Re: Questions on some wierd /var/log entries
- From: Douglas Mayne <doug@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 16 Jan 2007 09:43:21 -0700
On Tue, 16 Jan 2007 07:37:53 -0800, sk8terg1rl wrote:
Hi Douglas,
Jan 15 21:40:23 college sshd[22669]: refused connect from ::ffff:81.209.167.239 (::ffff:81.209.167.239)
Are you running on an ipv6 network?
Are those IPs above likely to be proxies?
How do I find out if I'm on an ipv6 network?
Ask the network provider? Probably, you are not on an ip6 network.
I am guessing that you are seeing some error message related to ip6,
because most distributions are currently using a combination of ip4 and
ip6. The error messages from ip6 are confusing, if ip4 is working
normally. I am not familiar enough with ip6 to advise you why you are
seeing this error.
I don't know the specifics about adding firewall rules using Suse's
firewall. That is because I prefer using iptables directly. If you are
sticking with Suse, then you should start learning about its firewall
interface to iptables. You can then add a rate-limit rule to limit ssh
attacks. But even before that, you should set up sshd securely.
What's the difference between SuSE's firewall, hosts.allow/deny and
iptables?
The hosts.allow and hosts.deny are service level restrictions. That is,
the service decides how to treat packets which are queued for service.
iptables restricts at a higher level: restricted packets never make it
into the queue for service. One big advantage of iptables is that it is a
"stateful" firewall. Packets are categorized by whether they are for a
"NEW" or "ESTABLISHED" connection, for example. You are already using an
iptables firewall, therefore, it makes sense to me to use it to its full
potential.
I hardly changed SuSE's firewall, except to turn off the pings with it
via
/etc/sysconfig/SuSEfirewall2
FW_ALLOW_PING_FW="no"
Disabling root logins I did in the /etc/ssh/sshd_config:
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
ssh authentication...
Another important restriction for ssh is to authenticate by certificate
only; passwords are not accepted. Here is a tutorial for doing that:
http://pkeck.myweb.uga.edu/ssh/
There are a lot of tutorials on the web. The above is one I found which
covers the basics. The sections 1 through 4 of "Getting started" are
the most important. There is one thing not mentioned in the above
tutorial: since this is for your computer, you can modify the file,
/etc/ssh/sshd_config, not to accept passwords and restart sshd.
# Some lines from /etc/sshd_config
PasswordAuthentication no
AlloweUsers sk8
oops. Misspelled keyword.
AllowUsers sk8
Note: comments inline.
# End listing
Refer to the manual for all options: man sshd_config
Also, I assume that you will be setting up between two of your boxes:
Laptop (at variable ip) <-> Desktop (at fixed ip)
Presumably, you set up keys on each device as explained in the article.
That way, you can network between the two computers. And it is obvious
that both devices would benefit from using an iptables firewall for
protection.
Yes, using ssh with keys instead of passwords was something on my to-do
list after being recommended that I do so from General Schvantzkoph. I
almost forgot and haven't gotten around to that yet as I have been very
busy with other stuff :-(
One question before I start though: does this ssh keys technique work in
Windows -> Linux logins? I tend to use Putty/WinSCP as my terminal/file
transfer apps respectively.
I looked at the help file for putty on a Windows box. Section 8 of the
help file is about certificates. Section 9 is about the agent (which
allows you to prove your identity on the local login, and then it will
provide your credentials on other remote ssh connections). The agent is
called pageant on putty and ssh-agent on OpenSSH. The putty manual is
fairly comprehensive. Also, the puttygen program appears to be part of the
process. It can import OpenSSH keys into the ppk format required by ssh.
Going offtopic...
I try to avoid using Windows whenever possible. Windows under VMWare is my
first choice whenever I need an unsupported application, such as Lotus
Notes. VMWare allows me to have "two" computers with me: a real computer
running GNU/Linux and a virtual computer for use only when necessary. The
host computer is running an iptables firewall which protects the Windows
box (running in a Window.) When the Windows box is not needed, it can be
suspended, just like a real laptop. VMWare is becoming quite a popular
choice...and it is rock-solid stable.
One last thing, which I think is important with mobile platforms: total
disc encryption. The device mapper facility which is built into the Linux
kernel can be used for an added level of protection. Losing an unencrypted
laptop seems to be as big of a risk to me as losing your purse/wallet. I
wrote this project to take advantage of device mapper's encryption
facility:
http://www.xmission.com/~ddmayne2/erf-dm
The nice thing about GNU/Linux is that you don't keep getting charged for
annual subscriptions for every component. The only thing the platform
requires is some dedication to learning how to do it for yourself.
--
Douglas Mayne
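
An added example, not part of the original post: the `::ffff:a.b.c.d` form in the quoted log line is an IPv4-mapped IPv6 address, which is how an IPv4 peer appears on a socket listening on IPv6. The sketch below unwraps that form and counts refused connections per source; the sample lines are constructed in the quoted format, and every address except the one from the thread comes from documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format quoted in the thread. Only 81.209.167.239
# comes from the post; the other addresses are documentation-range placeholders.
SAMPLE_LOG = """\
Jan 15 21:40:23 college sshd[22669]: refused connect from ::ffff:81.209.167.239 (::ffff:81.209.167.239)
Jan 15 21:40:25 college sshd[22671]: refused connect from ::ffff:81.209.167.239 (::ffff:81.209.167.239)
Jan 15 21:41:02 college sshd[22680]: refused connect from ::ffff:192.0.2.15 (::ffff:192.0.2.15)
Jan 15 21:42:10 college sshd[22702]: refused connect from 2001:db8::7 (2001:db8::7)
Jan 15 21:43:00 college sshd[22710]: Accepted publickey for sk8 from 198.51.100.4 port 40022 ssh2
"""

# "refused connect from <name> (<address>)": the parenthesised field is the address.
REFUSED = re.compile(r"sshd\[\d+\]: refused connect from \S+ \((\S+)\)")


def normalize(addr):
    """Return (family, address), unwrapping IPv4-mapped IPv6 addresses."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ("ipv4", str(ip.ipv4_mapped))
    return ("ipv%d" % ip.version, str(ip))


def refused_sources(log_text):
    """Count refused sshd connections per normalized source address."""
    counts = Counter()
    for line in log_text.splitlines():
        match = REFUSED.search(line)
        if not match:
            continue
        try:
            counts[normalize(match.group(1))] += 1
        except ValueError:
            # Field was not an address literal; keep it so nothing is dropped.
            counts[("unparsed", match.group(1))] += 1
    return counts


if __name__ == "__main__":
    for (family, addr), n in refused_sources(SAMPLE_LOG).most_common():
        print(family, addr, n)
```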
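
Also added here and not part of the original post: a small audit of the sshd_config settings discussed in the thread, which reports a near-miss keyword such as the `AlloweUsers` typo together with the restriction that is therefore missing. The keyword list covers only the options named in the thread, and the required values are an assumed policy drawn from its advice.

```python
import difflib

# Keywords that appear in this thread: a subset of sshd_config(5), not the full list.
CHECKED = ["LoginGraceTime", "PermitRootLogin", "StrictModes", "MaxAuthTries",
           "PasswordAuthentication", "AllowUsers"]
# Assumed policy taken from the thread: required value (None = any value, but set).
REQUIRED = {"PermitRootLogin": "no", "PasswordAuthentication": "no", "AllowUsers": None}

# Constructed sample combining the settings quoted in the thread, typo included.
SAMPLE = """\
# Some lines from /etc/ssh/sshd_config
LoginGraceTime 1m
PermitRootLogin no
StrictModes yes
MaxAuthTries 3
PasswordAuthentication no
AlloweUsers sk8
"""


def audit(text):
    """Return findings for one sshd_config text (Match blocks are not handled)."""
    canonical = {k.lower(): k for k in CHECKED}
    seen, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        key = keyword.lower()  # keywords are case-insensitive
        if key in canonical:
            seen.setdefault(canonical[key], value)  # the first value obtained is used
            continue
        # Outside the checked list: report it only if it resembles a checked keyword.
        near = difflib.get_close_matches(key, list(canonical), n=1, cutoff=0.85)
        if near:
            findings.append("line %d: %s looks like a misspelling of %s"
                            % (lineno, keyword, canonical[near[0]]))
    for name, want in REQUIRED.items():
        if name not in seen:
            findings.append("%s is not set" % name)
        elif want is not None and seen[name].lower() != want:
            findings.append("%s is %s, expected %s" % (name, seen[name], want))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the host itself, `sshd -t` checks the whole file against the real keyword list before the daemon is restarted.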