I implemented an ssh connection from the outside to my intranet. This ssh requires a username and a password.
In terms of security, what is more secure: requiring authentication (username and password), or having the public key of each user that connects to our intranet in the authorized public key list (in this case there is no need for username and password)?
In the second case there is no need for authentication and only the users who have their public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
I feel erroneously (?) secure after hosts.deny'ing in.telnetd and
in.sshd from everywhere except one PC, which is denying all except
keyboard. I believe that if I can keep the hosts.deny and hosts.allow files
safe, and from time to time patch the most current security holes, I'll be
conditionally safe. Am I wrong? Probably I am.
I just can't imagine how a system can be cracked at a lower stage, so
that is my problem. I heard that inetd is very insecure, and some
people are using tcpd (or something that sounds like it).
I run harden_suse, but was forced to answer 8/10 with no, as my server
should provide a lot of public services, and have world-writable
directories as well. And that's right - this script was developed not
for systems like mine. However, I'll run the SuSE-firewall-3.0 script,
to make my system even stronger. But that's all. I don't know what else I
can do. I should keep the following services open:
httpd; smtpd; pop3d; ftpd; snmpd; named; inetd; sshd; nscd.
So if you know how to keep them at minimal risk, or know some holes in
those, I would be very grateful for any info and/or tips.
I don't ask you to do the work for me - a link to a good manual would be nice too.
By the way, I have SuSE 6.3 (2.2.13).
Thanks in advance.
Gediminas Grigas mailto:firstname.lastname@example.org
Umm, I have a small problem.
When setting up our server, I tried to get the best security possible.
Maybe I changed some config file to fit our needs, to allow ssh logins only
from specified users. (But I have no idea which file this was :-(( )
Now I want to allow another user to log in using ssh.
I ran ssh-keygen for this user, entered the password, and copied identity.pub
to authorized_keys in the .ssh directory.
But when trying to log in via ssh, the server sends permission denied.
What else must be done?
Does anyone know if PGP works with Netscape's Messenger? I was at
the PGP site and it listed a lot of mail clients, but no Netscape.
On the side of the software box, in the "System requirements section",
it said "Requires Windows 95 or better." So I installed Linux.
Gerhard Sittig <Gerhard.Sittig(a)gmx.net> writes:
> This is usually referenced from the remote host back to you when
> you relay mail there. Is there smtp traffic in company with these
> events? You might want to log them for investigation.
It happens when I open an ssh connection to the web server. Then, the
server tries to connect back to my workstation's port 113.
But I guess it's not wise just to open external connects to port 113
of all workstations I do ssh from?
Also, another thing: ssh did not work until I permitted connects from
the server's ssh port to my workstations. First, I just permitted
traffic from my workstations' ssh port to the server (as does the
SuSE firewall script), but then it won't connect. Is this normal?
Has anyone been able to use the masquerading & firewalling scripts that
appeared in SuSE 6.2 (6.1??)? I've configured the MSQ_* variables in yast and
then issued /etc/rc.d/masquerade; the script runs, but NO masquerading is
active. (For example /etc/rc.d/masquerade status shows empty masquerading
I don't want to start learning ipchains now, since it will be once again
discontinued (sp?) on kernel 2.4 :-)
Tiago Pascoal (l41484(a)alfa.ist.utl.pt) FAX : +351-1-7273394
Politically incorrect, and (not very) prominent member of the lousy generation.
Newly sworn-in (conscripted) citizen of the banana republic.
Stewart's Law of Retroaction:
It is easier to get forgiveness than permission.
Scenario: I have set PortSentry up to determine when I am being
scanned (I find it more sensitive to some scans than scanlogd).
In addition to logging the port scan, it is set up to drop the
route between myself and the scanner via
"/sbin/route add -host [IP address] reject".
I have no problem with this, -except-, when I go to add the
route again (as I had to do recently with my ISP when they
scanned this IP block for open servers), I get a double entry
in the routing table (see below).
I re-add the address using route add -host [IP Address] eth0 and
it is added back to the table and marked as being up and
accessible. However, the original rejected route is still there.
When I go to delete this, it deletes the address I just entered,
and then gives an error if I attempt to delete it again. This is
not causing any problems, but I would like to remove the
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
ch1.hfxcable.co * 255.255.255.255 UH 0 0 0 eth0
ch1.hfxcable.co - 255.255.255.255 !H 0 - 0 -
u25n100.hfx.and * 255.255.255.255 UH 0 0 0 eth0
u25n100.hfx.and - 255.255.255.255 !H 0 - 0 -
gconron(a)hfx.andara.com - email
(902) 443-4562 - voicemail
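As an added example (not part of the post above), a small sh/awk helper that reads route-table text, constructed here from the table in the post plus one extra line, finds every destination that has both a live host route (flags UH) and a leftover PortSentry reject route (flags !H), and prints the net-tools command that removes only the reject entry; it assumes that `route del` accepts the `reject` keyword the same way `route add` does.

```shell
#!/bin/sh
# Added example, not from the original post. Sample routing table
# constructed from the post; the 10.0.0.9 line is added to show a
# destination that has only a reject route and must be left alone.
ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
ch1.hfxcable.co * 255.255.255.255 UH 0 0 0 eth0
ch1.hfxcable.co - 255.255.255.255 !H 0 - 0 -
u25n100.hfx.and * 255.255.255.255 UH 0 0 0 eth0
u25n100.hfx.and - 255.255.255.255 !H 0 - 0 -
10.0.0.9 - 255.255.255.255 !H 0 - 0 -'

# Print "route del -host DEST reject" for each destination that has
# both a UH entry and a !H entry. Output is sorted so it is stable.
duplicate_reject_routes() {
    printf '%s\n' "$1" | awk '
        NR > 2 && $4 == "UH" { up[$1] = 1 }
        NR > 2 && $4 == "!H" { rej[$1] = 1 }
        END {
            for (d in rej)
                if (d in up) print "route del -host " d " reject"
        }' | sort
}

# Stand-alone run: show the cleanup commands for the sample table.
duplicate_reject_routes "$ROUTES"
```

Without the `reject` keyword, `route del -host DEST` matches the first entry for that destination, which is the live one the poster had just re-added.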
I have a Red Hat 5.2 firewall between my Mediaone/Roadrunner cable modem
and my home network hub. I would like to convert it to SuSE. Does SuSE
6.2 come with the proper packages/kernel for two NICs, especially if
they are the same model? Does it include ipfwadm or ipchains? If not,
can I use regular RPMs from RPMFIND for that? Does it use dhcpcd or
pump (I heard there were some problems with Mediaone and pump)?
Can anyone point me towards a good site on how to do this with SuSE? I
used http://rlz.ne.mediaone.net to set up Red Hat, but some of the stuff
may be different. For instance, are all the DHCP scripts in the same
place and named the same thing?
Thanks in advance.
DDDD David Kramer david(a)kramer.ne.mediaone.net
DK KD http://kramer.ne.mediaone.net
DK KD HYDROGEN: A colorless, odorless gas which,
DDDD given enough time, turns into people.
I cannot ping broadcast or network addresses: I get return
code -1: permission denied.
I thought it was me (my setup), but yesterday my coworker did a new install
of 6.1 and he was not able to ping these addresses either.
Moreover, there is another bad problem with "ping": sometimes (when I ping
some real address, including localhost) it pings only once, then hangs
indefinitely. When I ^C it reports that 1 packet was transmitted and 1
packet received, 0% packet loss.
Other communications work quite well.
The kernel is 2.2.12, if it is relevant, but I started seeing it since 2.2.x.
I use /bin/false as the shell and /dev/null as the home directory.
INTERACTIVE Online Services I.O.S. GmbH
Kedenburgstrasse 44 - 22041 Hamburg - Germany
E-Mail: mailto:email@example.com RIPE-Handle : MB1
URL : http://www.interact.de/ INTERNIC-Handle: MB16858
phone : +49.40.65699045
fax : +49.40.65699040
Reinventing Today's Communication
> -----Original Message-----
> From: Uwe Pilz [SMTP:U.Pilz@HTW-Zittau.DE]
> Sent: Wednesday, September 29, 1999 3:58 PM
> Cc: suse-security(a)suse.com
> Subject: Re: [suse-security] Permissions for Mail-only Users
> Holger Will wrote:
> > Hello,
> > I have set up a box which will act as our mail server.
> > How should I set up the permissions for users who are only allowed to
> > use mail on this system?
> > (Sending by SMTP, getting via popper)
> > Which shell should I give them? Which would be the best home directory?
> > --
> > Holger Will
> > --
> > To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com
> > For additional commands, e-mail: suse-security-help(a)suse.com
> I used /bin/passwd (or a script with /bin/passwd; sleep 5 inside) as
> the shell and no home dir.
> Uwe Pilz mailto:U.Pilz@HTW-Zittau.DE
> Tel.(+49)3583 61 1375
> Hochschule Zittau/Goerlitz (FH), Hochschulrechenzentrum
> Th.-Koerner-Allee 16, D 02763 Zittau