Securing Your Asterisk Server, Part 2
Locking Down OpenSSH
July 26, 2006
Last week in part 1 we changed a bale of passwords. Today we'll take two more important steps to lock down our Asterisk@Home server: make sure that all Web administration traffic is encrypted, and lock down OpenSSH more tightly.
By default, Asterisk@Home sets up OpenSSH to run after installation, and to accept root logins. Accepting remote root logins is not the best security practice, because it leaves the door open for brute-force attacks on the root account.
If you're thinking that you don't need to worry about these things because your Asterisk server is safely tucked behind your stout firewall, using a non-routable private IP, you are right that this reduces the potential for attacks from the Internet. However, should a remote attacker succeed in getting behind your firewall, it's better for them to find more barriers, rather than a wide-open welcome. And don't forget that most security breaches are inside jobs, rather than silly Hollywood-type break-ins from the outside.
There are a couple of different ways to make OpenSSH more secure. A simple way is to create an ordinary, unprivileged user on the Asterisk server, use this account for remote logins, then disable remote root logins. To set this up, log into the server from another PC on your LAN and create this user, using any name you like:
carla@windbag:~$ ssh email@example.com
Last login: Tue Apr 25 13:13:35 2006 from 192.168.1.10
Welcome to Asterisk@Home
-------------------------------------------------
For access to the Asterisk@Home web GUI use this URL http://
For help on Asterisk@Home commands you can use from this command shell type help-aah.
[root@asterisk1 ~]# useradd freduser
[root@asterisk1 ~]# passwd freduser
Changing password for user freduser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@asterisk1 ~]#
Now exit the root login, then log in as your new user:
[root@asterisk1 ~]# exit
Connection to 192.168.1.25 closed.
carla@windbag:~$ ssh firstname.lastname@example.org
After you are logged in, use the
[freduser@asterisk1 ~]$ su
Password:
[root@asterisk1 freduser]#
Excellent! It works. Now open
[root@asterisk1 freduser]# nano /etc/ssh/sshd_config
PermitRootLogin no
AllowUsers freduser
Protocol 2
Then restart OpenSSH:
[root@asterisk1 freduser]# /etc/init.d/sshd restart
The AllowUsers directive is a nice way to preserve the flexibility of logging in from random remote hosts on your LAN, while blocking unauthorized users and brute-force attacks on the other Asterisk system accounts.
OpenSSH supports two ssh protocols, 1 and 2. ssh1 is obsolete and weak, so it's important to limit your SSH sessions to Protocol 2 only.
This makes SSH logins a two-step process, which is a bit inconvenient, but it adds a significant measure of security. Our little "freduser" has no power to do anything on the server, so even if an attacker succeeded in cracking freduser's account, the attacker would have to escalate to the root user to do any damage. This is called "privilege escalation." Privilege escalation is a fundamental tactic in any Linux intrusion attempt, because an attacker can't touch system files without rootly powers. This is why old Linux/Unix admins always nag about "don't do anything as root except what you really really have to." Strong passwords work, so make sure freduser has one. (See last week's article for information on password management.)
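To confirm that the three sshd_config settings above are the ones actually in effect, the following added example (not part of the original article or of Asterisk@Home) audits the text of a config file. It assumes the rules in sshd_config(5): keywords are case-insensitive, arguments are case-sensitive, the first value for a keyword wins, and repeated AllowUsers lines accumulate; the function names and the sample config are constructed for illustration.

```python
# Added example: audits sshd_config text for the article's three directives.
# Assumptions (per sshd_config(5)): keywords are case-insensitive, arguments are
# case-sensitive, the first value for a keyword wins, AllowUsers lines add up.
# Match blocks are not evaluated; only the global section is read.

SAMPLE = """\
# constructed sample, not taken from a real server
PermitRootLogin No
#Protocol 2
Protocol 2,1
AllowUsers freduser
PermitRootLogin no
"""

def effective_settings(text):
    """Return {keyword_lowercase: [arguments]} for the global section."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":            # per-connection overrides start here
            break
        if key == "allowusers":       # repeated lines accumulate
            settings.setdefault(key, []).extend(args)
        else:                         # first occurrence wins, later ones ignored
            settings.setdefault(key, args)
    return settings

def audit(text, allowed=("freduser",)):
    """Return a list of findings; an empty list means all three checks pass."""
    s = effective_settings(text)
    findings = []
    root = (s.get("permitrootlogin") or [None])[0]
    if root != "no":
        findings.append(f"PermitRootLogin is {root!r}, want 'no'")
    proto = (s.get("protocol") or [None])[0]
    if proto != "2":
        findings.append(f"Protocol is {proto!r}, want '2'")
    users = s.get("allowusers", [])
    if sorted(users) != sorted(allowed):
        findings.append(f"AllowUsers is {users}, want {list(allowed)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FAIL:", finding)
```

The sample fails twice: the first PermitRootLogin line uses a capitalized argument and shadows the correct one below it, and the active Protocol line still permits protocol 1. On current OpenSSH releases, which have dropped protocol 1, the Protocol check can be removed.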