Re: Firewall security: Re: Problems with simple Samba file share

From: Tony Lawrence (foo_at_pcunix.com)
Date: 05/08/05 

Date: Sun, 08 May 2005 13:47:09 -0400

Peter T. Breuer wrote:
> Tony Lawrence <foo@pcunix.com> wrote:
>
>>Peter T. Breuer wrote:
>>
>>>(I am trying to get you to name a scenario against which it protects,
>>>instead of mouthing vague generalities that may or may not be true!).
>
>
>>I have given examples, and so have other people. It hasn't been vague
>
>
> Please quote. I have seen only fuzzy generalities.
>
>
>>I have a server that accepts ssh connections, but only from a specific
>>set of IP's.
>
>
> Ah good! An example!
>
> Why restrict ssh? There's no point in restricting ssh. Nobody can log
> in through it without your password and/or digital key, no matter where
> they try from. And the whole idea is to give you access wherever you
> are calling from, securely.

You are presuming a use for ssh that does not exist in this situation.

The point of ssh is not just to give access from wherever I am. As I
said, this server only allows access from specific ip's. Why do you
presume to tell me what purpose I have?

>
>
>
>>Additionally, ssh is configured only to accept specific
>>users,
>
>
> Nobody unauthorised can log in. If you don't want somebody in
> particular to log in through ssh, why have you given him a password on
> your machine?

Local users have local access through telnet and are allowed to log in.
Only a few users have a need and therefor the ability to log in remotely.

>
>>and additionally only allows public key authentication.
>
>
> Why do you think that he has kept his private key secure? Or do you
> mean that the client must present a certificate? (normally we do not
> care WHERE we are logging in from! The point of ssh is to allow you to
> log in from unexpected places, or expected places, securely, with
> authetication).

Again, you presume to tell me what the point of MY connections are.

No, in this case I don't go the extra extent of a certificate. So yes,
if the private keys are stolen, ssh would accept the connection -
except, as already noted, both the iptables and the hardware firewall
are also restricting this to specific ip's.

>
>>Beyond
>>that, it's configured to lock out after two incorrect passwords - which
>
>
> No point - there's a 6 second delay anyway, and I type badly. And it
> helps somebody steal the password by using a fake ssh frontend that
> aborts the connect after stealing the password.

There is a point. If it becomes necessary to momentarily allow password
logins, the lockout protection from pam is already in place. It also
helps protect against some unknown exploit that manages to get to a
shell and now wants to become root.

>
>
>>of course can't be given because it doesn't accept passwords. That
>>server is also protected by a hardware firewall and iptables. Most of
>>this is completely redundant,
>
>
> It worse - it does nothing. You don't want to restrict ssh entries,
> because the point of ssh is to allow _secure_ entries from anywhere. You
> try logging in from your laptop on an internet cafe otherwise!

The presumption on your part is that I want to allow logins to this
server from an internet cafe. I don't. I allow logins from specific,
known ip's only.

>
> (I knew this would be the case - any example of a server that needs
> restriction is likely to be an example of a server that is prevented
> from doing what it is supposed to be doing; and it would do that
> safely, if left to itself; because that's what it is supposed to do).
>

Who are you to say what my server is supposed to be doing???? 

-- 
Tony Lawrence
Unix/Linux/Mac OS X  resources: http://aplawrence.com

Relevant Pages

  • Re: Trouble with X11 over SSH on Mandriva 2010.0
    ... If next clean install/update causes ssh to break, ... installed the sshd daemon/service package (OpenSSH Server) on the server. ... correct values for client and server. ...
    (comp.os.linux.networking)
  • Re: Apache Software Foundation Server compromised, resecured. (fwd)
    ... this was one "result" of the comromised ssh binary at sourceforge. ... a public server of the Apache Software Foundation ... > (ASF) was illegally accessed by unknown crackers. ... > exhaustive audit of all Apache source code and binary distributions ...
    (FreeBSD-Security)
  • Re: FreeBSD Crash without Errors, Warnings, or Panics
    ... I suppose I could run on stable until the driver is fixed in a release branch, but I need this box up and online, and I've always read that the stable branch is not the place for production servers. ... I'm running 6.0-RELEASE-p5 on a Toshiba built server: dual Xeon Intel motherboard with a LSILogic MegaRAID controller. ... Also, some network ports still respond, like a telnet to port 22 to test SSH will yield an SSH banner, but trying to connect with SSH just hangs. ... The box runs a web-based app and connects to a local Postgres DB which seemed to be unable to start new connections being requested by the PHP scripts. ...
    (freebsd-hackers)
  • Re: restrict ssh access
    ... > We have one ssh server which receives about 6000 failed attempts to ... > unsuccessful login attempts per client IP address? ... the remote server is also running OpenSSH. ...
    (comp.security.ssh)
  • Re: SSH as root
    ... Subject: SSH as root ... but it doesn't require having a key on the server that could be ... If they compromise a server, and the passphrase, etc. is there, they only ... private key to anyone. ...
    (SSH)