If you have ever stood up a Linux server publicly on the internet and watched system logs you will know that it begins to be pounded almost immediately by people looking for a new machine to add to their botnet or use for other nefarious purposes. This is an even bigger problem with the rise of public clouds which has drastically increased the number of servers with public facing SSH daemons enticing the bad guys with a larger target. For this reason, you should never leave the ssh config set to the default when publicly available on the internet. Most are familiar with how to do this on the traditional Linux OSs, but what about the new comer, CoreOS Container Linux? Here I will give some tips on optimizing the SSH configurations on your CoreOS server to make it more secure.
First things first, you shouldn’t really be using a password for a server with a public facing SSH daemon. SSH keys are much larger and almost impossible to crack, making them my method of choice for securing SSH connections. If you don’t have one generated on your Mac or Linux machine execute the following command to generate a key pair. This needs to be completed first, otherwise you will be locked out of your machine via ssh.
ssh-keygen -t rsa
This will generate a two files, id_rsa and id_rsa.pub. Adding the keys to an existing CoreOS box is pretty simple. Log in over ssh and execute the below command.
echo '<contents of ~/.ssh/id_rsa.pub>' | update-ssh-keys -a core
Now that you have an ssh key configured we can move on to securing the daemon.
Securing the SSH Daemon
Now we need to make some configuration changes to the sshd config to turn off all password related authentication functions and disable root login via ssh.
- Remove the old templated config symlink:
sudo rm -r /etc/ssh/sshd_config
- Copy the template into place:
sudo cp /usr/share/ssh/sshd_config /etc/ssh/sshd_config
- Edit /etc/ssh/sshd_config as sudo and add the following lines to it:
UsePAM no #Stop processing of keyboard based authentication altogether
ChallengeResponseAuthentication no #No longer prompt for login.
PasswordAuthentication no #Turn off password authentication
PermitRootLogin no #Disable root login altogether
Change Listen Port
To increase security further, you can change the port SSH listens on to something other than 22. This makes it slightly less convenient to log in, but greatly improves security.
- Copy SSH socket config to systemd/system
sudo cp /usr/lib/systemd/system/sshd.socket /etc/systemd/system/sshd.socket
- Edit /etc/systemd/system/sshd.socket as root and change the value of
ListenStreamto the desired port.
- Reload systemd and restart the sshd socket
sudo systemctl daemon-reload && sudo systemctl restart sshd.socket
Hopefully, this post has been helpful and will put you a step ahead of the bad guys when deploying Container Linux. Remember, security is a never ending battle that you must always continue to fight.