Aniket Raj's Blog
#DAY4 AWS and DevOps Challenge: Password-less SSH and IPTABLES (Enhancing Security)

#DAY4 AWS and DevOps Challenge: Password-less SSH and IPTABLES (Enhancing Security)

aniket raj verma's photo
aniket raj verma
·

6 min read

Table of contents

Secure Shell (SSH) is a widely used protocol for securely connecting to remote servers and managing them. Traditionally, SSH requires users to enter a username and password for authentication. However, this method can be both cumbersome and less secure, as passwords can be vulnerable to brute force attacks or eavesdropping. To address these issues, SSH offers a more convenient and secure way to authenticate: password-less SSH.

What is Password-less SSH?

Password-less SSH, also known as SSH key-based authentication, is a method of logging into a remote server or device without the need to enter a password. Instead, it relies on cryptographic keys to authenticate users. The two main components of password-less SSH are:

  1. SSH Key Pair: In password-less SSH, you generate a pair of cryptographic keys—a public key and a private key. The public key is placed on the remote server, while the private key remains on your local machine. The private key should be kept secure and never shared.

  2. Authorized Keys File: On the remote server, there is a file called authorized_keys in the ~/.ssh directory of the user you want to log in as. This file contains one or more public keys that are allowed to authenticate as that user. When you attempt to connect to the server, SSH checks your private key against the public keys in the authorized_keys file to grant access.

Advantages of Password-less SSH:

  1. Enhanced Security: Passwords can be guessed, stolen, or intercepted. SSH key pairs, on the other hand, are extremely difficult to compromise if properly managed and secured.

  2. Convenience: Once set up, password-less SSH makes connecting to remote servers effortless. You won't need to remember or enter passwords each time you log in.

  3. Automation: Password-less SSH is essential for automating tasks like server backups, deployments, and other administrative tasks where secure, unattended access is required.

Setting Up Password-less SSH:

Setting up password-less SSH involves a few simple steps:

  1. Generate SSH Key Pair: Use the ssh-keygen command to generate your key pair. You can specify an optional passphrase for additional security.

     ssh-keygen -t rsa

  2. Copy Your Public Key: After generating your keys, you need to copy your public key to the remote server. You can use the ssh-copy-id command for this purpose.

     ssh-copy-id username@remote_server_ip

  3. Test Your Connection: Attempt to log in to the remote server without a password. If everything is set up correctly, you'll gain access seamlessly.

     ssh username@remote_server_ip

Best Practices for Password-less SSH:

  • Use Passphrases: While optional, adding a passphrase to your private key provides an additional layer of security. It means that even if someone gains access to your private key, they would still need the passphrase to use it.

  • Secure Your Private Key: Protect your private key by setting restrictive file permissions (chmod 600) and storing it in a secure location.

  • Regularly Rotate Keys: For enhanced security, consider rotating your SSH keys periodically.

IPTABLES:

Iptables is a firewall management tool for Linux systems. It is an essential part of the netfilter framework, which provides the necessary infrastructure for packet filtering, network address translation (NAT), and other packet mangling tasks. Iptables enables system administrators to define rules that determine how incoming and outgoing network traffic should be processed.

To configure an application to connect to the database(with application data) on port 5432 and to be connected from a user account using IP address - 192.158.21.10 and also that it connects to an application server from port 80 we can make use of IPTABLES.

To implement this system we first connect to the application using SSH to the application server.

ssh DEVAPP01

Implementation of IPTABLES:

In the Red Hat or centos system the iptables comes pre-installed but on the Ubuntu system, we have to install the iptables service.

sudo apt install iptables -y

OUTPUT:

To take a look at the structure of the iptable use the command sudo iptables -L

sudo iptables -L

Chain INPUT — Under this section we can provide the linux systems with rules that defines which system can connect to the server and which system’s request has to be dropped when a request of connection is asked.

Common use cases for the Input chain include allowing or blocking incoming SSH, HTTP, or other services. For example, you might want to allow incoming SSH (port 22) traffic to your server but block all incoming traffic to a specific port like Telnet (port 23).

Chain OUTPUT — Under this section we can provide the system with rules that defines to which system the application server can be connect to or ask data from. This is responsible for filtering the outgoing packets from the local system.

Common use cases for the Output chain include restricting outgoing access from your server. For instance, you might want to allow outbound traffic to external DNS servers (port 53) while blocking all other outbound connections, except for certain services.

Chain Forward — This section is not used frequently but it comes into play when our linux system is used as a router or gateway to forward packets between multiple systems. It manages traffic passing through your system from one network interface to another.

For example, if you have a Linux-based router that connects your local network to the internet, the Forward chain would control how packets from your internal network are forwarded to the internet and vice versa.

Commands:

iptables -A INPUT -p tcp -s 172.16.238.187 --dport 22 -j ACCEPT

This command is used to insert the rule that the ip address 172.16.238.187 will get accepted when it makes a connection request on the port 22. This rule is added in the INPUT chain.

Now to configure the iptable so that the other systems do not have permission to connect to the application server we give this command:

iptables -A INPUT -p tcp --dport 22 -j DROP
OptionDescription
-ADefines The ADD RULE
-pProtocol
-sSource
-dDestination
—dportPort number
-jAction to take

Conclusion:

Password-less SSH is a secure and convenient way to authenticate with remote servers. By using SSH key pairs, you can significantly enhance the security of your SSH connections while simplifying the login process. Whether you're a system administrator, developer, or anyone who frequently accesses remote servers, password-less SSH is a valuable tool that streamlines your workflow while keeping your data secure.

Iptables is a powerful tool for managing network traffic on Linux systems. By understanding the three primary chains (Input, Output, and Forward) and the anatomy of an iptables rule, you can control how traffic flows in and out of your system, enhancing security and network management capabilities. Whether you're securing a single server or managing complex network configurations, iptables is an essential tool in your Linux networking arsenal.

KodeKloudWeMakeDevslinux for beginnersLinux