{"id":1958,"date":"2019-09-24T14:32:11","date_gmt":"2019-09-24T20:32:11","guid":{"rendered":"https:\/\/ugit.siua.ac.cr\/?p=1958"},"modified":"2019-09-24T14:56:52","modified_gmt":"2019-09-24T20:56:52","slug":"instalacion-openssh-completo","status":"publish","type":"post","link":"https:\/\/sada.services\/?p=1958","title":{"rendered":"OpenSSH Installation-COMPLETE"},"content":{"rendered":"\n<ul class=\"wp-block-list\"><li>This section explains how to install the openssh service on port 44 (if necessary) with security measures applied.<\/li><li>Install the service:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>apt install openssh-server openssh-client -y<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Open the file:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Change the port number:<\/li><li><strong>IMPORTANT NOTE: do not do this on a PROXMOX server<\/strong><\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#Port 22\n#Change to:\nPort 44<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>By default, any system user with shell permissions can connect over SSH; to prevent this, we deny SSH login for the root user.<\/li><li><strong>IMPORTANT NOTE: do not do this on a PROXMOX server<\/strong><\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#PermitRootLogin prohibit-password\n#Change to:\nPermitRootLogin no<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Apply the following settings:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>#-----------------------------------------------------------------------\n#Time allowed to enter the password\n#-----------------------------------------------------------------------\n#LoginGraceTime 2m\n#Change to:\nLoginGraceTime 120 #PROXMOX\nLoginGraceTime 45 #Normal 
server\n\n#-----------------------------------------------------------------------\n#Check file modes and ownership of the user files and home directory before accepting login\n#-----------------------------------------------------------------------\n#StrictModes yes\n#Change to:\nStrictModes yes\n\n#-----------------------------------------------------------------------\n#Number of attempts permitted to enter the password before we are disconnected\n#-----------------------------------------------------------------------\n#MaxAuthTries 6\n#Change to:\nMaxAuthTries 3\n\n#-----------------------------------------------------------------------\n#Maximum number of sessions permitted per network connection\n#-----------------------------------------------------------------------\n#MaxSessions 10\n#Change to:\nMaxSessions 10 #PROXMOX\nMaxSessions 8 #Normal\n\n#-----------------------------------------------------------------------\n#To enable SSH access for system users with username and password:\n#yes\n#To prevent it: no\n#-----------------------------------------------------------------------\n#PubkeyAuthentication yes\n#Change to:\nPubkeyAuthentication yes\n#-----------------------------------------------------------------------\n#PasswordAuthentication yes\n#Change to:\nPasswordAuthentication yes\n#-----------------------------------------------------------------------\n\n\n#-----------------------------------------------------------------------\n#Add at the end of the file: users allowed to connect over ssh\n#-----------------------------------------------------------------------\n#Common server\nAllowUsers ugit\n#Proxmox server\nAllowUsers root ugit<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>To provide greater security, we will tell openssh which key exchange algorithms, symmetric ciphers and HMAC settings for integrity checking we want to use.<\/li><li>First, let us look at some tools that show the current security 
state of my SSH service<\/li><li>Mozilla: <a href=\"https:\/\/observatory.mozilla.org\/\">https:\/\/observatory.mozilla.<\/a><a rel=\"noreferrer noopener\" aria-label=\"org (abre en una nueva pesta\u00f1a)\" href=\"https:\/\/observatory.mozilla.org\" target=\"_blank\">org<\/a><\/li><li>Here we simply enter the domain of the server; the server must be listening on port 22 or the tool will not work<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1000\" height=\"396\" src=\"\/wp-content\/uploads\/2019\/09\/a1-3.png\" alt=\"\" class=\"wp-image-1962\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a1-3.png 1000w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a1-3-300x119.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a1-3-768x304.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>RESULTS:<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1000\" height=\"490\" src=\"\/wp-content\/uploads\/2019\/09\/a2-3.png\" alt=\"\" class=\"wp-image-1963\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a2-3.png 1000w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a2-3-300x147.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a2-3-768x376.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1000\" height=\"448\" src=\"\/wp-content\/uploads\/2019\/09\/a3-3.png\" alt=\"\" class=\"wp-image-1964\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a3-3.png 1000w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a3-3-300x134.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a3-3-768x344.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<ul 
class=\"wp-block-list\"><li>Ciphers used:<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"720\" src=\"\/wp-content\/uploads\/2019\/09\/a4-3.png\" alt=\"\" class=\"wp-image-1965\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a4-3.png 1000w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a4-3-300x216.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a4-3-768x553.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Another tool that can help us determine which ciphers we should not use is:<\/li><li><a href=\"https:\/\/sshcheck.com\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (abre en una nueva pesta\u00f1a)\">https:\/\/sshcheck.com\/<\/a><\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"530\" src=\"\/wp-content\/uploads\/2019\/09\/a5-3.png\" alt=\"\" class=\"wp-image-1966\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a5-3.png 1000w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a5-3-300x159.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a5-3-768x407.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>RESULTS:<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"670\" src=\"\/wp-content\/uploads\/2019\/09\/a6-3.png\" alt=\"\" class=\"wp-image-1967\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a6-3.png 1000w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a6-3-300x201.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a6-3-768x515.png 768w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a6-3-120x80.png 120w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" 
\/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"596\" src=\"\/wp-content\/uploads\/2019\/09\/a7-2.png\" alt=\"\" class=\"wp-image-1968\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a7-2.png 1000w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a7-2-300x179.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a7-2-768x458.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>And finally this other one, which is written in Python:<\/li><li><a rel=\"noreferrer noopener\" aria-label=\" (abre en una nueva pesta\u00f1a)\" href=\"https:\/\/github.com\/arthepsy\/ssh-audit\" target=\"_blank\">https:\/\/github.com\/arthepsy\/ssh-audit<\/a><\/li><li>To use it, clone the project into a directory on our machine:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>git clone https:\/\/github.com\/arthepsy\/ssh-audit.git<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Enter the project folder:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>cd ssh-audit\/<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Now, to run it:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/ssh-audit.py metis.siua.ac.cr:44<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1020\" height=\"573\" src=\"\/wp-content\/uploads\/2019\/09\/Selecci\u00f3n_014.png\" alt=\"\" class=\"wp-image-1970\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/Selecci\u00f3n_014.png 1020w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/Selecci\u00f3n_014-300x169.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/Selecci\u00f3n_014-768x431.png 768w\" sizes=\"(max-width: 1020px) 100vw, 1020px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" 
decoding=\"async\" width=\"985\" height=\"812\" src=\"\/wp-content\/uploads\/2019\/09\/Selecci\u00f3n_015.png\" alt=\"\" class=\"wp-image-1971\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/Selecci\u00f3n_015.png 985w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/Selecci\u00f3n_015-300x247.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/Selecci\u00f3n_015-768x633.png 768w\" sizes=\"(max-width: 985px) 100vw, 985px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>Now open the file:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>nano \/etc\/ssh\/sshd_config<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>And at the end of the file add:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512\nCiphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-128-etm@openssh.com\nHostKeyAlgorithms ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss,ssh-ed25519<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Restart the service:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>\/etc\/init.d\/ssh restart<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>And run the test again:<\/li><\/ul>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/ssh-audit.py metis.siua.ac.cr:44<\/code><\/pre>\n\n\n\n<ul class=\"wp-block-list\"><li>Now we can see how we have secured the SSH connection<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"919\" height=\"567\" src=\"\/wp-content\/uploads\/2019\/09\/a8-3.png\" alt=\"\" class=\"wp-image-1973\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a8-3.png 919w, 
https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a8-3-300x185.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a8-3-768x474.png 768w\" sizes=\"(max-width: 919px) 100vw, 919px\" \/><\/figure>\n\n\n\n<ul class=\"wp-block-list\"><li>And as we can see from logwatch, a large percentage of the SSH attacks is reduced.<\/li><\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1000\" height=\"407\" src=\"\/wp-content\/uploads\/2019\/09\/a9-3.png\" alt=\"\" class=\"wp-image-1974\" srcset=\"https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a9-3.png 1000w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a9-3-300x122.png 300w, https:\/\/sada.services\/wp-content\/uploads\/2019\/09\/a9-3-768x313.png 768w\" sizes=\"(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>This section explains how to install the openssh service on port 44 (if necessary) with security measures applied. Install the service: Open the file: Change the port number: IMPORTANT NOTE: do not do this on a PROXMOX server By default, any system user with shell permissions can 
[&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1958","post","type-post","status-publish","format-standard","hentry","category-sin-categoria"],"blocksy_meta":{"styles_descriptor":{"styles":{"desktop":"","tablet":"","mobile":""},"google_fonts":[],"version":6}},"_links":{"self":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/1958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1958"}],"version-history":[{"count":3,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/1958\/revisions"}],"predecessor-version":[{"id":2000,"href":"https:\/\/sada.services\/index.php?rest_route=\/wp\/v2\/posts\/1958\/revisions\/2000"}],"wp:attachment":[{"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sada.services\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}