Close Window
 

NEWS YOU CAN USE FROM VANDYKE SOFTWARE®

A Monthly Newsletter – September 2005

We have plenty of good information this month for system and network administrators. Everyone will be interested in recent maintenance releases of the SecureCRT®, SecureFX®, and CRT™
clients, as well as the VShell® server. This month's tip shows you how to increase tracking of failed authentication attempts to the VShell server. This is one way to head off the kind of threats illustrated in the Whitedust.net piece on recent attacks on Secure Shell servers reviewed in this issue. If you haven't already heard, you'll want to review the recent security advisory for VShell for Windows—for which a fix is provided in version 2.3.6. Finally, for anyone whose security strategies or documentation need updating, we point to a SANS web resource for developing security policy.

-------------
Contents
-------------

1. Tip: Using VShell Triggers To Report Failed Authentication Attempts
2. VanDyke Software 10th Anniversary Drawing Winners
3. Web Resource: SANS Security Policy Project
4. Security Advisory: VShell 2.x Host Key File Permissions Error
5. News: Whitedust.net Article On Secure Shell Attacks
6. Heard on the Forum: Public-Key Authentication To OpenSSH Servers
7. Web Site: New - Searchable Tips And Customer Stories
8. New and Current Releases

-------------------------
Online Resources
-------------------------

------------------------------------------------------------------------------------------------
1. Tip: Using VShell Triggers To Report Failed Authentication Attempts
------------------------------------------------------------------------------------------------

As shown below in the Whitedust article on recent dictionary attacks on Secure Shell servers, ensuring network security is a constant battle. Admins need all the help they can get from their software, and VShell provides ways to monitor connection activity that may identify attacks in time to head them off. In particular, the failed authentication trigger can notify sys admins if authentication attempts exceed a determined threshold.

This tip outlines several steps in using the trigger, from enabling the trigger on the VShell Control Panel to setting the failed attempt limit, handling log file information, and sending e-mail when the trigger fires by using its ability to issue a command. Code samples are included.

To read the entire tip on the failed authentication trigger, visit the VanDyke Software Support section.


Alpha Testers Wanted for VShell 2.5

VShell 2.5 is on the way! If you'd like to be an alpha tester for this new release, we want to hear from you. Testing VShell 2.5 you'll get a first look at new features providing stronger authentication and more choices for the enterprise. New in 2.5 are X.509 support for UNIX and IPV6 support.

To sign-up to be an alpha tester for VShell 2.5, send an e-mail to

 

----------------------------------------------------------------------------
2. VanDyke Software 10th Anniversary Drawing Winners
----------------------------------------------------------------------------

As you may have read in our last issue, August marked VanDyke Software's 10th anniversary. To celebrate, we ran a month-long drawing for VanDyke T-shirts and client application licenses. The free licenses went to a diverse group of people. "David", who works for a defense contractor, selected SecureFX for secure file transfers from his Windows desktop to UNIX servers. His group secured their UNIX servers by shutting down most services and using component level firewalls to block everything but one or two ports from defined servers and workstations. They currently use SecureCRT to access their UNIX servers running OpenSSH/OpenSSL.

"Mike" picked SecureCRT saying, "I'd have to go with SecureCRT, given that it is my most commonly used application and I've been putting off buying my v5 license... I use [SecureCRT] on my last remaining Windows installation for remote administration of BSD server farms. SecureCRT gives me everything I need for remote console support and the addition of tabbed windows in v5 makes it even better!"

"Michael", a SecureCRT user who works for a transportation firm in NYC, picked AbsoluteFTP® since he needed a simple, easy-to-use FTP client.

"Roger", a programmer at a community college, won the grand prize of a lifetime license for SecureFX.

Thank you to everyone who made the anniversary drawing a success.

---------------------------------------------------------------
3. Web Resource: SANS Security Policy Project
---------------------------------------------------------------

For the CIOs, network managers and administrators in the audience, the ever active SANS (SysAdmin, Audit, Network, Security) Institute offers an online resource for creating security policy and strategy. Along with a primer on policy development and specific guidance on policies related to legal requirements such as HIPAA, the Security Policy Project provides template documents that can be used in critical areas such as remote access, encryption, acceptable use, and password protection.

Read more about the SANS Security Policy Project.

--------------------------------------------------------------------------------------
4. Security Advisory: VShell 2.x Host Key File Permissions Error
--------------------------------------------------------------------------------------

VanDyke Software issued a security advisory August 16, 2005 in response to CERT advisory VU#973635 on vulnerabilities in several Secure Shell servers for Windows. Users of VShell 2.3 for Windows and earlier releases should read the advisory postings and upgrade their server software to version 2.3.6. In addition, administrators should check the permissions of any existing host keys.

In versions 2.3.5 and earlier of the VShell for Windows server, when a host key is automatically created by VShell, the host key file inherits the permissions of its parent directory, potentially allowing access to authenticated users. The VShell server release 2.3.6 now only grants privileges to the host key for the System and Administrator groups and does not use the inherited rights of the user installing VShell.

Read our advisory on the vulnerability.

Download the fix for the vulnerability in VShell 2.3.6 for Windows, please visit the following page:

For further information on the security advisory, please contact VanDyke Software Support.

---------------------------------------------------------------------------
5. News: Whitedust.net Article On Secure Shell Attacks
---------------------------------------------------------------------------

An article by Adrian St. Onge published July 16 and updated August 3 on the Whitedust Security web site summarizes attacks on Secure Shell servers beginning in May 2005. These attacks, reported to the SANS intrusions mailing list, consisted of scripted login attempts using common user account names and passwords. The piece includes suggestions on how to recognize and prevent such attacks, starting with identifying patterns in the authentication log and proceeding to disabling root logins. St. Onge also discusses several administrator tools useful in combating dictionary attacks.

To read the complete article, visit the Whitedust Security Portal site.

-------------------------------------------------------------------------------------------------
6. Heard On The Forum: Public-Key Authentication To OpenSSH Servers
-------------------------------------------------------------------------------------------------

Recently forum user Africa asked for step-by-step instructions on how to use public-key authentication to connect to a FreeBSD machine running OpenSSH.

To view this thread and instructions, please follow this link.

User Matt asked a similar question on how to configure VShell to accept keys from users who want to do SFTP transfers using an OpenSSH client application.

---------------------------------------------------------------------------
7. Web Site: New - Sortable Tips And Customer Stories
---------------------------------------------------------------------------

Have you ever read a useful tip and wanted to look at similar tips? Are you curious whether any companies use VanDyke Software products in ways you might want to try? Combo boxes to the rescue!

The tips and customer stories web sections of the VanDyke Software web site can now be sorted by product and type of solution, such as remote access or file transfer. Make your selection on the pages below and see what pops up.

----------------------------------------
8. New and Current Releases
----------------------------------------

A release of VShell 2.3.6 was made August 12, 2005 to address problems including the CERT security advisory VU#973635 on a vulnerability involving host key file permissions. Please see section 3 of this month's newsletter for more information. VShell 2.3.6 now supports FreeBSD 5.3 and 5.4 and AIX 5.3. Maintenance releases of SecureCRT 5.0.3, SecureFX 3.0.3, and CRT 5.0.3 were made available in September 2005. New features for the major upgrades of SecureCRT, SecureFX, and CRT include tabbed windows in SecureCRT, multiple instances for SecureFX, and better integration of shell and file transfer applications.

Here is a list of the latest official product releases:

  SecureCRT 5.0.3
  SecureFX 3.0.3
  Entunnel™ 1.1.2
  CRT 5.0.3
  AbsoluteFTP® 2.2.10
  VShell 2.3.6 Server for Windows
  VShell 2.3.6 Server for UNIX
    Red Hat Linux 7.x
    Red Hat Linux 8.x
    Red Hat Linux 9.x
    Red Hat Enterprise v2.1/v3
    Solaris 8
    FreeBSD 4.8/5.3/5.4
    HP-UX 11
    Mac OS X 10.2
    AIX 4.3/5.2/5.3

All VanDyke Software products may be downloaded and evaluated free for 30 days. Licenses include one year of free upgrades and technical support.


Pass it along! If you find this monthly newsletter helpful and informative, forward it to co-workers or friends, or tell them where to sign up.

     http://www.vandyke.com/support/newsletter.html

RSS Feeds Now Available
-----------------------------------

Links to VanDyke Software pages with RSS feeds:

Subscription Information
----------------------------------

You received this e-mail because you subscribed to VanDyke Software News when you visited our web site or downloaded a VanDyke Software product. Click here to unsubscribe or change your e-mail address.

Don't miss out on important product news. If your ISP or e-mail client filters incoming e-mail, please add the domain @vandyke.com to your list of approved senders to make sure you receive the newsletters and product announcements to which you've subscribed.


Mailing Address
----------------------

  VanDyke Software, Inc.
  4848 Tramway Ridge Drive, NE
  Suite 101
  Albuquerque, NM 87111 USA

Got questions, comments, or ideas? E-mail or use one of the web forms at:
http://www.vandyke.com/feedback.php

VanDyke Software, AbsoluteFTP, CRT, Entunnel, SecureCRT, SecureFX, and VShell are trademarks or registered trademarks of VanDyke Software, Inc.

All other products and services mentioned are trademarks or registered trademarks of their respective companies.

Close Window