SSH and msec level 4

gabedude · 09-21-2004, 11:27 AM

man mseclib

authorize_services(arg)
Authorize all services controlled by tcp_wrappers (see
hosts.deny(5)) if arg = ALL. Only local ones if arg = LOCAL and
none if arg = NONE. To authorize the services you need, use
/etc/hosts.allow (see hosts.allow(5)).

hehe finally found it... took forever. was mad cause msec kept killing my hosts.allow. sshd needs to be a listsed service in hosts.allow

root@widmer msec]# cat /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
sshd:ALL

[root@widmer msec]# cat /etc/security/msec/level.local
allow_root_login (no)
authorize_services (ALL)

Now msec will not overwrite /etc/hosts.allow

-gabe w
screw the caps!

joshtt · 09-13-2005, 08:18 AM

Hi there!

Thank you so much for this info. At last I was able to ssh again to my machine with msec at 4.

I'm using Mdk 10.0 and I still have another issue I like to see resolved.
I want to stay at level 4 (server), but also want to be able to su to root from any user.
Right now I get the message: Incorrect password. And I'm sure the pass is correct, since I can login as root from the login menu.

This is my level.4 file:

accept_bogus_error_responses no
accept_broadcasted_icmp_echo no
accept_icmp_echo no
allow_autologin no
allow_issues LOCAL
allow_reboot no
allow_remote_root_login without_password
allow_root_login yes
allow_user_list no
allow_x_connections NONE
allow_xserver_to_listen no
authorize_services LOCAL
enable_at_crontab no
enable_console_log yes
enable_dns_spoofing_protection yes
enable_ip_spoofing_protection yes
enable_log_strange_packets yes
enable_msec_cron yes
enable_pam_wheel_for_su yes
enable_password yes
enable_promisc_check yes
enable_security_check yes
enable_sulogin yes
password_aging 60 30
password_history 0
password_length 6 1 1
set_root_umask 022
set_secure_level 4
set_security_conf CHECK_OPEN_PORT yes
set_security_conf CHECK_PASSWD yes
set_security_conf CHECK_PERMS yes
set_security_conf CHECK_PROMISC yes
set_security_conf CHECK_SECURITY yes
set_security_conf CHECK_SGID yes
set_security_conf CHECK_SHADOW yes
set_security_conf CHECK_SUID_MD5 yes
set_security_conf CHECK_SUID_ROOT yes
set_security_conf CHECK_UNOWNED yes
set_security_conf CHECK_WRITABLE yes
set_security_conf CHKROOTKIT_CHECK yes
set_security_conf MAIL_EMPTY_CONTENT yes
set_security_conf MAIL_WARN yes
set_security_conf RPM_CHECK yes
set_security_conf SYSLOG_WARN yes
set_security_conf TTY_WARN yes
set_shell_history_size 10
set_shell_timeout 3600
set_user_umask 077

And this is my level.local file:

enable_pam_wheel_for_su (yes)
allow_root_login (yes)
enable_at_crontab (yes)

Oh yeah, when I use tcsh, no command is recognized anymore. Using bash, everything works ....

Any help to get su working agin is very much appreciated!!!

Josh (noob)