From: Vahis on 11 Apr 2010 11:12

On 2010-04-11, houghi <houghi(a)houghi.org.invalid> wrote:
> Vahis wrote:
>>> Other people have other ways which I do not like for different reasons.
>>> I mention them just to be complete:
>>> 1) Change the port from 22 to something different
>>
>> I did that some months ago. No more invalids. As you brought up
>> blockhosts I must admit that moving the ssh port is so effective that
>> I had forgotten to install blockhosts in my current setup which I installed
>> several weeks ago.
>
> I have had several times that I could not ssh to high number ports.

Use low ports then :)

> Also it is easier to not need to type the port number each time.

I have a file called ~/.ssh/config
It looks like this:

Host server1
    HostName server1.example.com
    Port xxxx

Host server2
    HostName server2.example.net
    Port xxxx

Host server3.example.org
    HostName 192.168.0.90
    Port xxxx

I also have key pairs for all servers, so I just 'ssh server1' or whatever.
Also sftp, rsync, fish and anything that uses ssh picks up the same config.

> So what port number are you on, just so I can check if your logs work. ;-)

Scan me, you ;)

>> If the configurations are made correctly and the passwords are strong
>> there's not much point in blocking ssh. It's just the logs they affect
>> and they are rotated, so...
>
> Yep, that is what I have as well.

Vahis
--
http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
18:03pm up 16 days 21:21, 14 users, load average: 0.20, 0.20, 0.29
From: Vahis on 11 Apr 2010 11:14

On 2010-04-11, houghi <houghi(a)houghi.org.invalid> wrote:
> houghi wrote:
>> I have had several times that I could not ssh to high number ports. Also
>> it is easier to not need to type the port number each time. So what port
>> number are you on, just so I can check if your logs work. ;-)
>
> Forgot one very important part: security. Now why would changing
> port numbers be a bad thing? Because more and more people start to see it
> as a good thing. I have had at least three different ssh servers and
> ports that I need to remember.
>
> So what did I start doing? Writing it down, next to my multitude of
> passwords. It looked like this:
>
> ssh.example.org port 2222
> user : login1
> pass : Pa55
>
> ssh.example.net port 8080
> user : L0g!n2
> pass : Pa55

Put those in ~/.ssh/config
The syntax is in my other reply.

Vahis
--
http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
18:12pm up 16 days 21:30, 14 users, load average: 0.08, 0.13, 0.19
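The ~/.ssh/config mechanism Vahis describes in the two posts above (an alias per server, each with its own HostName and Port, so that ssh, sftp and rsync all pick it up) is worth seeing with OpenSSH's actual matching rules applied, because the rule that bites people is that for each keyword the first value obtained wins, so a catch-all "Host *" stanza placed at the top silently overrides every specific Port line below it. The following resolver is an added example, not code from the thread or from OpenSSH; it implements the subset of ssh_config(5) used here (Host, HostName, Port, User, wildcard patterns, Key=value syntax) and the sample config it parses is constructed for the example, with placeholder hostnames and ports.

```python
"""Resolve a host alias the way OpenSSH's ~/.ssh/config does.

Added example; not code from the newsgroup thread or from OpenSSH.
Covers the subset of ssh_config(5) the thread uses: Host / HostName /
Port / User, Host lines with several patterns, * and ? wildcards,
!negated patterns, case-insensitive keywords, "Key value" and
"Key=value" syntax.  Rule that matters: for every keyword the FIRST
value obtained wins, so "Host *" must come last.
"""
import fnmatch
import shlex

DEFAULT_PORT = 22

# Constructed sample in the shape the thread shows, plus the catch-all
# stanza people commonly append.  Hostnames and ports are placeholders.
SAMPLE_CONFIG = """\
# ~/.ssh/config (constructed sample)
Host server1
    HostName server1.example.com
    Port 2222

Host server2
    HostName server2.example.net
    Port=8080
    User login2

Host server3.example.org
    HostName 192.168.0.90
    Port 2022

Host *.example.org lan-*
    Port 3333

Host *
    User vahis
"""

# Same stanzas with a "Host * / Port 22" block prepended.  Because the first
# value wins, every alias now resolves to port 22 and the specific Port
# lines below become dead configuration.
MISORDERED_CONFIG = "Host *\n    Port 22\n" + SAMPLE_CONFIG


def parse_ssh_config(text):
    """Return a list of (patterns, settings) stanzas in file order."""
    stanzas = []
    patterns, settings = ["*"], {}  # lines before the first Host apply to all
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)  # "Key=value" form
        else:
            parts = line.split(None, 1)  # "Key value" form
            if len(parts) != 2:
                raise ValueError(f"malformed line: {raw!r}")
            key, value = parts
        key, value = key.strip().lower(), value.strip()
        if key == "host":
            stanzas.append((patterns, settings))
            patterns, settings = shlex.split(value), {}
        else:
            settings.setdefault(key, value)  # first value in a stanza wins
    stanzas.append((patterns, settings))
    return stanzas


def host_matches(patterns, alias):
    """A stanza applies if some positive pattern matches the alias and no
    !negated pattern does.  (fnmatch also accepts [..] classes, which
    ssh_config does not; harmless for this example.)"""
    negated = [p[1:] for p in patterns if p.startswith("!")]
    positive = [p for p in patterns if not p.startswith("!")]
    if any(fnmatch.fnmatchcase(alias, p) for p in negated):
        return False
    return any(fnmatch.fnmatchcase(alias, p) for p in positive)


def resolve(alias, config_text):
    """Return the effective (hostname, port, user) for an alias."""
    effective = {}
    for patterns, settings in parse_ssh_config(config_text):
        if host_matches(patterns, alias):
            for key, value in settings.items():
                effective.setdefault(key, value)  # first obtained value wins
    hostname = effective.get("hostname", alias)  # HostName defaults to the alias
    port = int(effective.get("port", DEFAULT_PORT))
    if not 1 <= port <= 65535:
        raise ValueError(f"Port out of range for {alias}: {port}")
    return hostname, port, effective.get("user")


if __name__ == "__main__":
    for cfg_name, cfg in (("ok", SAMPLE_CONFIG), ("misordered", MISORDERED_CONFIG)):
        for alias in ("server1", "server2", "server3.example.org", "lan-box", "other.host"):
            host, port, user = resolve(alias, cfg)
            print(f"[{cfg_name:10}] ssh {alias:20} -> {user}@{host}:{port}")
```

With the real client you can check the same thing without a script: `ssh -G server1` (OpenSSH 6.8 and later) prints the configuration ssh would actually use for that alias after evaluating all Host blocks, which is the quickest way to confirm a moved port really is being applied rather than masked by an earlier stanza. Note that this only solves the "remembering ports" problem on machines where your config file lives; it does nothing for the case houghi raises of connecting from someone else's computer, and a non-standard port is still findable by a port scan.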
From: Vahis on 11 Apr 2010 11:53

On 2010-04-11, houghi <houghi(a)houghi.org.invalid> wrote:
> Vahis wrote:
>>> I have had several times that I could not ssh to high number ports.
>>
>> Use low ports then :)
>
> I do: 22. :-D
>
>>> Also
>>> it is easier to not need to type the port number each time.
>>
>> I have a file called ~/.ssh/config
>> It looks like this:
>
> The places where I ssh from are not always Linux machines and are not
> always my machines. e.g. I am at a friend's and ask to check my email.
> Launch putty or ssh if it is a Linux machine and am done.

OK. I hear you.
I don't have that problem cos I have PuTTY on my phone.
And if friends don't have ssh they probably have key loggers anyway :)

> The same at offices. Need access to another server (e.g. xs4all.nl(1))
> just ssh to it. No need to remember ports.
>
> Port 22 is ssh and if you can not run it on that port, then don't run
> it. The sole exception is if your provider blocks ports under e.g. 1024.
> Otherwise just run it on the port it is intended to run on.
>
> (1) They run ssh not only on port 22, but also on port 80, 443 and some
> others. This is so people can connect to them, even if their work blocks
> them. Many won't block port 80 and/or 443 so that is often an option.
>
> It is very well possible to run both a webserver and an ssh server on the
> same port. Did it and it works. That does not mean I would remove the
> standard port 22. It means I might add other ports.

You're quite right. I was referring to my own use.
I have that config file in my laptop and none of my machines listen on 22.
I have just one real machine, the rest is virtual.
The virtual ones have ddclients as well so I connect with names to all of them.

Vahis
--
http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
18:46pm up 16 days 22:04, 14 users, load average: 0.06, 0.16, 0.19
From: Vahis on 11 Apr 2010 11:58

On 2010-04-11, houghi <houghi(a)houghi.org.invalid> wrote:
> Vahis wrote:
>> Put those in ~/.ssh/config
>
> And what if I connect from other people's computers?

Put this on a USB stick (you know what):
"Boot from within a host operating system (that's right, it can run *inside* Windows)"

Vahis
--
http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
18:53pm up 16 days 22:11, 14 users, load average: 0.07, 0.13, 0.16
From: JT on 12 Apr 2010 08:44

On 12/04/10 14:08, houghi wrote:
> Will Honea wrote:
>
>> I've been giving this some thought. Around here Qwest, Comcast, and
>> Verizon/ATT are the big boys. There are a few one-off type ISPs but the
>> three big players account for nearly all the services I have any real need
>> to accommodate (just watch - 3 of the pastors will use one of the oddballs
>> and complain within minutes of being filtered out). Running the numbers
>> makes this look a lot better since I can fairly easily filter address blocks
>> without bogging down the poor little MIPS processor in the router.
>>
> Not sure what you are getting at here.
>
>> That,
>> BTW, is a limitation on BlockHosts solution - too many Windows machines
>> inside the router firewall and the router runs out of both memory and CPU
>> cycles pretty quickly.
>>
> Huh? I have no idea why you would think that. Have you actually tried
> blockhosts? It should take less than 5 minutes to install and even less
> time to remove. And you should be able to test it pretty quickly.
>
> But hey, if you just don't want to try it, fine by me. I am not the one
> complaining about my logfiles. I am just the one giving a solution.
>
>> That is not really a consideration in this particular situation. Virtually
>> all the access will be from homes (or maybe internet-enabled coffee shops).
>> At least in this context, the demographics are on my side.
>>
> And you select one port, somebody else selects another port and people
> will start to get confused. To me it is like those 'security measures'
> that hang around and where people start to copy each other's security
> measures while not thinking what it means in the global way of things.
>

Hear, hear: obfuscation != security. A simple ip-scan will show up the 'secure' port anywayz...

> What you see is people first do it at home as it is only for them. Then
> they do it at home, as it is only their server. The next step is clearly
> doing it at the office and before you know it, everybody is using a
> different port. That then means many places will not give you the access
> you need.
>

Actually they will ;-) But on a non-expected port. But you might indeed need the port to be right as well, in which case you would be right. ;-)

> houghi
>

--
Kind regards,
JT