Re: Locking down a guest account - need help.

2001-08-06 Thread Mike Renfro

On Fri, Aug 03, 2001 at 12:46:10PM -0500, David Ehle wrote:

  1. How to disallow network connections to this guest account? I don't
 want anyone ssh'ing in, but I still want to be able to remotely administer
 the machines.

man sshd --

 DenyUsers
 This keyword can be followed by a number of user names, separated
 by spaces.  Login is disallowed for user names that match one of
 the patterns.  `*' and `?' can be used as wildcards in
 the patterns.  Only user names are valid, a numerical user id
 isn't recognized.  By default login is allowed regardless
 of the username.

there are similar DenyGroups, AllowUsers, and AllowGroups directives,
too. This is *the* simplest solution. If you're PAM-savvy, there are
options there, too (easiest is to use pam_listfile to allow/deny
access to people listed in a particular file). However, it's really
easy to shoot yourself in the foot with PAM. Plus, you'd certainly
want to disable any other network access methods you can (ftp and
friends).

If all the people need to do is browse the web and ssh out, you can
also make a firewall rule that allows traffic to and from any remote
host's port 22, 80, or 443.

-- 
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]


--  
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
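
To see how the four directives combine, here is an added example (it is not
from Mike's post or from OpenSSH itself) that models the order sshd applies
them in: DenyUsers first, then AllowUsers, then DenyGroups and finally
AllowGroups, with the shell's own case globbing standing in for the `*' and
`?' wildcards. The directive values, account names and group names are
assumptions made up for the illustration; sshd reads the real ones from
sshd_config.

```sh
#!/bin/sh
# Added example (not from the post): model sshd's Allow/Deny evaluation.
# The directive values are assumptions standing in for this sshd_config:
#
#   DenyUsers   guest
#   AllowGroups admins
#
DENY_USERS="guest"
ALLOW_USERS=""
DENY_GROUPS=""
ALLOW_GROUPS="admins"

set -f   # no pathname expansion: a pattern such as "guest*" must stay literal

# in_list NAME PATTERN...: succeed if NAME matches any of the glob patterns.
# An unquoted $_pat in a case label is used as a pattern, so "*" and "?"
# behave like sshd's wildcards (user names only, no numeric uids, as the
# man page says).
in_list() {
    _name=$1; shift
    for _pat in "$@"; do
        case "$_name" in
            $_pat) return 0 ;;
        esac
    done
    return 1
}

# sshd_allows USER GROUP...: apply the directives in sshd's order and print
# the verdict with the rule that decided it. Exit status 0 means allowed.
sshd_allows() {
    _user=$1; shift
    # 1. DenyUsers: a match is final.
    if [ -n "$DENY_USERS" ] && in_list "$_user" $DENY_USERS; then
        echo "deny  $_user (DenyUsers)"; return 1
    fi
    # 2. AllowUsers: once it is set, anyone not listed is denied.
    if [ -n "$ALLOW_USERS" ] && ! in_list "$_user" $ALLOW_USERS; then
        echo "deny  $_user (not in AllowUsers)"; return 1
    fi
    # 3. DenyGroups: membership in any listed group is final.
    if [ -n "$DENY_GROUPS" ]; then
        for _g in "$@"; do
            if in_list "$_g" $DENY_GROUPS; then
                echo "deny  $_user (DenyGroups via $_g)"; return 1
            fi
        done
    fi
    # 4. AllowGroups: once it is set, membership in a listed group is required.
    if [ -n "$ALLOW_GROUPS" ]; then
        for _g in "$@"; do
            if in_list "$_g" $ALLOW_GROUPS; then
                echo "allow $_user (AllowGroups via $_g)"; return 0
            fi
        done
        echo "deny  $_user (no group in AllowGroups)"; return 1
    fi
    echo "allow $_user"; return 0
}

# The guest account must be refused, the administrator must get in.
# '|| :' keeps a denial from aborting a shell running with set -e.
sshd_allows guest  users        || :   # deny  guest (DenyUsers)
sshd_allows admin  admin admins || :   # allow admin (AllowGroups via admins)
# The foot-gun: AllowGroups also locks out every account that is not in a
# listed group, so keep a second root session open until you have tested.
sshd_allows backup backup       || :   # deny  backup (no group in AllowGroups)
```

Note the third call: the moment either Allow directive is set, everything
not matched by it is refused, which is how an administrator locks himself
out while trying to lock out a guest. Test the new sshd_config from a second
connection before closing the one you edited it from.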




Re: snort 1.8 for demarc

2001-08-06 Thread Mike Renfro

On Sun, Aug 05, 2001 at 07:41:41PM +, Marco Tassinari wrote:

 /usr/local/lib/libpcap.a(gencode.o): In function `pcap_compile':
 gencode.o(.text+0x203): undefined reference to `lex_init'
 /usr/local/lib/libpcap.a(grammar.o): In function `yyparse':
 grammar.o(.text+0x94): undefined reference to `yylex'
 grammar.o(.text+0x9ba): undefined reference to `yylex'

You have bison installed too? Or just flex? I think yylex calls are
frequently references to yacc.

-- 
Mike Renfro  / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University -- [EMAIL PROTECTED]






Code Red Worm

2001-08-06 Thread Brandon High

Code Red v2 is wreaking havoc already today. It's liquefied our corporate
firewall.

I was probed by it 200 times on Sunday as well, vs. maybe 30/day for v1.

-B

-- 
Brandon High [EMAIL PROTECTED]
Remember that silence is sometimes the best answer.



Re: Locking down a guest account - Got Help. THANKS!

2001-08-06 Thread David Ehle


Thanks all!

   Your help and suggestions have helped me over the current stumbling
blocks and it's (hopefully) all downhill from here.  I finally ditched
enlightenment and went with sawmill.  A couple of menus deep was keybinding
and by just disabling the entry for root_menu, I was able to seal up the
desktop interface without crippling the rest of the users.  Now all that's
left is disabling all the tty sessions and going over permissions with a
fine-tooth comb.

 Thanks again!
   david.


On Mon, 6 Aug 2001, Mike Renfro wrote:

 On Fri, Aug 03, 2001 at 12:46:10PM -0500, David Ehle wrote:

   1. How to disallow network connections to this guest account? I don't
  want anyone ssh'ing in, but I still want to be able to remotely administer
  the machines.

 man sshd --

  DenyUsers
  This keyword can be followed by a number of user names, separated
  by spaces.  Login is disallowed for user names that match one of
  the patterns.  `*' and `?' can be used as wildcards in
  the patterns.  Only user names are valid, a numerical user id
  isn't recognized.  By default login is allowed regardless
  of the username.

 there are similar DenyGroups, AllowUsers, and AllowGroups directives,
 too. This is *the* simplest solution. If you're PAM-savvy, there are
 options there, too (easiest is to use pam_listfile to allow/deny
 access to people listed in a particular file). However, it's really
 easy to shoot yourself in the foot with PAM. Plus, you'd certainly
 want to disable any other network access methods you can (ftp and
 friends).

 If all the people need to do is browse the web and ssh out, you can
 also make a firewall rule that allows traffic to and from any remote
 host's port 22, 80, or 443.








Re: Locking down a guest account - need help.

2001-08-06 Thread Mike Fedyk

On Sat, Aug 04, 2001 at 12:30:20AM +0200, Tobias wrote:
 Hello!
 
 you can disable password login in sshd and only run ssh with public
 key authentication, just don't forget to put a root owned non-writable
 folder or file called .ssh and .ssh2 in the accounts you do not wish
 people to log in to.
 
 And I agree with Jim Breton about locking down PAM as much as possible.
 

Umm...

Once you deny password login and allow only key-based auth, how are they
going to create the file in the first place?






No local user authentication with openssh2.9

2001-08-06 Thread Yussef Elsirgany


Dear List,

I am having a great deal of trouble setting up openssh-2.9 in my debian
setup.  Can anyone tell me why none of my local users get authenticated
when using openssh?  It works fine when I use ssh 3.01 btw.  If anyone can
help me make the switch it would be greatly appreciated.

Here is a snippet of a session I started (daemon + client info)

reliant:~# sshd -d -d -d &
[1] 6845
reliant:~# debug1: Seeding random number generator
debug1: sshd version OpenSSH_2.9p2
debug1: private host key: #0 type 0 RSA1
debug3: No RSA1 key file /usr/local/etc/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: No RSA1 key file /usr/local/etc/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
debug1: Bind to port 22 on 192.168.1.102.
Server listening on 192.168.1.102 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 192.168.1.101 port 2487
debug1: Client protocol version 1.5; client software version PuTTY
debug1: no match: PuTTY
debug1: Local version string SSH-1.99-OpenSSH_2.9p2
debug1: Rhosts Authentication disabled, originating port not trusted.
debug1: Sent 768 bit server key and 1024 bit host key.
debug1: Encryption type: 3des
debug1: Received session key; encryption turned on.
debug1: Installing crc compensation attack detector.
debug1: Attempting authentication for yussef.
Failed password for johnsmith from 192.168.1.101 port 2487
Failed password for johnsmith from 192.168.1.101 port 2487
Failed password for johnsmith from 192.168.1.101 port 2487
Failed password for johnsmith from 192.168.1.101 port 2487
Read from socket failed: Connection reset by peer
debug1: Calling cleanup 0x806573c(0x0)

[1]+  Exit 255                sshd -d -d -d

---client info--

login as: johnsmith
Sent username johnsmith
[EMAIL PROTECTED]'s password:
Access denied
[EMAIL PROTECTED]'s password:
Access denied
[EMAIL PROTECTED]'s password:
Access denied
[EMAIL PROTECTED]'s password:
Access denied
[EMAIL PROTECTED]'s password:
Access denied
[EMAIL PROTECTED]'s password:
Access denied
[EMAIL PROTECTED]'s password:
Access denied

---client info--


Thanks and Best Regards,

Yussef M. ElSirgany
Software Engineer

Email: [EMAIL PROTECTED]
Phone: 631-645-7588
Fax:   516-484-2424







Re: Locking down a guest account - need help.

2001-08-06 Thread Eli Boaz
On Sat, Aug 04, 2001 at 12:30:20AM +0200, Tobias wrote:
 Hello!
 
 you can disable password login in sshd and only run ssh with public
 key authentication, just don't forget to put a root owned non-writable
 folder or file called .ssh and .ssh2 in the accounts you do not wish
 people to log in to.
 

Putting a root-owned file in a directory owned by a user is not much help
against a UNIX-savvy user. The user would still be able to rename the
file(s). You could create the .ssh / .ssh2 directories or files (owned by
root), and then use the ``chattr +i dirname'' command on each directory
or file to protect it. This is for ext2fs only, but other filesystems may
have equivalent commands.

[FYI, chattr +i sets the immutable flag in the ext2 filesystem, rendering
the file unchangeable. chattr -i will remove the flag. Read the man page
for more info.]

Just my $0.02 worth,

-- 
Eli Boaz ([EMAIL PROTECTED])
GNU/Linux: Free your computer from bad software. http://www.debian.org/


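Eli's point is plain Unix directory semantics and can be checked without
root: whether a file can be renamed or deleted is decided by the write and
search bits of the directory it sits in, not by the file's own mode or owner.
The script below is an added example (not from the post): it moves a
mode-000 ".ssh" aside while the directory is writable, then shows the same
mv being refused once the directory's write bit is gone. The directory and
file names are made up; the chattr lines appear in a comment only, because
the immutable flag needs root and an ext2 filesystem to demonstrate.

```sh
#!/bin/sh
# Added example (not from Eli's post): the right to rename or delete a file
# comes from the directory that holds it, not from the file's own mode or
# owner, so a root-owned .ssh inside a user-writable home is no barrier.
# Everything below happens in a throw-away directory and runs as any user;
# the names are made up for the illustration.

# setup_home DIR: make DIR with an unreadable, unwritable regular file
# called .ssh in it (the "non-writable .ssh" idea, minus the root ownership).
setup_home() {
    mkdir -p "$1"
    : > "$1/.ssh"
    chmod 000 "$1/.ssh"
}

# try_rename DIR: do what a UNIX-savvy guest would do, move .ssh aside so
# that a fresh, writable one can be created. Prints "renamed" or "refused".
try_rename() {
    if mv "$1/.ssh" "$1/.ssh.old" 2>/dev/null; then
        echo renamed
    else
        echo refused
    fi
}

# demo: run the rename against a writable home and against a home without
# the write bit; prints both outcomes on one line.
demo() {
    _s=$(mktemp -d)

    # 1. Home writable by its owner (the normal case): the mode-000 file is
    #    no obstacle, mv only needs write and search permission on the
    #    directory, and rename(2) never looks at the file's own mode.
    setup_home "$_s/rw"
    _a=$(try_rename "$_s/rw")

    # 2. Same file, but the directory has no write bit: the rename is refused
    #    for an ordinary user. (Run as root it still succeeds, root ignores
    #    mode bits; chattr +i is stronger precisely because it binds root too.)
    setup_home "$_s/ro"
    chmod 555 "$_s/ro"
    _b=$(try_rename "$_s/ro")

    chmod 755 "$_s/ro"
    rm -rf "$_s"
    echo "writable-dir:$_a readonly-dir:$_b"
}

# A real home directory has to stay writable, so the practical fix on ext2
# is the immutable flag on the entry itself (needs root, and blocks root too):
#     chattr +i /home/guest/.ssh     # cannot be renamed, removed or modified
#     lsattr    /home/guest/.ssh     # shows the i flag
#     chattr -i /home/guest/.ssh     # clear it before you need to change it
demo
```

The second case is the one to remember: taking the write bit off the home
directory would stop the rename, but the guest then cannot work there at
all, which is why the immutable flag on the .ssh entry is the workable
answer. Remember that +i stops root as well, so the flag has to be cleared
again before an administrator can edit or remove the directory.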


Re: syslog-ng issue

2001-08-06 Thread Jeff Coppock
Jeff Coppock, 2001-Aug-05 09:04 -0700:
I'm trying to clean up my logging using syslog-ng (version
1.5.6-1).  The problem at this point is that my firewall
(iptables) logs are showing up in my newly setup firewall log
file, and still in the messages kern.log and syslog files.  

I used the default syslog-ng.conf file and added the following
lines to the appropriate sections:

destination firewall { file("/var/log/firewall" owner("root")
group("adm") perm(0640)); };
 
filter f_firewall { match("Dropped: .*IN=.*OUT=.*"); };
 
log { source(src); filter(f_firewall); destination(firewall); };

My desire is to have all firewall logs go ONLY to the firewall
log file.

Does the order in which these entries occur matter?  I just
noticed that the destination entry was at the end of that
section while the filter and log entries are at the beginning.
I moved the destination entry to the beginning of that
section and will watch the logs.

thanks for any help...jc

   Well, I figured it out.  More time and reading always seem to
   make a difference.  Basically, I added another filter to not
   match the firewall messages and used that filter with the
   messages, kern.log and syslog log entries and it works great.
   
   jc

-- 

Jeff Coppock          Nortel Networks
Systems Engineer      http://nortelnetworks.com
Major Accts.          Santa Clara, CA
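
Here is an added example (not Jeff's configuration, which the thread only
describes) of the arrangement he settled on: the same pattern in a positive
filter and in a negated one, and a dry run of that pattern against a few
constructed log lines so you can see every line landing in exactly one file
before the live syslog-ng.conf is edited. The filter and destination names
f_kern, f_syslog, kern and syslog, and the use of grep -E as a stand-in for
syslog-ng's match(), are assumptions.

```sh
#!/bin/sh
# Added example (not from Jeff's post): the two-filter arrangement he ended
# up with, plus a dry run of the pattern against sample lines so the split
# can be checked before the live syslog-ng.conf is touched.

# syslog_ng_fragment: the relevant syslog-ng configuration. Assumed to be the
# form Jeff describes: one filter selects the firewall lines and its negation
# is attached to every other log statement, so nothing is written twice.
# The f_kern/f_syslog filters and kern/syslog destinations are assumed names.
syslog_ng_fragment() {
    cat <<'EOF'
destination firewall { file("/var/log/firewall" owner("root") group("adm") perm(0640)); };

filter f_firewall   { match("Dropped: .*IN=.*OUT=.*"); };
filter f_nofirewall { not match("Dropped: .*IN=.*OUT=.*"); };

log { source(src); filter(f_firewall); destination(firewall); };
# every destination that used to receive the firewall lines gains the negated filter
log { source(src); filter(f_kern);   filter(f_nofirewall); destination(kern);   };
log { source(src); filter(f_syslog); filter(f_nofirewall); destination(syslog); };
EOF
}

# Jeff's match() pattern, used unchanged for the dry run.
PATTERN='Dropped: .*IN=.*OUT=.*'

# Constructed sample lines, not captured from a real host: two iptables drops
# logged with --log-prefix "Dropped: ", one other kernel line, one cron line.
SAMPLE='Aug  5 09:04:01 fw kernel: Dropped: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP DPT=80
Aug  5 09:04:02 fw kernel: Dropped: IN=eth0 OUT= SRC=10.0.0.9 DST=10.0.0.1 PROTO=ICMP
Aug  5 09:04:03 fw kernel: eth0: link up
Aug  5 09:05:00 fw /USR/SBIN/CRON[123]: (root) CMD (run-parts /etc/cron.hourly)'

# grep -E stands in for match(): the lines f_firewall and f_nofirewall pass.
firewall_lines() { grep -E -- "$PATTERN"; }
other_lines()    { grep -E -v -- "$PATTERN"; }

count_lines()    { wc -l | tr -d ' '; }
count_firewall() { printf '%s\n' "$SAMPLE" | firewall_lines | count_lines; }
count_other()    { printf '%s\n' "$SAMPLE" | other_lines    | count_lines; }
count_total()    { printf '%s\n' "$SAMPLE" | count_lines; }

# The property Jeff wanted: firewall + other adds up to the total, i.e. every
# line lands in exactly one file and none is duplicated into kern.log.
printf 'firewall=%s other=%s total=%s\n' \
    "$(count_firewall)" "$(count_other)" "$(count_total)"
```

The pattern is tied to the --log-prefix of the iptables LOG rules: a rule
that logs with a different prefix, or with none, will still end up in
kern.log and syslog, so keep the prefix and the filter in step when you add
rules.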


