Re: [FW1] RE: problem using SSH-- Help please!!!
Sim, CT (Chee Tong) <[email protected]> wrote:

> Sorry me again, just some follow up. I am able to do SSH from the
> firewall to the host (100.101.70.90) without problem, there was
> something I missed during my installation. But the problem now I
> failed to SSH from the host (100.101.70.90) to the firewall Messages
> like "Secure connection to FW refused".

Get professional help, it seems you don't know what you are doing. You could afford FW-1 software, so you can also afford a consultant who knows what he's doing.

The sshd is probably not running. Do a ps -aux |grep sshd on the firewall machine and see whether the daemon is running.

> Is there something to do
> with the FW's inetd.conf file, as I only enable FTP and telnet
> there??

You definitely don't want to run services like telnet or ftp on the firewall. Switch off those daemons or even better: Delete the binaries of those daemons. Don't start inetd upon bootup at all, better delete the binary.

The sshd is not started from inetd but runs as a standalone daemon and thus has no entry in inetd.conf. You either have to start the sshd manually or have an adequate start script for the sshd in the runlevel directories, so that sshd is started automatically upon bootup.

Besides that you should think at least twice whether you want to have the sshd running at all and thus enable remote logins to the firewall machine. A firewall is a firewall, meaning it should offer only the absolute minimum of services, actually it should not offer any services at all. It should definitely not offer telnet and ftp service. If you allow ssh connections to the firewall, be sure to use host keys for authentication only and not username/password. This can be configured in the ssh config file.

The opportunity for remote administration is of course a comfortable feature to have but any service running might be used for an attack. The more services a machine offers, the more possibilities for attacks.

And again: If you don't know how to configure all this properly, get professional help.

Wolfgang

--
Wolfgang Kueter
Netzwerkadministration & Security
SHLINK Internet Service
http://www.shlink.de
[email protected]
Postfach 1044, 25310 Elmshorn, Fed. Rep. Germany
Telefon: +49 4121 269 006
Fax: +49 4121 269 007

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
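
Added example, not part of the original message: a small audit of the three things the reply above checks on the firewall host (telnet/ftp enabled in inetd.conf, whether sshd is actually running, and whether sshd still accepts passwords). The function names and sample inputs are constructed, and it assumes an OpenSSH-style config file with the PasswordAuthentication keyword.

```python
# Added example: hypothetical function names, constructed sample inputs.
RISKY_INETD = {"telnet", "ftp"}  # services the reply says not to run on the firewall

def inetd_services(text):
    """Service names on active inetd.conf lines (service socktype proto wait user program)."""
    active = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and not fields[0].startswith("#"):
            active.append(fields[0])
    return active

def sshd_running(ps_text):
    """True if a process named sshd is in `ps aux` output (the grep itself is ignored)."""
    for line in ps_text.splitlines():
        fields = line.split()
        if len(fields) >= 11 and fields[10].rstrip(":").rsplit("/", 1)[-1] == "sshd":
            return True
    return False

def sshd_option(text, keyword, default):
    """Global sshd_config value: first occurrence wins, keywords are case-insensitive."""
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":  # per-connection overrides, not global
            break
        if parts[0].lower() == keyword.lower():
            return parts[1].strip().lower()
    return default

def audit(inetd_text, ps_text, sshd_text):
    findings = [f"inetd offers {s}" for s in inetd_services(inetd_text) if s in RISKY_INETD]
    if not sshd_running(ps_text):
        findings.append("sshd not running (standalone daemon, not started by inetd)")
    # Assumption: OpenSSH, where PasswordAuthentication defaults to yes.
    if sshd_option(sshd_text, "PasswordAuthentication", "yes") != "no":
        findings.append("sshd accepts password logins")
    return findings

# Constructed sample inputs
INETD = "ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n#telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n"
PS = "root 412 0.0 0.1 1520 600 pts/0 S 10:01 0:00 grep sshd\n"
SSHD = "# PasswordAuthentication no\nPasswordAuthentication yes\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for finding in audit(INETD, PS, SSHD):
        print("FINDING:", finding)
```

The sample ps output contains only the grep process itself, which is what ps -aux |grep sshd shows when the daemon is not running.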