LinHES Forums http://forum.linhes.org/
using ssh to secure tunnel - permissions error http://forum.linhes.org/viewtopic.php?f=6&t=19384
Author: graysky [ Thu Jan 01, 2009 6:32 am ]
Post subject: using ssh to secure tunnel - permissions error

Ever since posting this guide showing how and why to use ssh to tunnel stuff like vnc, http, etc. I have been doing it to secure my mythweb. I have some Debian/Lenny boxes set up with vnc and I'd like to secure it as well with ssh tunnels on them. My question: when I attempt to set up a tunnel ON MY DEBIAN BOX to another debian box, I get this error:

Code:
$ ssh 192.168.1.3 -L 222/localhost/5900
Privileged ports can only be forwarded by root.

What's odd is that I do NOT get this error when I try the exact same thing from my KM R5.5 box. What is the difference? I know I can run the command as root or add an entry to /etc/sudoers, but again, it works without the need to do either on R5.5 and I'd like to know what setting I need to change on my Debian boxes to make it work as well. Thanks!
Author: tjc [ Thu Jan 01, 2009 11:19 am ]

Compare the ssh and sshd config in /etc/ssh/ for the two machines. IMO the policy that the non-KM debian box is using is probably the wiser. Using unprivileged ports isn't really a burden and can also reduce your script kiddy exposure(*).

(*) A friend in IT recently told me that moving their incoming SSH from the standard port 22 to something else made the difference between the log files filling up with cracking attempts and nearly zero. This is less a matter of security through obscurity than not leaving unattended valuables "in plain sight".
Author: graysky [ Thu Jan 01, 2009 11:23 am ]

tjc wrote:
> Compare the ssh and sshd config in /etc/ssh/ for the two machines. IMO the policy that the non-KM debian box is using is probably the wiser. Using unprivileged ports isn't really a burden and can also reduce your script kiddy exposure(*).
> (*) A friend in IT recently told me that moving their incoming SSH from the standard port 22 to something else made the difference between the log files filling up with cracking attempts and nearly zero. This is less a matter of security through obscurity than not leaving unattended valuables "in plain sight".

Thanks for the suggestion, tjc. I literally went line-by-line through both the files and found zero differences (with the exception of DenyUser root and mythtv). There has to be a setting somewhere I missed.
Author: tjc [ Thu Jan 01, 2009 11:25 am ]

Try the ssl ones... Hmmm... The ssh man page says "Only the superuser can forward privileged ports." KM must be running it as root somehow...
Author: khrusher [ Thu Jan 01, 2009 6:56 pm ]

Is the 'privilege' due to ssh or port < 1024? Try a higher port.
Author: tjc [ Thu Jan 01, 2009 8:19 pm ]

In general the ports below 1024 are privileged and can only be listened to by root. This is to prevent Joe Malicious User from setting up bogus "standard" services on a reserved port.
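The rule tjc describes, and khrusher's suggestion of simply using a higher port, can be checked before ssh is even invoked. The following POSIX sh helper is an added example, not something posted in this thread or shipped with LinHES or OpenSSH. It takes the host 192.168.1.3 and the ports 222 and 5900 from graysky's command; the choice to offer "requested port + 10000" as the unprivileged fallback is an assumption of this example, not an ssh convention.

```shell
#!/bin/sh
# Added example (not from the thread): apply the "ports below 1024 need root"
# rule to a planned ssh -L local forward before running it.
# Host 192.168.1.3 and ports 222/5900 come from graysky's post; the +10000
# fallback offset is this example's own assumption.

# is_privileged_port PORT
#   exit 0 if PORT is numeric and below 1024 (root needed to bind it),
#   1 if it is an unprivileged port, 2 if it is not a valid port number.
is_privileged_port() {
    case "$1" in
        ''|*[!0-9]*) return 2 ;;
    esac
    [ "$1" -gt 65535 ] && return 2
    [ "$1" -lt 1024 ]
}

# suggest_port PORT
#   print an unprivileged alternative for a privileged PORT
#   (assumed convention: add 10000, so 222 becomes 10222).
suggest_port() {
    echo $(( $1 + 10000 ))
}

# build_forward LOCAL_PORT REMOTE_HOST REMOTE_PORT UID
#   print the ssh command for the local forward LOCAL_PORT -> REMOTE_HOST:REMOTE_PORT,
#   or report (on stderr, exit 1) that it would fail because LOCAL_PORT is
#   privileged and UID is not root. -N makes ssh open only the tunnel, no shell.
build_forward() {
    lport="$1"; rhost="$2"; rport="$3"; uid="$4"
    if is_privileged_port "$lport" && [ "$uid" -ne 0 ]; then
        echo "local port $lport is privileged; run as root or use $(suggest_port "$lport") instead" >&2
        return 1
    fi
    printf 'ssh -N -L %s:localhost:%s %s\n' "$lport" "$rport" "$rhost"
}

# Demo: try the thread's privileged local port first; as a normal user that is
# refused, so fall back to the suggested unprivileged port.
build_forward 222 192.168.1.3 5900 "$(id -u)" \
    || build_forward "$(suggest_port 222)" 192.168.1.3 5900 "$(id -u)"
```

Run as an ordinary user it prints the refusal for port 222 and then the usable command, `ssh -N -L 10222:localhost:5900 192.168.1.3`; run as root the first attempt succeeds. The VNC client is then pointed at localhost:10222 instead of localhost:222, which is all that changes on the client side.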