# How to improve the security around SSH Monitor

```{important}
This how-to is **strongly** recommended for virtually any situation,
unless your security experts explicitly state otherwise.
```

```{seealso}
See [security explanations](../../explanations/security_explanations.md) to find out more about why
this how-to is so strongly recommended.
```

## How to set up a customized restricted shell

Set up your {{target}} shell in [bash restricted mode](web-archive:20240205174336/https://www.howtogeek.com/718074/how-to-use-restricted-shell-to-limit-what-a-linux-user-can-do/):

1. Create the restricted shell `rbash`:

    ```{code} bash
    target $ sudo cp /bin/bash /bin/rbash
    ```
    
    ```{warning}
    Depending on your system,
    the absolute path to `bash` may vary
    (not necessarily `/bin/bash`)!
    ```

2. Then, modify the {{target}} user (or create a dedicated one if not done
   already) in order to ensure that only the restricted shell is available:

    * For existing users:

        ```{code} bash
        target $ sudo usermod -s /bin/rbash sshmonitor-user
        ```

    * For new users:

        ```{code} bash
        target $ sudo useradd -s /bin/rbash sshmonitor-user
        ```

    This way, some commands become unavailable, such as `cd`, as well as any command invoked
    with an absolute or relative path (e.g. `/path/to/my/malicious/script` or
    `./../../../my/malicious/script`).

3. To restrict the shell even more, it is recommended to expose only the needed commands:

    * Create an empty directory (e.g. `$HOME/bin`):

        ```{code} bash
        target $ sudo mkdir /home/sshmonitor-user/bin
        target $ sudo chown sshmonitor-user:sshmonitor-user /home/sshmonitor-user/bin
        ```

    * Modify (or create) the `$HOME/.bash_profile` and `$HOME/.bashrc` files like so:

        ```{code} bash
        target $ sudo cat /home/sshmonitor-user/.bashrc
            > readonly PATH=$HOME/bin

        target $ sudo cat /home/sshmonitor-user/.bash_profile
            > source $HOME/.bashrc
        ```

        This way, one can be sure the `PATH` environment variable is only set to
        `$HOME/bin` no matter how you try to connect.

    * Symlink the needed packages (e.g. the ones needed by
      [the default `.substitutions` files](sshmonitor-directory-gitlab-url:sshmonitorApp/db)):

        ```{code} bash
        target $ sudo ln -s /bin/awk /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/cat /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/curl /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/cut /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/df /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/echo /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/free /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/grep /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/ls /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/lscpu /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/print /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/rev /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/sed /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/shuf /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/tail /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/tr /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/uptime /home/sshmonitor-user/bin
        target $ sudo ln -s /bin/xargs /home/sshmonitor-user/bin
        ```

        Now, `sshmonitor-user` will be able to use all those packages (and only them) on the
        {{target}}.

        ```{seealso}
        See also
        [the Python "full-tests" script](sshmonitor-file-gitlab-url:tests/full_tests_script.py),
        by searching `ln -s` for a more complete and up-to-date list of needed packages.
        ```

        ```{warning}
        Depending on your system,
        the absolute path to packages may vary
        (e.g. not necessarily `/bin/ls` for the `ls` command)!
        ```

    * Finally, make sure the `$HOME/.bash_profile` and `$HOME/.bashrc` files are immutable, so that
      other users can't change them:

        ```{code} bash
        target $ sudo chattr +i /home/sshmonitor-user/.bash_profile
        target $ sudo chattr +i /home/sshmonitor-user/.bashrc
        ```
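An added audit script (not part of the SSH Monitor project) that checks whether an account really ends up in the state the steps above describe: login shell set to `rbash`, `PATH` pinned to `$HOME/bin`, every entry of that directory a resolving symlink, and the rc files immutable. The user name and home directory are assumptions passed as arguments.

```sh
#!/bin/sh
# Added audit helper for the restricted-shell setup above; not part of the
# SSH Monitor project. Each function takes explicit paths so it can be run
# against any account (user name, home and bin directory are caller-supplied).
# The login shell recorded in the passwd database must be the restricted copy.
check_login_shell() {          # usage: check_login_shell USER [EXPECTED_SHELL]
    shell=$(getent passwd "$1" | cut -d: -f7)
    [ "$shell" = "${2:-/bin/rbash}" ]
}

# .bashrc must pin PATH read-only to $HOME/bin and .bash_profile must only
# source it; any other non-comment line could widen PATH again.
check_rc_files() {             # usage: check_rc_files BASHRC BASH_PROFILE
    grep -qx 'readonly PATH=\$HOME/bin' "$1" || return 1
    grep -qx 'source \$HOME/.bashrc' "$2" || return 1
    extra=$(grep -hvE '^[[:space:]]*#|^[[:space:]]*$' "$1" "$2" \
            | grep -vE '^(readonly PATH=\$HOME/bin|source \$HOME/.bashrc)$' || :)
    [ -z "$extra" ]
}

# Every entry of the command directory must be a symlink that still resolves;
# prints each offending entry and returns 1 if there is any.
check_bin_dir() {              # usage: check_bin_dir BIN_DIR
    bad=0
    for entry in "$1"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty directory glob
        if [ ! -L "$entry" ]; then
            echo "$entry: not a symlink (a copied binary will not receive updates)"; bad=1
        elif [ ! -e "$entry" ]; then
            echo "$entry: dangling symlink, target is missing"; bad=1
        fi
    done
    return "$bad"
}

# chattr +i is reported as an 'i' in the attribute column of lsattr.
check_immutable() {            # usage: check_immutable FILE...
    for f in "$@"; do
        lsattr "$f" 2>/dev/null | awk '{ print $1 }' | grep -q i || return 1
    done
}
# Run every check for one account and stop at the first failure.
audit_restricted_account() {   # usage: audit_restricted_account USER HOME_DIR
    check_login_shell "$1" || { echo "$1: login shell is not rbash"; return 1; }
    check_rc_files "$2/.bashrc" "$2/.bash_profile" || { echo "$2: rc files do not pin PATH"; return 1; }
    check_bin_dir "$2/bin" || return 1
    check_immutable "$2/.bashrc" "$2/.bash_profile" || { echo "$2: rc files are not immutable"; return 1; }
    echo "ok: $1 is confined to $2/bin"
}
```

Run it as `audit_restricted_account sshmonitor-user /home/sshmonitor-user` after the steps above; a non-zero exit with a message names the first check that failed.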

## How to improve your SSH connection restrictions

It is also recommended to restrict your {{SSH}} authorized keys:

* As a prerequisite, the [SSH how-to](./ssh_how_to.md) should have been followed.

* Then just add the `restrict` option in front of every line in
  `/home/sshmonitor-user/.ssh/authorized_keys`, e.g.:

    ```{code} bash
    target $ sudo vi /home/sshmonitor-user/.ssh/authorized_keys
      ~ > restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTF6BBBBIGs5JCa454FvcStf/wFtxVWMEzkIW2ZXU9Mos6dRR987 sshmonitor-user@your-hostname
      ~ > restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5BBBBIBGXjqrDhkiIDtIFStz7LqgBjj1OD0GufNCy1iAXMIR7 othermonitor-user@other-hostname
    ```

Optionally, you can also specify which IP addresses and users are allowed for the {{SSH}} connection,
e.g. every `sshmonitor-manager` from `192.168.*.*`, any user from `10.2.*.*`, and every `root` user
from `178.*.42.*`:

```{code} bash
target $ sudo vi /etc/ssh/sshd_config
    > ...
  + >
  + > AllowUsers sshmonitor-manager@192.168.* *@10.2.* root@178.*.42.*

target $ sudo systemctl restart sshd
```

---

```{seealso}
See
<web-archive:20240205174336/https://www.howtogeek.com/718074/how-to-use-restricted-shell-to-limit-what-a-linux-user-can-do/>
and
<web-archive:20230707144803/https://www.jamieweb.net/blog/restricting-and-locking-down-ssh-users/>
for more details.
```

