bssh 2.0.1

Parallel SSH command execution tool for cluster management
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482

# Security Guide

[Back to Documentation Index](./README.md)

This guide covers security best practices for deploying and configuring bssh-server.

## Table of Contents

- [Overview](#overview)
- [Authentication Security](#authentication-security)
- [Network Security](#network-security)
- [Session Security](#session-security)
- [File Transfer Security](#file-transfer-security)
- [Host Key Management](#host-key-management)
- [Audit and Compliance](#audit-and-compliance)
- [Hardening Checklist](#hardening-checklist)

## Overview

bssh-server is designed with security as a primary concern. It implements multiple layers of protection:

- **Authentication**: Public key and password authentication with rate limiting
- **Network**: IP allowlists/blocklists with CIDR support
- **Sessions**: Per-user session limits, idle timeouts, and maximum duration
- **File Transfers**: Path traversal prevention and file filtering
- **Audit**: Comprehensive logging with multiple export options

## Authentication Security

### Public Key Authentication (Recommended)

Public key authentication is more secure than passwords because:
- No secrets are transmitted over the network
- Keys are computationally infeasible to brute-force
- Keys can be protected with passphrases locally

**Configuration:**

```yaml
auth:
  methods:
    - publickey
  publickey:
    # Per-user directory structure
    authorized_keys_dir: /etc/bssh/authorized_keys
    # Structure: /etc/bssh/authorized_keys/{username}/authorized_keys

    # OR pattern-based (for existing systems)
    authorized_keys_pattern: "/home/{user}/.ssh/authorized_keys"
```

**Best Practices:**
- Use Ed25519 keys (`bssh-keygen -t ed25519`)
- Protect private keys with passphrases
- Restrict authorized_keys file permissions to 0600
- Regularly rotate keys (annually or when personnel changes)

### Password Authentication

If password authentication is required, use strong passwords with Argon2id hashing:

```yaml
auth:
  methods:
    - password
  password:
    users:
      - name: username
        password_hash: "$argon2id$v=19$m=19456,t=2,p=1$..."
```

**Generating Password Hashes:**

```bash
bssh-server hash-password
# Uses Argon2id with:
# - 19 MiB memory cost (resistant to GPU attacks)
# - 2 iterations
# - 1 degree of parallelism
```

**Best Practices:**
- Require minimum 12-character passwords
- Use unique passwords per user
- Consider disabling password auth in favor of keys
- Never store plaintext passwords

### Rate Limiting and Banning

Protect against brute-force attacks:

```yaml
security:
  # Ban IP after 5 failed attempts
  max_auth_attempts: 5

  # Time window for counting failures (5 minutes)
  auth_window: 300

  # Ban duration (5 minutes)
  ban_time: 300

  # IPs exempt from rate limiting
  whitelist_ips:
    - "127.0.0.1"
    - "::1"
    - "10.0.0.0/8"  # Internal network
```

## Network Security

### IP Access Control

Restrict access to trusted networks:

```yaml
security:
  # Allow only these IP ranges (whitelist mode)
  allowed_ips:
    - "192.168.1.0/24"      # Office network
    - "10.0.0.0/8"          # Internal network
    - "2001:db8::/32"       # IPv6 range

  # Always block these IPs (takes priority)
  blocked_ips:
    - "192.168.1.100/32"    # Compromised host
    - "203.0.113.0/24"      # Known bad actors
```

**Priority Rules:**
1. Blocked IPs are always denied (highest priority)
2. If allowed_ips is configured, only those IPs are permitted
3. If allowed_ips is empty, all IPs (except blocked) are permitted

**Best Practices:**
- Use CIDR notation for precise control
- Block entire ranges known for abuse
- Use allowlists in high-security environments
- Monitor blocked connection attempts

### Network Binding

Bind to specific interfaces when possible:

```yaml
server:
  # Bind to specific internal interface
  bind_address: "10.0.0.1"

  # Or all interfaces (for containers)
  bind_address: "0.0.0.0"
```

### Port Selection

```yaml
server:
  # Use non-standard port to reduce automated scans
  port: 2222

  # Or standard port 22 (requires root or capabilities)
  port: 22
```

## Session Security

### Session Limits

Prevent resource exhaustion and detect compromised accounts:

```yaml
security:
  # Maximum sessions per user
  max_sessions_per_user: 10

  # Idle session timeout (1 hour)
  idle_timeout: 3600

  # Maximum session duration (24 hours, 0 = disabled)
  session_timeout: 86400

server:
  # Maximum total connections
  max_connections: 100

  # Connection timeout (5 minutes)
  timeout: 300

  # SSH keepalive interval
  keepalive_interval: 60
```

### Shell Security

```yaml
shell:
  # Use restricted shell if available
  default: /bin/rbash

  # Command execution timeout
  command_timeout: 3600

  # Minimal environment
  env:
    PATH: /usr/bin:/bin
    LANG: C.UTF-8
```

**Per-User Shell Restrictions:**

```yaml
auth:
  password:
    users:
      - name: sftp-only
        password_hash: "..."
        shell: /usr/sbin/nologin  # No shell access
```

## File Transfer Security

### SFTP/SCP Control

```yaml
# Disable if not needed
sftp:
  enabled: false

scp:
  enabled: false

# Or enable with restrictions
sftp:
  enabled: true
  root: /data/sftp  # Chroot to this directory
```

### File Transfer Filtering

Block dangerous file types:

```yaml
filter:
  enabled: true
  rules:
    # Block executable uploads
    - pattern: "*.exe"
      action: deny
    - pattern: "*.sh"
      action: deny
    - pattern: "*.py"
      action: deny

    # Block uploads to sensitive directories
    - path_prefix: "/etc/"
      action: deny
    - path_prefix: "/usr/"
      action: deny

    # Log all transfers to temp
    - path_prefix: "/tmp/"
      action: log
```

**Filter Actions:**
- `deny`: Block the transfer
- `allow`: Explicitly allow (overrides other rules)
- `log`: Allow but log the transfer

### Path Traversal Prevention

bssh-server automatically prevents path traversal attacks:
- All paths are normalized before processing
- `..` components cannot escape the root directory
- Symlinks are resolved and validated
- Absolute paths are stripped and joined with the user's root

## Host Key Management

### Key Generation

```bash
# Generate Ed25519 key (recommended)
bssh-server gen-host-key -t ed25519 -o /etc/bssh/ssh_host_ed25519_key

# Generate RSA key (for compatibility)
bssh-server gen-host-key -t rsa -o /etc/bssh/ssh_host_rsa_key --bits 4096
```

### Key Permissions

```bash
# Ensure secure permissions
chmod 600 /etc/bssh/ssh_host_*_key
chown root:root /etc/bssh/ssh_host_*_key
```

### Key Rotation

Rotate host keys periodically (annually) or when:
- Key may have been compromised
- Significant personnel changes occur
- Migrating to new infrastructure

**Rotation Process:**
1. Generate new host key
2. Update configuration to include both old and new keys
3. Notify users of host key change
4. After transition period, remove old key

## Audit and Compliance

### Enable Audit Logging

```yaml
audit:
  enabled: true
  exporters:
    # Local file (JSON Lines format)
    - type: file
      path: /var/log/bssh/audit.log

    # Send to SIEM via OpenTelemetry
    - type: otel
      endpoint: http://otel-collector:4317

    # Send to Logstash
    - type: logstash
      host: logstash.example.com
      port: 5044
```

### Audit Events

The following events are logged:
- **Authentication**: Success, failure, rate limiting
- **Sessions**: Start, end, duration
- **Commands**: Executed commands (can contain sensitive data)
- **File Operations**: Read, write, delete, rename
- **Security**: IP blocks, suspicious activity

### Log Protection

```bash
# Protect audit logs
chmod 600 /var/log/bssh/audit.log
chown root:root /var/log/bssh/audit.log

# Configure log rotation
cat > /etc/logrotate.d/bssh << EOF
/var/log/bssh/*.log {
    daily
    rotate 90
    compress
    delaycompress
    missingok
    notifempty
    create 0600 root root
}
EOF
```

## Hardening Checklist

### Minimal Configuration

- [ ] Use public key authentication only
- [ ] Disable password authentication
- [ ] Disable unused subsystems (SFTP/SCP)
- [ ] Set appropriate timeouts
- [ ] Configure session limits

### Network Hardening

- [ ] Configure IP allowlists for production
- [ ] Use non-standard port if appropriate
- [ ] Bind to specific interface if possible
- [ ] Deploy behind firewall/load balancer

### Key Management

- [ ] Use Ed25519 keys
- [ ] Set correct file permissions (0600)
- [ ] Rotate keys periodically
- [ ] Store keys securely (HSM for high security)

### Monitoring and Audit

- [ ] Enable audit logging
- [ ] Configure log shipping to SIEM
- [ ] Set up alerts for security events
- [ ] Regularly review access logs

### File Security

- [ ] Enable file transfer filtering
- [ ] Block dangerous file types
- [ ] Restrict upload directories
- [ ] Use SFTP chroot when possible

### Container Security

- [ ] Use minimal base image
- [ ] Run as non-root if possible
- [ ] Set resource limits
- [ ] Use read-only filesystem
- [ ] Generate unique host keys per instance

## Security Configuration Example

Complete security-focused configuration:

```yaml
# /etc/bssh/server.yaml - High Security Configuration

server:
  bind_address: "10.0.0.1"
  port: 2222
  host_keys:
    - /etc/bssh/ssh_host_ed25519_key
  max_connections: 50
  timeout: 120
  keepalive_interval: 30

auth:
  methods:
    - publickey
  publickey:
    authorized_keys_dir: /etc/bssh/authorized_keys

shell:
  default: /bin/rbash
  command_timeout: 1800
  env:
    PATH: /usr/bin:/bin

sftp:
  enabled: true
  root: /data/sftp

scp:
  enabled: false

filter:
  enabled: true
  rules:
    - pattern: "*.exe"
      action: deny
    - pattern: "*.dll"
      action: deny
    - path_prefix: "/etc/"
      action: deny

audit:
  enabled: true
  exporters:
    - type: file
      path: /var/log/bssh/audit.log
    - type: otel
      endpoint: http://siem:4317

security:
  max_auth_attempts: 3
  auth_window: 300
  ban_time: 900
  whitelist_ips:
    - "127.0.0.1"
  max_sessions_per_user: 5
  idle_timeout: 1800
  session_timeout: 28800
  allowed_ips:
    - "10.0.0.0/8"
    - "192.168.0.0/16"
  blocked_ips:
    - "0.0.0.0/8"
```

## See Also

- [Server Configuration](./architecture/server-configuration.md)
- [Audit Logging](./audit-logging.md)
- [Quick Start Guide](./quick-start.md)