
Re: [FW1] RE: problem using SSH-- Help please!!!



Sim, CT (Chee Tong) <[email protected]> wrote:

> Sorry, me again, just some follow up.  I am able to do SSH from the
> firewall to the host (100.101.70.90) without problem, there was
> something I missed during my installation.  But the problem now is that I
> failed to SSH from the host (100.101.70.90) to the firewall.  Messages
> like "Secure connection to FW refused".

Get professional help, it seems you don't know what you are doing. You 
could afford FW-1 software, so you can also afford a consultant, who 
knows what he's doing.

The sshd is probably not running. Do a 

ps -aux |grep sshd 

on the firewall machine and see whether the daemon is running.

> Is there something to do
> with the FW's inetd.conf file, as I only enable FTP and telnet
> there??   

You definitely don't want to run services like telnet or ftp on the 
firewall. Switch off those daemons or even better: Delete the binaries 
of those daemons. Don't start inetd upon bootup at all, better delete 
the binary. 

The sshd is not started from inetd but runs as a standalone daemon and 
thus has no entry in inetd.conf.  You have either to start the sshd 
manually or have an adequate start script for the sshd in the runlevel 
directories, so that sshd is started automatically upon bootup.

Besides that you should think at least twice whether you want to have 
the sshd running at all and thus enable remote logins to the firewall 
machine. A firewall is a firewall, meaning it should offer only the 
absolute minimum of services, actually it should not offer any services 
at all. It should definitely not offer telnet and ftp service. If you 
allow ssh connections to the firewall, be sure to use host keys for 
authentication only and not username/password. This can be configured 
in the ssh config file. The opportunity for remote administration is of 
course a comfortable feature to have but any service running might be 
used for an attack. The more services a machine offers, the more 
possibilities for attacks.

And again: If you don't know how to configure all this properly, get 
professional help.

Wolfgang
-- 
Wolfgang Kueter Netzwerkadministration & Security
SHLINK Internet Service http://www.shlink.de [email protected]
Postfach 1044, 25310 Elmshorn, Fed. Rep. Germany
Telefon: +49 4121 269 006 Fax: +49 4121 269 007
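
The checks discussed in the message above (nothing such as telnet or ftp offered through inetd, password logins to sshd switched off), as an added example that is not part of the original message. It assumes an OpenSSH-style sshd_config and a classic inetd.conf; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes an OpenSSH-style
# sshd_config and a classic inetd.conf; Match blocks are not evaluated.

# Services still enabled (uncommented) in inetd.conf; none if the file is gone.
inetd_enabled_services() {
    [ -f "$1" ] || return 0
    awk '$1 !~ /^#/ && NF >= 6 { print $1 }' "$1"
}

# Effective value of an sshd_config keyword: first occurrence wins, keywords
# are case-insensitive, "Key=value" is accepted; else print the default.
sshd_option() {  # usage: sshd_option FILE KEYWORD DEFAULT
    awk -v k="$2" -v d="$3" '
        $1 ~ /^#/ { next }
        { sub(/=/, " ") }
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }' "$1"
}

# Report findings; return non-zero if any check fails.
audit_firewall() {  # usage: audit_firewall INETD_CONF SSHD_CONFIG
    rc=0
    for svc in $(inetd_enabled_services "$1"); do
        echo "FAIL: inetd still offers $svc"; rc=1
    done
    # OpenSSH enables password logins unless told otherwise.
    if [ "$(sshd_option "$2" PasswordAuthentication yes)" != "no" ]; then
        echo "FAIL: sshd accepts password logins"; rc=1
    fi
    return "$rc"
}

# Constructed sample files resembling the setup described in the thread.
demo=$(mktemp -d)
cat > "$demo/inetd.conf" <<'EOF'
# constructed sample
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/in.rshd     in.rshd
EOF
printf '%s\n' '# constructed sample' 'Port 22' \
    '#PasswordAuthentication no' > "$demo/sshd_config"
audit_firewall "$demo/inetd.conf" "$demo/sshd_config" || echo "audit failed"
```

On a real machine, call audit_firewall with the actual paths of inetd.conf and sshd_config; a missing inetd.conf counts as no inetd services.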


   All contents © 2004 Network Presence, LLC. All rights reserved.