Jim, I think that the Red Hat 7.2 rules are only meant as a starting place; it's better than the old way of leaving just about anything open after a new install.

I've been using Open-SSH2 since it has been available (a year or so?) with no problems. I have ipchains set up the way you describe, allowing connections from only two hosts. I am using a default policy of DENY. That is a bit harder to administer because you need to know exactly what you want to open up, but it gives me a little extra security in case I miss something. I learned a lot about ipchains from the Linux security newsgroups; here is what I did for my ssh connections after that.

  27 ACCEPT tcp ------ sdf.lonestar.org my.host.machine any -> ssh

As you are no doubt aware, with the default DENY policy the higher ports are still blocked, so this is how I handle that:

  38 ACCEPT udp ------ anywhere my.host.machine any -> 1025:65535
  39 ACCEPT tcp !y---- anywhere my.host.machine any -> 1025:65535

to allow connections to the higher ports that are *not* SYN connections.

Now, I understand that iptables can handle this type of thing a little more elegantly. If you are just learning about firewalls, maybe you would rather learn about iptables and not bother with ipchains. I mean to switch over to that approach when I have time to learn about it. If you want to use ipchains, study the man pages (quite helpful) and look at a program called gfcc (gnome firewall configuration console(?)) to help you in editing and making your own scripts.

BTW, I really like the command:

  /etc/init.d/ipchains save

It is a lot faster and easier than trying to install my own script in rc.local or the network scripts.

Regards,
Gregg

>>>>> "Jim" == Jim Bija <[EMAIL PROTECTED]> writes:

Jim> I have a question. Lately openssh has had some security
Jim> problems. I have been told that all these problems are only
Jim> in SSH-1, not SSH-2. Also there seems to be some who-the-hell-
Jim> knows if these problems are in ssh only or openssh or both,
Jim> etc. Now, if I tell my SSH server only to accept SSH-2 and
Jim> don't relay X11, would I then tighten my SSH a lot?
Jim>
Jim> Also, I have been trying with little luck to only allow
Jim> certain IPs to be allowed into my servers via SSH. If anyone
Jim> has a nice ipchains rule that would allow x.x.x.x IP and NO
Jim> ONE ELSE I would greatly appreciate it. I think I'm finding a
Jim> problem with the way Red Hat 7.2 firewall (high) does its
Jim> firewalling. I think it might be killing ports that are
Jim> return ports for ssh. Perhaps I need to look at firewall
Jim> (medium) and perhaps low. All I have are pop3, imap, smtp,
Jim> ftp (with passive), dns, www, radiusd (Lucent). If anyone
Jim> wants to throw their 2 cents in with a script they may be
Jim> using, I would appreciate it much.
Jim>
Jim> Jim.
Jim>
Jim> Absence in love is like water upon fire; a little quickens,
Jim> but much extinguishes it. -- Hannah More

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
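The three rules Gregg lists (SSH from named hosts only, and unprivileged-port return traffic with new TCP connections excluded), written out as an ipchains script together with the iptables equivalent he mentions. This is an added example, not a script from either mail; the host names, the local address and the `fw.sh` file name are placeholders.

```shell
#!/bin/sh
# Added example, not Gregg's or Jim's own script: an ipchains ruleset with the
# same shape as the three rules Gregg lists, plus the iptables equivalent he
# mentions. Host names are placeholders; set DRY_RUN=1 to print the commands
# instead of executing them (ipchains/iptables need root and a matching kernel).

run() {
    if [ -n "$DRY_RUN" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ipchains: default DENY on the input chain, SSH (tcp/22) accepted only from the
# listed hosts, and replies to unprivileged ports accepted, but for tcp only
# when the SYN flag is clear (! -y), so no new inbound connection can use them.
ipchains_rules() {
    me=$1; shift
    run ipchains -F input
    run ipchains -P input DENY
    for host in "$@"; do
        run ipchains -A input -p tcp -s "$host" -d "$me" 22 -j ACCEPT
    done
    run ipchains -A input -p udp -s 0/0 -d "$me" 1025:65535 -j ACCEPT
    run ipchains -A input -p tcp ! -y -s 0/0 -d "$me" 1025:65535 -j ACCEPT
}

# iptables: the same policy, but the "return traffic" rule uses connection
# tracking instead of a port range, so only packets belonging to a connection
# this host started (or a RELATED one) get through, whatever port they hit.
iptables_rules() {
    me=$1; shift
    run iptables -F INPUT
    run iptables -P INPUT DROP
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    for host in "$@"; do
        run iptables -A INPUT -p tcp -s "$host" -d "$me" --dport 22 \
            -m state --state NEW -j ACCEPT
    done
}

# Usage: DRY_RUN=1 sh fw.sh my.host.machine sdf.lonestar.org
if [ $# -ge 2 ]; then
    ipchains_rules "$@"
fi
```

Run it with DRY_RUN=1 first and compare the printed rules with `ipchains -L input -n` output of the kind Gregg quotes before applying them for real.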