-2

My goal is to have a VPN tunnel on a single port on a server's public IP and be able to SSH into the server with an additional VPN layer of encryption.

DETAILS OF THE SERVER CONFIGURATION:

I am running CentOS 7 on both server and clients. The documents I've read so far seem to focus on a configuration that runs through the browser and relays internet traffic. I don't need the server to relay anything. Can I access the server's SSH port through VPN and leave internet traffic (80/443) on the server and client alone. The server must still be able to serve 80/443 to the public via Apache and client access internet as normal.

I'm Root James
  • 202
  • 1
  • 12
  • Are you sure that it was the SSH that was compromised and that it wasn't something on your website code? SSH has prevention mechanisms against man-in-the-middle attacks by ensuring that the other end really is what it should be. – Tero Kilkanen Sep 11 '18 at 19:27
  • The website itself has not received any web-traffic. It's only a sandbox website for me to test web-development. I'm positive that I could reproduce the results without Apache running, but the end-goal is to serve a website from the same server. The server is either being compromised by the Cloud hosting company itself, or via SSH. Since I require a passphrase to load my SSH keys, I assume that the traffic is being picked off. SSH allows traffic to be picked off. A public router could easily be forwarding the SSH traffic on my behalf and decrypting packets to find my sudoer password. – I'm Root James Sep 11 '18 at 19:33
  • How have you verified that website has not received any traffic? Could you elaborate on how exactly SSH allows traffic to be picked off? I haven't seen any such claims before. Are you sure that your own workstation is clean? – Tero Kilkanen Sep 11 '18 at 19:42
  • I looked at the Apache logs. Either way, SSH is insecure. Try this: install wireshark and capture packets while connected via SSH. You can see the decrypted packet contents in cleartext on your end. So, if there is a mitm, if, the router or ISP imitates a response from the server in my direction when the connection is being initiated, they can decrypt all my packets because my client thinks it has setup a secure connection. The mitm can initiate connection with the server on clients behalf: BOOM they have cleartext of the communication. A VPN uses PRE-shared keys on the client and sever. – I'm Root James Sep 11 '18 at 19:50
  • Here is a description of SSH man in the middle attacks -> https://www.ssh.com/attack/man-in-the-middle – I'm Root James Sep 11 '18 at 20:00
  • Also, SSH uses SSL/TLS under the hood, as described here- > http://www.differencebetween.net/technology/difference-between-ssh-and-ssl/ . This means that a mitm can just forward the packets with their own SSL/TSL encryption layer. – I'm Root James Sep 11 '18 at 20:09

1 Answers1

2

If I may, I will take the liberty of decomposing your question, taking a step back, and helping to step through the entire solution design process so we can determine a workable solution for you. There are a number of inaccuracies in your question around the SSH protocol, VPNs, and in general, how we design secure systems. Let's work through them here.

At present, your question asks for guidance implementing specific technologies. However, your problem statement does not evaluate the specific threat you are facing, so it is premature to design a solution; in this respect, you have XY problemed us.

Any implementation you make will either not resolve the problem (because in fact the issue lies elsewhere) or add complexity where a simpler solution is adequate. Moreover, needless complexity is undesirable as it may be a source of further security vulnerabilities.

Rigorously define your problem

We should be objective focussed, not solution focussed. We should define the objects of our problem domain, ascertain any contributing factors to consider, understand the threats we face, and only then can we begin to determine which technology and process choices can be made to resolve the problem in hand. A process we may follow:

  • Identify the problem – what is the specific difficulty we are seeking to resolve? The difficulty should be an objective, measurable problem, backed up by hard evidence of its existence from observations made in the field.
  • Determine assumptions and constraints – are there specific items we can assume as being in a particular state, and are there other conditions imposed on the proposed solution? A significant constraint must include direct costs of implementing the solution (buying hardware, software, or consulting time) and indirect costs (making process change, training staff, accommodating lost productivity).

  • Identify threat actors (for security problems) – no system or process is 100% secure. We need to carefully determine the nature of all the adversaries who are likely to launch an attack in order to determine whether our solution adequately prevents such attacks. This applies to designing real-world physical security systems as much as designing for technical outcomes.

    For example, in your assessment, you may consider such factors as:

    • Capabilities of your adversary – how knowledgeable are they, do they have access to specific resources to aid an attack, etc.
    • Their position – there is a substantial difference between a script kiddie on the last mile of a residential internet service and a nation state actor with access to positions in the network from which man-in-the-middle attacks are feasible

    • Your risk and risk thermostat – what motivates the actor to attack you or your organization specifically? For example, does your system store or process sensitive and/or privileged data which is normally of a restricted nature and may be of value to others (personal data, company secrets, etc.)? Does it have a privileged position in a network from which further analysis or attacks may be launched (e.g. a core router in an ISP, a border gateway on the perimeter of a sensitive network in a large corporation)?

      This helps identify whether we are dealing with an Advanced Persistent Threat (APT) actor who seeks to target you specifically, or whether we're defending opportunists. It's much easier to defend against a passing opportunist by having modest protections which make you look secure relative to the competition.

      Furthermore, identifying your appetite for risk (your risk thermostat) contributes to optimizing the outcome to appropriately cover the identified risks without being over-the-top.

  • Implementation decision – using the information collected from this process, taking into account the constraints described and our stance on the risk, identify suitable technology and process changes to remedy the problem, or revise the constraints or risk profile if no solution can be identified.

Throughout the process, we remember security is a process, not a destination. We cannot "buy" security as a commodity off-the-shelf, and anyone who suggests as much is lying or has ulterior (likely pecuniary enrichment) motives.

Your specific problem

Your question is incredibly comprehensive, so we can follow our process in outline with your specific problems:

The problem

I have experienced a server compromise based on rkhunter analysis and want to mitigate the possibility of this happening again.

The specific problem is a past compromise of the machine, of which you wish to minimize any recurrences.

The primary goal I can identify from your question is to harden the machine against remote compromise events which may take place over a public network (such as the Internet). A secondary goal is to assure confidentiality and integrity of remote shell sessions to the remote machine.

Assumptions and constraints

Let's document these points to guide our solution:

  • The public website service(s) exposed from the machine are secure
  • The workstation(s) from which you initiate remote connections are not proxies for attacking the server machine in question. For example, they are not themselves infiltrated (so they are not a vector for keys leaking or being modified, or for the binaries used to make connections to be tampered with). You may wish to explore the security weaknesses of any client machines separately, or roll them into a single assessment.
  • The server machine is physically secure and tampering with the hardware or software configuration by a person physically attending the machine is unlikely or discounted. (A machine to which an attacker has had physical access is unlikely to be your machine any longer.)
  • The network is assumed compromised. There may be actors who have the ability to intercept or divert our packets.
  • We want to use freely available software to achieve the technical aspects of our solution.
  • We assume the users are adequately trained such that attacks on the wetware (human operators) can be discounted (e.g. social engineering threats). Again, in principle these are rarely mitigated adequately and are a weakness to most organizations, but this is Server Fault so besides a passing mention I will discount the non-technical aspects of the attack model.
  • It is acceptable if the solution requires offline distribution or verification of keys prior to the first connection.
  • Well-known cryptographic primitives are assumed to be immune to backdoor or non-publicly-disclosed attacks.

Threat model

I cannot adequately determine your threat model as I do not have visibility over your organization & infrastructure, nor do I possess an overview of the data portfolio you process or the private networks you may be connected to internally. From the public information in your profile, I can see you may work in a location which processes sensitive intellectual property on behalf of others, which would constitute a medium to high-risk collection of data for specific attack threats. (This threat may extend to personal systems which you operate.)

Implementation

Let's design a solution which meets our goals. To harden the machine, we need to consider public attack routes. It exposes two services, and we have assumed the web service is not vulnerable. Therefore, we must consider the remote shell connection.

For this purpose, SSH is more than capable of fulfilling your requirements without the added wrapper of a VPN session. Almost any Unix box is capable of running an SSH daemon, and a significant number are exposed directly or indirectly to hostile networks without infiltration.

How does SSH fit our goals?

Secure Shell (SSH) is designed to provide confidentiality and integrity of remote shell sessions. It does so using cryptographic approaches; in particular, hosts are assigned one or more host keys which can be used to positively identify the host to connecting client machines.

Man-in-the-middle attacks on SSH

As you have correctly identified, SSH is susceptible to a man-in-the-middle attack in a specific scenario: most users do not inspect the host keys presented by the machine on initial connection; they deploy a trust on first use policy. If a MitM can provide alternative host keys at this point, interception of the SSH session now and on future connections without further detection is feasible. Detection without inspecting the cached host key would require the MitM threat to be neutralized, or connection from an uncompromised network so the true host key of the remote host can be presented.

As we are concerned about MitM, we must design a solution to mitigate this. Options available to you include (non-exhaustive):

  • Only connecting over trusted networks. This is not workable as it does not meet our goals or assumptions around connections over public networks.
  • Distribution of the host key's fingerprint (or its entire public key) prior to initial connection. Use the ssh-keygen command on the server to obtain the fingerprint, distribute this to users, and have them compare the fingerprint presented on first connection with the version on the server. They must only log in if the fingerprint matches.
  • Publish the host keys in DNS and sign the zone using DNSSEC. Ensure all connecting clients use a DNSSEC-validating resolver and verify the DNS-based host keys. More information here. This approach avoids the burden of distributing and manually verifying the host key, but requires the presence of specific technical components which are not widespread on many networks yet.

Brute-force password attacks

Another vulnerability of a running SSH daemon is brute-force password attacks. It is common for attackers to probe your box for SSH services and attempt authentication using a common list of usernames and passwords. Boxes with usernames on the public list and weak passwords are likely to be compromised. Methods to mitigate this include:

  • Switching the SSH daemon to use key-based authentication and disabling password authentication from the public internet. Generate an RSA keypair for your user account using ssh-keygen with a large (e.g. >2048) number of bits, or an appropriate number of bits for a keypair signed with another crypto system.
  • Using software like fail2ban to watch your logs and add firewall rules to block further connection attempts from the same address after a failed login threshold is reached.

Would a VPN help?

VPN solutions may solve the same problem as you seek to solve with the SSH tunnel. They may use a different technical approach, or different crypto systems, but both are adequate to deliver on your security obligations. Both also incur similar overhead (e.g. the obligation to pre-distribute or verify the keys with each party in advance is identical).

The additional functionality provided by a VPN appears to be unnecessary in this particular instance if all you are seeking to operate is a remote shell server. Running a VPN likely carries additional risk through being another daemon running on your machine and a greater attack vector.

Cosmic Ossifrage
  • 1,610
  • 14
  • 23
  • Thanks. I will try to fix my question to be more clear. However, VPN is not a similar technical solution to SSH tunnel. An SSH tunnel uses asymetric encryp for PAM auth to the server and SSL to encypt packets in transit. The SSL encrpt keys are negotiated at run-time and so, the handshake can be spoofed by a MITM by injecting separate con between client/server, fwding packets and injecting packets going into the server. VPN relies on PRE-shared priv-pub key pairs not negotiated over the public internet. – I'm Root James Sep 11 '18 at 21:14
  • 1
    You're right, it's not necessarily technically identical. I've updated the answer. The point I was making, and which you will now see presented, was that VPN and SSH can deliver precisely the same level of "security", and both are adequate mechanisms for delivering on your security goals. Your understanding of SSH is flawed; you *can* negotiate sufficient details of the crypto system ahead of time that you are assured of the identity of the remote host on each connection. My post describes precisely the mechanism you need to follow to achieve this. – Cosmic Ossifrage Sep 11 '18 at 21:17
  • My goal is not ensuring the identity of the client because I need to mitigate MITM. My goal is to use consistent pre-shared keys (VPN); not run-time negotiated keys (SSH via SSL) to encrypt the packet-stream over SSH. – I'm Root James Sep 11 '18 at 21:43
  • If you know about an SSH configuration parameter that allows the use of pre-shared keys to symmetrically encrypt all packets instead of SSL tunnel instead of run-time shared keys (SSH via SSL) please share. However, I have not come across any. Otherwise, I need VPN to handle the symmetric packet encryption. Only on one port, allowing all other ports to function as normal. Specifically I may guess that some NAT configuration must be used in conjunction with VPN to manage the dev routing to ports in the CentOS. – I'm Root James Sep 11 '18 at 21:48
  • Can you articulate the reason why you must use this specific technical approach? What are you *objectively* trying to achieve by using pre-negotiated keys? The security of an SSH session from the user perspective rests primarily on the verification of host identity on first connection. If you use adequate offline channels to distribute and verify the host key, and subject to the assumptions about clients set out in the body of this answer, the integrity of the session is assured. Using shared keys arguably reduces confidentiality by eliminating any prospect of forward secrecy. – Cosmic Ossifrage Sep 11 '18 at 21:53
  • I require an this approach since I am making the assumption that ALL traffic is available in clear-text to the attacker during a true MITM attack. Setting up an ssh con to my cloud server, the private key is generated on my CLIENT machine (https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2) and then public key is loaded to the server. However, since I'm assuming that ALL traffic is clear-text to attackers, the keys themselves can be picked off and used. But, I can't spool up a server without that SSH auth vector. – I'm Root James Sep 11 '18 at 23:57
  • So, only available solution is to setup a VPN connection where both client and server use UN-publicized key pairs to decrypt each other's communication traffic. Again, using a cloud VPS, that VPN setup packet traffic is available in clear-text to a MITM attacker. I cannot guarantee that "Detection without inspecting ... would require the MitM threat to be neutralized, " as was posted in the answer. So, I need to use the initial VPN connection to access (from 3rd party server) an encrypted payload and use it to swap the VPN keys internally while I do the same on the client. – I'm Root James Sep 12 '18 at 00:03
  • 1
    I would give two upvotes for this answer if it was possible. Unfortunately it seems that it did not convince the OP of SSH security. It is NOT possible to MITM SSH if you have valid host identification on the client before making the connection. This answer clearly tells how to achieve that goal. I really wish you would not spend useless time implementing anything fancy like in the question, but concentrated on other possible security issues on your server. – Tero Kilkanen Sep 14 '18 at 06:48
  • 1
    *I am making the assumption that ALL traffic is available in clear-text to the attacker during a true MITM attack* While you can make that assumption, it is unreasonable as it is not evidence-based – an encrypted session with proper end-to-end verification of the client and server will not be available in clear text to the attacker. Exceptions are where the attacker has compromised the crypto system or one of the end hosts. If this has occurred, there is no viable technical solution anyway. Public keys are intended to be published (hence the name), so this vector does not merit consideration. – Cosmic Ossifrage Sep 15 '18 at 19:56
  • Actually, that assumption is valid. However, the implicit assumption that every SSH connection can be attacked via MITM is invalid. – Tero Kilkanen Sep 15 '18 at 20:15
  • Fair point! I suppose the other invalid assumption in there which I was teasing out is that the clear text traffic available to the attacker is meaningful - i.e. I can observe in clear text output C of some encryption process C = f(X), but this doesn't imply I can infer the value of the input X. – Cosmic Ossifrage Sep 15 '18 at 20:19