Hi Jim,

> I have a question.. Lately openssh has had some security problems. I have
> been told that all these problems are only in SSH-1 not SSH-2.

There have been multiple vulnerabilities over time, so this depends on which vulnerability you are referring to. The latest OpenSSH vulnerability for which a patch was released by RH has something to do with manipulation of environment variables, so this has nothing to do with the protocol version. The previous vulnerability that I heard of indeed only applied to protocol 1, but IIRC this was only a problem with the commercial SSH. In short, keeping up to date is probably the best answer. Personally I want to be in control of my machine, so I do not like using services like up2date. I prefer subscribing to the Red Hat watch list (https://listman.redhat.com/mailman/listinfo/redhat-watch-list) and applying the updates by hand.

> Also there seems to be some who the hell knows if these problems are in ssh
> only or openssh or both etc.

This indeed can be confusing. Just ask on the list if in doubt.

> Now, if i tell my SSH server only to accept SSH-2 and don't relay X11 would i
> then tighten my SSH a lot?

I believe in general there are some weaknesses in protocol 1, so I would say yes. At least I seem to be only using protocol 2 on my machines. Must be for some reason :). In regard to relaying X sessions, it depends where you want to relay them. If you don't want to relay X sessions currently, then disable it.

> Also, i have been trying with little luck to only
> allow certain IPs to be allowed into my servers via SSH. If anyone has a nice
> ipchains rule that would allow x.x.x.x ip and NO ONE ELSE i would greatly
> appreciate it.

I have not investigated iptables very much as of yet, but for ipchains I use something like:

    ipchains -A i_e1_tcp -p 6 -y -s SOURCEIP -d YOURIP 22 -j ACCEPT

I believe the syntax for iptables is very similar to that of ipchains. Since I am using an interface (and protocol) specific chain (i_e1_tcp), in your case you might want to add an interface ("-i"). I think iptables needs you to specify a traffic type as well (ESTABLISHED, RELATED etc.), but see the man page for details.

> I think im finding a problem the way redhat 7.2 firewall (high)
> does its firewalling. I think it might be killing ports that are return ports
> for ssh.

In iptables this is handled differently. With ipchains I seem to be accepting non-connection TCP traffic to all ports and logging traffic to reserved ports (0:1023) coming from all but trusted addresses (mind you, I have not been looking at these rules for a while, so I might not be entirely accurate here). But with iptables this should be handled with a "RELATED" traffic type, or something like that.

Side note: this logging of non-connection traffic to reserved ports shows an occasional burst of packets from a few dozen addresses, all directed at my port 53 (yeah, running a caching-only nameserver). Still not sure if this is an exploitation attempt. Why would 30 different addresses all be talking to bind at the same time? Maybe bind is refreshing its cache? Answers to this phenomenon are appreciated.

Bye,

Leonard.

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
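As an added example, not part of Leonard's mail and not Red Hat's own firewall configuration: the iptables counterpart of the ipchains rule above, combined with the ESTABLISHED,RELATED rule that covers the "return ports" Jim's firewall appears to be blocking. The trusted address, interface, port and the dry-run/apply switch are assumptions chosen for the example. The script emits the rules as text so they can be reviewed first, and only feeds them to iptables when APPLY=1 is set and it is run as root.

```shell
#!/bin/sh
# Added example (not from the original mail): allow new SSH connections from
# one trusted address only, and let reply traffic for the host's own
# connections back in. The values below are assumed placeholders; override
# them in the environment. "-m state" is the 2.4-kernel match that the RH 7.2
# firewall era used; "-m conntrack --ctstate" is the modern spelling.
TRUSTED_IP="${TRUSTED_IP:-192.0.2.10}"   # assumed: the only host allowed to ssh in
IFACE="${IFACE:-eth1}"                   # assumed: the external interface
SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset for a trusted address, interface and port, one iptables
# command per line. Emitting text instead of running it lets you read the
# rules before touching a live firewall.
ssh_rules() {
    trusted="$1"; iface="$2"; port="$3"
    cat <<EOF
# loopback is never filtered
iptables -A INPUT -i lo -j ACCEPT
# replies to connections this host opened (the "return ports") and related
# ICMP; this replaces the ipchains "accept non-connection TCP" approximation
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# new SSH connections: SYN only (the ipchains "-y"), trusted source only
iptables -A INPUT -i $iface -p tcp --syn -s $trusted --dport $port -j ACCEPT
# anything else aimed at the SSH port is logged (rate limited) and dropped
iptables -A INPUT -i $iface -p tcp --dport $port -m limit --limit 5/minute -j LOG --log-prefix "ssh-denied: "
iptables -A INPUT -i $iface -p tcp --dport $port -j DROP
EOF
}

# Self-check: count the ACCEPT rules that admit *new* SSH connections. A
# correct ruleset has exactly one, and it names the trusted address.
new_ssh_accepts() {
    ssh_rules "$1" "$2" "$3" | grep -c -- '--syn .* -j ACCEPT'
}

ssh_rules "$TRUSTED_IP" "$IFACE" "$SSH_PORT"
# Apply only on explicit request and only as root; otherwise this is a dry run.
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    ssh_rules "$TRUSTED_IP" "$IFACE" "$SSH_PORT" | sh
fi
```

Rule order matters: the ESTABLISHED,RELATED rule must come before any blanket REJECT or DROP, so on a host whose INPUT chain already ends with such a rule (as a generated firewall typically does) these lines need to be inserted ahead of it with `-I INPUT <n>` rather than appended with `-A`. The `--syn` match mirrors the ipchains `-y`: only the first packet of a connection is checked against the source address, everything after that is admitted by the state rule.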