LinuxQuestions.org
Old 04-09-2011, 12:10 AM   #1
The Moorish
LQ Newbie
 
Registered: Apr 2011
Posts: 13

Rep: Reputation: 0
How to disable tcpwrappers?


Hello

I've set up a network within my lab and only gave access to local machines (Redhat 5, and a Windows Server 2000). First I have succeeded in enabling iptables, logwatch, nfs, portmap, tcpwrapper.

This is my hosts.allow file:

Code:
#
# hosts.allow	This file describes the names of the hosts which are
#		allowed to use the local INET services, as decided
#		by the '/usr/sbin/tcpd' server.
#
hosts.deny:

Code:
#
# hosts.deny	This file describes the names of the hosts which are
#		*not* allowed to use the local INET services, as decided
#		by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
This is my /etc/xinetd.d:

Code:
23:04:36 # ls
cvs
eklogin
ekrb5-telnet
gssftp
klogin
krb5-telnet
kshell
ktalk
rsync
Now I want to use SSH from a remote machine; I have disabled iptables, nfs, logwatch, portmap.

What should I do to be able to access my network from my laptop, which is not connected to my network?

Thank you in advance.

Last edited by The Moorish; 04-09-2011 at 01:08 AM.
 
Old 04-09-2011, 02:51 AM   #2
Nermal
Member
 
Registered: Jan 2009
Distribution: Debian
Posts: 59
Blog Entries: 2

Rep: Reputation: 6
Morning Moorish,

Just a couple of questions:

1. What version of Linux are you using?
2. Do you have sshd installed?

If you type as root:
Code:
which sshd
This will tell you if it can find the ssh service called sshd.

I'm guessing that either sshd is not installed or not configured.

So to install sshd you need to use yum:

Code:
yum install openssh-server
And to start it:

Code:
service sshd start
You may want to look at chkconfig to make it start all the time.

For your laptop, you need an SSH client and to attach it to the network. I use Cygwin as it also has X11.

Last edited by Nermal; 04-09-2011 at 03:02 AM. Reason: still waking up... sorry should take more time to read.
 
Old 04-09-2011, 03:42 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,118
Blog Entries: 54

Rep: Reputation: 2786
Quote:
Originally Posted by The Moorish
Now i want to use ssh from a remote machine, i have disabled iptables,nfs,logwatch,portmap
what should i do to be able to access my network from my laptop which is not connected to my network?
Disabling NFS and portmap makes sense if you do not need to provide those services: it is unrelated to and has nothing to do with enabling or running SSH.
Disabling Logwatch and iptables makes no sense at all unless you have no need for them (unlikely) or have no clue at all what you're doing (more likely). In case of the latter your initial reflex should not be to disable services but to first read some basic documentation that RHEL provides (which is not too shabby) and familiarize yourself with Linux concepts and server administration: note that Linux may be free to use but using it is not free of responsibilities.


If, like Nermal suggested, you have the openssh-server package installed, you continue editing /etc/ssh/sshd_config to ensure PermitRootLogin and PasswordAuthentication are denied. After you have 0) set up a local unprivileged user account to access SSH with PubKey auth, and have 1) tested this user can access the server and use sudo to perform commands as root, configure your tcp_wrapper ('man hosts_access') configuration files.

Quote:
Originally Posted by The Moorish
this is my hosts.allow file:
Code:
# grep -v ^# /etc/hosts.allow|grep .
* Note tcp_wrappers work only for services that use /lib/libwrap.so. You can find out if a binary is compiled with Libwrap with 'ldd /path/to/binary|grep libwrap'.
** Note the "grep|grep" construct as posting configuration files without comments makes it easier to read.
Your /etc/hosts.deny file should contain one line "ALL: ALL" to deny unrestricted access to services.
Your /etc/hosts.allow file then should contain process names (not service names) and the IP addresses or IP ranges to allow access from.
Also see tcp_wrappers vs iptables.

When accessing SSH on a server behind a router performing NAT, the router must allow inbound TCP/22 and redirect this traffic to your server. If you are the only one using remote SSH then add your remote IP address or IP range to the router's inclusion list for that port if possible. Also set iptables to allow TCP/22 from outside your LAN range and add the IP address or IP range to /etc/hosts.allow.

*** Do not postpone hardening SSH and I strongly suggest you read and act on the sticky Failed SSH login attempts thread wrt AllowUsers, AllowGroups and fail2ban before allowing remote SSH access.
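To see what the two wrapper files would actually do for sshd before and after the changes unSpawn describes, here is an added example (not code from the thread or from tcp_wrappers itself) that models the hosts_access(5) search order in Python; the lab range 192.168.1.0/24, the excluded host 192.168.1.13 and the laptop address 203.0.113.9 are assumed sample values. The real package ships tcpdmatch(8) for the same purpose against the live files.

```python
"""Model of the hosts_access(5) decision, to check what hosts.allow and
hosts.deny would do for a daemon and client address.  Rule forms covered:
ALL, EXCEPT, an exact address, a trailing-dot prefix (192.168.1.) and an
n.n.n.n/m.m.m.m net/mask pair; hostname patterns, backslash continuation
lines and the optional shell-command field are not modelled."""
import ipaddress

# Constructed samples.  OP_* mirror the comment-only files posted above;
# HARDENED_* follow unSpawn's advice: catch-all deny, then the process
# name (sshd, not a service name) with the addresses allowed to reach it.
OP_ALLOW = "#\n# hosts.allow\tThis file describes the names of the hosts which are\n#\n"
OP_DENY = "#\n# hosts.deny\tThis file describes the names of the hosts which are\n#\n"
HARDENED_DENY = "ALL: ALL\n"
HARDENED_ALLOW = (
    "# lab LAN minus one host, plus the remote laptop's (assumed) address\n"
    "sshd: 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.13\n"
    "sshd: 203.0.113.9\n"
)


def parse_rules(text):
    """Return [(daemon_field, client_field)] from a hosts.allow/hosts.deny body.
    Only whole-line '#' comments and blank lines are skipped, as in tcpd; a
    third (shell command) field is ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append((fields[0], fields[1]))
    return rules


def _split_except(field):
    """'a b EXCEPT c' -> (['a', 'b'], ['c']); without EXCEPT the exclusions are empty."""
    words = field.split()
    if "EXCEPT" in words:
        i = words.index("EXCEPT")
        return words[:i], words[i + 1:]
    return words, []


def _client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # leading octets, e.g. '192.168.1.'
        return str(addr).startswith(pattern)
    if "/" in pattern:                  # 'n.n.n.n/m.m.m.m' net/mask pair
        return addr in ipaddress.ip_network(pattern, strict=False)
    try:
        return addr == ipaddress.ip_address(pattern)
    except ValueError:                  # a hostname pattern: not modelled
        return False


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _field_matches(field, item, match):
    """A field matches when item matches a word before EXCEPT and none after it."""
    include, exclude = _split_except(field)
    return (any(match(p, item) for p in include)
            and not any(match(p, item) for p in exclude))


def hosts_access(daemon, client_ip, allow_text, deny_text):
    """hosts_access(5) search order: the first matching rule in hosts.allow
    grants access; otherwise the first matching rule in hosts.deny refuses
    it; otherwise access is granted.  Returns (allowed, reason)."""
    addr = ipaddress.ip_address(client_ip)
    for fname, text, verdict in (("hosts.allow", allow_text, True),
                                 ("hosts.deny", deny_text, False)):
        for daemons, clients in parse_rules(text):
            if (_field_matches(daemons, daemon, _daemon_matches)
                    and _field_matches(clients, addr, _client_matches)):
                return verdict, f"{fname}: {daemons}: {clients}"
    return True, "no rule matched; tcp_wrappers allows by default"


if __name__ == "__main__":               # quick demonstration run
    for ip in ("192.168.1.50", "192.168.1.13", "203.0.113.9", "198.51.100.7"):
        print(ip, hosts_access("sshd", ip, OP_ALLOW, OP_DENY),
              hosts_access("sshd", ip, HARDENED_ALLOW, HARDENED_DENY))
```

With the OP's comment-only files every address is allowed, which is why those files impose no restriction at all until hosts.deny gets its "ALL: ALL" line.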
 
Old 04-09-2011, 03:47 AM   #4
The Moorish
LQ Newbie
 
Registered: Apr 2011
Posts: 13

Original Poster
Rep: Reputation: 0
Morning Nermal

Yes, of course I have sshd installed:

Code:
# which sshd
/usr/sbin/sshd
My Linux version is:

Code:
Red Hat Enterprise Linux Server release 5 Tikanga
 
Old 04-09-2011, 04:39 AM   #5
Nermal
Member
 
Registered: Jan 2009
Distribution: Debian
Posts: 59
Blog Entries: 2

Rep: Reputation: 6
Oki Doki,

Let's see if it is in memory:

Code:
ps -ea | grep sshd
Should come back with:
Code:
12345 ? 00:00:00 sshd
Also can you provide:
Code:
iptables-save | grep 22
What a difference a coffee makes.
 
Old 04-09-2011, 04:46 AM   #6
The Moorish
LQ Newbie
 
Registered: Apr 2011
Posts: 13

Original Poster
Rep: Reputation: 0
Hi unSpawn, Thank you for your awesome comment!

I fully understand what you've said about those services, and I appreciate a lot all the advice you gave me!


This is my sshd_config:

Code:
# cat /etc/ssh/sshd_config
#       $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server
This is man hosts_access:

Code:
# man hosts_access
HOSTS_ACCESS(3)                                                HOSTS_ACCESS(3)



NAME
       hosts_access,  hosts_ctl,  request_init,  request_set  - access control
       library

SYNOPSIS
       #include "tcpd.h"

       extern int allow_severity;
       extern int deny_severity;

       struct request_info *request_init(request, key, value, ..., 0)
       struct request_info *request;

       struct request_info *request_set(request, key, value, ..., 0)
       struct request_info *request;

       int hosts_access(request)
       struct request_info *request;

       int hosts_ctl(daemon, client_name, client_addr, client_user)
       char *daemon;
       char *client_name;
       char *client_addr;
       char *client_user;

DESCRIPTION
       The routines described in this  document  are  part  of  the  libwrap.a
       library.  They  implement  a  rule-based  access  control language with
       optional shell commands that are executed when a rule fires.

       request_init() initializes a structure with information about a  client
       request.  request_set()  updates  an already initialized request struc-
       ture. Both functions take a variable-length list of key-value pairs and
       return  their first argument.  The argument lists are terminated with a
       zero key value. All string-valued arguments are  copied.  The  expected
       keys (and corresponding value types) are:

       RQ_FILE (int)
              The file descriptor associated with the request.

       RQ_CLIENT_NAME (char *)
              The client host name.

       RQ_CLIENT_ADDR (char *)
              A printable representation of the client network address.

       RQ_CLIENT_SIN (struct sockaddr_in *)
              An  internal  representation  of  the client network address and
              port.  The contents of the structure are not copied.

       RQ_SERVER_NAME (char *)
              The hostname associated with the server endpoint address.

       RQ_SERVER_ADDR (char *)
              A printable representation of the server endpoint address.

       RQ_SERVER_SIN (struct sockaddr_in *)
              An internal representation of the server  endpoint  address  and
              port.  The contents of the structure are not copied.

       RQ_DAEMON (char *)
              The name of the daemon process running on the server host.

       RQ_USER (char *)
              The  name  of the user on whose behalf the client host makes the
              request.

       hosts_access() consults the access  control  tables  described  in  the
       hosts_access(5)  manual  page.   When  internal endpoint information is
       available, host names and client user names are looked  up  on  demand,
       using the request structure as a cache.  hosts_access() returns zero if
       access should be denied.

       hosts_ctl() is a wrapper around the request_init()  and  hosts_access()
       routines  with  a perhaps more convenient interface (though it does not
       pass  on  enough  information  to  support  automated  client  username
       lookups).  The client host address, client host name and username argu-
       ments should contain valid data or STRING_UNKNOWN.  hosts_ctl() returns
       zero if access should be denied.

       The allow_severity and deny_severity variables determine how  accepted
       and rejected requests may be logged.  They  must  be  provided  by  the
       caller and may be modified by rules in the access control tables.

DIAGNOSTICS
       Problems are reported via the syslog daemon.

SEE ALSO
       hosts_access(5),    format    of    the    access    control    tables.
       hosts_options(5), optional extensions to the base language.

FILES
       /etc/hosts.allow, /etc/hosts.deny, access control tables.

BUGS
       hosts_access() uses the strtok() library function. This  may  interfere
       with other code that relies on strtok().

AUTHOR
       Wietse Venema (wietse@wzv.win.tue.nl)
       Department of Mathematics and Computing Science
       Eindhoven University of Technology
       Den Dolech 2, P.O. Box 513,
       5600 MB Eindhoven, The Netherlands




                                                               HOSTS_ACCESS(3)


Code:
# ldd /usr/sbin/sshd
        linux-gate.so.1 =>  (0x003cd000)
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00594000)
        libpam.so.0 => /lib/libpam.so.0 (0x00657000)
        libdl.so.2 => /lib/libdl.so.2 (0x00490000)
        libselinux.so.1 => /lib/libselinux.so.1 (0x00963000)
        libaudit.so.0 => /lib/libaudit.so.0 (0x0085f000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x00110000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x00123000)
        libutil.so.1 => /lib/libutil.so.1 (0x00255000)
        libz.so.1 => /opt/lampp/lib/libz.so.1 (0x00ddf000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x00259000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x00753000)
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x004d7000)
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x009d3000)
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00f7d000)
        libcom_err.so.2 => /lib/libcom_err.so.2 (0x0026f000)
        libc.so.6 => /lib/libc.so.6 (0x00272000)
        /lib/ld-linux.so.2 (0x00a67000)
        libsepol.so.1 => /lib/libsepol.so.1 (0x003ce000)
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x005ab000)

And definitely I'm gonna read those posts!
 
Old 04-09-2011, 04:51 AM   #7
The Moorish
LQ Newbie
 
Registered: Apr 2011
Posts: 13

Original Poster
Rep: Reputation: 0
Okay!

Output:

Code:
 # ps -ea | grep sshd
 3768 ?        00:00:00 sshd
And I did:

Code:
# iptables-save | grep 22
 
Old 04-09-2011, 05:06 AM   #8
Nermal
Member
 
Registered: Jan 2009
Distribution: Debian
Posts: 59
Blog Entries: 2

Rep: Reputation: 6
You're keen....

So, sshd is running.

There is no rule for ssh in iptables, if iptables is configured.

So that is what we need to know now.

Code:
iptables-save | grep INPUT
This will list the content of your INPUT table of your iptables. Feel free to mask anything you don't want us to see.

If you have enabled iptables, as you have said in the first post, this may be blocking the ssh connection.
 
Old 04-09-2011, 06:21 AM   #9
The Moorish
LQ Newbie
 
Registered: Apr 2011
Posts: 13

Original Poster
Rep: Reputation: 0
The above command doesn't work because I can't re-enable my iptables:

Code:
# chkconfig iptables on
# service iptables start
# service iptables status
Firewall is stopped.
 
Old 04-09-2011, 07:44 AM   #10
The Moorish
LQ Newbie
 
Registered: Apr 2011
Posts: 13

Original Poster
Rep: Reputation: 0
Great, iptables is running again:

Code:
# service iptables restart
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


# service iptables status
Table : filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

# service iptables status
Table : filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
This is what I've got from your command:
Code:
# iptables-save | grep INPUT
:INPUT ACCEPT [211:45338]

Last edited by The Moorish; 04-09-2011 at 07:47 AM.
 
Old 04-09-2011, 08:17 AM   #11
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
Quote:
PasswordAuthentication yes
This will use in the clear password authentication. Read the paragraph above the "UsePAM Yes" line. It tells you exactly the changes to make for public key authentication.

Programs built with libwrap often can have the same access controls in their own config files. So you don't need to use xinetd for that service.
 
Old 04-11-2011, 05:57 AM   #12
The Moorish
LQ Newbie
 
Registered: Apr 2011
Posts: 13

Original Poster
Rep: Reputation: 0
Hi

Scanning outside the network:

Code:
# nmap -p 22 remoteIP

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-04-11 12:49 UTC
Nmap scan report for 127.0.0.1 (127.0.0.1)
Host is up (0.13s latency).
PORT   STATE    SERVICE
22/tcp filtered ssh
Now scanning inside the network:

Code:
# nmap -p 22 localhost

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-04-11 10:46 WET
Interesting ports on BLADE5 (127.0.0.1):
PORT   STATE SERVICE
22/tcp open  ssh

What shall I do to my lab config to be able to allow SSH access from outside the network?

Last edited by The Moorish; 04-15-2011 at 01:10 PM.
 
Old 04-14-2011, 03:36 AM   #13
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
Your two scans are identical. You scanned localhost (the same machine) both times.
Scan your computer from another computer on the lan.

You will need to A) open port 22 in your computer's firewall
B) forward port 22 in your gateway router to your computer. (e.g. your cable/dsl modem)

If you want ssh accessible from the internet, change the port used to a higher-numbered port. This is done by editing /etc/ssh/sshd_config and restarting the sshd service. An open ssh port will attract script kiddies. If you move the port, you will see far fewer brute-force attacks against ssh in your logs.

Also add your username to a line in sshd_config
AllowUsers <your_user_name>
This will reject all login attempts for other usernames (attackers will try common usernames, system users, and root)

Last edited by jschiwal; 04-14-2011 at 03:39 AM.
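As an added example (not code from the thread or from OpenSSH), the following Python reads an sshd_config the way sshd does, first uncommented occurrence of a keyword wins, and lists which of the changes suggested in posts #3, #11 and #13 the OP's file still lacks; the port 2222 and the user name labadmin in the hardened sample are assumed values.

```python
"""Effective values of the sshd_config keywords discussed in this thread, and
the hardening steps still missing.  sshd takes the first uncommented
occurrence of a keyword, so the OP's commented '#PermitRootLogin yes' lines
only document the compiled-in default and change nothing.  'Match' blocks
are not modelled (the OP's file has none)."""
import re

# Defaults as documented by the commented lines in the OP's RHEL 5 file.
DEFAULTS = {"port": "22", "permitrootlogin": "yes", "pubkeyauthentication": "yes",
            "passwordauthentication": "yes", "allowusers": None}

# Constructed samples: the relevant lines of the OP's file, and a version
# following unSpawn (#3) and jschiwal (#11, #13); 'labadmin' is hypothetical.
OP_CONFIG = """\
#Port 22
Protocol 2
#PermitRootLogin yes
#PubkeyAuthentication yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
"""
HARDENED_CONFIG = """\
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers labadmin
"""

# keyword and argument may be separated by whitespace or '=' (sshd_config(5))
_KV = re.compile(r"^(\S+?)\s*(?:=|\s)\s*(.*)$")


def effective_settings(config_text):
    """Map each keyword in DEFAULTS to its first uncommented value, else the default."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        key = (m.group(1) if m else line).lower()
        value = m.group(2).strip() if m else ""
        seen.setdefault(key, value)          # first occurrence wins, as in sshd
    return {k: seen.get(k, d) for k, d in DEFAULTS.items()}


def findings(config_text):
    """The thread's hardening steps the config still needs, in the order given there."""
    eff = effective_settings(config_text)
    out = []
    if eff["permitrootlogin"] != "no":
        out.append("PermitRootLogin: set to no; log in as an unprivileged user and use sudo")
    if eff["pubkeyauthentication"] != "yes":
        out.append("PubkeyAuthentication: set to yes and test a key login first")
    if eff["passwordauthentication"] != "no":
        out.append("PasswordAuthentication: set to no once key login works")
    if not eff["allowusers"]:
        out.append("AllowUsers: list the one account allowed to log in")
    if eff["port"] == "22":
        out.append("Port: 22; a higher port means fewer brute-force attempts in the logs")
    return out


if __name__ == "__main__":
    for label, cfg in (("OP's file", OP_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, effective_settings(cfg))
        for f in findings(cfg):
            print("  -", f)
```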
 
Old 04-15-2011, 01:09 PM   #14
The Moorish
LQ Newbie
 
Registered: Apr 2011
Posts: 13

Original Poster
Rep: Reputation: 0
Quote:
Your two scans are identical. You scanned localhost (the same machine) both times.
Scan your computer from another computer on the lan.
Hi

No, it's not the same; I just changed my real IP address to 127.0.0.1 to make a difference between it and the local network.

Quote:
You will need to A) open port 22 in your computers firewall
B) forward port 22 in your gateway router to your computer. (e.g. your cable/dsl modem)
Do you mean making an SSH tunnel?

Quote:
If you want ssh accessible from the internet, change the port used to a higher number port. This is done by editing /etc/ssh/sshd_config and restarting the sshd service. An open ssh port will attract script kiddies. Moving the port will, you will see far fewer brute force attacks against ssh in your logs.

Also add your username to a line in sshd_config
AllowUsers <your_user_name>
This will reject all login attempts for other usernames (attackers will try common usernames, system users, and root)
This is my sshd_config:

Code:
# cat sshd_config
#       $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server
What shall I do now?
 
Old 04-19-2011, 02:36 AM   #15
The Moorish
LQ Newbie
 
Registered: Apr 2011
Posts: 13

Original Poster
Rep: Reputation: 0
I am confused what to do next!!
 
  

