#21 framp (Linux Newbie) | Join Date: Jul 2006 | Location: Stuttgart, Germany | Posts: 240

    Quote Originally Posted by anomie
    The file to tweak on the client side (if you don't want to type in -p 123 or whatever..) is actually /etc/ssh/ssh_config.

    Code:
    man ssh_config
    for more info.

    sshd_config is for sshd configuration settings.

    anomie: You are right. All the config has to be done in the client config file ssh_config. I corrected the typos in my postings above.
    "Really, I'm not out to destroy Microsoft. That will just be a completely unintentional side effect." Linus Benedict Torvalds

#22 cuervo73 (Just Joined!) | Join Date: Apr 2006 | Posts: 47

    Re: My own ssh server

    malloy,

    What anomie said about the 5 things to do for security is entirely correct,
    particularly #4, use public key auth. If you do that, there will be no need to
    either use a non-standard port number or even restrict root logins. The sshd
    server will refuse to even talk to a client if they do not use PKA and have the
    correct public keys; it simply disconnects the session. Besides, "hiding" sshd
    by using another port usually doesn't thwart a good cracker from finding it.
    If you want to hide your servers, you should look into "port knocking"; that
    is a good cloaking technique.

    The only downside of using PKA alone is that if you use a computer lab or
    someone else's computer at work, you may not have the public keys for your
    home computer already installed, unless you keep them on a USB keyfob or
    memory stick, which you plug into the computer you currently use.

    And the suggestion to use tcp_wrapper blocks will not work if sshd does not
    run under the super-daemon inetd. Check the command line of the currently
    running server sshd and look to see if it uses the cmdline option -i. If so, then
    it is running as a child of inetd. Otherwise, the server was spawned
    from bootscripts and is running persistently.

    cuervo

#23 anomie (Linux Guru) | Join Date: Mar 2005 | Location: Texas | Posts: 1,692
    Quote Originally Posted by cuervo73
    and the suggestion to use tcp_wrapper blocks will not work if sshd does not
    run under the super-daemon inetd.

    Using hosts.allow/.deny should work on any modern distro, as tcp_wrappers support is now commonly compiled into sshd by default.

    For example, on my FC5 box:
    Code:
    [hector@troy ~]$ ldd /usr/sbin/sshd | grep 'libwrap.so'
            libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00a77000)
    If that command is returning a result (with libwrap.so), you can use tcp_wrappers with sshd. If not, then you won't be able to use tcp_wrappers with sshd directly.

#24 smolloy (Linux Guru) | Join Date: Apr 2005 | Location: CA, but from N.Ireland | Posts: 2,414
    A few days ago I verified that I could ssh back to this computer, and everything worked fine. Then I started locking down the security, and now the damn thing won't work!

    Here are the changes I made to /etc/ssh/sshd_config,
    Code:
    Port <a non-standard port>
    Protocol 2
    
    LogLevel VERBOSE
    
    AllowUsers ******  # Created a new user for this
    LoginGraceTime 1m
    PermitRootLogin no
    StrictModes yes
    MaxAuthTries 10
    
    RSAAuthentication yes
    PubkeyAuthentication yes
    PasswordAuthentication yes
    PermitEmptyPasswords no
    ChallengeResponseAuthentication yes
    UsePAM yes
    X11Forwarding no
    MaxStartups 6
    I also made a few changes to hosts.allow and hosts.deny,
    Code:
    # hosts.allow
    ssh : <my work IP>
    ssh : 192.168.
    Code:
    # hosts.deny
    ALL : ALL
    I have commented out the changes in hosts.allow and hosts.deny, but I still cannot ssh back home from work. It just hangs indefinitely after I enter the ssh command.

    Can anyone see my error?
    Registered Linux user #388328 || Registered LFS user #15880
    AMD 64 X2 4600+ :: 2X1GB DDR2 800 :: GeForce 9400 GT 512MB :: ASUS M2N32 Deluxe :: 4X250GB SATAII
    Need instant help? Try us on IRC -- #linuxforums on freenode

#25 anomie (Linux Guru) | Join Date: Mar 2005 | Location: Texas | Posts: 1,692
    Code:
    # hosts.allow
    ssh : <my work IP>
    ssh : 192.168.
    There are a couple of problems with this.

    1. It is sshd (not ssh).

    2. The directives need to be on one line.

    You might try to re-write something like:
    Code:
    # hosts.allow
    sshd : <my work IP> 192.168.
    Or you could be even more explicit with:
    Code:
    # hosts.allow
    sshd : <my work IP> 192.168.0.0/255.255.0.0
    I believe both are accepted notations. Also, one important thing to remember is to back up any config files before you start changing them. That way if you really mess things up (which I have done many times), you can just run a diff against the backup.

    e.g.
    Code:
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    and so on.
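A worked example of how tcp_wrappers would evaluate those hosts.allow lines, added here and not taken from the thread: a small Python model of the hosts_access decision (daemon list, the ALL wildcard, trailing-dot prefixes and net/mask notation; the parser handles only those forms) showing why the original `ssh : 192.168.` lines let `ALL : ALL` in hosts.deny win, and why the corrected `sshd :` line does not. The address 203.0.113.5 is a constructed placeholder for "<my work IP>".

```python
import ipaddress

# Added example, not the thread's or tcp_wrappers' own code: models daemon lists, ALL,
# trailing-dot prefixes ("192.168.") and net/mask notation; hostnames and EXCEPT are not modelled.

def client_matches(pattern, ip):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # prefix form, e.g. "192.168."
        return ip.startswith(pattern)
    if "/" in pattern:                             # net/mask form, e.g. "192.168.0.0/255.255.0.0"
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return ip == pattern                           # exact address

def parse_access(text):
    """Parse hosts.allow/hosts.deny text into (daemons, clients) rules, one rule per line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules

def any_rule_matches(rules, daemon, ip):
    """True if some rule names this daemon (or ALL) and one of its client patterns matches."""
    return any(
        (daemon in daemons or "ALL" in daemons) and any(client_matches(c, ip) for c in clients)
        for daemons, clients in rules
    )

def hosts_access(allow_text, deny_text, daemon, ip):
    """tcp_wrappers order: a hosts.allow match permits, then a hosts.deny match refuses, else permit."""
    if any_rule_matches(parse_access(allow_text), daemon, ip):
        return True
    if any_rule_matches(parse_access(deny_text), daemon, ip):
        return False
    return True

# Constructed inputs: the thread's hosts.deny, the original hosts.allow (wrong daemon name,
# two lines) and anomie's corrected single line; 203.0.113.5 stands in for "<my work IP>".
DENY = "ALL : ALL\n"
ORIGINAL_ALLOW = "# hosts.allow\nssh : 203.0.113.5\nssh : 192.168.\n"
FIXED_ALLOW = "# hosts.allow\nsshd : 203.0.113.5 192.168.0.0/255.255.0.0\n"
```

`hosts_access(ORIGINAL_ALLOW, DENY, "sshd", "192.168.1.20")` is refused because no allow rule names `sshd`, while the same call with `FIXED_ALLOW` is permitted.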

#26 anomie (Linux Guru) | Join Date: Mar 2005 | Location: Texas | Posts: 1,692
    Another thing - did you open a hole in your firewall for the correct port? Hanging on the connection is normally a symptom of a filtered port.

#27 smolloy (Linux Guru) | Join Date: Apr 2005 | Location: CA, but from N.Ireland | Posts: 2,414
    Thanks Anomie.

    It seems the problem was the way I configured the yast firewall. I set it to allow ssh connections and I entered the new ssh port number into Additional Allowed Ports: TCP Ports. This seemed to break a lot (my laptop uses this linux box as a firewall, and it stopped working), so I got rid of that.

    I now have it running on the standard port, but only allowing one user to log in, and that user must use public key authentication -- no passwords allowed. That's working for the moment, but I'd still like to figure out how to restrict access to one (non-standard) port, and how to open my firewall to just this port.

    I'll try your suggestions for hosts.allow, and see if this works.

    Thanks for helping, and thanks for following along with this!

#28 bigtomrodney (Linux Guru) | Join Date: Nov 2004 | Location: Ireland | Posts: 6,133
    There is an option in SUSE firewall to add specific ports, it's the button at the bottom of the setup dialog. Just add the ports you need under the relative type (TCP/UDP etc) and delimit the ports with a space.

#29 smolloy (Linux Guru) | Join Date: Apr 2005 | Location: CA, but from N.Ireland | Posts: 2,414
    Seems my ISP doesn't want to trust me with any other ports. Ah well, port 22 it is for the moment then.

    Security I have put in place on my ssh server:
    1. Only one specific user (with an unusual username) allowed to log in.
    2. Root is not allowed to log in.
    3. Passwords aren't used on login -- only pubkey authentication.
    4. My work domains and my internal network are in hosts.allow, and everyone else is in hosts.deny (which means I don't need to use denyhost, despite it looking like a very cool piece of software).
    5. Only protocol 2 allowed.
    6. Verbose logging, and a cronjob to dump any logs with 'ssh', 'security', or 'breakin' to my home directory every day.

    I'm starting to think I'm being a little too paranoid, but I want to make sure I did this right, and I already got a bit of a scare when I saw evidence for a couple of script kiddies bombarding me with hundreds of login attempts in the last couple of days.

    Can anyone see anything I've forgotten?
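As an added example (not from the thread), here is the kind of daily check that item 6 in the list above describes, done in Python over a few constructed sshd log lines in the syslog format LogLevel VERBOSE produces: it tallies failed logins per source address, records which usernames each source tried, lists the sources that cross a threshold, and separately notes accepted public-key logins so the one permitted user stays visible. Host name, addresses and the user name `homeuser` are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the syslog format sshd writes (LogLevel VERBOSE);
# host name, addresses and user names are made up for this example.
SAMPLE_LOG = """\
Jul 14 03:12:01 troy sshd[4321]: Invalid user admin from 198.51.100.9
Jul 14 03:12:01 troy sshd[4321]: Failed password for invalid user admin from 198.51.100.9 port 51234 ssh2
Jul 14 03:12:03 troy sshd[4325]: Failed password for invalid user oracle from 198.51.100.9 port 51240 ssh2
Jul 14 03:12:05 troy sshd[4329]: Failed password for root from 198.51.100.9 port 51251 ssh2
Jul 14 03:12:07 troy sshd[4333]: Failed password for invalid user test from 198.51.100.9 port 51260 ssh2
Jul 14 03:14:44 troy sshd[4340]: Failed password for invalid user guest from 203.0.113.77 port 3322 ssh2
Jul 14 08:30:12 troy sshd[4401]: Accepted publickey for homeuser from 192.168.1.5 port 40022 ssh2
Jul 14 09:02:55 troy sshd[4410]: Did not receive identification string from 203.0.113.77
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")

def summarize(log_text):
    """Tally failed logins per source, the user names each source tried, and accepted logins."""
    failures = Counter()
    users_tried = defaultdict(set)
    accepted = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[m["ip"]] += 1
            users_tried[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.append((m["user"], m["ip"], m["method"]))
    return failures, users_tried, accepted

def suspicious_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures, busiest first, with the names they tried."""
    failures, users_tried, _ = summarize(log_text)
    return [(ip, n, sorted(users_tried[ip]))
            for ip, n in failures.most_common() if n >= threshold]

def report(log_text, threshold=3):
    """Plain-text summary of the kind a daily cron job could drop into a home directory."""
    lines = [f"{ip}: {n} failures, tried {', '.join(users)}"
             for ip, n, users in suspicious_sources(log_text, threshold)]
    _, _, accepted = summarize(log_text)
    lines += [f"accepted {method} login for {user} from {ip}" for user, ip, method in accepted]
    return "\n".join(lines)
```

A real run would read `/var/log/secure` or `/var/log/auth.log` (depending on the distro) into `log_text` instead of the constructed sample.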

#30 bigtomrodney (Linux Guru) | Join Date: Nov 2004 | Location: Ireland | Posts: 6,133
    I'd say once you're using keys instead of passwords you'll be alright. Now the only trouble is emptying /var/log more often because of all of the attempts.
