Re: SSH security

From: Patrick Ohnewein (pohnewein@prodata.it)
Date: 10/22/01


Message-ID: <3BD3EF1B.5060609@prodata.it>
Date: Mon, 22 Oct 2001 12:04:11 +0200
From: Patrick Ohnewein <pohnewein@prodata.it>
To: focus-linux@lists.securityfocus.com
Subject: Re: SSH security

On my RH 7.0 I use xinetd to start sshd on demand; here is my SIMPLE
/etc/xinetd.d/ssh:

service ssh
{
         # TCP service, one sshd process per connection
         socket_type = stream
         wait = no
         # sshd needs root to read the host keys and to setuid to the user
         user = root
         server = /usr/sbin/sshd
         # It's not listed in my /etc/services, so give the port explicitly
         port = 22
         # -i tells sshd it is being run from inetd/xinetd (stdin/stdout = socket)
         server_args = -i
         # Log the remote host and the attempt when a connection is refused
         log_on_failure = ATTEMPT HOST RECORD
}

My BOX is behind a firewall and therefore I don't have to care much about
security, but xinetd supports a lot of interesting options to restrict
access (extracts from man xinetd.conf):

        only_from   determines the remote hosts to which the
                    particular service is available. Its
                    value is a list of IP addresses which can
                    be specified in any combination of the
                    following ways:
                    ...
        no_access   determines the remote hosts to which the
                    particular service is unavailable. ...

xinetd provides some very useful logging features.

Are there some disadvantages or security problems in using xinetd in
place of sshd directly?

byez
Patrick

-- 
+-----------------------------------------------------------------------
|  Save software competition, use Linux and Java!
|
|  Also visit http://www.lugbz.org the Linux User Group in Southtyrol!
|
|  Public PGP KEY: http://www.lugbz.org/PGP_PatrickOhnewein.asc
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

If you put garbage in a computer nothing comes out but garbage. But this garbage, having passed through a very expensive machine, is somehow enobled and none dare criticize it.
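For comparison, an added example (not the poster's file and not from the xinetd project) showing the same /etc/xinetd.d/ssh stanza with the only_from / no_access restrictions, connection limits and logging options the post refers to filled in. The network 192.0.2.0 and hosts 198.51.100.10 and 192.0.2.250 are constructed placeholders.

```conf
# Added example: /etc/xinetd.d/ssh with xinetd access control enabled.
# Addresses below are constructed placeholders, not real hosts.
service ssh
{
        disable         = no
        socket_type     = stream
        protocol        = tcp
        wait            = no
        user            = root
        port            = 22
        server          = /usr/sbin/sshd
        server_args     = -i

        # Access control. A trailing 0 octet acts as a wildcard, so
        # 192.0.2.0 means the whole 192.0.2.x range; 198.51.100.10 is one
        # management host. When an address matches both lists, the more
        # specific match wins, so 192.0.2.250 is refused even though it
        # lies inside the only_from network.
        only_from       = 192.0.2.0 198.51.100.10
        no_access       = 192.0.2.250

        # Connection limits: total concurrent sshd processes, processes
        # per source address, and "cps = <rate> <seconds>": above 10
        # connections/second the service is disabled for 30 seconds.
        instances       = 20
        per_source      = 5
        cps             = 10 30

        # Logging to syslog (authpriv), recording accepted and refused
        # connections with the remote host, so refusals by only_from /
        # no_access show up next to sshd's own auth messages.
        log_type        = SYSLOG authpriv info
        log_on_success  = PID HOST EXIT DURATION
        log_on_failure  = HOST ATTEMPT
}
```

xinetd only gates who reaches sshd and logs the attempt; sshd's own sshd_config (protocol, authentication, root login) still applies to every connection it accepts.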


