Very Computer

Is there any easy way to setup SSH (and eliminate unencrypted telnet logins
completely) in Red Hat 6.2?  I was hoping for a "point and click" (so to
speak) solution...

My server is going to be for mild usage (5-10 users max, probably no more
then 1 or 2 at any given time), but I want to make sure that it's as secure
as possible and rock solid...

Was RH 6.2 a bad choice?  If it is, I'd like to know now, rather then 6
months down the line when everyone is setup and configured... I know alot of
people have balked when I say that I'm using Red Hat and toss out
suggestions like FreeBSD and other distros of linux like Mandrake, Caldera,
Suse, etc...

 >Is there any easy way to setup SSH (and eliminate unencrypted telnet logins
 >completely) in Red Hat 6.2?  I was hoping for a "point and click" (so to
 >speak) solution...
 >
 >My server is going to be for mild usage (5-10 users max, probably no more
 >then 1 or 2 at any given time), but I want to make sure that it's as secure
 >as possible and rock solid...
 >
 >Was RH 6.2 a bad choice?  If it is, I'd like to know now, rather then 6
 >months down the line when everyone is setup and configured... I know alot of
 >people have balked when I say that I'm using Red Hat and toss out
 >suggestions like FreeBSD and other distros of linux like Mandrake, Caldera,
 >Suse, etc...

OpenBSD is usually most highly regarded as far as security is concerned,
but any of the Linux distributions can be set up fairly securely as long as
you apply all of the relevant updates and don't install services you
don't need.  RedHat 7 (due imminently) is supposed to be more secure
"out of the box" than the default installs of earlier versions and
there are derived distributions (Bastille Linux IIRC) that would do
most of the security configuration for you.  Definitely install
portsentry and openssh, and read some of the readily available howtos
on security. As far as stability is concerned, you need have no fear.

Bob T.

I'm using ssh with all the patches using RPMs. Works great, lasts a long time.

--
          http://www.pricegrabber.com | Dog is my co-pilot.

]Is there any easy way to setup SSH (and eliminate unencrypted telnet logins
]completely) in Red Hat 6.2?  I was hoping for a "point and click" (so to
]speak) solution...

Yes.
get the openssh and openssl rpms from Mandrake (eg
ftp.sunet.se/pub/Linux/distributions/mandrake-crypto/RPMS
install them . Go into /etc/inetd.conf and comment out the lines with
ftp and telnet and rologin and rsh.. in them. And there you are.

]My server is going to be for mild usage (5-10 users max, probably no more
]then 1 or 2 at any given time), but I want to make sure that it's as secure
]as possible and rock solid...

Make sure you keep up with all the security updates which have and will
come out for your system.

]Was RH 6.2 a bad choice?  If it is, I'd like to know now, rather then 6
]months down the line when everyone is setup and configured... I know alot of
]people have balked when I say that I'm using Red Hat and toss out
]suggestions like FreeBSD and other distros of linux like Mandrake, Caldera,
]Suse, etc...

I have not used it but suspect it is as fine as any other. Youwill with
all of them have to put in work to keep them up to date  and secure.

Hi Ethan:

Installing/configuring ssh on a vanilla RH 6.2 distro:

1/ get from rpm.find.net the following packages:
openssl-0.9.5a-3.i386.rpm
openssh-2.2.0p1-2.i386.rpm
openssh-server-2.2.0p1-2.i386.rpm
openssh-clients-2.2.0p1-2.i386.rpm

2/ run the following command as root:
rpm -Uhvv openssl-0.9.5a-3.i386.rpm openssh-2.2.0p1-2.i386.rpm
openssh-server-2.2.0p1-2.i386.rpm openssh-clients-2.2.0p1-2.i386.rpm

3/ Start the SSH daemon (as root):
/etc/rc.d/init.d/sshd

4/ Test if (from your user account):
ssh -l root localhost

That's all (hope you don't find this too complex instructions ;^)

Quote:> My server is going to be for mild usage (5-10 users max, probably no more
> then 1 or 2 at any given time), but I want to make sure that it's as secure
> as possible and rock solid...

Then, try the Excalibur trick: turn it off and cover it with fresh
cement.  Wait for it to dry, and that's it.

Quote:> Was RH 6.2 a bad choice?  If it is, I'd like to know now, rather then 6
> months down the line when everyone is setup and configured... I know alot of
> people have balked when I say that I'm using Red Hat and toss out
> suggestions like FreeBSD and other distros of linux like Mandrake, Caldera,
> Suse, etc...

Probably FreeBSD is the most secure non-specialized Un*x out-of-the-box
over there.  On the long run there's not too many differences among
distros, anyway, since it all deppends on the abilies of the sysadmin.
Anyway, if you find comfortable on RH I would suggest having a look at
trustix (www.trustix.com).  Their aim is to build a "strongified"
RH-based distro.
--
SALUD,
Jess
***

***

Oh! by the way, I don't really think you really want an "as secure as
possible and rock solid" system but due to your ignorance:  You can't
get it on a point-and-click way (are you *rrrrrreally* ready to confy
your system to a program compiled by you-don't-know-who?)  The only rock
solid, as secure as possible way to build a system is building yourself,
controlling both software and hardware, having a policy in place on how
the system is going to be used, and enforcing it, obviously having all
the needed knowlegde on how to achieve this, and time and resources to
maintain that stuff running on.  Even then you will find your system is
pretty unusable due to any commodities being ripped off from it, and
finding that even the most simple tasks need an awfull amount of work to
get them done: let's take for instance what my three steps guide for
installing ssl/ssh becomes:

*Get the command from the SCM department to get this service in place
(you are the SCM department, but even then you will have to consider why
you need ssh, what the alternatives are, what the objectives are to be
reached when this new service is in place, and how are you going to
measure that those goals are indeed flawlessly acomplished, etc.)
*Review how this new service will interact with all the other services
in place.
*Get the source code.
*Review the source code.
*Get the RPM source code. (it includes pre and post install scripts that
must be reviewed).
*Compile the source RPM (not to mention how are you going to be
confident on gcc and other tools you need just to compile the SRPM)
*distribute it on a secure way (you don't have compiling/configuring
tools on a rock-solid box, do you?)
*Install it
*Test-case it
*Teach your users the proper way to use the new tool.  Look for the way
to enforce that proper way (probably you will need further tools that
will go through this whole process too)
*Roll out the new service
*Track and monitorize how the system is running once it's on the
production environment
...

Now you know why so many systems (even sensible systems) become cracked.
--
SALUD,
Jess
***

***