LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 05-31-2006, 04:04 AM   #1
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282Reputation: 282Reputation: 282
Securing a LAMP server [1] SSHD


I'm currently trying to secure a LAMP server (Slackware 10.1) and have plenty of questions.

This thread has some questions about SSHD.

Q1)
What SSHD can do for me? One of the things as I understand it, is providing a secure 'kind of telnet' where the communication is encrypted (so it can not be snooped).

I have the feeling that it can do other things (reading between the lines of man pages etc). If so, what?

Q2)
If it does encrypted communication, how does it work? I understand that there are some negotiations before a session_key is generated and used by the two parties?

What prevents an attacker from snooping (and understanding) those negotiations? And as a result getting the session_key and be able to decrypt the communication?

A newbie friendly link is fine (I could not find one ).

Q3)
Everywhere I fall over the term fingerprint. E.g. when I connect the first time to the SSHD, PuTTY (a Windows SSH client) tells me something in the line of "it can't verify the fingerprint and if it can trust it". Where can I find the fingerprint of my SSHD (or how can I calculate it)? I've looked in the files in /etc/ssh, but don't seem to be able to find it. As I could not find it, I assume it's a checksum/hash type of value which one might be able to calculate.

Q4)
Is there a difference between 'PermitRootLogin no' and 'DenyUsers root' in the sshd_config?

PS I modified sshd_config to only allow protocol 2
 
Old 05-31-2006, 06:19 AM   #2
imagineers7
Member
 
Registered: Mar 2006
Distribution: BackTrack, RHEL, FC, CentOS, IPCop, Ubuntu, 64Studio, Elive, Dream Linux, Trix Box
Posts: 310

Rep: Reputation: 30
Hi wim,

Quote:
Originally Posted by Wim
Q4)
Is there a difference between 'PermitRootLogin no' and 'DenyUsers root' in the sshd_config?
I thought there is a difference :- First asks for password and another does not.

But I tried this on my machine and both asked for the password!!

Then what it is?
 
Old 05-31-2006, 07:49 AM   #3
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Original Poster
Rep: Reputation: 282Reputation: 282Reputation: 282
Hi imagineers7, please note that I want to deny the access for root user.
 
Old 06-01-2006, 07:56 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,140
Blog Entries: 54

Rep: Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791Reputation: 2791
I don't know the difference exactly, but my guess would be DenyUsers is a "general" ACL. If you "man sshd_config" for PermitRootLogin you see it makes provisions for circumstances where you would actually more finegrained control over a root account login, like if you need to make backups (forced command only). The default should be to use "PermitRootLogin no" unless you have specific requirements. While on the topic of ACL's also note PAM can be used easily to allow or deny users access using the pam_listfile module. Comes in handy when you have different requirements for different services and want a centralised solution instead of having to tweak various confs.
 
Old 06-07-2006, 06:57 AM   #5
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Original Poster
Rep: Reputation: 282Reputation: 282Reputation: 282
Q1) Yes, it can use authentication based on keys. And SFTP.

Q2 and Q3 still open. Specially Q3 is quite important as I must be able to give users this information.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LAMP Server Security paraiso Linux - Security 4 02-24-2006 04:48 PM
LAMP server problems dcdbutler Slackware 2 02-20-2006 03:12 PM
New LAMP Server dragondefj Linux - General 5 01-31-2006 01:38 AM
Lamp Server kwickcut Mandriva 1 11-25-2005 10:02 PM
on-x Rx linux as a LAMP server violentpurrr Linux - Software 0 06-26-2004 12:33 AM


All times are GMT -5. The time now is 05:36 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration