security

Install and configure SSH on Debian or Ubuntu

SSH is a protocol that enables secure connections over unsecured networks. It supports the use of asymmetric encryption for user authentication. Private keys are kept locally, while public keys are stored on the remote machine.

The following configuration disables root logins on the remote machine. Only users belonging to the group ssh-users may establish a connection. Access to the remote machine is tied to the local user’s private key.

In this example, the name of the remote machine is debian-server, which has the address 192.168.1.10 on the network. sid is a user on debian-server, whereas bookworm is a user on the local machine. Choose an encryption passphrase to secure the private key that you will generate in Step 5.

On the remote machine

Step 1

Install the secure shell server with the following command:

$ sudo apt install --yes openssh-server

Step 2

If you are using ufw as a host-based firewall

Configure ufw to allow connections to the secure shell server.

$ sudo ufw limit ssh

If you are using firewalld as a host-based firewall

Configure firewalld to allow connections to the secure shell server.

$ sudo -- bash -c 'firewall-cmd --zone=public --add-service=ssh --permanent && firewall-cmd --reload && firewall-cmd --info-zone=public'

Step 3

Restrict access to the remote machine to members of a specific group. Start by creating the group ssh-users.

$ sudo addgroup --system ssh-users

Add the user sid to the group ssh-users.

$ sudo adduser sid ssh-users

On the local machine

Step 4

Install the secure shell client with the following command.

$ sudo apt install openssh-client

Step 5

Generate a new key pair for the local user bookworm:

$ ssh-keygen -t ed25519 -o -a 100

Save the key pair to the directory /home/bookworm/.ssh/. Choose a name that facilitates easy identification.

Enter file in which to save the key (/home/bookworm/.ssh/id_ed25519): ~/.ssh/id_ed25519-debian-server

The use of an appropriate passphrase to secure the private key is mandatory.

Step 6

Create the file ~/.ssh/config to configure the secure shell client.

$ nano ~/.ssh/config

Add the follwing minimal entry for the host debian-server.

Host debian-server
   Hostname 192.168.1.10
   IdentitiesOnly yes

Step 7

Deploy the public key with the following command.

$ ssh-copy-id -i ~/.ssh/id_ed25519-debian-server.pub sid@debian-server

Step 8

Log into the remote machine.

$ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server

When prompted to confirm the authenticity of the host debian-server, type yes and press [Enter].

The authenticity of host 'debian-server (192.168.1.10)' can't be established.
ED25519 key fingerprint is SHA256:C9RxLLVbvFwVJc0L4JHzcuHQSaPHJZe/GrRDvqy6rAG.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

In the next step, enter the passphrase for your private key.

Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':

Step 9

On the remote machine, download a file to harden the ssh server. You are encouraged to inspect its contents.

$ sudo -- bash -c 'wget -P /etc/ssh/sshd_config.d/ --show-progress https://edafe.de/debian/sshd_config.conf'

Activate the modifications on the remote machine.

$ sudo systemctl restart ssh.service

Step 9

On the local machine, open a new terminal window and run the following command.

$ $ ssh -i ~/.ssh/id_ed25519-debian-server sid@debian-server

In the next step, enter the passphrase for your private key.

Enter passphrase for key '/home/bookworm/.ssh/id_ed25519-debian-server':

Display the active configuration for the remote ssh server and verify its settings, paying particular attention to options for maxauthtries, permitrootlogin and passwordauthentication.

$ sudo sshd -T

All done!

For more in-depth information, please see stribika’s post-Snowden advice on hardening OpenSSH server installations.

The book SSH The Secure Shell by Daniel Barrett, Richard Silverman and Robert Byrnes is still useful today and has information on other clever stuff you can do with SSH.

The process of security

“Security is a process, not a product. Products provide some protection, but the only way to effectively do business in an insecure world is to put processes in place that recognize the inherent insecurity in the products.” Bruce Schneier acknowledges that perfect computer security probably doesn’t exist. He reminds us that we need to understand our risk of exposure in order to be able to manage it.
www.schneier.com

Trust the process, Tina!

What’s in a PR statement: LastPass breach explained

“LastPass likely could have prevented this if they were more concerned about keeping their users secure than about saving their face. Their statement is also full of omissions, half-truths and outright lies. As I know that not everyone can see through all of it, I thought that I would pick out a bunch of sentences from this statement and give some context that LastPass didn’t want to mention.” Wladimir Palant helps to decode what LastPass had to say about their latest security breach.
palant.info

Return of the russian passenger

“After a secret breaks in the news, Reply All re-examines how Alex Blumberg’s Uber account was hacked.”

Die AAA-Bürger

“So wie Alibaba und Amazon wissen, wofür sich ihre Nutzer interessieren und was sie als Nächstes kaufen könnten, will der chinesische Staat aus den Datenspuren seiner Bürger ableiten, wie sie sich in der Vergangenheit verhalten haben und in der Zukunft verhalten könnten und sie nach einem Punktesystem entsprechend bewerten. Wer zum Beispiel über das Internet gesunde Babynahrung bestellt, soll Pluspunkte erhalten. Wer sich hingegen Pornos ansieht oder zu viel Zeit mit Computerspielen verbringt, muss mit Abzügen rechnen.” Da trifft es sich gut, daß Felix Lee nichts zu verbergen hat und ein solcher Umgang mit Nutzerdaten überhaupt nur in China in Erwägung gezogen wird…
www.zeit.de

With thanks to Michael August

Wie, Du bist nicht bei Whatsapp?

“Wer Whatsapp liebt, sollte besser nicht weiterlesen, oder vielleicht gerade dann, denn Liebe macht ja bekanntlich oft blind.” Boris Pohler, selbst Lehrer und Vater von zwei Kindern, bennent den Preis für die Verwendung des weit verbreiteten Dienstes und erklärt, warum jeder Nutzer gegen deutsches Recht verstößt.
blog.pohlers-web.de

Is Facebook spying on you?

“This year we’ve gotten one question more than any other from listeners: is Facebook eavesdropping on my conversations and showing me ads based on the things that I say?”

Terrorists don’t scare city cyclists. We already have to deal with cars.

“If there’s one group of road users virtually immune to being cowed by a lowly act of terrorism involving a motor vehicle, it’s cyclists. We’re reminded every day—through rolled-down car windows, on too-narrow roads, via social media—that we “share” the roads with people who actively hate us and that our interests (including safety) come behind theirs. Every one of us knows what it’s like to stare death in the grille. Daily riders have all had drivers aim their cars at us as if they were about to plow us down, whether because of run-of-the-mill inattention or out-and-out road rage. This reality is priced into our decision to ride.” Eben Weiss alias Bike Snob NYC offers the urban cyclist’s perspective on the latest terrorist threat.
www.washingtonpost.com

How not to get phished

“Most humans can tell the difference most of the time, but if they are tired, or stressed, or in a rush, or have any number of other common obstacles to computer use, there’s a good chance they won’t notice the difference, will type their password into the wrong site, and will have their account taken over by bad guys.” Jacob Hoffman-Andrews identifies password managers as the average human’s best defence against phishing attacks.
jacob.hoffman-andrews.com

Katz-und-Maus-Spiel der Polizei mit dem Rechtsstaat

“Es ist schlicht und ergreifend nicht wahr, dass die Kritik an Hamburgs Polizeiführung nur von einer ‘militanten linken Szene’ komme, wie Innensenator Grote Glauben machen will. Dass es letztere gibt und dass sie extrem gewaltbereit ist, bezweifelt niemand. Doch wenn Grote sagt, es gebe zwar viele, die auch friedlich campen wollten, aber ‘wir können sie nicht von potenziellen Gewalttätern trennen’, dann ist dies schlicht und ergreifend ein Offenbarungseid. Denn genau das ist nun einmal Aufgabe der Polizei. Man stelle sich vor, die Polizei würde mit ähnlicher Begründung Bundesligaspiele verbieten, weil sich im Stadion auch Gewalttäter aufhalten.” Andrej Reisin formuliert seine Kritik an der Vorgehensweise der Polizei vor und während des G20-Gipfels in Hamburg.
www.daserste.de

Conversations

“Welcome to this introduction to Conversations. It is gonna be a great introduction. It’s gonna be fabulous. Other instant messengers have fought Conversations for many years, but they couldn’t beat it. Just couldn’t do it. Total loosers. They’re all dead now. All the other messengers have failed. Forget WhatsApp, okay? Signal …total disaster. Threema is so bad, it’s not even a real messenger. It’s fake. Threema is a fake messenger. Converstations has got to be the best messenger in the world. It’s huge. OMEMO. You’ll love it. Best protocol. Tremendous. Absolutely fantastic. Nobody has messengers better than Conversations. This messenger is so big, you can even see it from the moon. And I am going to make you pay for it. It’s true. Important people tell me that Conversations is so great, it’s unbelievable. So great, it’s beautiful. Conversations is the best instant messenger that God ever created.”
conversations.im

The swedish kings of cyberwar

“Among the many questions posed by Scandinavia’s embrace of mass surveillance is one that has lingered at the margins throughout the Snowden debate: Are advanced democracies any different than their authoritarian counterparts in seeking to gain broad access into the private lives of citizens?” Hugh Eakin shines a light on the underreported activities of Sweden’s FRA in spying on people everywhere.
www.nybooks.com

With thanks to Michael August

Complexity is the enemy of security: how to stay relevant in a hacked world

“And one way to fight back is through Open Source. To make sure that the systems we use are trustworthy and can be verified and can be veryfied by anybody [sic]. Relying on Open Source to bring us privacy and trustworthy security is a crucial point for our future on the Internet. The Utopia is gone, it’s not coming back. But we can do what we can to maintain as much trust on the Internet as possible. And openess is key to trust. Without openess there is no trust—without trust there is no democracy.”
Mikko Hypponen

What we give away when we log on to a public Wi-Fi network

“Already 20 smartphones and laptops are ours. If he wanted to, Slotboom is now able to completely ruin the lives of the people connected.” Wouter Slotboom is one of the good guys, demonstrating to Maurits Martijn his effortless ability to retrieve people’s passwords, steal their identity, and plunder their bank accounts.
decorrespondent.nl

Signal

“I am regularly impressed with the thought and care put into both the security and the usability of this app. It’s my first choice for an encrypted conversation.”
Bruce Schneier

Signal offers private messaging and calling in one simple app. It is both free and open source. Development is supported by community donations and grants. This means that there are no hidden strings attached. Use Signal as an alternative to WhatsApp or, better still, its replacement.
signal.org

Copy public key to ssh server

user@ubuntu:~$ ssh-copy-id user@123.45.56.78

askubuntu.com

Germanwings-Absturz: Wenn Sicherheitstechnik sich gegen die Sicherheit richtet

“Gäbe es keine Panzertür, dann hätte es diesen Absturz nicht gegeben … Dieses nachgerüstete 9/11-Geschwür ist Materialisierung eines vergifteten Zeitgeistes, dieses paranoiden Misstrauens.” Sascha Lobo und ein annonymer Pilot betrachten den Absturz von Flug 4U9525 als Flugzeugentführung infolge unzulänglicher Sicherheitskonzepte.
www.spiegel.de

“Security theatre is the practice of investing in countermeasures intended to provide the feeling of improved security while doing little or nothing to actually achieve it.”
Wikipedia

Why privacy matters

“Mass surveillance creates a prison in the mind.”
Glenn Greenwald

Mail-Dienste sehen alles

“Die elektronische Post kam mit kostenlosen Diensten in Mode. Für sie zahlen Kunden nicht in harter Währung, sondern akzeptieren Werbung und meist auch die Verwertung der aus ihren Daten gespeisten Kundenprofile.” Mittlerweile bekannt gewordene Abhörpraktiken der NSA rücken immer mehr auch Fragen nach der Sicherheit von E-Mails in den Vordergrund. Die Stiftung Warentest hat 14 Provider unter die Lupe genommen: Als Testsieger gehen Mailbox.org und Posteo hervor.
www.test.de

Edward Snowden: the untold story

“The question for us is not what new story will come out next. The question is, what are we going to do about it?” James Bamford interviews Edward Snowden, who regards the use of strong encryption in your everyday communication as a viable means to end mass surveillance.
www.wired.com

Also watch United States of Secrets, a two-part series detailing how the US government came to monitor and collect the communications of millions around the world.