Hi!
I implemented an ssh connection from the outside to my intranet. This ssh requires a username and a password.
In terms of security, which is more secure: requiring authentication (username and password), or having the public key of each user that connects to our intranet in the authorized public key list (in this case there is no need for username and password)?
In the second case there is no need for authentication, and only the users which have the public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
Thanks.
--
Farewell.
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
João Reis
-------------------------------------------------------
Hello there,
I feel erroneously (?) secure after hosts.deny-ing in.telnetd and
in.sshd from everywhere except one PC, which is denying all except
keyboard. I believe that if I can keep the hosts.deny and hosts.allow files
safe, and from time to time patch the most current security holes, I'll be
conditionally safe. Am I wrong? Probably I am.
I just can't imagine how a system can be cracked at a lower stage, so
that is my problem. I heard that inetd is very insecure, and some
people are using tcpd (or something that sounds like it).
I ran harden_suse, but was forced to answer no to 8/10, as my server
should provide a lot of public services, and have world-writable
directories as well. And that's right - this script was not developed
for systems like mine. However, I'll run the SuSE-firewall-3.0 script
to make my system even stronger. But that's all. I don't know what else I can
do. I should keep the following services open:
httpd; smtpd; pop3d; ftpd; snmpd; named; inetd; sshd; nscd.
So if you know how to keep them at minimal risk, or know of some holes in
those, I would be very grateful for any info and/or tips.
I don't ask you to do the work for me - a link to a good manual would be nice too.
By the way, I have SuSE 6.3 (2.2.13).
Thanks in advance.
Sincerely Yours,
Gediminas Grigas mailto:gedas@kryptis.lt
-------------------------------------------------------
Hi folks,
umm, I have a small problem.
When setting up our server, I tried to get the best security possible.
Maybe I changed some config file to fit our needs, to allow ssh logins only
from specified users. (But I have no idea which file this was :-(( )
Now I want to allow another user to log in using ssh.
I ran ssh-keygen for this user, entered the password, and copied identity.pub
to authorized_keys in the .ssh directory.
But when trying to log in via ssh, the server sends permission denied.
What else must be done?
TIA
---Stephan
-------------------------------------------------------
Hi all,
I have been portscanned a number of times recently by the same computer. I've
used a combination of nslookup and finger and have the name of the culprit. It
is being dealt with.
This has prompted me to look even more closely at my firewalling. Ports <1024
are OK, as they are totally blocked, but those >1023 are pretty much open.
Although virtually every single service is commented out in inetd.conf, I still
want to block and log any connect attempts to 'special' ports.
At the moment, these are the high numbered ports I block:
1433 Microsoft SQL
2049 NFS
5432 PostgreSQL
5999:6010 X-Windows
7100 X Font Server
12345:12346 NetBus
31337 Back Orifice
I was having a look at the high numbered ports that he was scanning, and was
wondering what the significance of these ports was (I couldn't see anything in
/etc/services). By the way, the following are the high numbered ports that he
tried to scan; any ideas what they are used for?
5190
5191
5192
5193
5631
5632
5800
5900
8000
8010
8080
9100
25867
31787
33333
And finally, are there any other high numbered ports that you think could be
potentially damaging (eg webmin - which port is that on)? Even if I'm not
running that service, I would still like to know which ones pose a security
threat so that I can block them anyway (in case I'm playing and start webmin,
for example, without realising it).
Is it generally considered safe to open up most high numbered ports? What do
the people on these lists do? Do you close them all and open some, or open all
and close some (all meaning all ports >1023)?
One last question - I keep on coming around to this one every so often. If
someone wants to connect to me using ICQ, they connect to a port >1023. I am
assuming that ICQ doesn't have a daemon or anything listening on every possible
port, so how does it know when another ICQ user is trying to connect? This
isn't an ICQ specific question - I'm just using it as an example - it could
apply to any remotely opened connection to a port >1023. How is this handled
(how does the computer know whether ICQ should handle the connect attempt or
whether it should be handled by some other process)?
Thanks in advance,
Chris
--
__ _
-o)/ / (_)__ __ ____ __ Chris Reeves
/\\ /__/ / _ \/ // /\ \/ / ICQ# 22219005
_\_v __/_/_//_/\_,_/ /_/\_\
-------------------------------------------------------
Hi everybody,
There has been a lot of talk about portscans.
What utility are you using to detect a portscan? Do I NEED a firewall before
I can detect a portscan on the machine?
Could someone please point me to a utility / package to simply detect such
a portscan and send a mail to me (the Network Admin)?
thanks,
Stefan Becker
LUFA Speyer
becker(a)lufa-sp.vdlufa.de
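A minimal version of the detection Stefan asks about, as an added example that is not part of the original post: it flags a source that tries many different ports within a short window, reading connection attempts that something else (a packet filter or TCP wrapper, which is an assumption here) has already logged. The log format, the window and threshold values, and the sample lines (which reuse some of the ports listed earlier in this thread) are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # assumption: how far back to look, per source
PORT_THRESHOLD = 5    # assumption: distinct ports in the window that count as a scan

# Constructed sample input, one logged connection attempt per line:
# "<unix time> <source address> <destination port>" (hypothetical format).
SAMPLE_LOG = """\
1000 192.0.2.10 5190
1001 192.0.2.10 5191
1001 198.51.100.7 8080
1002 192.0.2.10 5192
1003 192.0.2.10 5193
1003 198.51.100.7 8080
1004 192.0.2.10 5631
1005 192.0.2.10 5632
garbled line from a truncated log
1000 203.0.113.5 5800
1060 203.0.113.5 5900
1120 203.0.113.5 8000
1180 203.0.113.5 8010
1240 203.0.113.5 9100
""".splitlines()

def parse(line):
    """Return (time, source, port), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 3 or not (parts[0].isdecimal() and parts[2].isdecimal()):
        return None
    port = int(parts[2])
    return (int(parts[0]), parts[1], port) if 0 < port < 65536 else None

def detect_scans(lines, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Map each scanning source to the sorted ports it probed."""
    recent = defaultdict(deque)   # source -> (time, port) pairs still in the window
    flagged = defaultdict(set)
    for ts, src, port in filter(None, map(parse, lines)):
        hits = recent[src]
        hits.append((ts, port))
        while ts - hits[0][0] > window:      # drop attempts older than the window
            hits.popleft()
        ports = {p for _, p in hits}
        if len(ports) >= threshold:          # many different ports, not many retries
            flagged[src] |= ports
    return {src: sorted(ports) for src, ports in flagged.items()}

def report(flagged):
    # One alert line per source, usable as the body of a mail to the admin.
    return [f"possible portscan from {src}: ports {ports}" for src, ports in sorted(flagged.items())]
```

With the default window only 192.0.2.10 is reported; the repeated hits on one port and the slow probe from 203.0.113.5 are not, which is the trade-off a short window makes.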
-------------------------------------------------------
> Right. But, as my log files show, in many cases an attack follows the port
> scan.
>
> I _always_ contact the gateway admin if I find a port scan, and, in some cases,
> they find out that somebody intruded in their systems.
>
> So I think it is helpful to inform admins about port scans that come from their
> systems. It's one way to avoid attacks followed by port scans.
>
> Regards,
>
> Martin
-------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Announcement of new security tools from SuSE
______________________________________________________________________________
Please note that we provide this information on an "as-is" basis only.
There is no warranty whatsoever and no liability for any direct, indirect or
incidental damage arising from this information or the installation of
the update package.
_____________________________________________________________________________
Tools developed by SuSE (all open source) and included in SuSE 6.3 :
SuSE FTP Proxy - The first program of the SuSE Proxy Suite.
A secure FTP proxy with support for SSL, LDAP, command
restriction, active and passive FTP support, and much more.
RPM: fwproxy.rpm, fwproxys.rpm (SSL - not in the US version)
SuSE Firewall - The new firewall script from SuSE, rewritten from scratch.
Autodetection of interface information, masquerading,
autoprotection of services, protection from internal
networks, fail-close design and easy to configure.
RPM: firewals.rpm
Harden SuSE - A special script for hardening a SuSE Linux 5.3 - 6.3.
By answering 9 questions, the system is reconfigured very
tightly. e.g. disabling insecure network services, removing
suid/sgid/world-writable permissions which are not critical.
RPM: hardsuse.rpm
SuSE Secumod - This loadable kernel module enhances the security of the
system by adding a symlink/hardlink/pipe protection,
procfs protection, trusted path execution and capabilities.
RPM: secumod.rpm
SuSE Secchk - These are cron scripts which run daily, weekly and monthly
to check the security of the system and compare them to the
last run.
RPM: seccheck.rpm
Yast-1 - New administration menu for setting password aging,
authentication fail delay and logging of logins + failures.
RPM: yast.rpm
SuSE auditdisk - Please note that this tool is in beta phase!
This tool generates a bootdisk with checksum data and all
binaries etc. needed to automatically verify file checksums
upon booting. This way it can't be subverted by lkm's like a
standard e.g. tripwire installation.
WWW: http://www.suse.de/~marc - not included on SuSE 6.3 yet
Watch out for updates of these tools on our WWW or FTP update sites.
Although these are tools developed by SuSE, they (should) work on any Linux
distributions with little problems.
New tools included in the SuSE Linux distribution (not created by SuSE):
FreeS/WAN - IPSEC implementation to build secure VPN tunnels via public
networks.
RPM: freeswan.rpm (not in the US version)
GNU Privacy Guard - A free pgp-like tool for secure (not limited to email)
communication. Frontends are also included.
RPM: gpg (not in the US version)
Nessus - A very good network security scanner!
RPM: nessus
plus tmpwatch, arpwatch, plug, sslwrap, the newest nmap and more.
"Old" packages include: john, saint, cipe, pgp, scanlogd, ssh, tripwire, etc.
______________________________________________________________________________
General information on SuSE Linux:
http://www.suse.com
You can find updates on our ftp-Server:
ftp://ftp.suse.com/pub/suse/i386/update for Intel processors
ftp://ftp.suse.com/pub/suse/axp/update for Alpha processors
or try the following web pages for a list of mirrors:
http://www.suse.com/ftp_new.html
Our webpage for patches:
http://www.suse.de/en/support/download/updates/
Our webpage for security announcements:
http://www.suse.de/security
If you want to report vulnerabilities, please contact
security(a)suse.de
______________________________________________________________________________
SuSE has got two free security mailing list services to which any
interested party may subscribe:
suse-security(a)suse.com - moderated and for general/linux/SuSE
security discussions. All SuSE security
announcements are sent to this list.
suse-security-announce(a)suse.com - SuSE's announce-only mailing list.
Only SuSE's security announcements are sent
to this list.
To subscribe to the list, send a message to:
<suse-security-subscribe(a)suse.com>
To remove your address from the list, send a message to:
<suse-security-unsubscribe(a)suse.com>
Send mail to the following for info and FAQ for this list:
<suse-security-info(a)suse.com>
<suse-security-faq(a)suse.com>
_____________________________________________________________________________
This information is provided freely to everyone interested and may
be redistributed provided that it is not altered in any way.
Type Bits/KeyID Date User ID
pub 2048/3D25D3D9 1999/03/06 SuSE Security Team <security(a)suse.de>
-------------------------------------------------------
Does anyone know if PGP works with Netscape's Messenger? I was at
the pgp site and it listed a lot of mail clients, no Netscape.
--
mailto:scott.mceachern@sympatico.ca
On the side of the software box, in the "System requirements section",
it said "Requires Windows 95 or better." So I installed Linux.
-------------------------------------------------------
Hi,
> Yummy, now these tools sound nice :) Especially the proxy suite. What
> is the ambition here? A "new FWTK"? We could really use one (i.e. FWTK
> is getting old).
new secure proxies, which will replace most stuff of the fwtk
> > SuSE FTP Proxy - The first program of the SuSE Proxy Suite.
> > A secure FTP proxy with support for SSL, LDAP, command
> > restriction, active and passive FTP support, and much more.
> > RPM: fwproxy.rpm, fwproxys.rpm (SSL - not in the US version)
>
> Which bugs/exploits does this check for?
almost everything. you can configure very much
> Also, is there an ML that contains *only* security announcements &
> alerts (no posting from third parties)? If not, would you consider
> making one, as this ML contains a bit too much "off-topic" discussion
> when surfing on a cell phone?
ever heard of suse-security-announce? send an email to
suse-security-announce-subscribe(a)suse.com
it was created when suse-security was created ....
Greets,
Marc
--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc(a)suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
-------------------------------------------------------
Hi,
> Is there a possibility to get these packages as poor 6.{0,1,2} user
> without having to buy the new distribution?
>
> If it is open source, please place the srpms or rpms somewhere where
> we can find them!
1) You can find them on the CDs ;-)
2) You will find them on the ftp server once the distribution is placed
there. I don't know when this will happen, I think somewhere in December.
3) You can find most of the tools at http://www.suse.de/~marc
4) the FTP-Proxy (which is really cool!) can be found at
http://proxy-suite.suse.de
Greets,
Marc
--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc(a)suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
-------------------------------------------------------
>
>When I install SuSE my passwd file has a lot of users, like dbmaker and so on. How can I know these users' passwords?
>Best regards.
>
to increase the system-security set the shell of this user to "/bin/false"