
Re: Security



Hi, Michael,

Thanks for your explanation on security issues, and sorry 
for interrupting your conversation.

I am seriously thinking of installing the ssh package. I have 
questions on ssh and hope you can shed some light on it:

1) You are in the US (and me too), but the ssh packages you 
   indicated in your e-mail seem to be the international 
   version.  Should they be the US version or am I missing 
   something?

2) I heard that installing ssh packages is tricky, and a 
   friend warned me that I should know what I am doing.
   Since many times I don't know what I am doing (until I
   bump into the wall), do you have any tips for (first
   timers) installing the ssh packages? Can I assume that

   # rpm -i <ssh package name>

   will work?

3) If ssh is installed on a server with RedHat5.2,
   must the client with ssh also be on RedHat5.2 (i.e., can
   the client be RedHat5.0)?

Thanks!

Philip
 
 
> Quoting Amanda Owens (amowens radonc duke edu):
> > My question is, what services are standard, but are simply security
> > risks waiting to happen? 
> 
> It depends on your needs.  Turn off anything that you aren't actively
> using.  If you're not sure, turn it off anyway and see if anything
> breaks.  :-)
> 
> Usually on the UNIX boxes I administer I turn off everything but ftp,
> telnet, auth (identd) and maybe time.  I make sure that all of these
> services are protected by tcp_wrappers (denying everything by default and
> adding trusted hosts to the /etc/hosts.allow file).  On machines that are
> not protected by a firewall I have been known to disable EVERYTHING except
> for Sendmail and sshd.  It's better to be safe than sorry!
> 
> > We have 3 linux boxes and a SUN in a lab environment.  We telnet/ftp
> > between them frequently, but only have 2 of the disks on the SUN
> > exported to be mountable on all 4 machines.  And our home directories
> > are mounted from still another fileserver that serves the whole
> > department.
> 
> If these boxes are visible from the Internet, I would strongly suggest
> putting them behind a firewall.  If you need to run samba, NFS, or
> anything like that you should protect the services with a well-configured
> firewall.  Restrict all access to these servers by default, and allow only
> a few needed exceptions, such as SMTP (tcp/25), HTTP (tcp/80), etc.  
> 
> The most important thing to do is keep on top of product upgrades.  Apply patches
> and upgrades when they are released, especially when they are security-related.
> 
> I talk to sites almost on a daily basis who get hacked who are still
> running older, unpatched operating systems.  A common target nowadays is
> exploiting the IMAP and portmap services.  The vulnerabilities were
> discovered (and upgrades made available) MONTHS ago...but there are sites
> out there who neglect to stay current, and then wonder why they get
> hacked.
> 
> > I'm looking at installing ssh to do things with instead of
> > telnet/rsh/rlogin/etc.  I've done some web searches and dejanews searches
> > on the topic, but haven't come up with anything really helpful. 
> 
> SSH is the greatest thing since sliced bread, IMHO.  I don't like version
> 2.x though, so I'm sticking to version 1.2.26 until I'm convinced
> otherwise.  You can get SSH RPMs from replay.com.  The ones I prefer are
> located at:
> 
> ftp://ftp.replay.com/pub/replay/linux/redhat/i386/ssh-1.2.26-3i.i386.rpm
> ftp://ftp.replay.com/pub/replay/linux/redhat/i386/ssh-clients-1.2.26-3i.i386.rpm
> ftp://ftp.replay.com/pub/replay/linux/redhat/i386/ssh-extras-1.2.26-3i.i386.rpm
> ftp://ftp.replay.com/pub/replay/linux/redhat/i386/ssh-server-1.2.26-3i.i386.rpm
> 
> A lot of people resist SSH because they are using a Windoze machine and
> don't have a good SSH client.  If you have users who are accessing these
> boxes from Windoze machines, I recommend getting the SecureCRT client
> from Van Dyke Technologies.  It's really nice, and you can download a
> 30-day evaluation copy, (if you're in the USA).  Their URL is 
> http://www.vandyke.com/. 
> 
> Good luck...I hope this helps.
> 
>                                               -michael
> -- 
> Michael A. Jarvis, Senior Technology Consultant
> Insource Technology, Houston, TX  USA http://www.insource.com
> Email:  michaelj "at" insource.com   Telephone:  281.774.4096
> RSA PGP Key:  0x1F1D5425             DSS PGP Key:  0x44D20912
> 
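
The lockdown described in the quoted reply (keep only a few inetd services, run them behind tcp_wrappers, deny everything by default), as an added example that is not part of the original thread. The function names, the keep-list and the sample files are assumptions constructed for illustration; the script reads copies of the files and changes nothing.

```shell
#!/bin/sh
# Added example: audit inetd.conf against a keep-list and check for default deny.

# One line per enabled entry: OK (runs through tcpd), UNWRAPPED (started
# directly, not through tcpd), INTERNAL (served by inetd itself), DISABLE
# (enabled but not on the keep-list), MALFORMED (fewer than 6 fields).
audit_inetd() {    # $1 = inetd.conf path, $2 = space-separated services to keep
    awk -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        NF == 0 || $1 ~ /^#/ { next }    # blank line or commented-out entry
        NF < 6               { print "MALFORMED " $1; next }
        !($1 in want)        { print "DISABLE " $1 "/" $3; next }
        $6 == "internal"     { print "INTERNAL " $1 "/" $3; next }
        $6 == "tcpd" || $6 ~ /\/tcpd$/ { print "OK " $1 "/" $3; next }
        { print "UNWRAPPED " $1 "/" $3 }
    ' "$1"
}

# True only if hosts.deny has an uncommented "ALL: ALL" rule. tcp_wrappers
# grants access when no rule in either file matches, so without it the
# hosts.allow entries restrict nothing.
has_default_deny() {    # $1 = hosts.deny path
    grep -Eq '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL[[:space:]]*(:|$)' "$1"
}

# Constructed sample files (not taken from any real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd       in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd       in.telnetd
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd  in.identd -l -e -o
time    stream  tcp  nowait  root    internal
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd       in.rshd
finger  stream  tcp  nowait  root    /usr/sbin/tcpd       in.fingerd
imap    stream  tcp  nowait  root    /usr/sbin/tcpd       imapd
EOF
printf 'ALL: ALL\n' > "$SAMPLE_DIR/hosts.deny"

audit_inetd "$SAMPLE_DIR/inetd.conf" "ftp telnet auth time"
has_default_deny "$SAMPLE_DIR/hosts.deny" && echo "hosts.deny: default deny in place"
```

An UNWRAPPED result means only that the entry does not start through tcpd; a daemon that does its own access control has to be checked separately.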


