LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 10-14-2002, 05:03 AM   #1
c_lhee
LQ Newbie
 
Registered: Oct 2002
Location: Asia
Distribution: Redhat 6.2
Posts: 4

Rep: Reputation: 0
Two ssh versions.


Hi,

I have upgraded the ssh version in my Linux,
the latest is SSH 3.1.0 (non-commercial version) on i686-pc-linux-gnu.

Problem is I am looking at two configurations at
/etc/ssh_config
/etc/sshd_config

and another at
/etc/ssh2/ssh2_config
/etc/ssh2/sshd2_config

Why does the ssh config get the settings on "/etc" instead of "/etc/ssh2"? Where can I define this?

The server is secure from windows users using ssh.
However it allows users from linux servers to access
even though only a specific ip is allowed to access.
 
Old 10-14-2002, 05:22 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Guess you need to upgrade first.
Latest still is openssh-3.4p1.tar.gz.
Configs should be in /etc/ssh unless you mucked with the source.
If compiled with libwrap (TCP Wrappers) add a line (w/o quotes) to /etc/hosts.allow
"ssh: <ip address allowed access from>"
You can tighten access more by adding the Deny(Users|Groups), Allow(Users|Groups) directives to /etc/ssh/sshd_config, and block in the firewall as well.
 
Old 10-15-2002, 04:20 AM   #3
c_lhee
LQ Newbie
 
Registered: Oct 2002
Location: Asia
Distribution: Redhat 6.2
Posts: 4

Original Poster
Rep: Reputation: 0
OpenSSH has lots of vulnerabilities. Any other versions
besides OpenSSH? Have you tried using ssh only?

Here are my sshd_config settings:
# This is ssh server systemwide configuration file.

Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh_host_key
RandomSeed /etc/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON

RhostsAuthentication yes
RhostsRSAAuthentication yes
# HostbasedAuthentication no
# AllowedAuthentications hostbased

RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
UseLogin yes
# CheckMail no
# PidFile /u/zappa/.ssh/pid
# AllowHosts newbie.com
AllowHosts
# DenyHosts *
# Umask 022
# SilentDeny yes
How do I uninstall the ssh that was installed, so I can install a different version of ssh?
 
Old 10-15-2002, 10:36 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Why does the ssh config get the settings on "/etc" instead of "/etc/ssh2"? Where can I define this?
sshd -f <configfile>, also defined in your startup script /etc/rc.d/init.d/ssh(d?)

Quote:
any other versions besides openssh?
Only one or two commercial versions AFAIK.

Quote:
have you tried using ssh only?
What do you mean by this?

Quote:
How do I uninstall the ssh that was installed so
I can install a different version of ssh.
IIRC correct versions are needed for (glibc), libwrap, OpenSSL before upgrading OpenSSH; check with your RPM tools.
If all goes well you can download and make the OpenSSH tarball, with which you can make an rpm to install.

Your sshd_config settings:
PermitRootLogin yes: insecure, set to "no"
IgnoreRhosts no: insecure, set to "yes"
RhostsAuthentication yes: insecure (sshv1), set to "no"
RhostsRSAAuthentication yes: insecure (sshv1), set to "no"
UseLogin yes: disables X forwarding
AllowHosts: won't work in sshv2: if compiled with libwrap use /etc/hosts.{deny,allow}

HTH.
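A small checker for the review above, written as an added example (not code from the thread): it parses an sshd_config and flags the directives unSpawn lists. Only directives actually present are checked, since defaults differ between OpenSSH versions; the sample input is the config posted in this thread, trimmed to the relevant lines.

```python
"""Audit an sshd_config against the directives flagged in this thread.
Added example: only directives that are present are checked, because
defaults differ between OpenSSH versions."""

# Directive (lower-cased) -> recommended value; anything else is flagged.
EXPECTED = {
    "permitrootlogin": "no",
    "ignorerhosts": "yes",
    "rhostsauthentication": "no",      # protocol 1 only
    "rhostsrsaauthentication": "no",   # protocol 1 only
}

def parse_sshd_config(text):
    """Return {directive: value}, directives lower-cased; comments and blanks skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def audit(text):
    """Return sorted (directive, finding) pairs for the weak settings in the config."""
    conf = parse_sshd_config(text)
    findings = []
    for key, wanted in EXPECTED.items():
        got = conf.get(key)
        if got is not None and got.lower() != wanted:
            findings.append((key, f"is {got!r}, set to {wanted!r}"))
    if conf.get("uselogin", "no").lower() == "yes" and conf.get("x11forwarding", "no").lower() == "yes":
        findings.append(("uselogin", "yes disables the X11Forwarding you enabled"))
    if "allowhosts" in conf:
        findings.append(("allowhosts", "not honoured by OpenSSH; use /etc/hosts.{allow,deny} or the firewall"))
    return sorted(findings)

# The sshd_config posted in this thread, relevant lines only.
POSTED_CONFIG = """\
PermitRootLogin yes
IgnoreRhosts no
X11Forwarding yes
RhostsAuthentication yes
RhostsRSAAuthentication yes
UseLogin yes
# AllowHosts newbie.com
AllowHosts
"""

if __name__ == "__main__":
    for directive, finding in audit(POSTED_CONFIG):
        print(f"{directive}: {finding}")
```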
 
Old 10-17-2002, 11:07 PM   #5
c_lhee
LQ Newbie
 
Registered: Oct 2002
Location: Asia
Distribution: Redhat 6.2
Posts: 4

Original Poster
Rep: Reputation: 0
I have defined this in
file "/etc/rc.d/rc.local"
and included script "/usr/local/sbin/sshd &"
so ssh can run during startup.

You are right on "AllowHosts"; however, /etc/hosts.{deny,allow}
don't work either. Why is that? Is there anything I should do?

FYI, done this already: "ssh: <ip address allowed access from>"
 
Old 10-18-2002, 07:15 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Btw, Red Hat's 6x releases haven't been the best in terms of security. Did you regularly check for upgrades?

/etc/hosts.{allow,deny} should take lines like
<service name|ALL>: <IP addr/range|ALL (EXCEPT FROM addr/range)>
If it doesn't work, probably your sshd hasn't been compiled with TCP Wrappers support (-llibwrap iirc).

Sshd should run from a script in /etc/rc.d/init.d linked to your runlevel else you make managing checking/starting/stopping services hard on yourself. It should be in the rpm or the contrib dir of the tarball. If not it's quite easy to write one taking one of the scripts in /etc/rc.d/init.d as a template. If the script you wrote won't work, check for application locations, if the application config is readable/correct, if you provided all startup variables like config, if running the script command manually logs any errors, if running the script command manually with debug enabled logs any errors.
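To make the hosts.allow/hosts.deny rules above concrete, here is an added example (not from the thread) that models how libwrap decides one connection: hosts.allow first, then hosts.deny, default allow. It implements only a subset of hosts_access(5) patterns (ALL, exact address, dotted prefix, net/mask, EXCEPT); the sample files are constructed, and they show that the daemon field must be the server's process name, which for OpenSSH is "sshd", so a line beginning "ssh:" never matches.

```python
"""Model how libwrap evaluates /etc/hosts.allow and /etc/hosts.deny
(subset of hosts_access(5)).  hosts.allow is searched first and the first
match grants; then hosts.deny and the first match denies; no match at all
means access is granted.  The daemon field is the server's process name,
which for OpenSSH is "sshd", not "ssh"."""

def _client_matches(pattern, ip):
    """One client pattern: ALL, an exact address, a dotted prefix like '10.0.0.', or net/mask."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        as_int = lambda a: int.from_bytes(bytes(int(o) for o in a.split(".")), "big")
        return as_int(ip) & as_int(mask) == as_int(net) & as_int(mask)
    return pattern == ip

def _daemon_matches(pattern, daemon):
    return pattern.strip() in ("ALL", daemon)

def _list_matches(spec, value, matcher):
    """Evaluate 'a, b EXCEPT c' lists: the left part must match and the right part must not."""
    if " EXCEPT " in spec:
        left, right = spec.split(" EXCEPT ", 1)
        return _list_matches(left, value, matcher) and not _list_matches(right, value, matcher)
    return any(matcher(p, value) for p in spec.split(","))

def _file_matches(text, daemon, ip):
    """True if any 'daemon_list : client_list [: option]' line in the file matches."""
    for raw in text.splitlines():
        fields = [f.strip() for f in raw.split("#", 1)[0].split(":")]
        if len(fields) >= 2 and _list_matches(fields[0], daemon, _daemon_matches) \
                and _list_matches(fields[1], ip, _client_matches):
            return True
    return False

def access_allowed(hosts_allow, hosts_deny, daemon, ip):
    """Return the libwrap decision for one connection."""
    if _file_matches(hosts_allow, daemon, ip):
        return True
    return not _file_matches(hosts_deny, daemon, ip)

# Constructed sample files.  BROKEN_ALLOW uses "ssh", which never matches the
# sshd process, so the "ALL: ALL" in hosts.deny rejects every client.
BROKEN_ALLOW = "ssh: 192.0.2.10\n"
FIXED_ALLOW = "sshd: 192.0.2.10, 192.0.2.0/255.255.255.0 EXCEPT 192.0.2.99\n"
HOSTS_DENY = "ALL: ALL\n"
```

Real libwrap also accepts hostnames, LOCAL, KNOWN/UNKNOWN, netgroups and options, and only consults these files if sshd was built with libwrap, which is the check the post above recommends.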
 
Old 10-22-2002, 05:07 AM   #7
c_lhee
LQ Newbie
 
Registered: Oct 2002
Location: Asia
Distribution: Redhat 6.2
Posts: 4

Original Poster
Rep: Reputation: 0
Have compiled the ssh to use "tcp wrapper", e.g. "--with-libwrap".
However after setting this on "hosts.allow" and "hosts.deny" it does not work. Should the settings be also included in the "inetd.conf"?

Fyi in the "sshd2_config" the setting "AllowHosts" works when configured.

I want to ensure that even connecting will return a message
"Connection Failed" for IPs that are not allowed to connect.

Thanks.
 
Old 10-22-2002, 09:03 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Have compiled the ssh to use "tcp wrapper", e.g. "--with-libwrap". However after setting this on "hosts.allow" and "hosts.deny" it does not work. Should the settings be also included in the "inetd.conf"?
Doh. If you run sshd through xinetd it'll have its own way of denying access, like using TCP Wrappers. Dunno bout inetd tho. It's old, less secure, deprecated. Adding a new version of ssh to your box may seem like false security, because the system supporting it stems from the time dinos walked the earth. Guess you never upgraded anything on that box?

Quote:
Fyi in the "sshd2_config" the setting "AllowHosts" works when configured.
Guess you have to remove your old ssh binaries and configs and decide what conf to use.

Quote:
I want to ensure that even connecting will return a message "Connection Failed" for ip's that are not allowed to connect.
If you only have a few addresses that are allowed access to ssh, block others through the firewall. If you did configure sshd to use TCP Wrappers and run in standalone mode it could use TCP Wrappers' banner function to present a msg of choice.
 
  

