msec4 and no more SSH access

bluediver · 10-11-2002, 03:52 PM

hi,

On mandrake 8.2, i use iptables and msec.
if i set security to msec 3, my ssh connection (from lan) is ok.
if i set security to msec 4 my ssh is rejected ??

I refer to http://www.mandrakesecure.net/en/docs/msec.php
without understanding where is the mistake (from me).

the reference advice a level 4 for my server connecting internet.
it specifies "This level will allow connections to pre-determined servers via remote,":
but how to specify this host that will be allowed to access with SSH.

any help appreciate, I 'm a beginner in linux.

Level 4: High. This is the recommended security level for network server systems or systems permanently connected to the internet. This level will allow connections to pre-determined servers via remote, and all locally. By default, a number of services are disabled, so as an administrator you will need to enable them by hand. The security checks msec performs are more advanced as well, as indicated by the above tables.

unSpawn · 10-11-2002, 09:01 PM

I don't have Mandy, and if I get the sparse docs floating around msec changes a shedload of things per level. Chances are the firewall rules in /etc/rc.d/rc.firewall change as well. Gotta find out where they're stored in level 3 and how to add 'em to work in level 4. Did you try adding firewall rules for ssh in level 4? Also there was something about ssh only being available to members of the "ntools" group in level 4.

Let's hope some Mandy user will provide more accurate info...

bluediver · 10-12-2002, 02:52 AM

Found ! (after no many hours searching and testing)
like so often the solution is not where you search it ...

/etc/hosts.allow define "hosts allow" !
# allow localhost and from one admin host on my lan
ALL : 127.0.0.1
ALL : 10.39.10.110

man mseclib : redirecting to
vi /usr/share/doc/msec-0.19/security.txt
and syntax tutorial on :
http://www.userlocal.com/securinginetdetc.shtml

see you guys !
you know what? I'm happy.....

unSpawn · 10-12-2002, 02:57 PM

Uhuh, TCPWrappers was the other thing I thought of, stupid I didn't post it as well. Btw, you could tighten acces by substituting "ssh" for "ALL" to allow only access to that service.

bluediver · 10-13-2002, 01:54 PM

you are right, i will restrict to services i publish only.

by the way I have a ppp0 connection with adsl, and I just give all the we (quite 8 hours) and i have a daughter (poor she is this we, with no daddy..)

re.firewall does not let me access the net from lan ???
idiot is the solution (just found at this time)
I had put $InetFace = eth0 (my network card connected to adsl modem)
but NO, the one used should be ppp0 for iptables, because it is the interface (ifconfig) created to go on the net, and not the network card !!!

hope it could help another poor daddy blocked behind his screen and not playing with kids (18 months for mine ...)

tchao