I implemented an SSH connection from the outside to my intranet. This SSH requires a username and a password.
In terms of security, what is more secure: requiring authentication (username and password) or having the public key of each user who connects to our intranet in the
authorized public key list (in this case there is no need for a username and password)?
In the second case there is no need for authentication, and only the users who have their public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
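Whichever way the list answers the question above, the setting that actually decides it lives in sshd_config. The script below is an added example (not code from the original post) that audits a config for key-only login. It assumes modern OpenSSH keyword names and the "Keyword value" syntax, and it honours two sshd rules that trip people up: the first occurrence of a keyword wins, and everything after a "Match" line is conditional, so only the global part of the file is inspected.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an sshd_config for
# the password-vs-public-key choice. Assumptions: modern OpenSSH keyword
# names; "Keyword value" syntax (the "Keyword=value" form is not handled).
# sshd keeps the FIRST occurrence of a keyword, and everything after a
# "Match" line is conditional, so only the global section is inspected.

# sshd_setting FILE KEYWORD DEFAULT -> prints the effective global value
sshd_setting() {
    awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }      # comment or blank line
        tolower($1) == "match" { exit }     # conditional block: stop here
        tolower($1) == key && !found { print tolower($2); found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE -> one finding per line; returns 0 only when
# key-based login is on and every password-style path is off
audit_sshd_config() {
    f=$1 rc=0
    pw=$(sshd_setting "$f" PasswordAuthentication yes)
    kbd=$(sshd_setting "$f" ChallengeResponseAuthentication yes)
    pk=$(sshd_setting "$f" PubkeyAuthentication yes)
    empty=$(sshd_setting "$f" PermitEmptyPasswords no)
    root=$(sshd_setting "$f" PermitRootLogin yes)   # "yes" was the old default
    [ "$pw" = no ]    || { echo "PasswordAuthentication=$pw (want no)"; rc=1; }
    # keyboard-interactive can still prompt for a password through PAM
    [ "$kbd" = no ]   || { echo "ChallengeResponseAuthentication=$kbd (want no)"; rc=1; }
    [ "$pk" = yes ]   || { echo "PubkeyAuthentication=$pk (want yes)"; rc=1; }
    [ "$empty" = no ] || { echo "PermitEmptyPasswords=$empty (want no)"; rc=1; }
    case $root in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin=$root (want no or prohibit-password)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "$f: key-only login configured"
    return "$rc"
}

# write_sample_config FILE weak|hardened -> constructed sample configs
write_sample_config() {
    if [ "$2" = weak ]; then
        cat > "$1" <<'EOF'
# constructed sample: passwords left on
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# the next line is ignored: sshd keeps the first value seen
PasswordAuthentication no
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample: key-only login
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
# conditional block below is not part of the global audit
Match User backup
    PasswordAuthentication yes
EOF
    fi
}

# usage: sh audit.sh /etc/ssh/sshd_config
if [ $# -gt 0 ]; then audit_sshd_config "$1"; fi
```

Note that disabling PasswordAuthentication alone is not enough on a PAM-enabled build: keyboard-interactive authentication can still ask for the same password, which is why the audit checks ChallengeResponseAuthentication as well.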
I feel erroneously (?) secure after hosts.deny-ing in.telnetd and
in.sshd from everywhere except one PC, which is denying all except
keyboard. I believe that if I can keep the hosts.deny and hosts.allow files
safe, and from time to time patch the latest security holes, I'll be
conditionally safe. Am I wrong? Probably I am.
I just can't imagine how a system can be cracked at a lower stage, so
that is my problem. I heard that inetd is very insecure, and some
people use tcpd (or something that sounds like it).
I ran harden_suse, but was forced to answer no to 8 of 10 questions, as my server
must provide a lot of public services and has world-writable
directories as well. And that's right; this script was not developed
for systems like mine. However, I'll run the SuSE-firewall-3.0 script
to make my system even stronger. But that's all. I don't know what else I
can do. I must keep the following services open:
httpd; smtpd; pop3d; ftpd; snmpd; named; inetd; sshd; nscd.
So if you know how to keep them at minimal risk, or know some holes in
those, I would be very grateful for any info and/or tips.
I don't ask you to do the work for me; a link to a good manual would be nice too.
By the way, I have SuSE 6.3 (2.2.13).
Thanks in advance.
Gediminas Grigas mailto:firstname.lastname@example.org
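The hosts.allow / hosts.deny pair the post relies on is only consulted for daemons started from inetd or built against libwrap, which is why the packet filter is still needed for the public services listed. The script below is an added example (not code from the original post) that replays tcpd's decision for a daemon/client pair so a rule set can be checked before a port is opened. The semantics are a simplification I assume from tcpd's documented order: hosts.allow first (a match permits), then hosts.deny (a match refuses), and no match at all means permit, which is exactly why a missing "ALL : ALL" in hosts.deny leaves everything open.

```shell
#!/bin/sh
# Added example, not code from the original post: replays the tcp_wrappers
# (tcpd) decision for a daemon/client pair against hosts.allow/hosts.deny.
# Assumed, simplified semantics: hosts.allow is searched first and a match
# permits; then hosts.deny, a match refuses; no match at all means PERMIT.
# Patterns handled: ALL, exact host/address, "192.0.2." address prefixes
# and ".example.org" domain suffixes. EXCEPT clauses, netmask forms and
# continuation lines are not handled.

# wrappers_match FILE DAEMON CLIENT -> 0 when some "daemons : clients" line matches
wrappers_match() {
    awk -v d="$2" -v c="$3" '
        function pat_ok(p, s) {
            if (p == "ALL" || p == s) return 1
            if (p ~ /\.$/ && index(s, p) == 1) return 1             # 192.0.2.
            if (p ~ /^\./ && length(s) > length(p) &&
                substr(s, length(s) - length(p) + 1) == p) return 1   # .example.org
            return 0
        }
        function list_ok(list, s,   n, a, i) {
            n = split(list, a, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (a[i] != "" && pat_ok(a[i], s)) return 1
            return 0
        }
        /^[ \t]*#/ || NF == 0 { next }
        {
            if (split($0, f, ":") < 2) next        # f[1]=daemons f[2]=clients
            if (list_ok(f[1], d) && list_ok(f[2], c)) { found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# wrappers_decision DAEMON CLIENT ALLOW_FILE DENY_FILE -> prints the verdict;
# returns 0 for allow, 1 for deny
wrappers_decision() {
    if wrappers_match "$3" "$1" "$2"; then
        echo "allow: $1 from $2 matched $3"; return 0
    elif wrappers_match "$4" "$1" "$2"; then
        echo "deny: $1 from $2 matched $4"; return 1
    fi
    echo "allow: $1 from $2 matched nothing (tcpd default is to permit)"; return 0
}

# write_sample_wrappers DIR -> constructed hosts.allow, hosts.deny and an
# empty hosts.deny.empty to show what a missing default-deny does
write_sample_wrappers() {
    cat > "$1/hosts.allow" <<'EOF'
# constructed sample: sshd only from the admin PC, telnet only from the LAN
sshd, in.sshd : 192.0.2.10
in.telnetd : 192.0.2.
EOF
    printf 'ALL : ALL\n' > "$1/hosts.deny"
    : > "$1/hosts.deny.empty"
}

# usage: wrappers_decision sshd 198.51.100.7 /etc/hosts.allow /etc/hosts.deny
```

Run it once with the real hosts.deny and once with an empty file for the same outside address: if both say allow, the default-deny line is missing and the allow list is not doing what the post expects.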
I installed SuSE 6.3 with firewall 1.4. I want to permit the following
access through the firewall: www, domain, ftp, smtp and ssh. Then I
made some adjustments in "rc.firewall" like:
FW_TCP_SERVICES_EXTERNAL="smtp www domain ftp"
FW_UDP_SERVICES_EXTERNAL="domain smtp ftp"
After starting the firewall I have full access from the internal network to
the Internet, but there isn't any access from the Internet and no mail....
Could someone tell me what I should do?
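A service name only opens anything when it is listed under a protocol it actually uses: smtp and ftp are TCP-only, while DNS ("domain") needs both TCP and UDP. The script below is an added example (not code from the original post or from the SuSE firewall package) that cross-checks the two FW_*_SERVICES_EXTERNAL lists against an /etc/services-style table and also reports wanted services that appear in neither list. The services table is constructed here; on a real host point it at /etc/services.

```shell
#!/bin/sh
# Added example, not code from the original post or the SuSE firewall script.
# Cross-checks FW_TCP_SERVICES_EXTERNAL / FW_UDP_SERVICES_EXTERNAL from an
# rc.firewall-style file against an /etc/services-style table: a name under
# a protocol it never uses yields a rule that matches nothing, and a service
# you meant to open but left out is reported as missing.

# write_services_table FILE -> constructed table in /etc/services format
write_services_table() {
    cat > "$1" <<'EOF'
# name      port/proto   aliases
ftp-data    20/tcp
ftp         21/tcp
ssh         22/tcp
smtp        25/tcp       mail
domain      53/tcp
domain      53/udp
www         80/tcp       http
pop3        110/tcp
EOF
}

# has_service TABLE NAME PROTO -> 0 when NAME (or an alias) has a PROTO port
has_service() {
    awk -v n="$2" -v p="$3" '
        /^[ \t]*#/ || NF < 2 { next }
        $2 ~ ("/" p "$") {
            for (i = 1; i <= NF; i++) if (i != 2 && $i == n) { found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# fw_list CONFIG VAR -> the space-separated names assigned to VAR="..."
fw_list() {
    sed -n "s/^$2=\"\\(.*\\)\".*/\\1/p" "$1" | head -n 1
}

# check_fw_protocols CONFIG TABLE -> one warning per mismatch; returns their count
check_fw_protocols() {
    bad=0
    for s in $(fw_list "$1" FW_TCP_SERVICES_EXTERNAL); do
        has_service "$2" "$s" tcp ||
            { echo "warn: $s is in the TCP list but has no tcp port"; bad=$((bad + 1)); }
    done
    for s in $(fw_list "$1" FW_UDP_SERVICES_EXTERNAL); do
        has_service "$2" "$s" udp ||
            { echo "warn: $s is in the UDP list but has no udp port (rule matches nothing)"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# fw_missing CONFIG NAME... -> names that appear in neither list; returns their count
fw_missing() {
    cfg=$1; shift; miss=0
    listed=" $(fw_list "$cfg" FW_TCP_SERVICES_EXTERNAL) $(fw_list "$cfg" FW_UDP_SERVICES_EXTERNAL) "
    for s in "$@"; do
        case $listed in
            *" $s "*) ;;
            *) echo "missing: $s is in neither list"; miss=$((miss + 1)) ;;
        esac
    done
    return "$miss"
}

# write_sample_fw FILE -> the two assignments quoted in the post above
write_sample_fw() {
    cat > "$1" <<'EOF'
FW_TCP_SERVICES_EXTERNAL="smtp www domain ftp"
FW_UDP_SERVICES_EXTERNAL="domain smtp ftp"
EOF
}

# usage: check_fw_protocols /etc/rc.config /etc/services; fw_missing /etc/rc.config www domain ftp smtp ssh
```

Against the two lines quoted in the post this reports smtp and ftp as dead entries in the UDP list and ssh as missing from both lists; it says nothing about why inbound mail is not arriving, which needs the rest of the rule set and the logs.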
On Mon, 14 Feb 2000, Thomas Biege wrote:
> The reason is simple:
> The bug wasn't known to the public and only the vendors got
> notified by me right after I found it. To give other linux
> distributors the time to fix their stuff I wait some days
> before releasing our announcement.
> Hope that explains everything.
The respect of your competition is more important than the security of
".. I used to get in more fights with SCO than I did my girlfriend, but
now, thanks to Linux, she has more than happily accepted her place back at
number one antagonist in my life.. "
(Jason Stiefel, krypto(a)s30.nmex.com)
I would like to connect to my FTP server which is running on my Linux
The FTP server can only be reached via an SSH tunnel because the firewall
doesn't permit the packets through. The FTP server is only for emergency
I can connect to the FTP server if I do a port forward of port 21, but
the FTP server can't send me the file list because I need a second
port. How can I configure these ports? I use wu-ftpd and, for example,
CuteFTP or FTP Voyager on a Windows machine.
The FTP server error message:
500 Illegal PORT Command
500 Can't build data connection: no PORT specified
Please help me..
How can I define static ports for FTP?
Are there any plans to provide T.Rex
(http://www.opensourcefirewall.com/index.html) for SuSE? It all sounds
very interesting ... it just doesn't currently support my favoured
*greetz* from Vienna
Johann Georg Hautzinger, email: trema(a)eic.at, Tel.: 531 00 1907
Erste Bank AG - OE 0423 - Org./Dev. Treasury and Securities Org.
Boersegasse 14, 1010 Wien http://treasury.erstebank.at
Will there be an update by SuSE?
~> rpm -q htdig
> Date: Fri, 25 Feb 2000 18:52:44 -0600
> To: lwn(a)lwn.net
> From: Geoff Hutchison <ghutchis(a)wso.williams.edu>
> Subject: [SECURITY] Security hole in ht://Dig's htsearch
> (What follows was sent to the htdig, htdig3-announce and htdig3-dev
> mailing lists earlier today.)
> I'm sending this message out essentially twice. The contents are
> included in the ht://Dig 3.1.5 release notes at
> <http://www.htdig.org/RELEASE.html>, but I wanted to make sure
> everyone got the message. There is a security hole in all versions of
> the htsearch CGI prior to version 3.1.5 (just released).
> This hole can allow remote users to read any file on your system that
> the UID running your webserver can read.
> It is *strongly* recommended that you upgrade to 3.1.5 ASAP. Anyone
> upgrading from a 3.1.x stable release will find the process fairly
> painless and to fix the hole, they can simply drop in the new CGI.
> The databases themselves are not affected. You may also wish to look
> at the new default templates as they make use of new features and
> generate cleaner HTML output.
> Anyone using version 3.2.0b1 is suggested to upgrade to the latest
> development snapshot. The next beta version, 3.2.0b2, will be
> released shortly to address this issue and other bugs.
> More detailed information will be posted to the BugTraq mailing list
> in a day or two.
> -Geoff Hutchison
> Williams Students Online
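The announcement gives everything needed for a local check: htsearch before 3.1.5 is affected, and the 3.2.0b1 beta needs the development snapshot rather than 3.1.5. The script below is an added example (not part of the announcement or the htdig project) that turns "rpm -q htdig" output into that verdict. It assumes rpm's NAME-VERSION-RELEASE output format and that the package name has no hyphen, which holds for htdig.

```shell
#!/bin/sh
# Added example, not part of the announcement above. Turns "rpm -q htdig"
# output into a verdict against the fixed version named in the advisory:
# htsearch before 3.1.5 is affected; the 3.2.0b1 beta needs the development
# snapshot instead. Assumes rpm's NAME-VERSION-RELEASE output and that the
# package name itself has no hyphen, which holds for htdig.

# rpm_version NAME-VERSION-RELEASE -> VERSION
rpm_version() {
    printf %s "$1" | awk -F- '{ print $(NF - 1) }'
}

# version_lt A B -> 0 when dotted version A sorts before B (numeric per
# component, so 3.10.0 is newer than 3.9.9, unlike a plain string compare)
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = x[i] + 0; q = y[i] + 0        # missing components count as 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1                                 # equal is not "less than"
    }'
}

# htsearch_status RPM_NAME -> prints the verdict; returns 0 only when fixed
htsearch_status() {
    v=$(rpm_version "$1")
    case $v in
        *b*) echo "$1: development beta, affected; upgrade to the latest 3.2 snapshot"; return 1 ;;
    esac
    if version_lt "$v" 3.1.5; then
        echo "$1: htsearch $v is affected; upgrade to 3.1.5"; return 1
    fi
    echo "$1: htsearch $v carries the fix"
}

# usage: htsearch_status "$(rpm -q htdig)"
```

The version check only tells you what the package database says; because the fix is a drop-in CGI, also confirm that the htsearch binary your web server actually executes is the one from the updated package.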
> If I were to just uncomment the firewall rules in /etc/ppp/ip-up
> would it make a good generic firewall for dialup or would I have to
> change parts of it ? From my own point of view it looks as though
> it's a bit too simple and I need to add something to it.
I have had much the same discussion. IMHO, regardless of the quality of the
generic script, I would create something new, or modify it, to help
understand the workings of firewalling :-)
I just tried to update our SMTP to 8.9.3-55. I downloaded it from sendmail.org
and... guess what... it didn't work :-(
The system tells me:
libc.so.6(GLIBC_2.0) is needed by sendmail-8.9.3-55
libc.so.6(GLIBC_2.1) is needed by sendmail-8.9.3-55
libdb.so.2(GLIBC_2.0) is needed by sendmail-8.9.3-55
libnsl.so.1(GLIBC_2.0) is needed by sendmail-8.9.3-55
libnsl.so.1(GLIBC_2.1) is needed by sendmail-8.9.3-55
libresolv.so.2(GLIBC_2.0) is needed by sendmail-8.9.3-55
Hmm, did I forget to install something, or do I have to upgrade another
package before updating sendmail?
Okay, I know, some of you will say "What does this have to do with
security", but I tried to update in order to close relaying, to fix some
DoS attacks, and so on. Is this security-related enough? Thanks :-))
Thanks in advance for your help.
Oh, please no RTFM replies. If I knew where to look, I would! :-)
Stephan M. Ott // OKDesign oHG
Internet provision and network management
http://www.okdesign.de // smo(a)okdesign.de
tel. +49 961 3814139 ... fax. +49 961 3814140
mobil. 0171-8351130 ...oder... 0171-7858064
I have a question about the SuSE Firewall 2.0 script.
I use this script for my firewall because it's easy and I think there are
I'm connected to the Internet through a cable modem.
But I get some entries in the messages log (/var/log/messages)
like the following line:
kernel: martian destination 00ffffff from 0200e6ba, dev eth0
These lines appear very often..
What can I do against this? What is this line?
Thanks for your help,
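A "martian destination" line is the kernel's routing code reporting a packet whose destination address is not valid for the interface it arrived on; on a shared cable segment that is usually other subscribers' traffic rather than anything aimed at this host, and the useful question is how many distinct sources produce it. The script below is an added example (not code from the original post) that summarises such lines per source and decodes the two hex fields. My reading of the 2.2 source is that the kernel prints the raw 32-bit address fields, so on a little-endian x86 box the bytes come out in reverse dotted-quad order; hex_to_ip offers both readings so the decoding can be confirmed against addresses actually seen on the segment. The log excerpt is constructed around the line quoted above.

```shell
#!/bin/sh
# Added example, not code from the original post. Summarises "martian
# destination" lines from /var/log/messages per source and decodes the hex
# address fields. Assumption: the 2.2 kernel prints the two addresses as
# raw 32-bit values, so on little-endian x86 the "swapped" reading is the
# dotted quad; the "raw" reading is offered for comparison.

# hex_to_ip HEX raw|swapped -> dotted quad from an 8-digit hex field
hex_to_ip() {
    h=$1 o=
    for i in 1 3 5 7; do                     # two hex digits per octet
        o="$o.$((0x$(printf %s "$h" | cut -c"$i"-"$((i + 1))")))"
    done
    o=${o#.}
    [ "$2" = swapped ] && o=$(printf %s "$o" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }')
    printf %s "$o"
}

# martian_summary LOGFILE -> "COUNT DEV DST from SRC" per distinct tuple,
# busiest first, using the swapped (x86) decoding
martian_summary() {
    sed -n 's/.*martian destination \([0-9a-f]*\) from \([0-9a-f]*\), dev \([^ ]*\).*/\1 \2 \3/p' "$1" \
    | sort | uniq -c | sort -rn \
    | while read -r n dst src dev; do
        printf '%s %s %s from %s\n' "$n" "$dev" "$(hex_to_ip "$dst" swapped)" "$(hex_to_ip "$src" swapped)"
      done
}

# write_sample_log FILE -> constructed /var/log/messages excerpt
write_sample_log() {
    cat > "$1" <<'EOF'
Feb 27 10:01:02 gw kernel: martian destination 00ffffff from 0200e6ba, dev eth0
Feb 27 10:01:03 gw sshd[512]: Accepted publickey for admin from 192.0.2.10
Feb 27 10:01:09 gw kernel: martian destination 00ffffff from 0200e6ba, dev eth0
Feb 27 10:02:44 gw kernel: martian destination 00ffffff from 0300e6ba, dev eth0
EOF
}

# usage: martian_summary /var/log/messages
```

If the summary shows a handful of sources on the cable segment repeating the same destination, the lines are noise from neighbours and only a logging-volume problem; many sources or a destination that is one of your own addresses is worth a closer look at the firewall rules for that interface.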