Testing SSH over local network

@mike @mickael,

The test plan for 0.7 suggests:

  • Enable SSH over local network and ensure hosts can be accessed via SSH over local network
  • Verify that iptables-based SSH connection rate limiting works

But I confess I have no idea how to do that :wink: Would you be so kind as to provide me with detailed instructions?

Cheers

Bonjour Loïc,

The docs were updated with instructions on how to enable ssh over local network, see here.

tldr:

git checkout 0.7-rc1
./securedrop-admin update
./securedrop-admin setup
./securedrop-admin sdconfig

When prompted for Enable SSH over Tor, enter no, and run:

./securedrop-admin install

You might be prompted by the installer to run ./securedrop-admin install again. If so, please do. Finally, run:

./securedrop-admin tailsconfig

You should now be able to administer your SecureDrop instance by ssh over local network.

As for testing the rate limiting, try to ssh using the server’s IP, with an incorrect user name. If you do it several times, you should be locked out for a few minutes.

Salut Mickael,

Does it mean that I can ssh to a local IP from the tails key? I thought it was only possible to ssh from tails via Tor. Looks like I’m missing something here :wink:

The rules in install_files/ansible-base/roles/restrict-direct-access/templates/rules_v4

-A OUTPUT -o lo -p tcp --dport 22 -m owner --uid-owner debian-tor -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT -m comment --comment "Rate limit traffic from tor to the ssh dameon"

suggest trying 3 times in less than one minute should be enough to trigger rate limiting. I’m unclear about how long it lasts?

Correct, the idea is to not rely on Tor for SecureDrop administration (and only over local network), on an opt-in basis.

The iptables rule you specified is for ssh over Tor. The rule for ssh over local network is a bit further in the same file:

-A INPUT -i {{ ssh_int }} -s {{ ssh_net_in_override|default(admin_net_cidr) }} -p tcp --dport 22 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT -m comment --comment "Rate limit incoming ssh traffic"

limit-burst 3 should allow 3 attempts in rapid succession, after which the limit of 3 per minute will kick in. The burst should be available after 3 minutes, if the rate limit isn’t hit in the meantime.


So I should:

a) try 3 (burst) + 3 (rate limit) + 1 = 7 times within one minute and verify that I’m blocked (for how long?)
b) wait 3 minutes, verify that trying 3 times rapidly is not blocked

Correct?

Yes, that sounds right. The throttling should then reset after 1 minute, to 3/minute.

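To make the burst/rate explanation and the test plan above concrete, here is an added model of the `-m limit --limit 3/min --limit-burst 3` match as a token bucket (this is example code written for this thread, not SecureDrop's own code; the kernel's xt_limit uses integer credits internally, and this float version only approximates it). Because the rule matches on `--state NEW`, every new TCP connection to port 22 spends a token, whether or not the login that follows succeeds.

```python
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Token-bucket model of iptables '-m limit --limit R/min --limit-burst B'.

    The bucket starts full (B tokens), refills continuously at R tokens per
    minute, never holds more than B tokens, and a packet matches the rule only
    when a whole token is available.
    """
    rate_per_min: float = 3.0
    burst: int = 3
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst)

    def matches(self, now: float) -> bool:
        elapsed = now - self.last
        # refill, capped at the burst size (e.g. 3/min -> one token per 20 s)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate_per_min / 60.0)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True          # rule matches -> ACCEPT
        return False             # no token -> falls through to the later DROP


def simulate(attempt_times):
    """Return [(t, accepted), ...] for NEW ssh connections made at the given
    times in seconds (constructed input, not captured traffic)."""
    match = LimitMatch()
    return [(t, match.matches(t)) for t in attempt_times]


if __name__ == "__main__":
    # Step a) of the test plan: 7 rapid attempts, one per second.
    for t, ok in simulate(range(7)):
        print(f"t={t:3d}s  {'accepted' if ok else 'blocked'}")
    # Step b): after waiting 3 minutes, 3 rapid attempts should all get through.
    for t, ok in simulate([0, 1, 2, 3, 4, 5, 6, 180, 181, 182])[-3:]:
        print(f"t={t:3d}s  {'accepted' if ok else 'blocked'}")
```

With these numbers the model shows what the thread predicts: the first three rapid connections are accepted, the rest of the seven are blocked, one more is let in every 20 seconds after that, and the full burst is back after an idle minute.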