Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I have upgraded the ssh version on my Linux system; the latest is SSH 3.1.0 (non-commercial version) on i686-pc-linux-gnu.
Problem is I am looking at two configurations, one at
/etc/ssh_config
/etc/sshd_config
and another at
/etc/ssh2/ssh2_config
/etc/ssh2/sshd2_config
Why does ssh get its settings from "/etc" instead of "/etc/ssh2"? Where can I define this?
The server is secure from Windows users using ssh. However, it allows users from Linux servers to access it, even though only a specific IP is allowed access.
Guess you need to upgrade first.
Latest is still openssh-3.4p1.tar.gz.
Configs should be in /etc/ssh unless you mucked with the source.
If compiled with libwrap (TCP Wrappers), add a line (w/o quotes) to /etc/hosts.allow:
"ssh: <ip address allowed access from>"
You can tighten access more by adding the Deny(Users|Groups) and Allow(Users|Groups) directives to /etc/ssh/sshd_config, and block in the firewall as well.
OpenSSH has lots of vulnerabilities. Any other versions besides OpenSSH? Have you tried using ssh only?
Here are my sshd_config settings:
# This is ssh server systemwide configuration file.
Port 22
ListenAddress 0.0.0.0
HostKey /etc/ssh_host_key
RandomSeed /etc/ssh_random_seed
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts no
StrictModes yes
QuietMode no
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication yes
RhostsRSAAuthentication yes
# HostbasedAuthentication no
# AllowedAuthentications hostbased
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
UseLogin yes
# CheckMail no
# PidFile /u/zappa/.ssh/pid
# AllowHosts newbie.com
AllowHosts
# DenyHosts *
# Umask 022
# SilentDeny yes
How do I uninstall the ssh that was installed so I can install a different version of ssh?
Quote:
Why does ssh get its settings from "/etc" instead of "/etc/ssh2"? Where can I define this?
sshd -f <configfile>, also defined in your startup script /etc/rc.d/init.d/ssh(d?)
Quote:
any other versions besides openssh?
Only one or two commercial versions AFAIK.
Quote:
have you tried using ssh only?
What do you mean by this?
Quote:
How do I uninstall the ssh that was installed so
I can install a different version of ssh.
IIRC correct versions of glibc, libwrap and OpenSSL are needed before upgrading OpenSSH; check with your RPM tools.
If all goes well you can download and build the OpenSSH tarball, from which you can make an rpm to install.
Your sshd_config settings:
PermitRootLogin yes: insecure, set to "no"
IgnoreRhosts no: insecure, set to "yes"
RhostsAuthentication yes: insecure (sshv1), set to "no"
RhostsRSAAuthentication yes: insecure (sshv1), set to "no"
UseLogin yes: disables X forwarding
AllowHosts: won't work in sshv2: if compiled with libwrap use /etc/hosts.{deny,allow}
Btw, Red Hat's 6x releases haven't been the best in terms of security. Did you regularly check for upgrades?
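As an added example (not code from the thread), a small audit script that reads an sshd_config and flags exactly the directives the reply above calls insecure; SAMPLE_SSHD_CONFIG is a constructed sample holding the lines of the posted file that the reply comments on.

```python
# Added example (not from the thread): audit an sshd_config for the settings
# the reply above calls insecure.  SAMPLE_SSHD_CONFIG is a constructed sample
# holding the lines of the posted file that the reply comments on.
SAMPLE_SSHD_CONFIG = """\
# This is ssh server systemwide configuration file.
Port 22
PermitRootLogin yes
IgnoreRhosts no
RhostsAuthentication yes
RhostsRSAAuthentication yes
UseLogin yes
# AllowHosts newbie.com
AllowHosts
"""

# lower-cased keyword -> (value considered unsafe, or None for any occurrence;
# advice).  The advice mirrors the reply above.
CHECKS = {
    "permitrootlogin": ("yes", 'set to "no"'),
    "ignorerhosts": ("no", 'set to "yes"'),
    "rhostsauthentication": ("yes", 'sshv1 only, set to "no"'),
    "rhostsrsaauthentication": ("yes", 'sshv1 only, set to "no"'),
    "allowhosts": (None, "not honoured by sshv2; use /etc/hosts.{allow,deny}"),
}

def parse_sshd_config(text):
    """Yield (keyword, value) pairs, skipping comments and blank lines.
    The value is everything after the first whitespace run, as sshd reads it."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")

def audit(text):
    """Return 'Keyword value: advice' strings for each unsafe directive found.
    sshd keywords are case-insensitive, so the lookup is lower-cased."""
    findings = []
    for keyword, value in parse_sshd_config(text):
        check = CHECKS.get(keyword.lower())
        if check is None:
            continue
        unsafe_value, advice = check
        if unsafe_value is None or value.lower() == unsafe_value:
            findings.append(f"{keyword} {value}".strip() + f": {advice}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SSHD_CONFIG)))
```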
/etc/hosts.{allow,deny} should take lines like
<service name|ALL>: <IP addr/range|ALL (EXCEPT FROM addr/range)>
If it doesn't work, probably your sshd hasn't been compiled with TCP Wrappers support (-llibwrap iirc).
Sshd should run from a script in /etc/rc.d/init.d linked to your runlevel else you make managing checking/starting/stopping services hard on yourself. It should be in the rpm or the contrib dir of the tarball. If not it's quite easy to write one taking one of the scripts in /etc/rc.d/init.d as a template. If the script you wrote won't work, check for application locations, if the application config is readable/correct, if you provided all startup variables like config, if running the script command manually logs any errors, if running the script command manually with debug enabled logs any errors.
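To make the hosts.allow/hosts.deny behaviour above concrete, here is an added example (not from the thread) that decides access the way TCP Wrappers does per hosts_access(5): hosts.allow is searched first and a match grants access, then hosts.deny where a match denies, and a client matching neither file is allowed. It goes a little beyond the reply by handling the `ALL EXCEPT ...` operator in both the daemon and client lists, net/mask patterns and trailing-dot prefixes; the daemon name libwrap tests is the process name, hence `sshd` in the rules, and the two files and all addresses are constructed samples.

```python
# Added example (not from the thread): decide access for a client the way
# TCP Wrappers does per hosts_access(5): hosts.allow first (match grants),
# then hosts.deny (match denies), otherwise allowed.  Files are constructed.
import ipaddress

HOSTS_ALLOW = """\
# daemon_list : client_list   (sshd is the process name libwrap tests)
sshd: 192.168.1.10 10.0.0.
"""
HOSTS_DENY = """\
ALL EXCEPT sshd: ALL
sshd: ALL EXCEPT 192.168.2.0/255.255.255.0
"""

def parse_access_file(text):
    """Return (daemon_tokens, client_tokens) per rule; comments and blanks skipped."""
    rules = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) >= 2 and fields[0]:
            rules.append((fields[0].split(), fields[1].split()))
    return rules

def client_matches(pattern, ip):
    """One client pattern: ALL, exact address, net/mask, or a trailing-dot prefix."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # e.g. 192.168.2.0/255.255.255.0
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # e.g. 10.0.0. matches every 10.0.0.x
        return str(ip).startswith(pattern)
    return str(ip) == pattern

def list_matches(tokens, test):
    """Match a daemon or client list, honouring 'a b EXCEPT c d'."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], test) and not list_matches(tokens[i + 1:], test)
    return any(test(tok) for tok in tokens)

def access_allowed(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    daemon_ok = lambda tok: tok in ("ALL", daemon)
    client_ok = lambda tok: client_matches(tok, ipaddress.ip_address(client_ip))
    for daemons, clients in parse_access_file(allow_text):
        if list_matches(daemons, daemon_ok) and list_matches(clients, client_ok):
            return True
    for daemons, clients in parse_access_file(deny_text):
        if list_matches(daemons, daemon_ok) and list_matches(clients, client_ok):
            return False
    return True  # neither file matched: TCP Wrappers grants access
```

With the sample files, only the listed host, the 10.0.0.x block and the 192.168.2.0/24 carve-out reach sshd, and no other daemon is reachable at all.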
I have compiled ssh to use "tcp wrapper", e.g. "--with-libwrap".
However, after setting this in "hosts.allow" and "hosts.deny" it does not work. Should the settings also be included in "inetd.conf"?
FYI, in "sshd2_config" the setting "AllowHosts" works when configured.
I want to ensure that even connecting will return a message "Connection Failed" for IPs that are not allowed to connect.
Quote:
I have compiled ssh to use "tcp wrapper", e.g. "--with-libwrap". However, after setting this in "hosts.allow" and "hosts.deny" it does not work. Should the settings also be included in "inetd.conf"?
Doh. If you run sshd through xinetd it'll have its own way of denying access, like using TCP Wrappers. Dunno about inetd, though. It's old, less secure, deprecated. Adding a new version of ssh to your box may seem like false security, because the system supporting it stems from the time dinos walked the earth. Guess you never upgraded anything on that box?
Quote:
FYI, in "sshd2_config" the setting "AllowHosts" works when configured.
Guess you have to remove your old ssh binaries and configs and decide what conf to use.
Quote:
I want to ensure that even connecting will return a message "Connection Failed" for IPs that are not allowed to connect.
If you only have a few addresses that are allowed access to ssh, block the others through the firewall. If you did configure sshd to use TCP Wrappers and run it in standalone mode, it could use TCP Wrappers' banner function to present a message of your choice.