Local SSH only
Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
Status:
Offline
Does anyone know about configuring SSH? Right now I have it turned off for safety, but the problem is I use it all the time to configure my web server. Can I mimic my mail server setting and make SSH only accept connections from local IP address ranges?
Mac Enthusiast
Join Date: Jul 2002
Location: Leiden, Netherlands
Status:
Offline
Originally posted by l008com:
Does anyone know about configuring SSH? Right now I have it turned off for safety, but the problem is I use it all the time to configure my web server. Can I mimic my mail server setting and make SSH only accept connections from local IP address ranges?
SSH is secure enough; you should not worry about incoming IPs (if you really are worried, then you need to configure OS X's built-in firewall).
Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
Status:
Offline
SSH is about as secure as Hotline, if someone is able to get your username and password.
Occasionally Useful
Join Date: Jun 2001
Location: Liverpool, UK
Status:
Offline
Originally posted by l008com:
SSH is about as secure as Hotline, if someone is able to get your username and password.
so, maybe, and this might sound crazy... don't tell people your password?
"Have sharp knives. Be creative. Cook to music" ~ maxelson
Addicted to MacNN
Join Date: Jan 2000
Location: Stoneham, MA, USA
Status:
Offline
Fresh-Faced Recruit
Join Date: May 2001
Status:
Offline
You could use tcp wrappers, and specify what traffic is okay from what servers/domains.
This URL will help:
http://www.hmug.org/HowTos/tcpwrappers.html
The Right Way would probably involve tcp wrappers and key-based authentication. See your other thread for information about key authentication.
Junior Member
Join Date: Sep 2000
Status:
Offline
Originally posted by l008com:
Does anyone know about configuring SSH? Right now I have it turned off for safety, but the problem is I use it all the time to configure my web server. Can I mimic my mail server setting and make SSH only accept connections from local IP address ranges?
I'd suggest configuring SSH to use public/private keys for authentication. I use this on my laptop and web server: the public key is on the web server in $HOME/.ssh/ and the private key is on my laptop. When I ssh in, the two machines talk turkey and sort out that I am authorised without any need for a username and password.
This makes using scp for sending files much more convenient, and avoids the problem of passwords.
Nobody made a greater mistake than he who did nothing because he could only do a little. - Edmund Burke
Mac Elite
Join Date: Dec 2001
Location: Atlanta, GA, USA
Status:
Offline
The best solution is to buy a router with a built-in firewall. You can get a cheap Linksys for about $35 now that will do this. Then, just don't forward port 22.
It's much easier, more secure, and less complicated than trying to solve the problem in software.
Mac Pro 2x 2.66 GHz Dual core, Apple TV 160GB, two Windows XP PCs
Mac Elite
Join Date: Sep 2000
Location: Edmond, OK USA
Status:
Offline
Originally posted by l008com:
SSH is about as secure as Hotline, if someone is able to get your username and password.
Then just about every system in the world is vulnerable since nearly all use username/password authentication. You might as well say that OpenBSD/BSD/Solaris/IRIX/Linux/Windows Y/... are as secure as DOS if someone has access to your username/password.
Even if you use a router more than likely the router will have a special access port (like 80) with password protection too - so you are back to square one.
By the way, I think you could use the .ssh/known_hosts file to register the key of the local machine and then configure ssh not to accept connections using password authentication.
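A check for the key-only setup suggested here and in the earlier post about public/private keys, added as an example (not code from the thread): it reads an sshd_config the way sshd does, where the first occurrence of a keyword wins, and flags settings that still leave passwords enabled. The sample config and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): check what sshd will actually do with the
# settings the posts recommend (keys on, passwords off). sshd_config is parsed
# top to bottom and the FIRST occurrence of a keyword wins, so hardening lines
# appended below an older "yes" silently change nothing. Match blocks are ignored here.

# Constructed sample config showing exactly that mistake.
SAMPLE_SSHD_CONFIG='
# original defaults left in place
PasswordAuthentication yes
PermitRootLogin yes

# "hardening" appended at the bottom: only PubkeyAuthentication takes effect
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
'

# sshd_effective CONFIG_TEXT KEYWORD -> prints the value sshd uses (empty if unset)
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || NF < 2 { next }     # skip comments and blank lines
        tolower($1) == key { print $2; exit }   # first match wins, like sshd
    '
}

# expect_setting CONFIG_TEXT KEYWORD WANTED -> 0 if the effective value matches, else a finding
expect_setting() {
    got=$(sshd_effective "$1" "$2")
    [ "$got" = "$3" ] && return 0
    printf '%s: effective value is "%s", wanted "%s"\n' "$2" "${got:-(unset)}" "$3"
    return 1
}

# audit_sshd_config CONFIG_TEXT -> prints findings, returns 1 if there are any
audit_sshd_config() {
    rc=0
    expect_setting "$1" PasswordAuthentication no || rc=1
    expect_setting "$1" PermitRootLogin no        || rc=1
    expect_setting "$1" PubkeyAuthentication yes  || rc=1
    return $rc
}

audit_sshd_config "$SAMPLE_SSHD_CONFIG" || echo "fix: move the 'no' lines above the old 'yes' lines"
```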
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Status:
Offline
Originally posted by l008com:
Does anyone know about configuring SSH? Right now I have it turned off for safety, but the problem is I use it all the time to configure my web server. Can I mimic my mail server setting and make SSH only accept connections from local IP address ranges?
Simply edit your /etc/hosts.deny file:
sshd: ALL
and your /etc/hosts.allow file:
sshd: some.ip.address
Restart sshd.
That will deny connections to sshd from any host except some.ip.address. However, that address could be spoofed or even just used by someone else.
If you are really interested in secure logins and command execution you should read up on the documentation at http://www.openssh.com; there are quite a few things you can do to make your system MORE secure and at the same time EASIER for you to use.
One way to think about security and authentication is that it is basically made up of three things:
1. Something you know - your userid/password
2. Something you have - a key (either data or hardware)
3. Something you are - biometrics (retinal scan, fingerprint, DNA, etc.)
Most authentication schemes are made up of item 1 only.
The level of security is increased as you require more items. For instance, if logging in required that you enter userid and password and a retinal scan and, say, a keycard with some datakey on it... such a scheme would be pretty secure by any reasonable standard... it would also be a bit unwieldy.
The other problem is... how easy it would be to spoof, mimic, guess, sniff, or steal one of the above items. Stealing your eyeball might be pretty difficult, but spoofing your IP address would not. While limiting ssh sessions to certain IPs would add another hurdle to a would-be cracker, it would not be a significant one; that is why I didn't include it in items 1, 2 or 3.
-DU-...etc...
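The hosts.allow/hosts.deny approach above and the tcp wrappers suggestion earlier in the thread, worked through as an added example (not code from the thread): a shell emulation of the libwrap decision sshd gets, so a rule set can be tried against sample client addresses before sshd is restarted. The rule contents, addresses and function names are constructed for the example; the real files are /etc/hosts.allow and /etc/hosts.deny.

```shell
#!/bin/sh
# Added example (not from the thread): emulate the tcp_wrappers (libwrap) check that
# sshd applies to a client, with the post's hosts.allow/hosts.deny pair widened to a LAN.
# hosts_access(5) order: hosts.allow match -> allow; hosts.deny match -> deny; else allow.
# Simplified: one daemon per line, space-separated client patterns, no EXCEPT clauses.
HOSTS_ALLOW='sshd: 192.168.1.                # trailing dot = address prefix
sshd: 10.0.0.0/255.255.255.0                # net/mask form
ALL: 127.0.0.1'                             # constructed stand-in for /etc/hosts.allow
HOSTS_DENY='sshd: ALL'                      # constructed stand-in for /etc/hosts.deny
ip_to_int() {  # dotted quad -> 32-bit integer
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# pattern_matches PATTERN CLIENT_IP -> 0 if the client matches one hosts_access pattern
pattern_matches() {
    case $1 in
        ALL) return 0 ;;
        */*) net=$(ip_to_int "${1%/*}"); mask=$(ip_to_int "${1#*/}")
             [ $(( $(ip_to_int "$2") & mask )) -eq $(( net & mask )) ] ;;
        *.)  case $2 in "$1"*) return 0 ;; *) return 1 ;; esac ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}
# file_matches RULES DAEMON CLIENT_IP -> 0 if any rule line covers DAEMON for CLIENT_IP
file_matches() {
    rules=$(printf '%s\n' "$1" | sed 's/#.*//')   # drop comments
    while IFS= read -r line; do
        case $line in *:*) ;; *) continue ;; esac   # skip blank lines
        daemons=${line%%:*}; clients=${line#*:}
        case " $daemons " in *" $2 "*|*" ALL "*)
            for pat in $clients; do
                pattern_matches "$pat" "$3" && return 0
            done ;;
        esac
    done <<EOF
$rules
EOF
    return 1
}
# wrappers_decision DAEMON CLIENT_IP -> prints allow|deny, returns 0 on allow
wrappers_decision() {
    if file_matches "$HOSTS_ALLOW" "$1" "$2"; then echo allow; return 0; fi
    if file_matches "$HOSTS_DENY" "$1" "$2"; then echo deny; return 1; fi
    echo allow   # no rule matched at all: libwrap allows by default
}
for ip in 192.168.1.20 10.0.1.7 203.0.113.9; do
    printf 'sshd from %s -> %s\n' "$ip" "$(wrappers_decision sshd "$ip")"
done
```

Note that without the `sshd: ALL` line in hosts.deny every address not listed in hosts.allow would still get through, which is the usual mistake with these files.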
Mac Elite
Join Date: Sep 2000
Location: Edmond, OK USA
Status:
Offline
No, but remember that this is a discussion, not a help desk, and many posts of this nature are reactionary rather than rational. Members of this forum are not obliged to answer your question without asking "why" unless of course they want to.
Most people who are really concerned about security, when asked a question that reveals a lack of understanding, will clarify rather than simply answer because real security is gained through knowledge not blindly shutting doors.
At any rate, this is what I gleaned from that thread:
1 - You initially ruled out hackers because it was too improbable.
2 - You later conclude that it must have been a hacker since no other conclusion was forthcoming.
3 - You will never know since the OSes have been restored.
So, in the end, you didn't ever figure out what the real problem was, so you might very well be locking down SSH and leaving some gaping hole somewhere else.
Moderator
Join Date: May 2001
Location: Hilbert space
Status:
Offline
What do you mean by local: local like local on that machine, or local like local on your home network?
In the first case, ssh is useless, simply do a `su [username]' and login as someone else. In the second case, download Brickwall to configure the MacOS X firewall (ipfw) and set a rule to deny all traffic on the ssh ports (22 or 23 I think) except for traffic on your home network.
In any case, ssh is safe enough to use `publicly'. If someone has your username and password, you'll be in trouble anyway. But everything is encrypted (including the transmission of username and password), so I wouldn't worry about it. Just in case you are nuts about security, change the ssh port to something that someone wouldn't directly guess (don't forget to open it in your firewall).
I don't suffer from insanity, I enjoy every minute of it.