I implemented an SSH connection from the outside to my intranet. This SSH requires a username and a password.
In terms of security, what is more secure: requiring authentication (username and password), or having the public key of each user that connects to our intranet in the
authorized public key lists (in this case there is no need for username and password)?
In the second case there is no need for authentication, and only the users which have the public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
I feel erroneously (?) secure after .host.denyed in.telnetd and
in.sshd from everywhere except one PC, which is denying all except
keyboard. I believe that if I can keep the hosts.deny and hosts.allow files
safe, and from time to time patch most actual security holes, I'll be
conditionally safe. Am I wrong? Probably I am.
I just can't imagine how a system can be cracked at a lower stage, so
that is my problem. I heard that inetd is very insecure, and some
people are using tcpd (or something that sounds like it).
I ran harden_suse, but was forced to answer no to 8/10, as my server
should provide a lot of public services, and have world-writable
directories as well. And that's right - this script was not developed
for systems like mine. However, I'll run the SuSE-firewall-3.0 script
to make my system even stronger. But that's all. I don't know what else I can
do. I should keep the following services open:
httpd; smtpd; pop3d; ftpd; snmpd; named; inetd; sshd; nscd.
So if you know how to keep them at minimal risk, or know of some holes in
those, I would be very grateful for any info and/or tips.
I don't ask you to do the work for me - a link to a good manual would be nice too.
By the way, I have SuSE 6.3 (2.2.13).
Thanks in advance.
Gediminas Grigas mailto:firstname.lastname@example.org
umm, I have a small problem.
When setting up our server, I tried to get the best security possible.
Maybe I changed some config-file to fit our needs to allow ssh-logins only
from specified users.(But I have no idea which file this was :-(( )
Now I want to allow another user to login using ssh.
I made ssh-keygen for this user, entered the password, copied identity.pub
to authorized_keys in the .ssh-directory.
But when trying to log in via ssh, the server sends permission denied.
What else must be done ?
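An added example, not part of the original post: a Python check for two things that can produce this "permission denied" even with a valid key in place, an AllowUsers/DenyUsers restriction and the StrictModes permission test. It assumes OpenSSH-style sshd_config keywords; audit_ssh_key_login, demo and the sample user names are hypothetical.

```python
import fnmatch
import os
import stat
import tempfile

def audit_ssh_key_login(user, home, sshd_config_text):
    """Return reasons sshd would refuse a key login for `user` (empty = none found)."""
    lists = {"allowusers": [], "denyusers": []}
    strict = True                                  # StrictModes defaults to "yes"
    for line in sshd_config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2:
            continue
        key, args = parts[0].lower(), parts[1:]    # keywords are case-insensitive
        if key in lists:
            lists[key] += args
        elif key == "strictmodes":
            strict = args[0].lower() != "no"
    def matches(patterns):
        # Simplification: only the user part of USER@HOST patterns is compared.
        return any(fnmatch.fnmatch(user, p.split("@")[0]) for p in patterns)
    findings = []
    if matches(lists["denyusers"]):
        findings.append("user matches DenyUsers")
    if lists["allowusers"] and not matches(lists["allowusers"]):
        findings.append("user not listed in AllowUsers")
    keyfile = os.path.join(home, ".ssh", "authorized_keys")
    if not os.path.isfile(keyfile):
        findings.append("authorized_keys missing")
    elif strict:
        # Among other checks, StrictModes refuses the key file when the home
        # directory, ~/.ssh or the file itself is group- or world-writable.
        for path in (home, os.path.dirname(keyfile), keyfile):
            if os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append("writable by group/other: " + os.path.relpath(path, home))
    return findings

def demo():  # constructed home directory and sshd_config text, built in a temp dir
    with tempfile.TemporaryDirectory() as root:
        ssh_dir = os.path.join(root, "newuser", ".ssh")
        os.makedirs(ssh_dir)
        keyfile = os.path.join(ssh_dir, "authorized_keys")
        with open(keyfile, "w") as fh:
            fh.write("constructed-public-key newuser@laptop\n")
        for path, mode in ((os.path.dirname(ssh_dir), 0o755), (ssh_dir, 0o775), (keyfile, 0o644)):
            os.chmod(path, mode)
        return audit_ssh_key_login("newuser", os.path.dirname(ssh_dir), "AllowUsers alice bob\n")

if __name__ == "__main__":
    print(demo())
```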
we just considered the following problem: Assume that
a file system (let's say home directories of users)
is exported from a server to some other computers
(like in every university for instance).
Now one comes with his laptop to the university,
plugs one computer off, gives his laptop the ip
of the unplugged computer and creates a user on
his laptop that exists in the university domain
with the identical name and id.
Now the file system is exported to his laptop, too,
because it has an ip from a university computer,
and then the faker should be able to read and write the
home directory of the user which he created,
because NFS does not check the passwords but only
the user id.
We tried that and it did work.
This is indeed a huge problem, because it looks
like we cannot prevent any student from doing this,
i.e. installing a user for instance with name and id
of a professor, and then having access to the professors
Has anyone any idea how to prevent this???
Can NFS be told to check passwords during mounting?
For example, rlogin would not work in the situation
constructed above because it would realize the user
having two different passwords.
But can NFS be told to do that?
Thx for any help!
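An added example, not part of the original post: the behaviour described above is NFS's AUTH_SYS security flavor, and this Python script lists the exports that still accept it. It assumes Linux exports(5) syntax with a sec= option; audit_exports and the sample hosts are hypothetical.

```python
import re

CLIENT_RE = re.compile(r"^([^()\s]+)(?:\(([^()]*)\))?$")

def audit_exports(exports_text):
    """Return (path, client, access) for every export that accepts AUTH_SYS.

    With AUTH_SYS (sec=sys, the default) the server uses the uid and gids the
    client puts in each request, so it never sees a password. root_squash
    only remaps uid 0 and does not change this for ordinary user ids.
    """
    weak = []
    for raw in exports_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        path, clients = fields[0], fields[1:]
        for client in clients:
            m = CLIENT_RE.match(client)
            if not m:
                continue                      # not host(options) syntax; skipped
            host, opts = m.group(1), (m.group(2) or "").split(",")
            flavors = ["sys"]                 # default when no sec= is given
            for opt in opts:
                if opt.startswith("sec="):
                    flavors = opt[4:].split(":")
            if "sys" in flavors:
                weak.append((path, host, "rw" if "rw" in opts else "ro"))
    return weak

# Constructed sample in Linux exports(5) syntax; addresses are documentation ranges.
SAMPLE_EXPORTS = """\
/home        192.0.2.0/24(rw,root_squash)
/home/staff  *.example.edu(rw,sec=krb5p) 192.0.2.10(rw,sec=sys:krb5)
/pub         *(ro)
"""

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print("trusts client-supplied uid:", finding)
```

Exports restricted to the Kerberos flavors (krb5, krb5i, krb5p) make the server authenticate each user cryptographically instead of trusting the uid sent by the client machine.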
Today I downloaded CGI-scanner and scanned
my PC (SuseLinux 6.0). The scanner found only one
Searching for test-cgi : Found!!
Can somebody tell me how this bug works
and what a cracker would do to gain access?
And how can I fix this bug?
On Thu, 29 Jul 1999 17:39:03 +0100 (IST) Eric Mosley <ericm(a)iol.ie>
>I recently ran nessus and it gave me some information like this ...
>On this machine, there is an X11-Server that grants access
>without authentification. That means a hacker is able to sniff
>every keystroke that is typed on the X11-Server (or get a copy of the
>Solution: use MIT-Cookies, xauth.
>How do I get rid of this and still use X11. Is using MIT-Cookies, xauth a
>real big change??
>Also, can I comment out in inetd.conf telnet shell and login and still
>start a new xterm?
>Thanks for your thoughts,
If you don't need or want to export your x server to any other machines,
I think you can configure xhost to not accept any connections at port
6000 from anywhere other than the localhost. I did that with my suse 6.1
box, and I no longer get an open port 6000 in any scans I do (nessus,
nmap, etc.). Look at man xhost.
I'm not positive, but with this setup, a box will not be compromised
*because* of X, but could be manipulated to set up X to export. Course,
at that point, the box is already compromised anyway...
I recently ran nessus and it gave me some information like this ...
On this machine, there is an X11-Server that grants access
without authentification. That means a hacker is able to sniff
every keystroke that is typed on the X11-Server (or get a copy of the
Solution: use MIT-Cookies, xauth.
How do I get rid of this and still use X11. Is using MIT-Cookies, xauth a
real big change??
Also, can I comment out in inetd.conf telnet shell and login and still
start a new xterm?
Thanks for your thoughts,
SuSE 6.0 provides a solution for MIT-Cookies in conjunction with
startx almost out of the box. one just has to find (!) and activate it.
from /etc/skel/.xserverrc.secure (in package aaa_skel-98.12.10-0.rpm):
# move this file to ~/.xserverrc, if you don't want to allow
# everybody to get access to your X-Server
copying /etc/skel/.xserverrc.secure to /usr/X11R6/lib/X11/xinit/xserverrc
instead of to ~/.xserverrc enables MIT-Cookies for all users of the system.
(SuSE: why not doing this in the default installation?)
btw: there is a startx-related local security issue.
when you fire up X11 using startx, xlock the screen and walk away, someone
with access to the keyboard could just switch back to the text console,
background the startx process, kill the xlock process and thus gain full
access to your Xsession. this can be prevented by using something like
(startx &); exit
instead of startx.
Arbeitsbereich Funktionalanalysis // Mathematisches Institut // Uni Tuebingen
+49 7071 29-78566
I just recently upgraded my suse6.1 with the 2.2.5 kernel to 6.1 with
the 2.2.7 kernel, and was wondering if there are any major security flaws
with it? I was using rh6.0 and was getting hacked all the time, so I got
smarter and switched to suse and haven't been hacked yet....I just hope
that suse6.2 doesn't become bloated like rh6 did and increase their price
on it if I order online or purchase it in the store?
Be sure to stop by irc-2.mit.edu:6667 #linux and say hey to everyone.
For those who still use rh, version 5.2 with the 2.2.9 kernel is pretty
good and secure......L8tr