From: Ishida <is...@ma...> - 2005-02-28 15:01:56
Hi,

Last week we had to check a couple of public and "semi public" ssh servers where we have accounts, and we found that TCP forwarding is enabled on every system even though it is not necessary in most cases. IMHO ssh TCP forwarding could be a big security risk because services on other machines (that are normally restricted) can be accessed via such ssh servers. Unfortunately sysadmins are generally not careful enough and do not disable this feature or do not filter this traffic correctly.

So I think you should disable ssh TCP forwarding by default on DLs.

(Sorry for my poor English :))

cheers, Peter
From: Bruce S. <bw...@ar...> - 2005-02-28 15:10:45
I'm really confused. We don't forward any ports by default, SSH or otherwise. There are _commented_out_ examples in the default firewall configs to do port forwarding, but they need to be manually edited to activate any port forwarding.

If you're talking about general, non-port-specific TCP forwarding (/proc/sys/net/ipv4/ip_forward), then it's turned on in the default firewall rules, but ALL outside access is BLOCKED unless you open up or forward ports by editing the script.

Could you be more specific?

- BS

> Last week we had to check a couple of public and "semi public" ssh
> servers where we have account and we found that the TCP forwarding
> is enabled on every systems even though it is not necessary in most
> cases. IMHO ssh TCP forwarding could be a big security risk because
> services on other machines (that normally restricted) can be accessed
> via such ssh servers. Unfortunately generally sysadmins are not careful
> enough and do not disable this feature or do not filter correctly
> these traffics.
> So i think you should disable ssh tcp forwarding by default on DLs.
>
> (Sorry for my poor english :))
>
> cheers, Peter
From: Alex P. <ap...@ap...> - 2005-02-28 18:21:21
I think he means SSH port forwarding, not general port forwarding as we know it in iptables. If I'm right it works like this: you configure your ssh client to connect to the ssh server and let it ask the ssh server to set up a connection to another host of your choice. This way your local computer can connect through your ssh client to the ssh server, which itself forwards traffic to the host of your choice (if SSH port forwarding was enabled, of course).

A practical use of this is to set up a secure tunnel for non-secure applications like telnet, with the help of openssh tools.

I think I'm correct, if not just ignore me ;)

Alex

Bruce Smith wrote:
> I'm really confused. We don't forward any ports by default, SSH or
> otherwise. There are _commented_out_ examples in the default firewall
> configs to do port forwarding, but they need to be manually edited to
> activate any port forwarding.
>
> If you're talking about general, non port specific, TCP forwarding
> (/proc/sys/net/ipv4/ip_forward) then it's turned on in the default
> firewall rules, but ALL outside access is BLOCKED unless you open up,
> or forward ports by editing the script.
>
> Could you be more specific?
>
> - BS
>
>> Last week we had to check a couple of public and "semi public" ssh
>> servers where we have account and we found that the TCP forwarding
>> is enabled on every systems even though it is not necessary in most
>> cases. IMHO ssh TCP forwarding could be a big security risk because
>> services on other machines (that normally restricted) can be accessed
>> via such ssh servers. Unfortunately generally sysadmins are not careful
>> enough and do not disable this feature or do not filter correctly
>> these traffics.
>> So i think you should disable ssh tcp forwarding by default on DLs.
>>
>> (Sorry for my poor english :))
>>
>> cheers, Peter
>
> _______________________________________________
> Devil-linux-discuss mailing list
> Dev...@li...
> https://lists.sourceforge.net/lists/listinfo/devil-linux-discuss
From: Fred F. <ffr...@lo...> - 2005-02-28 18:49:44
Alex Prinsier wrote:
> I think he means SSH port forwarding, not general port forwarding as we
> know in iptables. If I'm right it works like this: you configure your
> ssh client to connect to the ssh server and let it ask the ssh server to
> setup a connection to another host of your choice. This way your local
> computer can connect through your ssh client to the ssh server which
> itself forwards traffic the host of your choice (if SSH Port Forwarding
> was enabled of course).
>
> A practical use of this is to setup a secure tunnel for non-secure
> applications like telnet, with the help of openssh tools.
>
> I think I'm correct, if not just ignore me ;)
>
> Alex

I think you may be going down the right track. Also the X protocol is usually forwarded this way to enable secure X connections. I remember an article that explained how automatic X11 forwarding can allow for certain types of attack, but I cannot remember exactly what.
From: <is...@ma...> - 2005-02-28 19:10:58
> I think he means SSH port forwarding, not general port forwarding as we
> know in iptables. If I'm right it works like this: you configure your
> ssh client to connect to the ssh server and let it ask the ssh server to
> setup a connection to another host of your choice. This way your local
> computer can connect through your ssh client to the ssh server which
> itself forwards traffic the host of your choice (if SSH Port Forwarding
> was enabled of course).
>
> A practical use of this is to setup a secure tunnel for non-secure
> applications like telnet, with the help of openssh tools.
>
> I think I'm correct, if not just ignore me ;)
>
> Alex

Yes, you are right. If you have a firewall that has one or more non-privileged users (not general, I know) or you have a machine with an ssh server with ssh TCP forwarding enabled, then users that have an account on that server(s) can reach every machine in the private network. While you block incoming connections and do not allow (or restrict) forwarded connections, this acts as follows:

ssh (port 22) enabled
then sshd opens an outgoing connection to the given machine
and the OUTPUT chain is generally not too restricted
so an attacker can do (if he/she has an account, of course) what he wants.

So IMHO the TCP forwarding should be disabled or OUTPUT should be blocked.

So the following should be set in /etc/ssh/sshd_config:

AllowTCPForwarding no

and left to the sysadmins to enable it if it is really necessary.

Try ssh's -L option and you will see :)

Bye

> Bruce Smith wrote:
> > I'm really confused. We don't forward any ports by default, SSH or
> > otherwise. There are _commented_out_ examples in the default firewall
> > configs to do port forwarding, but they need to be manually edited to
> > activate any port forwarding.
> >
> > If you're talking about general, non port specific, TCP forwarding
> > (/proc/sys/net/ipv4/ip_forward) then it's turned on in the default
> > firewall rules, but ALL outside access is BLOCKED unless you open up,
> > or forward ports by editing the script.
> >
> > Could you be more specific?
From: Tim <t....@co...> - 2005-02-28 23:16:33
is...@ma... wrote:
>> I think he means SSH port forwarding, not general port forwarding as we
>> know in iptables. If I'm right it works like this: you configure your
>> ssh client to connect to the ssh server and let it ask the ssh server to
>> setup a connection to another host of your choice. This way your local
>> computer can connect through your ssh client to the ssh server which
>> itself forwards traffic the host of your choice (if SSH Port Forwarding
>> was enabled of course).
>>
>> A practical use of this is to setup a secure tunnel for non-secure
>> applications like telnet, with the help of openssh tools.
>>
>> I think I'm correct, if not just ignore me ;)
>>
>> Alex
>
> Yes, you are right. If you have a firewall that has one or more non
> privilegized users (not general I know) or you have a machine with
> ssh server with ssh tcp forwarding enabled, then users that have
> account on that server(s) can reach every machines in the
> private network. While you block incoming connections and do
> not allow (or restrict) forwarded connections, but this is
> acts as follows:
> ssh (port 22) enabled
> then sshd opens an outgoing connection to the given machine
> and OUTPUT chain generally not too restricted
> so an attacker can do (if he/she has an account of coz)
> what he wants.
> So IMHO the tcp forwardnig should be disabled or OUTPUT should
> be blocked.
> So the following should be set in the /etc/ssh/sshd_config
> AllowTCPForwarding no
>
> and left to the sysadmins to enable it if it is really
> necessary.
>
> Try the ssh's -L option and you will see :)
>
> Bye
>
>> Bruce Smith wrote:
>>> I'm really confused. We don't forward any ports by default, SSH or
>>> otherwise. There are _commented_out_ examples in the default firewall
>>> configs to do port forwarding, but they need to be manually edited to
>>> activate any port forwarding.
>>>
>>> If you're talking about general, non port specific, TCP forwarding
>>> (/proc/sys/net/ipv4/ip_forward) then it's turned on in the default
>>> firewall rules, but ALL outside access is BLOCKED unless you open up,
>>> or forward ports by editing the script.
>>>
>>> Could you be more specific?

But the ability to allow port forwarding can be turned off in '/etc/ssh/sshd_config', right?

Tim
From: Heiko Z. <he...@zu...> - 2005-03-01 01:34:40
Here's what the man page is saying:

-----------------------
AllowTcpForwarding
        Specifies whether TCP forwarding is permitted. The default is
        ``yes''. Note that disabling TCP forwarding does not improve
        security unless users are also denied shell access, as they can
        always install their own forwarders.
-----------------------

So what should we do? Should we just disable it for now?

--
Regards
Heiko Zuerker
http://www.devil-linux.org
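As an added example for the points raised in Peter's message (set AllowTcpForwarding no) and in the man page excerpt above (disabling it buys nothing while users keep shell access), the following Python script audits an sshd_config text for the effective AllowTcpForwarding value. It is not code from this thread, from Devil Linux or from OpenSSH. It models two OpenSSH rules: for each keyword the first value obtained is used, and a Match block that applies to the connection overrides the global section. Match criteria are not evaluated here; the caller names the criteria lines that apply to the connection being audited. The sample configuration is constructed, and Match, ForceCommand and PermitOpen are OpenSSH keywords added after this thread was written; the function names are chosen here.

```python
"""Audit the effective AllowTcpForwarding setting in an sshd_config text.

Added example; not Devil Linux or OpenSSH code. Simplified model of sshd's
config handling: first obtained value wins, and a matching Match block
overrides the global section. Match criteria are not evaluated.
"""
import re

# Constructed sample configuration (not taken from any real host).
SAMPLE_SSHD_CONFIG = """\
# global section: AllowTcpForwarding is never set, so the default (yes) applies
Port 22
PermitRootLogin no

Match Group tunnelusers
    AllowTcpForwarding yes
    PermitOpen 10.0.0.5:5432
    ForceCommand /bin/false

Match User peter
    AllowTcpForwarding no
"""

# sshd_config(5) documents 'yes' as the default for AllowTcpForwarding.
DEFAULT_ALLOW_TCP_FORWARDING = "yes"

# Keyword and value are separated by whitespace or by optional whitespace and '='.
_SPLIT = re.compile(r"\s*=\s*|\s+")


def parse_sshd_config(text):
    """Return (global_opts, match_blocks).

    global_opts maps lowercased keyword -> first value seen in the global
    section. match_blocks is a list of (criteria_text, opts) in file order;
    criteria_text is the rest of the 'Match' line, and opts follows the same
    first-value-wins rule inside that block.
    """
    global_opts = {}
    match_blocks = []
    current = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
            continue
        target = global_opts if current is None else current
        target.setdefault(keyword, value)  # first obtained value wins
    return global_opts, match_blocks


def effective_option(keyword, global_opts, match_blocks, matched_criteria, default=None):
    """Value of keyword for a connection that satisfies the given Match criteria.

    The first applicable Match block that sets the keyword wins; otherwise the
    global value; otherwise the supplied default.
    """
    key = keyword.lower()
    for criteria, opts in match_blocks:
        if criteria in matched_criteria and key in opts:
            return opts[key]
    return global_opts.get(key, default)


def audit_tcp_forwarding(text, matched_criteria=()):
    """Return a list of findings for a connection matching the given criteria."""
    global_opts, match_blocks = parse_sshd_config(text)
    matched = set(matched_criteria)
    findings = []

    if "allowtcpforwarding" not in global_opts:
        findings.append("global AllowTcpForwarding not set; OpenSSH default 'yes' applies")

    allow = effective_option("AllowTcpForwarding", global_opts, match_blocks,
                             matched, DEFAULT_ALLOW_TCP_FORWARDING).lower()
    force_cmd = effective_option("ForceCommand", global_opts, match_blocks, matched)
    permit_open = effective_option("PermitOpen", global_opts, match_blocks, matched)

    findings.append(f"effective AllowTcpForwarding {allow}")
    if allow == "no":
        if force_cmd is None:
            # The sshd_config(5) caveat: without denying shell access the
            # setting is cosmetic, because a user can run any forwarder.
            findings.append("no ForceCommand in effect; shell access remains, "
                            "so users can run their own forwarders")
    elif permit_open is None:
        findings.append("no PermitOpen restriction; any reachable host:port can be forwarded")
    return findings


if __name__ == "__main__":
    for criteria in ((), ("Group tunnelusers",), ("User peter",)):
        print(criteria or "(no Match block applies)")
        for finding in audit_tcp_forwarding(SAMPLE_SSHD_CONFIG, criteria):
            print("  -", finding)
```

Run against a real file with `audit_tcp_forwarding(open("/etc/ssh/sshd_config").read(), [...])`, passing the Match criteria that describe the account being reviewed. For the sample above, a plain connection inherits the OpenSSH default and is flagged; the tunnelusers block allows forwarding but pins it to one destination and denies a shell, so only the default-not-set note remains; the peter block turns forwarding off but leaves a shell, which is exactly the case the man page warns about.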
From: Bruce S. <bw...@ar...> - 2005-03-01 02:31:32
> Here's what the man page is saying:
> -----------------------
> AllowTcpForwarding
>         Specifies whether TCP forwarding is permitted. The default is
>         ``yes''. Note that disabling TCP forwarding does not improve
>         security unless users are also denied shell access, as they can
>         always install their own forwarders.
> -----------------------
>
> So what should we do ? Should we just disable it for now?

I don't see it as much of a security risk.
I vote we leave the SSH settings as the defaults.

- BS
From: Dan S. <str...@dc...> - 2005-03-01 03:16:45
On Mon, 2005-02-28 at 21:31 -0500, Bruce Smith wrote:
> > Here's what the man page is saying:
> > -----------------------
> > AllowTcpForwarding
> >         Specifies whether TCP forwarding is permitted. The default is
> >         ``yes''. Note that disabling TCP forwarding does not improve
> >         security unless users are also denied shell access, as they can
> >         always install their own forwarders.
> > -----------------------
> >
> > So what should we do ? Should we just disable it for now?
>
> I don't see it as much of a security risk.
> I vote we leave the SSH settings as the defaults.
>
> - BS

I concur.
From: Heiko Z. <he...@zu...> - 2005-03-01 14:17:52
> On Mon, 2005-02-28 at 21:31 -0500, Bruce Smith wrote:
>
>>> Here's what the man page is saying:
>>> -----------------------
>>> AllowTcpForwarding
>>>         Specifies whether TCP forwarding is permitted. The default is
>>>         ``yes''. Note that disabling TCP forwarding does not improve
>>>         security unless users are also denied shell access, as they can
>>>         always install their own forwarders.
>>> -----------------------
>>>
>>> So what should we do ? Should we just disable it for now?
>>
>> I don't see it as much of a security risk.
>> I vote we leave the SSH settings as the defaults.
>>
>> - BS
>
> I concur.

Agreed, so let's leave the default setting.

--
Regards
Heiko Zuerker
http://www.devil-linux.org
From: Doczy P. <pet...@ma...> - 2005-03-01 17:01:28
>> So what should we do ? Should we just disable it for now?
>
> I don't see it as much of a security risk.
> I vote we leave the SSH settings as the defaults.

Ok, I give up and I must say you might be right. To change the default behaviour is not a very good thing, but as I mentioned IMHO it is a bit insecure and I can show you easily if you'd like.

cheers, Peter
From: Bruce S. <bw...@ar...> - 2005-03-01 19:34:07
> >> So what should we do ? Should we just disable it for now?
> >
> > I don't see it as much of a security risk.
> > I vote we leave the SSH settings as the defaults.
>
> Ok, I give up and I must say you might be right.
> To change the default behaviour is not a very good thing,
> but as I mentioned IMHO it is a bit insecure and I can
> show you easily if you'd like.

The way I see it, if people have SSH/shell access to the DL box, then they have access to the ports on the inside of the firewall that they are forwarding anyway. And when they SSH-forward a port, it's only for their account; it doesn't open the forwarded port up to the world.

But I may be missing something, so please explain.

- BS