5. How to improve the security around SSH Monitor

Important

This how-to is strongly recommended for virtually any situation, unless your security experts explicitly state otherwise.

See also

See security explanations to find out more about why this how-to is so strongly recommended.

5.1. How to set up a customized restricted shell

Set up the target user's shell in bash restricted mode (rbash):

  1. Create the restricted shell rbash:

    target $ sudo cp /bin/bash /bin/rbash
    

    Warning

    Depending on your system, the absolute path to bash may vary (it is not necessarily /bin/bash)!

  2. Then, modify the target user (or create a dedicated one if you have not already) so that only the restricted shell is available:

    • For existing users:

      target $ sudo usermod -s /bin/rbash sshmonitor-user
      
    • For new users:

      target $ sudo useradd -s /bin/rbash sshmonitor-user
      

    This way, some commands become unusable, such as cd, as does any program invoked through an absolute or relative path (e.g. /path/to/my/malicious/script, or ./../../../my/malicious/script).

  3. To restrict the shell even more, it is recommended to expose only the commands that are actually needed:

    • Create an empty directory (e.g. $HOME/bin):

      target $ sudo mkdir /home/sshmonitor-user/bin
      target $ sudo chown sshmonitor-user:sshmonitor-user /home/sshmonitor-user/bin
      
    • Modify (or create) the $HOME/.bash_profile and $HOME/.bashrc files like so:

      target $ sudo cat /home/sshmonitor-user/.bashrc
          > readonly PATH=$HOME/bin
      
      target $ sudo cat /home/sshmonitor-user/.bash_profile
          > source $HOME/.bashrc
      

      This way, the PATH environment variable is fixed read-only to $HOME/bin regardless of how the user connects (.bash_profile covers login shells, .bashrc the others), and the user cannot change it afterwards.

    • Symlink the needed commands (e.g. the ones needed by the default .substitutions files):

      target $ sudo ln -s /bin/awk /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/cat /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/curl /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/cut /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/df /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/echo /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/free /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/grep /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/ls /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/lscpu /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/print /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/rev /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/sed /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/shuf /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/tail /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/tr /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/uptime /home/sshmonitor-user/bin
      target $ sudo ln -s /bin/xargs /home/sshmonitor-user/bin
      

      Now, sshmonitor-user will be able to use all those commands (and only them) on the target.

      See also

      See also the Python “full-tests” script (search it for ln -s) for a more complete and up-to-date list of needed commands.

      Warning

      Depending on your system, the absolute path to a command may vary (e.g. ls is not necessarily /bin/ls); check it with command -v ls before creating the symlink!

    • Finally, make sure the $HOME/.bash_profile and $HOME/.bashrc files are immutable, so that nobody (not even sshmonitor-user) can change them:

      target $ sudo chattr +i /home/sshmonitor-user/.bash_profile
      target $ sudo chattr +i /home/sshmonitor-user/.bashrc
      

5.2. How to improve your SSH connection restrictions

It is also recommended to restrict your SSH authorized keys:

  • As a prerequisite, the SSH how-to should have been followed.

  • Then just add the restrict option in front of every line in /home/sshmonitor-user/.ssh/authorized_keys (restrict turns on every per-key restriction sshd offers: no port, agent or X11 forwarding, no PTY and no ~/.ssh/rc), e.g.:

        target $ sudo vi /home/sshmonitor-user/.ssh/authorized_keys
          ~ > restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTF6BBBBIGs5JCa454FvcStf/wFtxVWMEzkIW2ZXU9Mos6dRR987 sshmonitor-user@your-hostname
          ~ > restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5BBBBIBGXjqrDhkiIDtIFStz7LqgBjj1OD0GufNCy1iAXMIR7 othermonitor-user@other-hostname

Optionally, you can also restrict which users may connect over SSH, and from which IP addresses, with the AllowUsers directive in sshd_config. Once AllowUsers is present, any user it does not match is refused, so check the edited file with sudo sshd -t before restarting sshd (a broken sshd_config can lock you out). For example, to allow sshmonitor-manager from 192.168.*.*, any user from 10.2.*.*, and root from 178.*.42.*:

target $ sudo vi /etc/ssh/sshd_config
    > ...
  + >
  + > AllowUsers sshmonitor-manager@192.168.* *@10.2.* root@178.*.42.* 

target $ sudo systemctl restart sshd
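As an added example (not part of SSH Monitor), the following POSIX shell helper audits a target user's home directory against sections 5.1 and 5.2: it checks that .bashrc pins PATH read-only to $HOME/bin and that .bash_profile sources it, that $HOME/bin holds only symlinks to the allow-listed commands and that none of them dangle, and that every authorized_keys entry starts with restrict. The function name and the allow-list (taken from the symlink list in 5.1) are this example's assumptions; the login shell set with usermod -s and the chattr +i flags are not checked.

```shell
#!/bin/sh
# Added audit helper (not part of SSH Monitor): checks a target user's home
# directory against the restricted-shell setup in 5.1 and 5.2. Prints one
# line per failed check and returns the number of failures (0 = all good).
# Usage: audit_sshmonitor_home /home/sshmonitor-user

# Commands the how-to symlinks into $HOME/bin; anything else there is flagged.
ALLOWED_CMDS="awk cat curl cut df echo free grep ls lscpu print rev sed shuf tail tr uptime xargs"
AUDIT_FAILURES=0

audit_fail() { echo "FAIL: $1"; AUDIT_FAILURES=$((AUDIT_FAILURES + 1)); }

audit_sshmonitor_home() {
    hdir="$1"
    AUDIT_FAILURES=0

    # 1. PATH must be pinned read-only to $HOME/bin in .bashrc, and .bash_profile
    #    must source it, so login and non-login shells end up with the same PATH.
    grep -qx 'readonly PATH=\$HOME/bin' "$hdir/.bashrc" 2>/dev/null \
        || audit_fail ".bashrc does not contain 'readonly PATH=\$HOME/bin'"
    grep -qE '^(source|\.) +\$HOME/\.bashrc$' "$hdir/.bash_profile" 2>/dev/null \
        || audit_fail ".bash_profile does not source \$HOME/.bashrc"

    # 2. $HOME/bin may only hold symlinks to allow-listed commands, and each
    #    symlink must still resolve to an executable (no dangling links).
    [ -d "$hdir/bin" ] || audit_fail "$hdir/bin does not exist"
    for entry in "$hdir"/bin/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty or missing dir
        name=$(basename "$entry")
        case " $ALLOWED_CMDS " in
            *" $name "*) ;;
            *) audit_fail "unexpected command in bin: $name" ;;
        esac
        [ -L "$entry" ] || audit_fail "$name is a regular file, not a symlink"
        [ -x "$entry" ] || audit_fail "$name does not resolve to an executable"
    done

    # 3. Every key in authorized_keys must start with the 'restrict' option
    #    (blank lines and comments are ignored).
    if [ -f "$hdir/.ssh/authorized_keys" ]; then
        unrestricted=$(grep -vE '^[[:space:]]*(#|$)' "$hdir/.ssh/authorized_keys" \
            | grep -vcE '^restrict([ ,])' || true)
        [ "$unrestricted" -eq 0 ] \
            || audit_fail "$unrestricted authorized_keys line(s) without 'restrict'"
    else
        audit_fail "no authorized_keys file found"
    fi
    return "$AUDIT_FAILURES"
}
```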