Re: configure ssh-access
Hi,

On Wed Jul 09, 2003 at 23:16:51 +0200, François TOURDE wrote:
> > By allowing connections from only a
> > few IP address blocks, you cut out most of the crackers in the world, but
> > don't have to mess with dynamic DNS and lack of reverse lookup; A good
> > tradeoff between security and convenience.
>
> Even with fake/forged IPs?

SSH is TCP-based. IP spoofing on the internet is very hard to do.

> You can also imagine a knocking (? toc toc toc) mechanism: One ping,
> followed by two telnet packets, then 4 ftp or whatever packets, and
> then your IP is allowed to try an ssh connection...

This is security by obscurity. Approaches like this have been discussed on
this list before. It is the somewhat convoluted equivalent of a plaintext
password authentication scheme layered on top of SSH.

Regards,
uLI
Re: configure ssh-access
On the 12242nd day after Epoch, Peter Cordes wrote:
> On Mon, Jul 07, 2003 at 07:38:17PM +0200, François TOURDE wrote:
>> On the 12240th day after Epoch,
>> Mario Ohnewald wrote:
>> > I think this problem should not be solved with configuring sshd.
>>
>> Wrong... You can configure sshd to accept only login from recognized keys,
>> and let the firewall open.
>
> If there is an exploitable bug in that code, you're screwed, and the whole
> world can crack your machine.

Yes, sure. And if the IP stack has a bug, your machine is open worldwide. And
if your door is buggy, then anybody can enter...

I think the original post is: "Suppose there are no bugs in life, how can I
authorize access from recognized people" ... And so the good response is
"Use keys"...

> It's not really a problem to allow ssh access
> from the whole world, except when there's a problem with ssh. What you
> should try to do is limit the chance people have to crack your machine
> before you can do something about it.

Yes, I agree, but if you want to access a box through the network, there is
*always* a risk if washi or washa has a hole, and an exploit is published.

> By allowing connections from only a
> few IP address blocks, you cut out most of the crackers in the world, but
> don't have to mess with dynamic DNS and lack of reverse lookup; A good
> tradeoff between security and convenience.

Even with fake/forged IPs?

Anyway, you can be paranoid with your machine, but there are always
solutions to enter into these kinds of machines.

Actually, there is no known bug in ssh V2 using key authentication. This is
the easiest solution.

You can also imagine a knocking (? toc toc toc) mechanism: One ping,
followed by two telnet packets, then 4 ftp or whatever packets, and
then your IP is allowed to try an ssh connection...

Good luck ;)

--
"Jesus saves...but Gretzky gets the rebound!"
    -- Daniel Hinojosa ([EMAIL PROTECTED])
--
François TOURDE - tourde.org - 23 rue Bernard GANTE - 93250 VILLEMOMBLE
Tel: 01 49 35 96 69 - Mob: 06 81 01 81 80
eMail: mailto:[EMAIL PROTECTED] - URL: http://francois.tourde.org/
Re: configure ssh-access
On Mon, Jul 07, 2003 at 07:38:17PM +0200, François TOURDE wrote:
> On the 12240th day after Epoch,
> Mario Ohnewald wrote:
> > I think this problem should not be solved with configuring sshd.
>
> Wrong... You can configure sshd to accept only login from recognized keys,
> and let the firewall open.

If there is an exploitable bug in that code, you're screwed, and the whole
world can crack your machine. It's not really a problem to allow ssh access
from the whole world, except when there's a problem with ssh. What you
should try to do is limit the chance people have to crack your machine
before you can do something about it. By allowing connections from only a
few IP address blocks, you cut out most of the crackers in the world, but
don't have to mess with dynamic DNS and lack of reverse lookup; a good
tradeoff between security and convenience.

I suppose filtering with iptables is really the way to do it, but using
ssh's built-in AllowUsers is still at least somewhat useful. I don't know
how much code in sshd runs before AllowUsers is checked, but I hope not too
much, so as to minimize the risk of bugs.

> > I solved it with an iptables script which resolves my dynamic host every
> > 5 mins, and then reloads the firewall if needed.
>
> So, in some cases, you must wait 5 mins to connect?

Yeah, I agree that this is going too far, unless you are trying to protect
secrets that require armed guards in the real world, to back up the extreme
paranoia in the virtual world.

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , s.ca)

"The gods confound the man who first found out how to distinguish the hours!
Confound him, too, who in this place set up a sundial, to cut and hack my
day so wretchedly into small pieces!" -- Plautus, 200 BC
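The "resolve the dynamic host every few minutes and reload the firewall only if it changed" approach quoted above, as an added example (not the script from the thread). The resolver is injectable so the logic can be exercised offline; the chain name SSH_ALLOW (assumed to be jumped to from INPUT already) and the sample hostname are assumptions.

```python
"""Refresh an iptables SSH allowlist from dynamic-DNS names, reloading on change.

Added example, not the script from the thread. It follows the approach quoted
above: forward-resolve each DynDNS name (run from cron every few minutes),
compare with the last known address, and rewrite the firewall chain only when
something changed. The resolver is injectable so the logic runs offline; the
chain name SSH_ALLOW (assumed already jumped to from INPUT) and the sample
hostname are assumptions.
"""
import socket
from typing import Callable, Dict, List, Tuple

CHAIN = "SSH_ALLOW"   # assumed chain name


def resolve_a(name: str) -> str:
    """Forward-resolve a name to one IPv4 address; raises OSError on failure."""
    return socket.gethostbyname(name)


def plan_update(names: List[str], last: Dict[str, str],
                resolve: Callable[[str], str] = resolve_a,
                ) -> Tuple[Dict[str, str], List[str]]:
    """Return (new state, iptables commands); commands are empty if nothing changed.

    A name that fails to resolve keeps its previous address: a DNS hiccup must
    not lock the user out, and a name that never resolved adds no rule.
    Names dropped from the list are dropped from the state (and the chain).
    """
    state = {n: last[n] for n in names if n in last}
    for name in names:
        try:
            state[name] = resolve(name)
        except OSError:
            pass
    if state == last:
        return state, []          # unchanged: leave the firewall alone
    cmds = [f"iptables -F {CHAIN}"]
    for name in sorted(state):
        cmds.append(f"iptables -A {CHAIN} -s {state[name]}/32 -p tcp --dport 22 -j ACCEPT")
    cmds.append(f"iptables -A {CHAIN} -p tcp --dport 22 -j DROP")
    return state, cmds


if __name__ == "__main__":
    # Dry run: print the commands for a constructed hostname instead of running them.
    _, commands = plan_update(["user1.dyndns.example"], {})
    print("\n".join(commands) or "no change")
```

A real deployment would persist the returned state between cron runs and pass the commands to iptables; the 5-minute delay quoted in the mail is the interval at which this is run.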
Re: configure ssh-access
On Mon, Jul 07, 2003 at 11:08:38AM +0200, [EMAIL PROTECTED] wrote:
> Hi!
>
> I want to make ssh-access possible only from a restricted
> number of hosts - those that are named in /etc/hosts.allow.
> Users who want to login have a DynDNS host-name that shall
> be listed in hosts.allow to make it possible for users with
> a dial-up internet connection, too.
>
> BUT:
> The problem is that I can only login to the ssh-machine
> when I enter the IP-address into the hosts.allow file.
> Specifying the host's DNS-name does not work!
>
> AND:
> I'd prefer to specify the rules for logging into the machine
> in the sshd_config-file, not in hosts.allow/deny.
> But the AllowHosts/DenyHosts-options that could be used in
> /etc/sshd_config earlier seem to be no
> longer available in the SSH-version I'm using.
> It's: openssh-3.4p1-80 on a SuSE 8.1
>
> Does anybody have ideas on these 2 problems?

If you know what ISP the people you want to allow are using, you can find
out what IP address blocks they have, and allow those blocks. For example,
my sshd allows connections from, among other things, *@:::24.222.*. (It
listens on ipv6, so v4 connections are seen as coming from v4-mapped
addresses.)

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , s.ca)
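An added example (not OpenSSH's own code) of how AllowUsers user@host entries are matched against a connecting client, including the v4-mapped point above: with sshd listening on IPv6, an IPv4 client shows up as ::ffff:a.b.c.d, so an address pattern has to be written for that spelling. It approximates sshd's '*' and '?' wildcard matching and models only the address side (sshd also tries the reverse-resolved hostname); the sample rules and addresses are constructed.

```python
"""Check sshd-style AllowUsers user@host entries against a connecting client.

Added example, not OpenSSH's own code: it approximates the '*' and '?'
wildcard matching sshd applies to AllowUsers, modelling only the address side
(sshd also tries the reverse-resolved hostname). With sshd listening on IPv6,
an IPv4 client appears as ::ffff:a.b.c.d, so an address pattern must cover
that spelling. Sample rules and addresses are constructed.
"""
import ipaddress

V4_MAPPED_PREFIX = "::ffff:"


def match_pattern(s: str, p: str) -> bool:
    """Wildcard match in the sshd style: '*' any run, '?' one character."""
    if not p:
        return not s
    if p[0] == "*":
        return any(match_pattern(s[i:], p[1:]) for i in range(len(s) + 1))
    return bool(s) and p[0] in ("?", s[0]) and match_pattern(s[1:], p[1:])


def address_as_seen(addr: str, v6_socket: bool) -> str:
    """Address string sshd sees for a client on a v4 or v6 listening socket."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        return addr.lower()
    # An IPv4 client of a v6 socket arrives as a v4-mapped address.
    return f"{V4_MAPPED_PREFIX}{ip}" if v6_socket else str(ip)


def patterns_for_v4_block(block: str) -> list:
    """Both spellings an ISP block like '24.222.*' needs, for v4 and v6 sockets."""
    return [f"*@{block}", f"*@{V4_MAPPED_PREFIX}{block}"]


def allowed(user: str, addr: str, allow_users: list, v6_socket: bool) -> bool:
    """True if AllowUsers would admit `user` from `addr` (empty list = no limit)."""
    if not allow_users:
        return True
    seen = address_as_seen(addr, v6_socket)
    for entry in allow_users:
        if "@" in entry:
            upat, hpat = entry.split("@", 1)
            if match_pattern(user, upat) and match_pattern(seen, hpat):
                return True
        elif match_pattern(user, entry):   # bare user name: any source
            return True
    return False
```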