This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Simon_Macpherso
Advisor
‎2020-08-25 07:01 PM

Restrict SSH Access to Management Station - R80.40

Hello

There is a bug in R80.40 JHF GA take 67 which allows ssh connection access from any external IP to a management station, despite only specific IPs or networks being configured as trusted clients.

We have logged a TAC and R&D are investigating. In the interim, they have suggested the following to restrict access.

-------------------------

Configure ssh daemon in sshd_config (/etc/ssh/sshd.conf) to use different authentication method depending on the client address/hostname.

First remove default authentication methods:

PasswordAuthentication no

PubkeyAuthentication no

Then add desired authentication methods after a Match Address in the end of the file. Placing Match in the end of the file is important, since all the configuration lines after it are placed inside the conditional block until the next Match line.

For example:

Match Addres 127.0.0.*

  PubkeyAuthentication yes

 

Other clients are still able to connect, but logins will fail because there is no available authentication methods.

-------------------------

Have anyone used this to restrict traffic?

We need to restrict access to 4 /24 networks and a /32 host. 

 

More information about Match method in sshd_config

https://linux.die.net/man/5/sshd_config

 

Regards,

Simon

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2020-08-25 08:46 PM

It’s leveraging fairly standard OpenSSH functionality, I don’t see an issue with the suggestion.

0 Kudos
John_Fleming
Advisor
‎2020-08-25 08:52 PM

Could be wrong here, but I think why trusted hosts doesn't do anything to ssh is because tcp wrappers support isn't compiled into sshd.

https://man7.org/linux/man-pages/man1/ldd.1.html

 

[Expert@MDS1:0]# fw ver
This is Check Point's software version R80.40 - Build 101
[Expert@MDS1:0]# ldd `which sshd` | grep -i wrap
[Expert@MDS1:0]#

[Expert@MDS1:0]# ldd `which xinetd` | grep -i wrap
libwrap.so.0 => /lib/libwrap.so.0 (0xf76a8000)
[Expert@MDS1:0]#

https://www.thegeekdiary.com/understanding-tcp-wrappers-in-linux/

 

I think if you wanted to use trusted hosts you would need to start sshd from xinetd instead of running sshd as its own daemon. Then you could prevent ssh hand shake of any kind of not passing tcp wrappers.

I will say your method is creative however.

0 Kudos
Simon_Macpherso
Advisor
‎2020-08-25 10:46 PM

My main concern is whether or not the below syntax for multiple hosts and networks is valid i.e. if it does not match on the first, it will proceed to the second and so on
 
e.g.
Match Address <ip address>/32
  PasswordAuthentication yes
Match Address <ip address>/24
  PasswordAuthentication yes
Match Address <ip address>/24
  PasswordAuthentication yes
Match Address <ip address>/24
  PasswordAuthentication yes
Match Address <ip address>/24
  PasswordAuthentication yes
 
I don't have out of band access to the management server and don't want to lock myself out. 
 
Regards,
Simon
0 Kudos
Yuri_Slobodyany
Collaborator
‎2020-08-30 03:05 AM
In response to Simon_Macpherso

I guess depends a lot on the issue/bug itself - is it an OpenSSH (by Checkpoint implementation) bug or Checkpoint component working WITH ssh bug ?

When you talk about "trusted hosts" - what do you mean? Where did you try to limit access to SSH ?

Their suggestion of setting authentication type per IP is quite exotic - haven't seen such one in production Linux system.  I do sometimes limit SSH access in sshd_config as a foolproof against someone misconfiguring security rules allowing ANY to ssh, but usually something like that is enough:

AllowUsers  admin@123.123.123.10 admin@10.88.88.*  yurisk

 

Taken from my post of 2011 and still working great 🙂 Two tips to secure SSH access from specific IPs to specific users in Checkpoint or any Linux 

https://www.linkedin.com/in/yurislobodyanyuk/
0 Kudos
Simon_Macpherso
Advisor
‎2020-08-30 05:32 PM
In response to Yuri_Slobodyany

Hello,

I dont think what I'm wanting to implement depends on the mentioned bug, which appears to be specific to R80.40. 

I said trusted clients, not hosts, i.e. limiting the access to the SMS from a specified list of hosts.

Adding the entry mentioned in my 2nd post above to  sshd_config worked, after also changing or removing the default authentication methods. 

Regards,

Simon

 

0 Kudos
cosmos
Advisor
‎2020-10-08 01:16 AM
In response to Simon_Macpherso

I'm curious, does this R80.40 build ignore "add allowed-client host|network" entries in clish? I found R77.10 does, the hard way. Bumped a cluster up to 77.30 today (yes today, please don't ask) and thought I'd lost a member after the first reboot, because my client wasn't in the list. I'd hate to see a repeat...

No console either. Yay for field engineers and cprid_util 🙂

0 Kudos
Douglas_Rich
Contributor
‎2021-06-07 01:57 PM

Just installed R80.40 + Take 118 in AWS and this issue is still present.

This issue was present with a open sever vmware install on take 76 but is fixed after installing Take 118, but not fixed in AWS with the same Take.

The specific line  in "/etc/ssh/sshd_config" which seems to be the root cause is: "PasswordAuthentication yes"

"yes" is BAD!

===============

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

===============

Change this to "no" and restart sshd "service sshd restart" and then the issue appears to go away.  Could be more to it, but this was the least single change that made a positive affect.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events