openssh && hardensuse problem
Hi,

I'm using SuSE 7.0 Professional to build a firewall. I've installed the necessary packages, upgraded to the latest release and after running "harden_suse yes" opensshd just refuses to accept connections; the following message appears in the logs:

Jan 27 15:53:32 maestro sshd[887]: refused connect from 192.168.0.100 (192.168.0.100)

sshd is running, of course.

Last week the same problem occurred on another machine and it was "solved" (?) by uninstalling openssh-2.3.0p1-0 and installing openssh-2.1.1p1-43 (vulnerable) :(

Versions:
SuSE 7.0
openssh-2.3.0p1-0
hardensuse-2.6-1

rgrds,
Bráulio Gergull
At 12:36 AM 29/01/2001, you wrote:
Hi,
I'm using SuSE 7.0 Professional to build a firewall. I've installed the necessary packages, upgraded to the latest release and after running "harden_suse yes" opensshd just refuses to accept connections; the following message appears in the logs:
Jan 27 15:53:32 maestro sshd[887]: refused connect from 192.168.0.100 (192.168.0.100)
sshd is running, of course.
Last week the same problem occurred on another machine and it was "solved" (?) by uninstalling openssh-2.3.0p1-0 and installing openssh-2.1.1p1-43 (vulnerable) :(
Versions:
SuSE 7.0
openssh-2.3.0p1-0
hardensuse-2.6-1
http://www.susesecurity.com/faq/index.html#sshd_cant_connect

Quote:

I can't connect to my server using SSH

Check you have enabled access to SSHD in /etc/hosts.allow.

SuSE's versions of OpenSSH all come with libwrap support compiled in by default. That is, they honour /etc/hosts.allow and /etc/hosts.deny. If you have previously run harden_suse you will now have a line at the bottom of /etc/hosts.deny that looks like:

ALL : ALL

If this is what's causing your connection to be refused, you should be able to see it in the /var/log/warn logfile. This can be checked by using the command:

tail -f /var/log/warn

To enable access from your IP address, simply add the line:

SSHD : x.x.x.x

to /etc/hosts.allow (where x.x.x.x is the IP that you are connecting FROM). You can also use the format x.x.x.x/y.y.y.y, where y.y.y.y is the subnet mask of an entire network (i.e. your LAN) that you wish to allow. If you wish to allow SSH access from anywhere, you can replace x.x.x.x with the word ALL. This is not recommended.

SSHD also has the possibility of denying root access. Look at /etc/sshd_config and see if PermitRootLogin is yes (or try connecting as another user).

Finally, you could be having a problem with different ssh versions. OpenSSH 2.3 supports both SSH1 and SSH2 and should work, and you should upgrade to it anyway, since earlier versions have some security problems.

Hope this helps :-)

---
Nix - nix@susesecurity.com
http://www.susesecurity.com
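To make the hosts.allow / hosts.deny logic in Nix's reply concrete, here is a small model of how libwrap decides whether to accept a connection. This is an added example, not part of the thread and not libwrap's own code; it covers only the rule syntax the reply uses (ALL, a single IPv4 address, a net/mask pair, and additionally the trailing-dot prefix form from hosts_access(5)). The sample hosts.allow and hosts.deny contents, the daemon name and the client addresses are constructed to mirror the thread (harden_suse's "ALL : ALL" in hosts.deny, the "SSHD : 192.168.0.100" fix), and the log line is rendered without the timestamp and PID that the real syslog entry carries.

```python
"""Toy model of the tcp_wrappers (libwrap) hosts_access() decision.

Added illustration for the thread above, not libwrap's own code.  It models
the subset of hosts_access(5) syntax the reply uses:

    daemon_list : client_list

with ALL, plain IPv4 addresses, net/mask pairs (x.x.x.x/y.y.y.y or a CIDR
prefix) and a trailing-dot prefix such as "192.168.0.".  Hostnames, EXCEPT
lists and rule options are deliberately not modelled.
"""
import ipaddress


def parse_rules(text):
    """Parse hosts.allow / hosts.deny text into (daemons, clients) tuples.

    Comments and blank lines are skipped.  Daemon names are compared
    case-insensitively, as libwrap does, so "SSHD : ..." matches sshd.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = [d.lower() for d in fields[0].split()]
        clients = fields[1].split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr):
    """True if one client_list token matches the connecting IPv4 address."""
    ip = ipaddress.ip_address(addr)
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:
        # net/mask: libwrap takes a dotted mask; ipaddress also accepts a prefix length
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):
        # "192.168.0." matches every address whose leading octets are 192.168.0
        return str(ip).startswith(pattern)
    return ip == ipaddress.ip_address(pattern)


def rule_matches(rule, daemon, addr):
    """A rule applies when both its daemon list and its client list match."""
    daemons, clients = rule
    daemon_ok = "all" in daemons or daemon.lower() in daemons
    return daemon_ok and any(client_matches(c, addr) for c in clients)


def hosts_access(daemon, addr, allow_text, deny_text):
    """Decide as libwrap does: the first match in hosts.allow grants access,
    otherwise the first match in hosts.deny refuses, otherwise access is
    granted.  Returns (allowed, explanation)."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, addr):
            return True, f"allowed by hosts.allow rule {rule}"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, addr):
            return False, f"refused by hosts.deny rule {rule}"
    return True, "no rule matched; default is to allow"


def wrapper_log_line(daemon, addr, allowed):
    """Render the kind of message libwrap logs (no timestamp or PID here)."""
    if allowed:
        return f"{daemon}: connect from {addr}"
    return f"{daemon}: refused connect from {addr} ({addr})"


# Constructed sample files mirroring the thread: harden_suse appends
# "ALL : ALL" to hosts.deny, and the fix is an entry in hosts.allow.
HARDENED_DENY = "ALL : ALL\n"
EMPTY_ALLOW = ""
FIXED_ALLOW = "SSHD : 192.168.0.100\n"
LAN_ALLOW = "SSHD : 192.168.0.0/255.255.255.0\n"

if __name__ == "__main__":
    for label, allow in (("before", EMPTY_ALLOW), ("after", FIXED_ALLOW), ("LAN", LAN_ALLOW)):
        ok, why = hosts_access("sshd", "192.168.0.100", allow, HARDENED_DENY)
        print(f"{label}: {wrapper_log_line('sshd', '192.168.0.100', ok)}  # {why}")
```

Two things the model makes visible: the allow file wins only for the daemon it names, so a "SSHD : ..." line does nothing for other wrapped services still caught by "ALL : ALL", and with no matching allow rule the hardened deny file refuses every client, which is exactly the "refused connect from" line in the original post. Note that OpenSSH dropped its built-in libwrap support in 6.7, so on current systems the same restriction is done in sshd_config (for example AllowUsers or a Match block) or in the packet filter rather than in hosts.allow.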
Hi,

Thank you Nix and Armin,

That was the problem, I added my host to hosts.allow and it's running fine now! :)
Quote:
I can't connect to my server using SSH Check you have enabled access to SSHD in /etc/hosts.allow SuSE's version of OpenSSH all come with libwrap support compiled in by default.
And congratulations to the security team @ SuSE, you're doing a nice job!

By the way, is there a (beta or alpha) version of the SuSE firewall script built for iptables?

rgrds,
Bráulio Gergull
participants (2)
-
Bráulio Gergull
-
Nix