[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-security] It's nice
- Subject: Re: [cobalt-security] It's nice
- From: "Zeffie" <cobalt-secur@xxxxxxxx>
- Date: Fri, 29 Jun 2001 03:58:50 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> Here's something that I posted a while back on the user's list.
> Zeffie had a number of problems with it, but when I asked him for more
> specifics he didn't respond (he gets swamped with emails).
Actually I did.... I wrote this big long "carrie style" response in outlook
and at the bottom when I was finishing.... it crashed and I lost
everything... so I satarted again... this time it was shorter... and that
one did make it to the list... well so a couple "customers" reported...
anyway this stuff is always changing so here is an update with more
explanations
> Get SSH2:
> #wget
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/rpm/RH62/
lot's of good files yes... however the package on http://pkg.nl.cobalt.com
is the best way I feel to get the "general" security level higher... and
it's a package... so it's easy
> Locate the config file sshd_config which usually resides in /etc/ssh
> you will see in the
> first few lines something like :
>
> Port 22
> Protocol 1,2
>
> change it to something like :
>
> Port 52
it's important to point out that this is picking the port number it will run
on and that they will need to adjust their "local computer software
settings" to go to port 52 in this example.... I would also reccomend they
use a port below 1024 and look at /etc/services and pick a number that is
not currently in use (either no service is assigned or the assigned one is
not running)
> Protocol 2
yep I like it....
> Locate the start script in /etc/rc.d/rc3.d
> and type something like ./S55sshd restart
yuck.... /etc/rc.d/init.d/sshd2 restart
This can suck when your logged in via ssh so have fun... I like to start a
second instance and kill the old one after I have "re-logged in" using the
new port... then I useally "kill" the original process...
> Make sure you can login using the new port and protocol (don't forget
> configure client) and
> assuming everything is fine logout of your old session, that's it. If
> in
> doubt leave it alone.
>
> ----------------------------
> Change MySQL default cobalt-mysql password:
> # mysqladmin -uroot -pcobalt-mysql password newpassword
this is so bad..... ok this is the way it works.... you go and run this
from the command line and all is well so you think... but wait... guess
what... depending on the length of your bash_history you just recored the
password there... and depending on bash history sizes (varies between
cobalts) your password is right there for the hac*er to get right in without
a problem.....
I reccomend you set the password using the "SET PASSWORD root newpasswd" (I
think off the top of my head.... ohhh.....) anyway it works out to
something like.....