
SSH problem


Agelmar

Jul 2, 2003, 11:06:47 PM
I just re-installed Linux (mandrake 9.1) on my computer, but I can't seem to
ssh in, and I cannot figure out why :( If I try ssh 127.0.0.1 from the local
computer, I can connect to it fine, but if I try to connect to 172.16.0.100
(its address) from another computer, I get a "connection closed by remote
host" error.

Any thoughts?

// Agel


Agelmar

Jul 2, 2003, 11:22:24 PM
Vox wrote:
> Security level 4 or above...you need to get into drakperms or
> whatever that one is called and allow remote ssh logins...in 4 and 5
> they are not allowed.
>
> Vox

Yes, I had my security level set to higher :-) I cannot seem to find any
options, I looked around in webmin and everything seems OK there, did a
locate drakperms and nothing came up... I have temporarily set my security
level to standard :( Works now, but I'd like to find this "drakperms"
thing...


Agelmar

Jul 2, 2003, 11:36:37 PM

OK, I think I found drakperm in the mandrake cpl, but I have no idea how to
change the damned thing. I try to edit the security level 4 but it just
plain old won't let me (and I'm not quite sure what all I need to change)


Agelmar

Jul 3, 2003, 10:14:24 AM
> I've never used drakperm, truth be told....I just hack the msec
> files by hand :) I'm sure there's a doc about it somewhere, tho.
>
> Vox

:-) OK, what all needs to be changed? just /usr/bin/ssh, or what?

Also, while I have you... one other question. I'm finally using a router at
home, and it supports dynamic DNS. However, setting up my nix box to play
nice is being a bitch - if I type in a hostname, it just makes its name
that, e.g. if I type in rand as the name, it makes its full name rand and
ignores anything given via dhcp, whereas all the other boxes (windows) take
their hostname and append the dns suffix (wanarb01.mi.comcast.net) thus
making the ddns essentially useless on the nix box. Do you have any tips on
how I can change this?


Agelmar

Jul 3, 2003, 3:54:37 PM
Vox wrote:

> On September 1993 plus 3592 days ifette...@comcast.net wrote:
>
>>
>> :-) OK, what all needs to be changed? just /usr/bin/ssh, or what?
>
> The remote login thing...what's happening is that you have an ALL:
> ALL in your /etc/hosts.deny when you go to 4 or 5...but if you take
> it out by hand, msec will add it again 15 minutes later, so...you
> need to change msec's configuration so it doesn't change it and then
> get rid of the ALL: ALL :) I know there's a guide about msec
> somewhere...most probably in mandrakesecure.com

AAAARGH! Goddamned mandrake... I mean, it's a nice idea to have something
like msec, it certainly simplifies security a bit, but jeesus, there is
practically no documentation anywhere, it's a pain in the ass, and it's
pissing me off :( I set the security level to 3, I will push it back up once
I understand it a bit more...

>> Also, while I have you... one other question. I'm finally using a
>> router at home, and it supports dynamic DNS. However, setting up my
>> nix box to play
>

> Never played with ddns inside a LAN...never liked the idea, so I
> have no clue how it works :)
>
> Vox

Mmmf, I thought it was kinda cool :-) Anyhow, I just set it to static IP,
solved the problem :P


Agelmar

Jul 4, 2003, 12:38:12 AM
Dalai Lama wrote:
> On Thu, 03 Jul 2003 14:21:25 -0500, Vox <v...@the-vox.com> wrote:

>
>> On September 1993 plus 3592 days ifette...@comcast.net wrote:
>>
>>>
>>> :-) OK, what all needs to be changed? just /usr/bin/ssh, or what?
>>
>> The remote login thing...what's happening is that you have an ALL:
>> ALL in your /etc/hosts.deny when you go to 4 or 5...but if you take
>> it out by hand, msec will add it again 15 minutes later, so...you
>> need to change msec's configuration so it doesn't change it and then
>> get rid of the ALL: ALL :) I know there's a guide about msec
>> somewhere...most probably in mandrakesecure.com
>>
>>> Also, while I have you... one other question. I'm finally using a
>>> router at home, and it supports dynamic DNS. However, setting up my
>>> nix box to play
>>
>> Never played with ddns inside a LAN...never liked the idea, so I
>> have no clue how it works :)
>
> Works great so long as everything's done right :-) Haven't touched it
> in Linux..... yet.

It's a bitch. Gah. I am sick and tired of msec.... goddamned /var/www/html
owned by root.root - wtf? ugh... and of course you cannot ftp in as root...
pshaw. I am sick of msec. I just chowned ian.ian /var/www/html, hopefully
msec does not undo that. If it does, I am going to flat out reformat that
computer and throw on slackware. At least I know what the fsck is going on
with Slack...


Nicholas Knight

Jul 4, 2003, 6:35:28 AM
on Thursday 03 July 2003 12:54 pm, Agelmar <ifette...@comcast.net>
wrote in <be21lo$fd4v$1...@ID-30799.news.dfncis.de>:

> AAAARGH! Goddamned mandrake... I mean, it's a nice idea to have
> something like msec, it certainly simplifies security a bit, but jeesus,
> there is practically no documentation anywhere, it's a pain in the ass,
> and it's pissing me off :( I set the security level to 3, I will push it
> back up once I understand it a bit more...

What, exactly, are you expecting higher security settings to DO for you?
Unless your password selection sucks or someone else has an account on
your box, you're essentially immune so long as you're not running any
servers with security holes.

--
Nicholas Knight <nkn...@runawaynet.com>

Agelmar

Jul 4, 2003, 9:26:12 AM

With all the bugs found in php, apache, openssl etc, why take chances? But
honestly, I think I will back off the settings permanently. It's behind a
router, for god's sake... not even externally accessible :-) I just want to
know how it works though so that on a production machine I don't fsck myself
over.


Nicholas Knight

Jul 4, 2003, 10:24:34 AM
on Friday 04 July 2003 06:26 am, Agelmar <ifette...@comcast.net> wrote
in <be3v9o$113p2$1...@ID-30799.news.dfncis.de>:

> Nicholas Knight wrote:
>> on Thursday 03 July 2003 12:54 pm, Agelmar <ifette...@comcast.net>
>> wrote in <be21lo$fd4v$1...@ID-30799.news.dfncis.de>:
>>
>>> AAAARGH! Goddamned mandrake... I mean, it's a nice idea to have
>>> something like msec, it certainly simplifies security a bit, but
>>> jeesus, there is practically no documentation anywhere, it's a pain
>>> in the ass, and it's pissing me off :( I set the security level to
>>> 3, I will push it back up once I understand it a bit more...
>>
>> What, exactly, are you expecting higher security settings to DO for
>> you? Unless your password selection sucks or someone else has an
>> account on your box, you're essentially immune so long as you're not
>> running any servers with security holes.
>
> With all the bugs found in php, apache, openssl etc, why take chances?

Why would Apache (and thus php and, indeed, openssl) be running as root or
any other user besides "nobody" or another that it can do no harm as? If
it is, Mandrake has bigger problems than making fine-grained security
control more difficult than would be preferred. Indeed, if I recall
correctly, you have to take steps to /force/ vanilla Apache to run as
root.

Almost nothing runs as root these days, and I'd be *very* hesitant to run
any server software that needed to. The first thing any server does is
drop privileges as soon as possible. There are far better and safer ways
to do things that need elevated privileges than to actually *run* at
those privilege levels. Tight, carefully- and meticulously-constructed
wrapper code that has been thoroughly audited is how these things are
done now. Complex daemons that can receive unlaundered arbitrary data
from users and are run as root are historic artifacts. Even OpenSSH now
has privilege separation, and it's been on by default for some time now.

> But honestly, I think I will back off the settings permanently. It's
> behind a router, for god's sake... not even externally accessible :-) I
> just want to know how it works though so that on a production machine I
> don't fsck myself over.

--
Nicholas Knight <nkn...@runawaynet.com>

Dalai Lama

Jul 8, 2003, 4:24:05 AM
On Fri, 04 Jul 2003 07:24:34 -0700, Nicholas Knight
<nkn...@runawaynet.com> wrote:

>Almost nothing runs as root these days, and I'd be *very* hesitant to run
>any server software that needed to.

So the security and privileges are all (or even mostly)
managed/handled by the OS itself?

--

Urk!

Nicholas Knight

Jul 8, 2003, 5:49:31 AM
on Tuesday 08 July 2003 01:24 am, Dalai Lama <daiail...@aol.com> wrote
in <lmvkgv8gcfba9blih...@4ax.com>:

Not sure what you mean...?

The way modern Apache works, for example, is the child processes that
actually handle the serving run as either user "nobody" or a special
"www", "httpd", or "www-data" user and group, depending on system.

This user can't access anything that isn't set to be readable by everyone
(or owned by their user/group). Similarly, they can't write to anything
that isn't set to be writable by everyone (very little ever is).

There is one "parent" process which runs a much smaller and better-audited
codebase, which they talk to to take care of those few tasks that need
elevated privileges. Most tasks don't; the primary workload for a typical
webserver is just reading world-readable files and sending them across
the network (or running non-privileged CGI scripts that don't do anything
overly special).

When they want to run a script or program that needs special privileges,
the correct way to handle it is to write the script or program VERY
FREAKIN' CAREFULLY, and then make it world-executable and "setuid", which
means that when it's executed, it always runs as the user and group that
own it.

Web servers are actually a rather exceptional case, and their security can
get a little complex.

Mail servers, on the other hand, are relatively simple. They run as user
and group "mail" (or similar) which has write-access to certain files on
the disk. When they start up, they just bind to the privileged port
(ports below 1024 in Unix are considered "privileged"), drop privileges,
and go on their merry way.

--
Nicholas Knight <nkn...@runawaynet.com>
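
The startup sequence described in the post above (bind the privileged port, then drop privileges), as an added example that is not part of the original thread. The function names `bind_listener` and `drop_privileges` are hypothetical, and the "mail" account and port 25 are assumptions taken from the post's mail-server case.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <netinet/in.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Bind a TCP listener; ports below 1024 need root (or CAP_NET_BIND_SERVICE). */
int bind_listener(unsigned short port)
{
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(port) };
    int fd = socket(AF_INET, SOCK_STREAM, 0);   /* sin_addr left 0 = INADDR_ANY */
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permanently switch to an unprivileged uid/gid. Order matters: supplementary
 * groups and gid go first, because after setuid() they can no longer be changed. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0)
        return -1;                        /* "dropping" to root is a caller bug */
    if (geteuid() == 0 && setgroups(0, NULL) < 0)
        return -1;                        /* shed root's supplementary groups */
    if (setgid(gid) < 0 || setuid(uid) < 0)
        return -1;                        /* never ignore these return values */
    if (getuid() != uid || geteuid() != uid || getgid() != gid || getegid() != gid)
        return -1;
    return setuid(0) == 0 ? -1 : 0;       /* root must not be recoverable */
}

int main(void)
{
    struct passwd *pw = getpwnam("mail"); /* assumed service account name */
    int fd = bind_listener(25);           /* must happen while still root */
    if (pw == NULL || fd < 0 || drop_privileges(pw->pw_uid, pw->pw_gid) < 0) {
        fprintf(stderr, "startup failed; refusing to serve\n");
        return 1;
    }
    printf("listening on fd %d as uid %d\n", fd, (int)getuid());
    return 0;
}
```

The already-bound socket stays usable after the drop, which is why the daemon needs root only for the first few lines of its life.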

Dalai Lama

Jul 11, 2003, 9:47:16 PM
On Tue, 08 Jul 2003 02:49:31 -0700, Nicholas Knight
<nkn...@runawaynet.com> wrote:

>> So the security and privileges are all (or even mostly)
>> managed/handled by the OS itself?

>Not sure what you mean...?

Just a vague inquiry :-) I've been working with win2k and active
directory, but haven't really done anything in Linux yet. I was
wondering whether the security (permissions/rights) is integral to
the operating system, or is something controlled by an application.

>The way modern Apache works, for example, is the child processes that
>actually handle the serving run as either user "nobody" or a special
>"www", "httpd", or "www-data" user and group, depending on system.

>This user can't access anything that isn't set to be readable by everyone
>(or owned by their user/group). Similarly, they can't write to anything
>that isn't set to be writable by everyone (very little ever is).

So, excepting a few pre-determined processes things are locked down by
default, rather than available to everyone by default?

>There is one "parent" process which runs a much smaller and better-audited
>codebase, which they talk to to take care of those few tasks that need
>elevated privileges. Most tasks don't; the primary workload for a typical
>webserver is just reading world-readable files and sending them across
>the network (or running non-privileged CGI scripts that don't do anything
>overly special).

>When they want to run a script or program that needs special privileges,
>the correct way to handle it is to write the script or program VERY
>FREAKIN' CAREFULLY, and then make it world-executable and "setuid", which
>means that when it's executed, it always runs as the user and group that
>own it.

>Web servers are actually a rather exceptional case, and their security can
>get a little complex.

>Mail servers, on the other hand, are relatively simple. They run as user
>and group "mail" (or similar) which has write-access to certain files on
>the disk. When they start up, they just bind to the privileged port
>(ports below 1024 in Unix are considered "privileged"), drop privileges,
>and go on their merry way.

Thanks for the explanation.
--

Urk!

Sean Keenan

Jul 12, 2003, 2:50:57 PM
Lassie relayed this information from Vox:

> thing is, the
> softened linux is still more hardened than the default windows :)

You mean current, up to date, fully patched and maximum security windows.

No root, no damage. Eh?

--
Sean
"Kompressor does not dance!"


Nicholas Knight

Jul 12, 2003, 10:47:44 PM
on Saturday 12 July 2003 04:44 pm, Vox <v...@the-vox.com> wrote in
<m265m7l...@isis.the-vox.com>:

> No root, no damage...that's the motto of my life :) I don't give
> root to my clients till their warranty is run out...the day it's
> over, I give them their root password in an envelope, together with
> a list of prices for repairs :)

If only such things worked on family *sigh*.
--
Nicholas Knight <nkn...@runawaynet.com>

Agelmar

Jul 12, 2003, 11:23:00 PM
Nicholas Knight wrote:
> on Saturday 12 July 2003 04:44 pm, Vox <v...@the-vox.com> wrote in
> <m265m7l...@isis.the-vox.com>:
>
>> No root, no damage...that's the motto of my life :) I don't give
>> root to my clients till their warranty is run out...the day it's
>> over, I give them their root password in an envelope, together with
>> a list of prices for repairs :)
>
> If only such things worked on family *sigh*.

In Windows NT (incl. 2000 and xp) you can rename the Administrator account,
and create a new account and call it administrator. It's actually a very
good security measure. When I do work for companies, I **always** do that,
and log the hell out of (and set off major warnings) when anyone tries to
log in as Administrator. And if they do somehow manage to log in, they find
that administrator has *no* privileges :-)


Nicholas Knight

Jul 13, 2003, 10:02:59 AM
on Saturday 12 July 2003 08:23 pm, Agelmar <ifette...@comcast.net>
wrote in <beqjam$82h80$1...@ID-30799.news.uni-berlin.de>:

I meant handing them a price list.

--
Nicholas Knight <nkn...@runawaynet.com>

Dalai Lama

Jul 19, 2003, 7:00:33 AM
On Sat, 12 Jul 2003 23:23:00 -0400, "Agelmar"
<ifette...@comcast.net> wrote:

>Nicholas Knight wrote:
>> on Saturday 12 July 2003 04:44 pm, Vox <v...@the-vox.com> wrote in
>> <m265m7l...@isis.the-vox.com>:
>>
>>> No root, no damage...that's the motto of my life :) I don't give
>>> root to my clients till their warranty is run out...the day it's
>>> over, I give them their root password in an envelope, together with
>>> a list of prices for repairs :)
>>
>> If only such things worked on family *sigh*.
>
>In Windows NT (incl. 2000 and xp) you can rename the Administrator account,
>and create a new account and call it administrator. It's actually a very
>good security measure.

Not a bad idea, so long as there's documentation somewhere for any
admins that come along after you.

>When I do work for companies, I **always** do that,
>and log the hell out of (and set off major warnings) when anyone tries to
>log in as Administrator. And if they do somehow manage to log in, they find
>that administrator has *no* privileges :-)


--

We were all born to fly.
