Hi!
I implemented an ssh connection from the outside to my intranet. This ssh requires a username and a password.
In terms of security, what is more secure: requiring authentication (username and password), or having the public key of each user that connects to our intranet in the
authorized public key list (in this case there is no need for username and password)?
In the second case there is no need for authentication and only the users which have their public keys in the list are allowed to enter my intranet.
Is this second solution a good solution, or does it bring other security problems?
Thanks.
--
Farewell.
"Keep your friends close, but your enemies closer."
"Do or do not. There is no try" - Yoda
João Reis
-------------------------------------------------------
Hi,
>I have just read a Bell Labs announcement, that they are going to release
>libsafe under GNU licence, and that some major Linux distros are going to
>be using it. SuSE was not amongst them, why is that? I think that libsafe would
>be a good enhancement against buffer overflow.
>
>Announcement is on:
>http://www.bell-labs.com/news/2000/april/20/1.html
just because something new pops up please be careful with questions like
"when will you implement it?" ;-)
There are several questions to ask:
a) is it STABLE and does it NOT affect the stability of other programs?
b) does it bring additional security problems into the system?
c) is the security protection effective?
Well, of course the SuSE Security Team already reviewed libsafe.
Here are the answers:
a) unsure. It would have to be tested very intensively. This was not done yet.
b) the code might have vulnerabilities, however the protection gained is
higher even if a vulnerability would be present
c) okay, now the tough part:
libsafe is a dynamic library which is set in the environment which checks
several dangerous functions, which can be a security problem.
Because it is a dynamic library, it is NO protection against local
attackers, just against remote attackers on network services. (If an
attacker wants to attack a local suid file, he would just reset his library
path environment.) Next thing: it does not check for all known
vulnerabilities. It doesn't even protect against all buffer overflows, it
just protects against *some* overflows, those which happen because of
insecure use of strcat/strcpy etc.
summary:
I cannot remember a vulnerability in a network service for the last year
which this tool would have prevented. Therefore: as long as this tool is not
enhanced to also protect open/fopen calls against symlink/hardlink/pipe
attacks, several more buffer overflow types, system/exec* function
protection etc., it is not useful to use this tool.
I would rather propose to use the secumod module which comes with SuSE Linux
since 6.3 and maybe the secure-linux kernel patch from www.openwall.com -
these two tools enhance your security. (and btw, install seccheck,
hardensuse and firewals and use them - then your security is very high)
Greets,
Marc
--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc(a)suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
I must be able to telnet from a terminal (not a console) as root without
using su.
In Solaris I could do that by editing the /etc/default/login file, but I can't find
it on this Operating System.
How can I do it?
Thanks
Dear reader,
I'm looking for a _good_ book on linux system security (something like
one of these "hacker guides"). If you could recommend a book your answer
would greatly be appreciated.
Best regards,
Roman Blöth.
--
gosub communications GbR | Fredersdorferstr. 10 | 10243 Berlin | Germany
phone: [+49] (-30) 29 66 88 81 | fax: [+49] (-30) 29 66 88 84 |
http://www.gosub.de
Hello there,
I feel erroneously (?) secure after hosts.deny-ing in.telnetd and
in.sshd from everywhere except one PC, which is denying all except
keyboard. I believe that if I can keep the hosts.deny and hosts.allow files
safe, and from time to time patch the most current security holes, I'll be
conditionally safe. Am I wrong? Probably I am.
I just can't imagine how a system can be cracked at a lower stage, so
that is my problem. I heard that inetd is very insecure, and some
people use tcpd (or something that sounds like it).
I ran harden_suse, but was forced to answer no to 8/10, as my server
should provide a lot of public services, and has world-writable
directories as well. And that's right, this script was not developed
for systems like mine. However I'll run the SuSE-firewall-3.0 script,
to make my system even stronger. But that's all. I don't know what else I can
do. I should keep the following services open:
httpd; smtpd; pop3d; ftpd; snmpd; named; inetd; sshd; nscd.
So if you know how to keep them at minimal risk, or know some holes in
those, I would be very grateful for any info and/or tips.
I don't ask you to do the work for me; a link to a good manual would be nice too.
By the way I have SuSE 6.3 (2.2.13).
Thanks in advance.
Sincerely Yours,
Gediminas Grigas mailto:gedas@kryptis.lt
Hi!
I've got a little problem with the firewals package. Everything works
fine but now I want to import filesystems from another computer in the
LAN, but it seems to me that the firewall is denying all TCP/IP packets
which should be sent to the network. So my question is: which services
must I allow in rc.firewall.conf so that NFS packets get through the
firewall? (I'm using SuSE Linux 6.3 with kernel NFS)
Thanx Benjamin Jungbluth
I have a small server up and running with SuSE 6.4. I wrote a Perl script
that needs to be run suid in /usr/local/bin by a few trusted users, but I keep
getting the following error:
trusted@foo> /usr/local/bin/foobar.pl
Can't do setuid
First of all, what's generating that particular message? I had run the
harden_suse script (with the suggested "server" settings), and have looked over
the /etc/undo_harden_suse script as well, but I can't figure out what's
generating that error message, and what controls which suid programs are
allowed to run.
Can someone point me in the right direction?
Jason P. Stanford
Lehigh University
Integrated Product Development
Jason.Stanford(a)pobox.com
Hello,
I've got two segments connected with a suse-firewals
packet filter and configured it to redirect ftp queries
on port 21 to another port where the ftp proxy (fwproxy)
is listening. Till that point there's no problem, I can then
even do a login on the machine that the proxy puts the query
to. The logfiles show nothing strange until now.
But when I try to do an 'ls' or any other command that involves
traffic on the data channel I get no response.
So as a trial I enabled the forwarding for all ports in any direction,
but I still didn't get a connection to the data channel.
If I connect with the command-line ftp, the logfiles of the proxy
show nothing when doing an 'ls'.
When connecting with iglooftp, the logfiles show an entry like this:
'can't bind client data to a.b.c.d:xy00-xy50(portrange for passivemode data)
for a.b.c.f(client)'
Does anybody have an idea what the problem with that is?
thank you!
tobi
Oh boy, is this ever driving me insane. I'm trying to get IP Masq-ing working on
my server. I have a setup very similar to that of scenario 2 in the example in
/usr/doc/packages/firewalEXAMPLES so I added the services mentioned to the
existing firewall script and amended the IP addresses for my local domain.
I set my local machine up to use the server as a gateway, used the modem to
dial up (it's PPP, ip-up script altered as required), and tried pinging the
outside world, I got nada, nothing, zilch! Have I missed something in the
script files? One error appears about not being able to find the DNS service,
that's suggested in the example but I don't have that running on my local server.
Do I need it or is the example a bit wacked out? I need help!!! Is there an FAQ
or more installation information anywhere as I desperately need to get the
masq-ing working.
I'm hoping to get the IP masq-ing working but for the http browsers to go
through the proxy for extra security.
--
Stuart Hodgkinson
Software Engineer
"When bashing the keyboard into your forehead just isn't enough."
The problem with my perl script turned out to be Perl itself which apparently
-- unbeknownst to me before this -- has built-in security checks against suid
scripts. So, after checking the 'perlsec' man page, I just wrote a quick'n'dirty
C wrapper much like what's listed in that man page.
Everything's fine now!
:)
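As an added example for the suid Perl script question and this follow-up (not code from the perlsec man page, from Jason's post or from SuSE), this is one shape such a C wrapper can take for /usr/local/bin/foobar.pl: the compiled binary is what gets the suid bit, the script itself no longer needs it; the interpreter path and the PATH it exports are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PERL   "/usr/bin/perl"             /* assumed interpreter path */
#define SCRIPT "/usr/local/bin/foobar.pl"  /* script path from the question */

/* Environment prefixes that can change which code perl loads or how the
 * dynamic loader behaves; any entry starting with one of these is dropped. */
static const char *blocked_prefixes[] = {
    "LD_", "PERL", "IFS=", "PATH=", "ENV=", "BASH_ENV=", NULL
};

/* Returns 1 if a "NAME=value" entry may be handed to the script, 0 if not. */
int env_entry_allowed(const char *entry) {
    for (int i = 0; blocked_prefixes[i]; i++)
        if (strncmp(entry, blocked_prefixes[i], strlen(blocked_prefixes[i])) == 0)
            return 0;
    return 1;
}

/* Copies the allowed entries of src into dst (NULL terminated, at most n-2
 * of them), appends a fixed PATH, and returns the number of entries. */
int filter_env(char *const src[], char *dst[], int n) {
    int k = 0;
    for (int i = 0; src[i] && k < n - 2; i++)
        if (env_entry_allowed(src[i]))
            dst[k++] = src[i];
    dst[k++] = "PATH=/bin:/usr/bin";  /* trusted search path only (assumed) */
    dst[k] = NULL;
    return k;
}

int main(int argc, char *argv[]) {
    extern char **environ;
    char *newenv[256];
    char **newargv = calloc((size_t)argc + 3, sizeof *newargv);
    if (!newargv) return 1;
    filter_env(environ, newenv, 256);
    /* Fixed interpreter and script path, taint mode on; the caller's arguments
     * come after the script name, so they land in @ARGV, never in perl's switches. */
    newargv[0] = PERL; newargv[1] = "-T"; newargv[2] = SCRIPT;
    for (int i = 1; i < argc; i++) newargv[i + 2] = argv[i];
    newargv[argc + 2] = NULL;
    execve(PERL, newargv, newenv);
    perror("execve");  /* only reached if the exec failed */
    return 1;
}
```

Build it, chown it to the user the script must run as, and set mode 4750 on the binary so only the trusted group can invoke it.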