Linux - Newbie: This Linux forum is for members that are new to Linux. Just starting out and have a question? If it is not in the man pages or the how-to's, this is the place!
I've set up a network within my lab and only gave access to local machines (Red Hat 5 and a Windows Server 2000). First, I succeeded in enabling iptables, logwatch, nfs, portmap and tcpwrapper.
this is my hosts.allow file:
Code:
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
hosts.deny:
Code:
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
Now I want to use ssh from a remote machine. I have disabled iptables, nfs, logwatch and portmap.
What should I do to be able to access my network from my laptop, which is not connected to my network?
Disabling NFS and portmap makes sense if you do not need to provide those services: it is unrelated to and has nothing to do with enabling or running SSH.
Disabling Logwatch and iptables makes no sense at all unless you have no need for them (unlikely) or have no clue at all what you're doing (more likely). In case of the latter your initial reflex should not be to disable services but to first read some basic documentation that RHEL provides (which is not too shabby) and familiarize yourself with Linux concepts and server administration: note that Linux may be free to use but using it is not free of responsibilities.
If, like Nermal suggested, you have the openssh-server package installed, you continue by editing /etc/ssh/sshd_config to ensure PermitRootLogin and PasswordAuthentication are denied. After you have 0) set up a local unprivileged user account to access SSH with PubKey auth, and have 1) tested this user can access the server and use sudo to perform commands as root, configure your tcp_wrappers ('man hosts_access') configuration files.
Quote:
Originally Posted by The Moorish
this is my hosts.allow file:
Code:
# grep -v ^# /etc/hosts.allow|grep .
* Note tcp_wrappers work only for services that use /lib/libwrap.so. You can find out if a binary is compiled with Libwrap with 'ldd /path/to/binary|grep libwrap'.
** Note the "grep|grep" construct as posting configuration files without comments makes it easier to read.
Your /etc/hosts.deny file should contain one line "ALL: ALL" to deny unrestricted access to services.
Your /etc/hosts.allow file then should contain process names (not service names) and the IP addresses or IP ranges to allow access from.
Also see tcp_wrappers vs iptables.
When accessing SSH on a server behind a router performing NAT, the router must allow inbound TCP/22 and redirect this traffic to your server. If you are the only one using remote SSH then add your remote IP address or IP range to the router's inclusion list for that port if possible. Also set iptables to allow TCP/22 from outside your LAN range and add the IP address or IP range to /etc/hosts.allow.
*** Do not postpone hardening SSH and I strongly suggest you read and act on the sticky Failed SSH login attempts thread wrt AllowUsers, AllowGroups and fail2ban before allowing remote SSH access.
Hi unSpawn, thank you for your awesome comment!
I fully understand what you've said about those services, and I appreciate a lot all the advice you gave me!
This is my sshd_config:
Code:
# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
This is man hosts_access:
Code:
# man hosts_access
HOSTS_ACCESS(3) HOSTS_ACCESS(3)
NAME
hosts_access, hosts_ctl, request_init, request_set - access control
library
SYNOPSIS
#include "tcpd.h"
extern int allow_severity;
extern int deny_severity;
struct request_info *request_init(request, key, value, ..., 0)
struct request_info *request;
struct request_info *request_set(request, key, value, ..., 0)
struct request_info *request;
int hosts_access(request)
struct request_info *request;
int hosts_ctl(daemon, client_name, client_addr, client_user)
char *daemon;
char *client_name;
char *client_addr;
char *client_user;
DESCRIPTION
The routines described in this document are part of the libwrap.a
library. They implement a rule-based access control language with
optional shell commands that are executed when a rule fires.
request_init() initializes a structure with information about a client
request. request_set() updates an already initialized request structure. Both functions take a variable-length list of key-value pairs and
return their first argument. The argument lists are terminated with a
zero key value. All string-valued arguments are copied. The expected
keys (and corresponding value types) are:
RQ_FILE (int)
The file descriptor associated with the request.
RQ_CLIENT_NAME (char *)
The client host name.
RQ_CLIENT_ADDR (char *)
A printable representation of the client network address.
RQ_CLIENT_SIN (struct sockaddr_in *)
An internal representation of the client network address and
port. The contents of the structure are not copied.
RQ_SERVER_NAME (char *)
The hostname associated with the server endpoint address.
RQ_SERVER_ADDR (char *)
A printable representation of the server endpoint address.
RQ_SERVER_SIN (struct sockaddr_in *)
An internal representation of the server endpoint address and
port. The contents of the structure are not copied.
RQ_DAEMON (char *)
The name of the daemon process running on the server host.
RQ_USER (char *)
The name of the user on whose behalf the client host makes the
request.
hosts_access() consults the access control tables described in the
hosts_access(5) manual page. When internal endpoint information is
available, host names and client user names are looked up on demand,
using the request structure as a cache. hosts_access() returns zero if
access should be denied.
hosts_ctl() is a wrapper around the request_init() and hosts_access()
routines with a perhaps more convenient interface (though it does not
pass on enough information to support automated client username
lookups). The client host address, client host name and username arguments should contain valid data or STRING_UNKNOWN. hosts_ctl() returns
zero if access should be denied.
The allow_severity and deny_severity variables determine how accepted
and rejected requests may be logged. They must be provided by the
caller and may be modified by rules in the access control tables.
DIAGNOSTICS
Problems are reported via the syslog daemon.
SEE ALSO
hosts_access(5), format of the access control tables.
hosts_options(5), optional extensions to the base language.
FILES
/etc/hosts.allow, /etc/hosts.deny, access control tables.
BUGS
hosts_access() uses the strtok() library function. This may interfere
with other code that relies on strtok().
AUTHOR
Wietse Venema (wietse@wzv.win.tue.nl)
Department of Mathematics and Computing Science
Eindhoven University of Technology
Den Dolech 2, P.O. Box 513,
5600 MB Eindhoven, The Netherlands
HOSTS_ACCESS(3)
This will use in the clear password authentication. Read the paragraph above the "UsePAM Yes" line. It tells you exactly the changes to make for public key authentication.
Programs built with libwrap often can have the same access controls in their own config files. So you don't need to use xinetd for that service.
Code:
# nmap -p 22 remoteIP
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-04-11 12:49 UTC
Nmap scan report for 127.0.0.1 (127.0.0.1)
Host is up (0.13s latency).
PORT STATE SERVICE
22/tcp filtered ssh
Now scanning inside the network:
Code:
# nmap -p 22 localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-04-11 10:46 WET
Interesting ports on BLADE5 (127.0.0.1):
PORT STATE SERVICE
22/tcp open ssh
What shall I do to my lab config to be able to allow SSH access from outside the network?
Last edited by The Moorish; 04-15-2011 at 01:10 PM.
Your two scans are identical. You scanned localhost (the same machine) both times.
Scan your computer from another computer on the lan.
You will need to A) open port 22 in your computers firewall
B) forward port 22 in your gateway router to your computer. (e.g. your cable/dsl modem)
If you want ssh accessible from the internet, change the port used to a higher-numbered port. This is done by editing /etc/ssh/sshd_config and restarting the sshd service. An open ssh port will attract script kiddies. If you move the port, you will see far fewer brute-force attacks against ssh in your logs.
Also add your username to a line in sshd_config
AllowUsers <your_user_name>
This will reject all login attempts for other usernames (attackers will try common usernames, system users, and root)
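An added example (mine, not from any post in this thread) that turns the sshd_config advice given above into a checker: it parses the file the way sshd reads it (case-insensitive keywords, first occurrence wins, whole-line comments), applies the defaults that the commented-out lines of the posted config show, and flags PermitRootLogin, PasswordAuthentication, ChallengeResponseAuthentication (the PAM bypass the config's own comment warns about), Protocol and a missing AllowUsers/AllowGroups list; a default port is reported as informational only. Both config fragments inside it are constructed: the first reproduces the relevant lines of the posted file, the second is what those lines look like after the suggested changes. The user name and port in the hardened fragment are placeholders, and the defaults table is an assumption taken from the posted file rather than from OpenSSH itself.

```python
"""Audit an sshd_config fragment against the hardening advice in this thread.

Added example, not code from the thread or from OpenSSH.
"""
import re

# Assumed defaults, copied from the commented-out lines in the posted
# sshd_config.  On a real box 'sshd -T' is the authority, not this table.
DEFAULTS = {
    "port": "22",
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "allowusers": "",
    "allowgroups": "",
}

# Lines reproduced from the posted file (constructed fragment).
POSTED_FRAGMENT = """\
#Port 22
#Protocol 2,1
Protocol 2
#PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication yes
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
"""

# The same lines after the changes suggested in the thread (placeholders:
# user 'alice', port 2222).
HARDENED_FRAGMENT = """\
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers alice
"""


def parse_sshd_config(text):
    """Return {lowercased keyword: first value} for the top-level section.

    sshd keywords are case-insensitive, 'Keyword value' and 'Keyword=value'
    are both accepted, the first occurrence of a keyword wins, and lines
    starting with '#' are comments.  Parsing stops at a Match block because
    keywords inside it only apply to matching connections.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def effective(settings, key):
    """Value sshd would use: the configured one, else the assumed default."""
    return settings.get(key, DEFAULTS[key]).lower()


def audit(text):
    """Return findings as (severity, keyword, effective_value, wanted) tuples."""
    s = parse_sshd_config(text)
    findings = []
    checks = [
        ("permitrootlogin", "no"),              # root never logs in directly
        ("passwordauthentication", "no"),       # keys only
        ("pubkeyauthentication", "yes"),
        ("challengeresponseauthentication", "no"),  # else PAM can re-enable passwords
        ("protocol", "2"),
    ]
    for key, wanted in checks:
        got = effective(s, key)
        if got != wanted:
            findings.append(("fail", key, got, wanted))
    # Without a user/group list every account name on the box is a target.
    if not (effective(s, "allowusers") or effective(s, "allowgroups")):
        findings.append(("fail", "allowusers/allowgroups", "(unset)", "at least one list"))
    # A non-default port only cuts log noise; it is not an access control.
    if effective(s, "port") == "22":
        findings.append(("info", "port", "22", "non-default port"))
    return findings


if __name__ == "__main__":
    for label, frag in (("posted", POSTED_FRAGMENT), ("hardened", HARDENED_FRAGMENT)):
        print(label + ":")
        for sev, key, got, wanted in audit(frag) or [("ok", "-", "-", "-")]:
            print("  %-4s %-32s is %-8s want %s" % (sev, key, got, wanted))
```

Feed it the whole file rather than a fragment and it still works, since keywords it does not check are simply ignored; remember that PermitRootLogin is only denied once it is set explicitly, because the commented line shows the default is yes.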
Quote:
Your two scans are identical. You scanned localhost (the same machine) both times.
Scan your computer from another computer on the lan.
Hi
No, it's not the same. I just changed my real IP address to 127.0.0.1 to make a difference between it and the local network.
Quote:
You will need to A) open port 22 in your computers firewall
B) forward port 22 in your gateway router to your computer. (e.g. your cable/dsl modem)
Do you mean making an SSH tunnel?
Quote:
If you want ssh accessible from the internet, change the port used to a higher number port. This is done by editing /etc/ssh/sshd_config and restarting the sshd service. An open ssh port will attract script kiddies. Moving the port will, you will see far fewer brute force attacks against ssh in your logs.
Also add your username to a line in sshd_config
AllowUsers <your_user_name>
This will reject all login attempts for other usernames (attackers will try common usernames, system users, and root)
This is my sshd_config:
Code:
# cat sshd_config
# $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server