Yuri Slobodyanyuk Blog on Information Security, 2024-09-12
Two tips to secure SSH access from specific IPs to specific users in Checkpoint or any Linux

 

The article presents two tips for securing SSH access to Checkpoint firewalls and Linux servers, stressing how powerful SSH access is and how strongly it needs to be protected.

🎯 Change the listening port: edit the port setting in /etc/ssh/sshd_config and allow inbound connections to that port in the firewall rules; this makes attacking the system harder, e.g. by moving the port from 22 to 5022.

🚫 Restrict SSH access by user and IP address: OpenSSH can restrict specific users to specific source IP addresses, e.g. limit all SSH users to one network (such as 99.19.19.0/24), or limit certain users to specific IPs while allowing other users from any address.

📋 Other resources: the article also mentions restricting SSH access by time, preventing SSH session timeouts, and increasing SSH log retention.

Today I'll bring you two tips to secure SSH access to the Checkpoint firewall/Linux server beyond the firewall rules themselves. SSH access is the most powerful way to own the firewall, so it should be secured to a paranoid level, and even then it is never enough.

Tip 1 Change the listening port.
You may say obscurity is not security, but I will not agree: any measure that makes attacking your system harder without much burden on you is valid. After all, there is no such thing as total security, only an endless arms race. Checkpoint, being just Linux in disguise, uses the OpenSSH server, so changing the port is done in the following file:
NOTE: before changing the listening port, don't forget to allow incoming connections on the new port in the firewall rules.

/etc/ssh/sshd_config
#Port 22

You change the above line to (say I want to change the port to 5022):

Port 5022

Then save the file and restart the SSH daemon:

[Expert@fireball]#service sshd restart

Now you connect to the firewall on the new port: # ssh -p 5022 user@IP

Tip 2 Limit SSH access per user and per IP address

OpenSSH provides the possibility to restrict access for specific users to specific IP addresses. I will look here at a few potential scenarios.

Case 1 Limit all SSH users to access from a specific IP range, here from the network 99.19.19.0/24:

At the bottom of the same file, /etc/ssh/sshd_config, I add:

AllowUsers *@99.19.19.*

Save, restart the SSH daemon, and this takes effect: only users coming from the network 99.19.19.0/24 will be able to log in by SSH; any other source IP will always get "Wrong username or password".

Case 2 Limit some users to access from specific IPs but allow others from any address.
Checkpoint comes with the default user admin that people often do not change, and I have concluded over the years that changing people's bad behavior is much harder than changing firewalls. So I do this: when both I and the client are managing the firewall, I create a username for myself, here yurisk, and restrict the username admin to the internal networks (for emergency cases) and the client's specific IP. Here my user is yurisk, the client's user is admin, the LAN is 10.88.88.0/24 and the client's WAN IP is 123.123.123.10.

/etc/ssh/sshd_config:

AllowUsers  admin@123.123.123.10 admin@10.88.88.*  yurisk

Now the user admin will be able to connect only from 123.123.123.10 or from the 10.88.88.0/24 network, while yurisk will be able to connect from anywhere.
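Both cases above hinge on how OpenSSH matches AllowUsers patterns (a bare user name matches from any source, user@host splits into a user part and a host part, "*" and "?" are wildcards). The following dry-run is an added example, not code from the post or from OpenSSH: it re-implements that matching in POSIX shell so you can check which user/source combinations a config line will admit before restarting sshd. The sample sshd_config it writes to a temporary file is constructed to mirror Case 2.

```shell
#!/bin/sh
# Dry-run an AllowUsers line the way OpenSSH evaluates it (added example, assumptions:
# the host part is compared against the client IP only; OpenSSH also tries the
# reverse-DNS name when UseDNS is on, and that is not modelled here).
#   "user"       -> that user from any source address
#   "user@host"  -> user part and host part matched separately
#   "*" and "?"  -> wildcards, as in the page's  AllowUsers *@99.19.19.*
# No AllowUsers directive at all means no restriction (the OpenSSH default).

# match_glob VALUE PATTERN -> exit 0 if VALUE matches the shell-style glob PATTERN
match_glob() {
  case "$1" in
    $2) return 0 ;;
  esac
  return 1
}

# allowed USER IP [PATTERN...] -> exit 0 if at least one pattern admits USER from IP
allowed() {
  user=$1; ip=$2; shift 2
  [ $# -eq 0 ] && return 0
  for pat in "$@"; do
    case "$pat" in
      *@*) match_glob "$user" "${pat%%@*}" && match_glob "$ip" "${pat#*@}" && return 0 ;;
      *)   match_glob "$user" "$pat" && return 0 ;;
    esac
  done
  return 1
}

# allowed_by_config FILE USER IP -> same check, reading AllowUsers lines from an sshd_config
allowed_by_config() {
  pats=$(awk 'tolower($1)=="allowusers" { for (i = 2; i <= NF; i++) printf "%s ", $i }' "$1")
  set -f                      # no filename expansion while word-splitting the "*" patterns
  if allowed "$2" "$3" $pats; then rc=0; else rc=1; fi
  set +f
  return $rc
}

# Constructed sample config reproducing Case 2 (not a real file from the post)
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
Port 5022
AllowUsers  admin@123.123.123.10 admin@10.88.88.*  yurisk
EOF

for who in admin@10.88.88.7 admin@203.0.113.9 yurisk@203.0.113.9 root@10.88.88.7; do
  if allowed_by_config "$SAMPLE_CFG" "${who%@*}" "${who#*@}"; then echo "ALLOW $who"; else echo "DENY  $who"; fi
done
```

Before the `service sshd restart`, `sshd -t` validates the syntax of the file, but it does not tell you whether your own source address still matches; that is what this dry-run is for.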

Resources

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on LinkedIn, GitHub, the blog, and more.
