Yesterday I received SuSE 6.2. I just wanted to point out that chapter 18 "Security is a matter of trust" is well worth reading. Quite some questions on this list could simply be answered by reading this chapter. The chapter also mentions "tripwire" and "logsurfer". Here my (poor) translation of "18.4 Allgemeine Hinweise" 18.4 General Notes 1. The user "root" should only be logged in for administrative work. For the every day work at your computer a user account should be created. 2. Avoid using "telnet", "rlogin" or even "rsh". 3. Instead use "ssh", if you have to work remotely. 4. Deactivate all net sevices that you don't need. 5. Keep security relevant packages up-to-date, e.g., the packages "bind", "sendmail" and "ssh". 6. Remove suid and sgid bits from all files in the system that ordinary users don't necessarily need for work. 7. Check the log files on a regular basis. Again, please read this chapter. SuSE: Great idea to put the FAQ on the CD-ROM cover! That might help to reduce traffic on the Linux newsgroups. Thanks!
On Thu, 12 Aug 1999, Mark Lutz wrote:
Here my (poor) translation of "18.4 Allgemeine Hinweise"
2. Avoid using "telnet", "rlogin" or even "rsh". 3. Instead use "ssh", if you have to work remotely.
This prompts a question about getting my security tools to work. I am still having problems with ssh as an alternative to telnet. SuSE installs tcpd (TCP wrappers) as a standard security measure. I edited /etc/hosts.allow to contain just the lines: in.telnetd: 192.168.1.2, my.gateway.myemployer.com sendmail: localhost sshdfwd-ssh: ALL and changed /etc/hosts.deny to be only ALL: ALL This means that telnet works, but ssh connections are being rejected. The only way I found to get ssh to connect (I tested it over PPP from 192.168.1.2 and it worked) was to comment out "ALL: ALL". I think this means getting rid of all my security - not what I wanted. The moment I put ALL: ALL back in, ssh connections are rejected. I read the ssh docs thoroughly, and also tcpd and hosts_access(5) man pages, but maybe I misunderstood something. What should I do to allow ssh connections to be accepted without disabling hosts.deny ? TIA for your suggestions, dproc (p.s. I don't want any other connections from the Internet - the box is a workstation, not really a server. But I do like to serve vnc, httpd and smb to 192.168.1.2 and they work fine with these settings/ SuSE Linux 5.3 International, with ssh downloaded from rpmfind.net . I do not run DNS, Firewall nor Masquerading. Server connections are controlled by inetd)
On Thu, 12 Aug 1999 dproc@dol.net wrote:
sshdfwd-ssh: ALL
Hello, try "sshd: ALL" ! Cheers, Peter -- ******************************************* URL: http://gmv.spm.univ-rennes1.fr/~peter/ *******************************************
participants (3)
-
dproc@dol.net -
Mark Lutz -
Peter Münster