# maybe we don't wanna log too much.
PrintMotd yes
# print the message of the day? always nice
KeepAlive yes
# ensures sessions will be properly disconnected
SyslogFacility DAEMON
# who's doing the logging?
RhostsAuthentication no
# allow rhosts to be used for authentication? the default is no
# but nice to say it anyways
RhostsRSAAuthentication no
# is authentication using rhosts or /etc/hosts.equiv sufficient?
# not in my mind. the default is yes so let's turn it off.
RSAAuthentication yes
# allow pure RSA authentication? this one is pretty safe
PasswordAuthentication yes
# allow users to use their normal login/passwd? why not.
PermitEmptyPasswords no
# permit accounts with empty password to log in? no
Other useful sshd_config directives include:
AllowGroups - explicitly allow groups (from /etc/group) to log in using ssh
DenyGroups - explicitly disallow groups (from /etc/group) from logging in
AllowUsers - explicitly allow users to log in using ssh
DenyUsers - explicitly block users from logging in
AllowHosts - allow certain hosts, the rest will be denied
DenyHosts - block certain hosts, the rest will be allowed
IdleTimeout time - time in minutes/hours/days/etc, forces a logout of an idle session
by SIGHUP'ing the process.
Note that these are the directive names of the SSH 1.x daemon this guide was written against. The Rhosts*, RSAAuthentication, IdleTimeout, AllowHosts and DenyHosts keywords are no longer honoured by current OpenSSH (which dropped protocol 1 entirely, times out idle clients with ClientAliveInterval and ClientAliveCountMax, and restricts by client address with Match Address blocks), so check the sshd_config(5) man page of the daemon actually installed before copying them.
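A small checker that reads an sshd_config and reports where it departs from the settings argued for above, as an added example (not code from the guide; the RECOMMENDED table and both sample configs are constructed here). It follows two sshd parsing rules that matter when auditing: keywords match case-insensitively, and for each keyword the first occurrence in the file is the one that takes effect, so a "PermitEmptyPasswords no" appended to the end of a file does nothing if an earlier line already says "yes".

```python
"""Audit an sshd_config for the settings the guide argues for.

Added example, not from the guide: the checker, the RECOMMENDED table and
both sample configs are constructed here.
"""

# Keyword -> value the guide recommends. A keyword that never appears is
# reported too, because the compiled-in default then applies (for the
# guide's daemon, RhostsRSAAuthentication defaults to yes).
RECOMMENDED = {
    "RhostsAuthentication": "no",
    "RhostsRSAAuthentication": "no",
    "PermitEmptyPasswords": "no",
}


def parse_sshd_config(text):
    """Return {keyword.lower(): value}, keeping the FIRST value seen.

    Blank lines and comment lines are skipped. Both "Keyword value" and
    "Keyword=value" spellings are accepted, as sshd accepts them.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue  # keyword without a value: sshd itself would reject it
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings


def audit_sshd_config(text):
    """Return [(keyword, effective_value, recommended_value), ...] for every
    recommended keyword whose effective value is not the one wanted."""
    settings = parse_sshd_config(text)
    findings = []
    for keyword, wanted in RECOMMENDED.items():
        effective = settings.get(keyword.lower())
        if effective is None:
            findings.append((keyword, "unset (default applies)", wanted))
        elif effective.lower() != wanted:
            findings.append((keyword, effective, wanted))
    return findings


# Constructed sample: RhostsRSAAuthentication is never set (so the default
# applies), and the trailing "PermitEmptyPasswords no" is masked by the
# earlier lowercase "permitemptypasswords yes".
WEAK_CONFIG = """\
# constructed sample, not a real host's file
RhostsAuthentication no
permitemptypasswords yes
PasswordAuthentication yes
PermitEmptyPasswords no
"""

HARDENED_CONFIG = """\
RhostsAuthentication no
RhostsRSAAuthentication no
PermitEmptyPasswords no
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for keyword, effective, wanted in audit_sshd_config(WEAK_CONFIG):
        print(f"{keyword}: is {effective!r}, should be {wanted!r}")
    print("hardened config findings:", audit_sshd_config(HARDENED_CONFIG))
```

To run it against a live host, pass the contents of /etc/sshd_config (or /etc/ssh/sshd_config) to audit_sshd_config; extend RECOMMENDED with whatever the local policy requires, keeping the keyword spelling of the daemon actually in use.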
Fresh Free FiSSH
Most of us still have to sit in front of Windows workstations, and ssh clients for Windows are a
pain to find. Fresh Free FiSSH is a free ssh client for Windows 95/NT 4.0. Although not yet
completed, I would recommend keeping your eye on it if you are like me and have many
Windows workstations. The URL is: http://www.massconfusion.com/ssh/.
Tera Term
Tera Term is a free Telnet client for Windows, and has an add-on DLL to enable ssh support.
Tera Term is available from: http://hp.vector.co.jp/authors/VA002416/teraterm.html. The
add-on DLL for SSH support is available from: http://www.zip.com.au/~roca/ttssh.html.
PuTTY
PuTTY is a Windows SSH client, pretty good, completely free, and also small (184k
currently). You can download it from:
http://www.chiark.greenend.org.uk/~sgtatham/putty.html.
mindterm
mindterm is a free java ssh client, you can get it at: http://www.mindbright.se/mindterm/.
LSH
LSH is a free implementation of the SSH protocol (both client and server). LSH is GNU
licensed and is starting to look like the (commercially speaking) alternative to SSH, which is
not free anymore. You can download it from: http://www.net.lut.ac.uk/psst/; please note it is
under development.
Secure CRT
A commercial Telnet / SSH client from Vandyke software. You can download / purchase it at:
http://www.vandyke.com/.
RSH, REXEC, RCP
R services such as rsh, rcp, rexec and so forth are very insecure. There is simply no other
way to state it. Their security is based on the hostname/IP address of the machine
connecting, which can easily be spoofed or, using techniques such as DNS poisoning,
otherwise compromised. By default they are not all disabled; please do so immediately. Edit
/etc/inetd.conf, look for rexec, rsh and so on, comment them out, and then run
"killall -1 inetd" (SIGHUP) so that inetd rereads its configuration.
If you absolutely must run these services use TCP_WRAPPERS to restrict access; it's not
much but it will help. Also make sure you firewall them, as TCP_WRAPPERS will allow an
attacker to see that they are running, which might result in a spoofed attack, something
TCP_WRAPPERS cannot defend against if done properly. Access to the various R services is
controlled via rhosts files (the system-wide /etc/hosts.equiv and a .rhosts file in each user's
home directory); unfortunately this is susceptible to packet spoofing. The other problem with
r services is that once there is even a minor security breach that can be used to modify files,
editing a user's (such as root's) .rhosts file makes it very easy to crack a system wide open.
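The two things worth checking on any host that still has the r services enabled are wildcard trust entries and who can write the trust files, since an appended "+ +" line is exactly the "crack a system wide open" case above. The checker below is an added example, not code from the guide; the sample .rhosts content is constructed. It uses the entry format of hosts.equiv and .rhosts: one "host [user]" pair per line, "+" in the host field meaning any host, "+" in the user field meaning any user on that host, a leading "-" meaning an explicit denial, and "@name" naming a NIS netgroup.

```python
"""Flag wildcard trust in .rhosts / hosts.equiv content and unsafe file modes.

Added example, not from the guide; SAMPLE_RHOSTS is constructed.
"""
import stat

ANY_HOST_ANY_USER = "any-host-any-user"   # "+ +": everybody, everywhere
ANY_HOST = "any-host"                     # "+ user": that user from any host
ANY_USER = "any-user"                     # "host +": any user on that host


def rhosts_findings(text):
    """Return [(line_no, kind, line), ...] for every entry that widens trust
    to a wildcard. Denial entries ("-host") never widen trust and are skipped,
    as are comments and blank lines."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host.startswith("-"):
            continue
        any_host = host == "+"
        any_user = user == "+"
        if any_host and any_user:
            findings.append((line_no, ANY_HOST_ANY_USER, line))
        elif any_host:
            findings.append((line_no, ANY_HOST, line))
        elif any_user:
            findings.append((line_no, ANY_USER, line))
    return findings


def writable_by_others(st_mode):
    """True if the mode bits allow group or world write: anyone who can
    append a "+ +" line to the file gets remote access as its owner."""
    return bool(st_mode & (stat.S_IWGRP | stat.S_IWOTH))


SAMPLE_RHOSTS = """\
# constructed sample .rhosts, not taken from a real host
trusted.example.com alice
+ alice
trusted.example.com +
+ +
-badhost.example.com
@admins root
"""

if __name__ == "__main__":
    for line_no, kind, line in rhosts_findings(SAMPLE_RHOSTS):
        print(f"line {line_no}: {kind}: {line!r}")
    print("mode 0644 writable by others:", writable_by_others(0o100644))
    print("mode 0666 writable by others:", writable_by_others(0o100666))
```

On a live system, feed it /etc/hosts.equiv and the .rhosts file of every home directory listed in /etc/passwd, and pass os.stat(path).st_mode to writable_by_others; root's .rhosts deserves the first look.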
If you need remote administration tools that are easy to use and similar to rsh/etc I would
recommend nsh (Network SHell) or SSH; they both support encryption and a much higher
level of security. Alternatively, using VPN software will reduce some of the risk, as you can
deny packet spoofers the chance to compromise your system(s) (part of IPSec is
authentication of sender and source, which is almost more important than encrypting the data
in some cases).
Webmin
Webmin is one of the better remote administration tools for Linux; written primarily in Perl, it
is easy to use and easy to set up. You can assign different 'users' (usernames and passwords are
held internally by Webmin) varying levels of access; for example you could give bob access
to shut down the server only, and give john access to create/delete and manipulate users only.
In addition to this it works on most Linux platforms and a variety of other UNIX platforms.
The main 'problem' with Webmin is somewhat poor documentation in some areas of usage,
and the fact that the username/password pair are sent in clear text over the network (this is
mitigated slightly by the ability to grant access to only certain host(s) and networks). Most
importantly, it makes the system more accessible to non-technical people who must administer
systems, in such a way that you do not have to grant them actual accounts on the server.
Webmin is available at: http://www.webmin.com/webmin/, and is currently free. Webmin
defaults to running on port 10000 and should be firewalled:
ipfwadm -I -a accept -P tcp -S 10.0.0.0/8 -D 0.0.0.0/0 10000
ipfwadm -I -a accept -P tcp -S some.trusted.host -D 0.0.0.0/0 10000
ipfwadm -I -a deny -P tcp -S 0.0.0.0/0 -D 0.0.0.0/0 10000
or in ipchains (note -p tcp, as in the ipfwadm rules above: ipchains only accepts port numbers
together with tcp, udp or icmp, not with -p all):
ipchains -A input -p tcp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 10000
ipchains -A input -p tcp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 10000
ipchains -A input -p tcp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 10000
Both ipfwadm (2.0 kernels) and ipchains (2.2 kernels) have long since been replaced by iptables
and nftables; the same three rules (accept from the internal network and the trusted host, deny
everything else to port 10000) are what to express in whichever tool the running kernel supports.
FTP
FTP used to be the most used protocol on the Internet by sheer data traffic until it was
surpassed by HTTP a few years ago (yes, there was a WWW-free Internet once upon a time).
FTP does one thing, and it does it well: transferring files between systems. The protocol
itself is insecure: passwords, data, etc. are transferred in cleartext and can easily be sniffed;
however, most ftp usage is 'anonymous', so this isn't a huge problem. One of the main
problems typically encountered with ftp sites is improper permissions on directories that
allow people to use the site to distribute their own data (typically copyrighted material, etc.).
Again, as with telnet, you should use an account for ftping that is not used for administrative
work, since the password will be flying around the network in clear text.
Problems with ftp in general include:
- Clear text authentication, username and password.
- Clear text of all commands.
- Password guessing attacks
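To make the cleartext point concrete, the following added example (not code from the guide) parses a captured FTP control-channel stream the way a sniffer on the path would and pulls out every USER/PASS pair, classifying it as an anonymous login, an ordinary account, or one of the administrative accounts the previous paragraph says should never be used for ftp. The captured session is constructed (two sessions concatenated), and the ADMIN_ACCOUNTS set is an assumption for the example. The parser handles the protocol's framing: CRLF-terminated lines, server replies starting with a three-digit code, and multi-line replies ("220-...") whose body lines must not be mistaken for client commands.

```python
"""Extract FTP logins from a captured control channel.

Added example, not from the guide; CAPTURE and ADMIN_ACCOUNTS are constructed.
"""

# Accounts whose password must never cross the wire in the clear. This list
# is an assumption for the example, not something FTP itself knows about.
ADMIN_ACCOUNTS = {"root", "admin"}


def extract_ftp_logins(capture):
    """Return [(user, password, kind), ...] in order of appearance.

    kind is "anonymous", "admin-account" or "account". FTP commands are
    case-insensitive, so "user" and "USER" are both recognised.
    """
    logins = []
    user = None
    in_multiline_reply = False
    for raw in capture.split("\r\n"):
        line = raw.strip()
        if not line:
            continue
        if in_multiline_reply:
            # A multi-line reply ends with "nnn " (code followed by a space).
            if line[:3].isdigit() and len(line) > 3 and line[3] == " ":
                in_multiline_reply = False
            continue
        if line[:3].isdigit():
            # Server reply; "nnn-" opens a multi-line reply.
            if len(line) > 3 and line[3] == "-":
                in_multiline_reply = True
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            user = arg.strip()
        elif verb == "PASS" and user is not None:
            password = arg.strip()
            if user.lower() in ("anonymous", "ftp"):
                kind = "anonymous"  # password is an e-mail address by convention
            elif user.lower() in ADMIN_ACCOUNTS:
                kind = "admin-account"
            else:
                kind = "account"
            logins.append((user, password, kind))
            user = None
    return logins


# Constructed capture: an anonymous session followed by a root login attempt.
# The banner is a multi-line reply whose second line would be misread as a
# USER command by a naive line scanner.
CAPTURE = (
    "220-constructed sample ftp server\r\n"
    " USER and PASS in this banner are text, not commands\r\n"
    "220 ready\r\n"
    "USER anonymous\r\n"
    "331 Please specify the password.\r\n"
    "PASS guest@example.com\r\n"
    "230 Login successful.\r\n"
    "QUIT\r\n"
    "221 Goodbye.\r\n"
    "user root\r\n"
    "331 Please specify the password.\r\n"
    "PASS s3cret\r\n"
    "530 Login incorrect.\r\n"
)

if __name__ == "__main__":
    for user, password, kind in extract_ftp_logins(CAPTURE):
        print(f"{kind}: USER {user} PASS {password}")
```

Note that the failed root login at the end is still reported: the password has already crossed the wire in the clear, whether or not the server accepted it.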