com" >> /etc/ssh/sshd_config
• systemctl restart sshd

3.2 Use Strong MAC Algorithms


Step 1: Check MACs
• grep "^MACs" /etc/ssh/sshd_config
Expected Output:
• MACs hmac-sha2-512,hmac-sha2-256
• Fix if Incorrect:
• echo "MACs hmac-sha2-512,hmac-sha2-256" >> /etc/ssh/sshd_config
• systemctl restart sshd

4. Session Management & Hardening


4.1 Set Idle Timeout
Step 1: Check Timeout
• grep "^ClientAliveInterval" /etc/ssh/sshd_config

SIDHANT BOTE 3
• grep "^ClientAliveCountMax" /etc/ssh/sshd_config
Expected Output:
• ClientAliveInterval 300
• ClientAliveCountMax 3
Fix if Incorrect:
• echo "ClientAliveInterval 300" >> /etc/ssh/sshd_config
• echo "ClientAliveCountMax 3" >> /etc/ssh/sshd_config
• systemctl restart sshd

4.2 Limit Authentication Attempts


Step 1: Check Authentication Attempts
• grep "^MaxAuthTries" /etc/ssh/sshd_config
Expected Output:
• MaxAuthTries 4
Fix if Incorrect:
• echo "MaxAuthTries 4" >> /etc/ssh/sshd_config
• systemctl restart sshd

4.3 Limit Concurrent Sessions


Step 1: Check Session Limits
• grep "^MaxStartups" /etc/ssh/sshd_config
Expected Output:
• MaxStartups 10:30:60
Fix if Incorrect:
• echo "MaxStartups 10:30:60" >> /etc/ssh/sshd_config
• systemctl restart sshd

5. Additional Security Measures


5.1 Enable SSH Warning Banner
Step 1: Check SSH Banner
grep "^Banner" /etc/ssh/sshd_config
Expected Output:
• Banner /etc/issue.net
Fix if Incorrect:
• echo "Banner /etc/issue.net" >> /etc/ssh/sshd_config
• systemctl restart sshd
Step 2: Create the Banner Message
• echo "Unauthorized access is prohibited!" > /etc/issue.net

SIDHANT BOTE 4
5.2 Disable SSH X11 Forwarding
Step 1: Check X11 Forwarding
• grep "^X11Forwarding" /etc/ssh/sshd_config
Expected Output:
• X11Forwarding no
Fix if Incorrect:
• echo "X11Forwarding no" >> /etc/ssh/sshd_config
• systemctl restart sshd

5.3 Disable SSH TCP Forwarding


Step 1: Check TCP Forwarding
• grep "^AllowTcpForwarding" /etc/ssh/sshd_config
Expected Output:
• AllowTcpForwarding no
Fix if Incorrect:
• echo "AllowTcpForwarding no" >> /etc/ssh/sshd_config
• systemctl restart sshd

Final Verification
o Check SSH Configuration for Errors
• sshd -t
❖ Restart SSH Service
• systemctl restart sshd
❖ Test SSH Connection
• ssh -vv user@your-server

Conclusion
By implementing these CIS SSH Benchmarks, you secure OpenSUSE 15
Leap against common threats. Let me know if you need further demos!

SIDHANT BOTE 5

You might also like