Hello Jim,

Friday, December 28, 2001, 7:08:07 PM, you textually orated:

JB> I have a question.. Lately openssh has had some security problems. I have
JB> been told that all these problems are only in SSH-1 not SSH-2.

Well, it's had one problem. Unless lately for you goes back a year. ;)

The problem had nothing to do with protocol version.

JB> Also there seems to be some who the hell knows if these problems are in ssh
JB> only or openssh or both etc.

Most of the recent discussions have been about the original SSH product and
also the "weaknesses" of protocol 1 against "man-in-the-middle" attacks.

JB> Now, if I tell my SSH server only to accept SSH-2 and don't relay X11 would
JB> I then tighten my SSH a lot?

Using only protocol 2 should be more secure. But how certain are you that
you won't have a client that only supports version 1?

What you tunnel (relay) through ssh has no bearing on the security of the
protocol, be it X or something else. It simply redirects from the original
port to port 22 (default) for tunneling through ssh.

JB> Also, I have been trying with little luck to
JB> only allow certain IPs to be allowed into my servers via SSH.

Use the tcp wrappers. The RH version is compiled for use with them. Just add
the appropriate entries in /etc/hosts.allow & /etc/hosts.deny

JB> If anyone has a nice ipchains rule that would allow x.x.x.x ip and NO
JB> ONE ELSE I would greatly appreciate it.

I personally see this as overkill. But tastes vary. TCP wrappers should be
effective.

JB> I think I'm finding a problem the way redhat 7.2 firewall (high) does its
JB> firewalling. I think it might be killing ports that are return ports for
JB> ssh. Perhaps I need to look at firewall (medium) and perhaps low. All I
JB> have are pop3, imap, smtp, ftp (with passive), dns, www, radiusd (Lucent). If
JB> anyone wants to throw their 2 cents in with a script they may be using,
JB> I would appreciate much.

You are better off learning and creating your own firewall. The needs of
each set-up vary too much to effectively help you.

For one, it would seem that you have an "Internet Services" server set-up.
What is it that you wish to block? If there are services that are running
you don't need, shut them off and remove the packages. Don't try to use a
firewall to plug an unnecessary hole.

The GUI based firewall tools (IMHO) are more of the "personal firewall"
variety. If this is a server figure out what you need to block and what the
best tool to do that is (tcp wrappers, ipchains, etc.).

If you haven't invested a lot of time in ipchains, start by learning
iptables instead. ipchains is on its way out and only being used by RH
right now (in compatibility mode, not native to 2.4.x kernels) to maintain
backwards compatibility since 7.0 still had a 2.2.x kernel.

Have fun,
-- 
_________________________________________________________________
 Brian Ashe                     CTO
 [EMAIL PROTECTED]              Dee-Web Software Services, LLC.
 http://www.dee-web.com/
-----------------------------------------------------------------
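The two ways Brian suggests for letting only one address reach sshd, tcp wrappers and a packet filter (iptables rather than ipchains), plus the sshd_config settings Jim asked about, as an added example that is not part of the original thread. The trusted address is a constructed value from the RFC 5737 documentation range; the functions only print the lines an admin would put in place and touch nothing on the real system.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints the configuration that
# restricts sshd to a single trusted address; nothing is applied.

TRUSTED_IP="203.0.113.10"   # constructed example address, not a real host

# Sanity check before any address lands in a config file: four dotted
# decimal octets, each in 0..255. Returns 0 when valid, 1 otherwise.
is_ipv4() {
    echo "$1" | awk -F. 'NF==4 { for (i=1;i<=4;i++)
                                   if ($i !~ /^[0-9]+$/ || $i>255) exit 1;
                                 exit 0 }
                         { exit 1 }'
}

# sshd_config lines for Jim's first question: protocol 2 only, no X11 relay.
sshd_config_lines() {
    echo "Protocol 2"
    echo "X11Forwarding no"
}

# tcp wrappers: sshd checks /etc/hosts.allow first, then /etc/hosts.deny.
# One allow line for the trusted host, one deny-all line for sshd.
wrappers_allow_line() {
    is_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    echo "sshd: $1"
}
wrappers_deny_line() { echo "sshd: ALL"; }

# iptables equivalent: accept replies on existing SSH connections, accept new
# SSH only from the trusted host, drop every other new SSH attempt.
iptables_rules() {
    is_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    echo "iptables -A INPUT -p tcp --dport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -s $1 -m state --state NEW -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Print everything so the admin can review it before copying it into place.
main() {
    echo "# sshd_config";     sshd_config_lines
    echo "# /etc/hosts.allow"; wrappers_allow_line "$TRUSTED_IP"
    echo "# /etc/hosts.deny";  wrappers_deny_line
    echo "# iptables";         iptables_rules "$TRUSTED_IP"
}
```

The hosts.deny line only makes sense together with the hosts.allow entry, since an empty hosts.allow would leave sshd reachable from nowhere.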



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
