MSEC 4 and SSH



Guest phlewis

Running MDK 10.1 "Official".

 

Wish to set MSEC at "Higher" level (MSEC 4) and still be able to SSH into the box as a regular user.

 

How can I do this? I've looked at the generic "all about MSEC" documentation. Need specifics.

 

Thank you,

 

P

Link to comment
Share on other sites

I don't know the exact function of the higher setting in msec, but isn't that normal?

 

I think the higher security setting prevents sshing as root (as in ssh -l root xxx.xxx.xxx.xxx). Ssh as normal user is permitted I think. Then you can su after you ssh in.

Link to comment
Share on other sites

Guest phlewis

Hi,

 

Thanks for the reply.

 

I forgot to mention this is a web server. According to Mandrake, the "higher" (MSEC 4) setting is basically considered secure enough for a server supporting many connections on the Internet. I assume by this Mandrake is suggesting that MSEC 3 is NOT adequately secure for this purpose.

 

When I change the setting to MSEC 4 from MSEC 3 (aka "high") I can no longer ssh into the box as a "normal" user. I never ssh as root. I want to use the security level Mandrake recommends for a server (i.e. MSEC 4). I need to be able to ssh into the machine at MSEC 4.

 

At MSEC 3 ssh as a normal user is NOT a problem.

 

Mandrake should offer readily accessible (and reasonably understandable) instructions on how to do this and maybe they do but I have been unable to find them anywhere.

 

Anyhoo, if anyone out there has a suggestion about what to do please post.

 

Regards,

 

P

Link to comment
Share on other sites

Do research on what you want /etc/hosts.allow to have listed in the file.

You can drill down to allowing whatever IP address access to whatever port you want.

...Also check any internal software firewalls that may be used. The firewalls work and will block you from touching the box. I use Webmin for accessing many settings on remote and local servers, I find it works much better than the Mandrake wizards found in drakwiz. I'm pretty sure once you cross the line into "higher" security the "linux firewall" is put into place... check that...

If all else fails and you are not sure what to add to /etc/hosts.allow you can type in ALL:ALL on its own line... WARNING: ALL:ALL means just that. All hosts will be allowed access to ALL ports. If you are not behind a firewall/router you are asking for trouble... If you open up ssh on the local box and open ssh on the firewall/router your box will be hammered by ssh login tries all day and night. You might have confidence in the strength of your password but I've seen brute force ssh hacks hammer at a box at a rate of around 4 tries per second. I might be off on the 4 in a second but it's a lot and you will SH!T your pants the first time you see hundreds of ssh attempts in your logs all coming from China @ 4 am your time. BTW the box that got hammered and finally broken into was a Fedora Core 1 that allowed ssh from root, it wasn't mine but I got called to see why it went down. Check your logs.

Not that getting hit on from anyone from China is a bad thing, it's just something you want to watch.

Link to comment
Share on other sites

Guest phlewis

Thanks ddmcse for your suggestions.

 

I will research these ideas further.

 

Is it ok to just leave MSEC at level 3? Or would you strenuously advise against this?

 

P

Link to comment
Share on other sites

You are behind a router/firewall doing NAT, right?

And this is filtering traffic, right? Only allowing traffic to the webserver on certain ports you pick. Your webserver is not set as a PC in DMZ, right?

Link to comment
Share on other sites

  • 5 weeks later...

I have the same problem - as soon as you put it on "Higher" you feel great, because it says "At this security level using it as a server becomes possible" - but it won't serve anything!

 

I too want to run an SSH server at this level, but for now level 3 is working fine and I'm not too worried about it... Any ideas on getting it to work, anyone?

Link to comment
Share on other sites

Three places to look at:

 

/etc/ssh/sshd_config

/etc/hosts.allow

 

firewall configuration

 

sshd_config is well-noted and should be easy to follow. I haven't tested it on level 4 myself but it may be set to disallow password login (only allowing public key login), or something like this.

 

/etc/hosts.allow and /etc/hosts.deny act as filters on incoming connections for most servers. Any server which runs through tcp_wrappers will respect the settings here. On level 4, /etc/hosts.deny is set to ALL:ALL by default, which blocks all incoming connections from anywhere. To allow access to servers which respect these settings, you'll have to edit /etc/hosts.allow to permit access from certain hosts. The format is roughly:

 

processname:IP

 

so a line like this:

 

sshd:192.168.2.1

 

would allow 192.168.2.1 to access the ssh server. You can use ALL on either side to mean either all processes or all hosts. In the IP address, you can use 0 as a wildcard, so:

 

sshd:192.168.0.0

 

would allow 192.168.(anything) to access sshd.

 

Finally, firewall configuration. I believe security level 4 activates the firewall by default. You will need to allow access to port 22 to enable ssh access.

 

For information on exactly what msec does at any given security level, and a way to configure it, run 'draksec' and use the 'help' button.

Link to comment
Share on other sites

Thanks a lot for your reply! I learned a lot...

 

Turns out all you need is to add the following in your /etc/hosts.allow file:

sshd:ALL

 

Now I can run my SSH server at the Higher Security Level setting! Thanks again!

 

<I re-read your post after struggling for a long time... I had put sshd:ANY instead of ALL in /etc/hosts.allow so it still wasn't working! This also solves my problem with users being able to shut the system down!!! AWESOME! :banana: >

Edited by static
Link to comment
Share on other sites

BTW, I'm doing something wrong with IPs - I discovered last night that using .0 as a wildcard isn't actually working. I need to investigate this some more, but for now I'm just using hostnames instead (I forgot to mention you can also specify hostnames in these files rather than IP addresses). It's probably a good idea if you can to restrict ssh access only to hostnames you'll need to access it from, otherwise anyone in the world will be able to have a shot at cracking your passwords...so if you're going to leave it as sshd:ALL, make sure you've got a _very_ secure password :)

Link to comment
Share on other sites
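
An added example, not part of any post in this thread: a small Python model of the client-pattern rules documented in hosts_access(5), run against the /etc/hosts.allow entries discussed above with hosts.deny set to ALL:ALL. It shows why `sshd:ANY` and a `.0` "wildcard" did not match, and which forms do cover a subnet. It models only ALL, literal, prefix, suffix and net/mask patterns (no EXCEPT, LOCAL or IPv6), and the client addresses are constructed samples.

```python
import ipaddress

def pattern_matches(pattern, addr, hostname=None):
    """Match one client pattern (subset of hosts_access(5))."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "192.168." matches by address prefix
        return addr.startswith(pattern)
    if pattern.startswith("."):          # ".example.org" matches by name suffix
        return bool(hostname) and hostname.lower().endswith(pattern.lower())
    if "/" in pattern:                   # "net/mask" pair, e.g. 192.168.0.0/255.255.0.0
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern)
        except ValueError:
            return False
    # Anything else, including "ANY" or "192.168.0.0", is a literal host.
    return pattern == addr or (bool(hostname) and pattern.lower() == hostname.lower())

def rule_matches(line, daemon, addr, hostname=None):
    """True if a 'daemon_list : client_list' line covers this daemon and client."""
    line = line.strip()
    if not line or line.startswith("#") or ":" not in line:
        return False
    daemons, clients = (f.replace(",", " ").split() for f in line.split(":")[:2])
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(pattern_matches(c, addr, hostname) for c in clients))

def access_allowed(allow, deny, daemon, addr, hostname=None):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    for text, verdict in ((allow, True), (deny, False)):
        if any(rule_matches(l, daemon, addr, hostname) for l in text.splitlines()):
            return verdict
    return True

DENY = "ALL:ALL"  # hosts.deny at level 4, as described in the thread

if __name__ == "__main__":
    # Entries from the thread plus the prefix and net/mask forms from
    # hosts_access(5); client addresses are constructed samples.
    for entry in ("sshd:ANY", "sshd:ALL", "sshd:192.168.0.0",
                  "sshd:192.168.", "sshd:192.168.0.0/255.255.0.0"):
        for client in ("192.168.2.1", "203.0.113.7"):
            ok = access_allowed(entry, DENY, "sshd", client)
            print(f"{entry:32} {client:13} {'allow' if ok else 'deny'}")
```

On a real system, `tcpdmatch sshd <client-address>` from the tcp_wrappers package answers the same question against the installed files.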
