Page 2 of 4 (results 11 to 20 of 33)
#11 smolloy (Linux Guru; joined Apr 2005; CA, but from N.Ireland; 2,414 posts)

    That sounds like really good advice anomie, thanks.

    I just checked that I could get ssh working (ssh from this machine into work, and then back again), and it worked. Now I need to look at the security aspect of things. I'll set up all the things you advised in sshd_config, but I was wondering if I need to do a lot of work with the firewall (iptables)?

    I can configure the SUSE YAST firewall so that it only allows SSH connections, but will this be sufficient? Should I resign myself to learning the details of iptables?

    If I'm using a non-standard port (as bigtom suggested), then will the SUSE firewall even work? In other words, does the SUSE firewall expect incoming SSH connections to be on a specific port (22 I think)?

    Thanks for all your help so far guys -- you've been great.
    Registered Linux user #388328 || Registered LFS user #15880
    AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
    Need instant help? Try us on IRC -- #linuxforums on freenode

#12 smolloy (Linux Guru; joined Apr 2005; CA, but from N.Ireland; 2,414 posts)
    Hmmmmm......

    I have,
    Code:
    AllowUsers smolloy
    PermitRootLogin no
    in /etc/ssh/sshd_config, but somehow I can still ssh in as root.

    What am I missing?

#13 anomie (Linux Guru; joined Mar 2005; Texas; 1,692 posts)
    As for the iptables question, it's probably worth learning just so that you can take advantage of how flexible it is in the future (for other tasks as well). I found what looks to be a pretty good tutorial here: http://iptables-tutorial.frozentux.n...-tutorial.html

    Your rule will wind up being added something like:
    Code:
    # -p tcp is required for --dport to be accepted by iptables
    iptables -A INPUT -p tcp -s 192.168.1.1 --dport 22 -j ACCEPT
    Which means: Accept into the INPUT chain a connection to local tcp port 22, if it originated from source IP 192.168.1.1. (You'll want to replace the port with your real sshd port, and the IP with the IP you want to be able to ssh in from.)

    The downside to this is iptables is not exactly simple. And I don't know how to add rules like this to SFW2 (I haven't used suse in a very long time).

    As an alternative, you could open your sshd port using YaST, and then add rules to /etc/hosts.allow like so:
    Code:
    # allow sshd from the one trusted address, refuse everything else
    sshd : 192.168.1.1 : ALLOW
    ALL : ALL : DENY
    Which means: Allow connections to sshd from source IP 192.168.1.1, and deny everything else from external IPs to all other services. This uses the tcp_wrappers facility.

    Pros and cons? Using iptables, you will not show up on any port scans, unless you've explicitly allowed access in an INPUT chain rule. Using tcp_wrappers, you will show up on port scans, but they still will not be able to establish a connection with sshd (on their end, they receive a message "Connection closed by remote host", before they are able to authenticate).

    I've used both methods in different scenarios.

    Quote Originally Posted by smolloy
    in /etc/ssh/sshd_config, but somehow I can still ssh in as root.

    What am I missing?
    Assuming that you removed the comment (#) from the start of those lines before changing them, remember to restart (or reload) the sshd service so that the /etc/ssh/sshd_config file changes take effect.
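    Added shell example, not anomie's code or anything from the thread: the single ACCEPT rule above only keeps sshd off port scans if the INPUT chain's default policy is DROP and reply traffic is still let in, so this script emits that full minimal rule set for one trusted address. The port 2222, the address 192.168.1.1 and the APPLY switch are placeholders/assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Emits (or, with APPLY=1 as root, runs)
# a minimal INPUT policy: only SRC may open a TCP connection to PORT, every
# other unsolicited inbound packet is dropped. Port/address are placeholders.

valid_port() {                 # 1..65535, digits only
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

ssh_only_rules() {             # usage: ssh_only_rules PORT SRC
    valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
    cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s $2 --dport $1 -m state --state NEW -j ACCEPT
iptables -P INPUT DROP
EOF
}
# Order matters: the ESTABLISHED rule is loaded before the policy flips to
# DROP, so a session you run this over is not cut. The DROP policy is what
# makes every other port silent to a scan; the ACCEPT line alone does not.

ssh_only_apply() {             # runs each emitted command, stops on first failure
    ssh_only_rules "$1" "$2" | while IFS= read -r cmd; do
        $cmd || exit 1
    done
}

if [ "${APPLY:-0}" = 1 ]; then
    ssh_only_apply 2222 192.168.1.1
else
    ssh_only_rules 2222 192.168.1.1    # print for review before applying
fi
```

    Run it without APPLY first and check the emitted lines, and keep a console or a second session open the first time the policy is applied.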

#14 framp (Linux Newbie; joined Jul 2006; Stuttgart, Germany; 240 posts)
    6) Block invalid access requests with denyhost
    "Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Benedict Torvalds

#15 smolloy (Linux Guru; joined Apr 2005; CA, but from N.Ireland; 2,414 posts)
    Thanks again guys -- this is all really good stuff. That tutorial looks a little intimidating, but it seems to have a lot of good stuff in it, so I guess I'll see if I can make sense of it.

    [EMBARRASSED] I only thought of restarting the ssh service hours later, but thanks for pointing that out! [/EMBARRASSED]

    Questions on using non-standard ports:
    To do this I,
    1/ Set the Port variable in sshd_config to be something in the range of 49152 -> 65535, so that sshd will only listen on that port.
    2/ Then I configure the firewall with an IPtables rule that uses this new port number.

    Is this correct?
    To ssh into a machine that is using a non-standard port, do I need to include the port number in the ssh command? (i.e. ssh smolloy@xxx.xxx.xxx.xxx:newportnumber)?

    Sorry for the endless list of questions, but I've learnt an awful lot from your answers, and I'm finding this all really interesting.

    Thanks again.
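    The two sshd_config pitfalls raised in #13 (a directive still commented out, so the change never took effect) and #15 (which Port sshd will actually listen on), as an added shell example that is not from the thread: it reports the value sshd really uses for a keyword. The sample file is constructed and port 50022 is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread. Prints the value sshd will really use
# for a keyword: a line starting with '#' is a comment (so "#PermitRootLogin no"
# changes nothing), keywords are case-insensitive, the FIRST uncommented
# occurrence wins (later duplicates are ignored), and settings after the
# first "Match" line are conditional, so they are not counted here either.
# sshd's built-in default is passed as $3 (PermitRootLogin defaulted to "yes"
# before OpenSSH 7.0 and to "prohibit-password" since).

effective_setting() {   # usage: effective_setting FILE KEYWORD [DEFAULT]
    awk -v key="$2" -v def="${3:-(default)}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }          # END still runs after exit
        !found && tolower($1) == tolower(key) {
            val = $2
            for (i = 3; i <= NF; i++) val = val " " $i
            found = 1
        }
        END { print (found ? val : def) }' "$1"
}

# Constructed sshd_config fragment reproducing the mistake in post #12
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#Port 22
Port 50022
#PermitRootLogin no
AllowUsers smolloy
EOF
echo "Port:            $(effective_setting "$SAMPLE" Port 22)"
echo "PermitRootLogin: $(effective_setting "$SAMPLE" PermitRootLogin yes)"
echo "AllowUsers:      $(effective_setting "$SAMPLE" AllowUsers)"
rm -f "$SAMPLE"
```

    On OpenSSH 5.1 and later, `sshd -T` dumps the effective configuration directly and `sshd -t` checks the file for syntax errors before a restart; the function above is for older hosts and for reading a copied config offline.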

#16 anomie (Linux Guru; joined Mar 2005; Texas; 1,692 posts)
    To answer your questions:
    1. It does not have to be in that range (but it certainly can be if you'd like).
    2. You can use an iptables rule or, I believe, just let YaST / SFW2 open that port.

    Quote Originally Posted by smolloy
    To ssh into a machine that is using a non-standard port, do I need to include the port number in the ssh command?
    You can use something like
    Code:
    ssh smolloy@xxx.xxx.xxx.xxx -p 123
    There may be other acceptable notations explained in the ssh manpages.

#17 framp (Linux Newbie; joined Jul 2006; Stuttgart, Germany; 240 posts)
    Quote Originally Posted by smolloy
    To ssh into a machine that is using a non-standard port, do I need to include the port number in the ssh command? (i.e. ssh smolloy@xxx.xxx.xxx.xxx:newportnumber)?
    Should be smolloy@xxx.xxx.xxx.xxx -p newportnumber.
    Or you create a file called ~/.ssh/config or /etc/sshd/ssh_config which has the right statements to use port newportnumber every time a connection to xxx.xxx.xxx.xxx is started. See man ssh_config for details (host and port statements). Then -p portnumber is not needed.

    <EDIT>Corrected typo: Changed sshd_config to ssh_config. Thx anomie </EDIT>

#18 smolloy (Linux Guru; joined Apr 2005; CA, but from N.Ireland; 2,414 posts)
    Thanks guys.

    The reason I thought that the IP address had to be in that range was due to this website. I thought that it would be safer to use ports classified as "Dynamic and/or Private Ports" so that I didn't conflict with some other service.

    framp are those configurations to be done on my desktop (the server) or on the computer I am dialing in from?

    I guess I'll go RTFM now (as I should)!

#19 framp (Linux Newbie; joined Jul 2006; Stuttgart, Germany; 240 posts)
    Quote Originally Posted by smolloy
    framp are those configurations to be done on my desktop (the server) or on the computer I am dialing in from?
    They have to be done on the client you use to log on with ssh.

#20 anomie (Linux Guru; joined Mar 2005; Texas; 1,692 posts)
    The file to tweak on the client side (if you don't want to type in -p 123 or whatever..) is actually /etc/ssh/ssh_config.

    Code:
    man ssh_config
    for more info.

    sshd_config is for sshd configuration settings.
