VanDyke Software Forums

Go Back   VanDyke Software Forums > SecureCRT 5.1/SecureFX 3.1/VShell 2.6 Beta
User Name
Password
Register FAQ Members List Calendar Search Today's Posts Mark Forums Read

 
 
Thread Tools Display Modes
  #1  
Old 02-07-2006, 11:54 AM
res's Avatar
res res is offline
VanDyke Project Manager
 
Join Date: Feb 2004
Location: VanDyke Software
Posts: 12
VShell 2.6 Beta

Welcome to the VShell 2.6 Beta test. The major new features for 2.6 are:
  • FIPS -- VShell for Windows can now be installed in "FIPS Mode", which uses a FIPS 140-2 validated cryptographic library and only allow FIPS-approved algorithms.
  • RADIUS -- VShell for Windows allows authentication to RADIUS servers using SecurID or other methods. RADIUS support is implemented through keyboard-interactive authentication.
  • VShellConfig -- A Windows command-line utility that allows editing of SFTP roots and access control lists (ACLs).
  • Deny Host File -- This feature has been added to reduce the impact of a dictionary attack. VShell for Windows now tracks failed authentications by IP address and can add these addresses to the Deny Host file after the specified threshold has been reached. Once an IP address has been added to the Deny Host file, VShell will not allow future connections from that address.
Although the new features have been decided for 2.6, you can still post feature requests and they will be considered for future versions of VShell

Please feel free to start new threads and to post polls. I'm looking forward to some good discussion about the betas. Thanks for joining us!
__________________
Robert Stehwien
VanDyke Software
Software Developer
  #2  
Old 02-07-2006, 01:35 PM
toloughlin's Avatar
toloughlin toloughlin is offline
Senior Member
 
Join Date: Feb 2004
Location: Nashua, NH
Posts: 377
Quote:
Deny Host File -- This feature has been added to reduce the impact of a dictionary attack. VShell for Windows now tracks failed authentications by IP address and can add these addresses to the Deny Host file after the specified threshold has been reached. Once an IP address has been added to the Deny Host file, VShell will not allow future connections from that address.
Is this planned for Linux?
__________________
----------------------------------------------
Tom O'Loughlin
  #3  
Old 02-07-2006, 05:08 PM
jpv jpv is offline
Weekend Programmer and CEO
 
Join Date: Nov 2003
Location: VanDyke Software
Posts: 54
Quote:
Originally Posted by toloughlin
Is this planned for Linux?
Not currently. If there is sufficient interest in this feature under Linux, Solaris, etc., it could be added.

--Jeff
  #4  
Old 02-08-2006, 07:41 AM
Ken Ken is offline
Registered User
 
Join Date: Mar 2004
Posts: 8
AllowHosts file too??

DenyHosts file is great. But how about adding an AllowHosts file or specify entries in the AllowHosts file that do NOT get denied.
I'd be hesitant to turn this function on as it could deny connections from a VALID ip. Especially if port forwarding from another machine.
  #5  
Old 02-08-2006, 10:13 PM
jpv jpv is offline
Weekend Programmer and CEO
 
Join Date: Nov 2003
Location: VanDyke Software
Posts: 54
Quote:
Originally Posted by Ken
DenyHosts file is great. But how about adding an AllowHosts file or specify entries in the AllowHosts file that do NOT get denied.
I'd be hesitant to turn this function on as it could deny connections from a VALID ip. Especially if port forwarding from another machine.
This is something we had considered.

If we added this functionality, would you prefer to see this in the same file, a separate file, or configurable through the control panel?

--Jeff
  #6  
Old 02-09-2006, 04:22 AM
kelli.burki's Avatar
kelli.burki kelli.burki is offline
Registered User
 
Join Date: Jan 2004
Location: VanDyke Software
Posts: 33
i'll put one vote in for the Mac ;-)

Quote:
Originally Posted by jpv
Not currently. If there is sufficient interest in this feature under Linux, Solaris, etc., it could be added.

--Jeff
I'll put a vote in for supporting on *nix -- mac specifically. I also like Ken's suggestion for the allow host config option. You might at least consider revising the announcement from:

Deny Host File -- This feature has been added to reduce...

to

...has been added to VShell for Windows...

In my haste (and excitement) i read the announce and quickly downloaded 2.6 for the Mac expecting it to be in *nix without reading the next sentance.

--kelli
  #7  
Old 02-09-2006, 06:17 AM
Ken Ken is offline
Registered User
 
Join Date: Mar 2004
Posts: 8
One way of doing it would be to allow Any Connection Filter of type IP Address would never be entered into the Deny Host file.

If your Connection Filter was Allow/0.0.0.0 then everything would be suspect to the Deny Host if enabled.

If your Connection Filter was Allow/1.2.3.4, Allow/0.0.0.0 then everything other than IP 1.2.3.4 would be suspect to the Deny Host if enabled.

And of course..If your Connection Filter was Allow/1.2.3.4, Deny/0.0.0.0 then there is no reason to even use the "Deny Host" function since ony that 1.2.3.4 will be allowed.

Ken
  #8  
Old 02-09-2006, 01:41 PM
toloughlin's Avatar
toloughlin toloughlin is offline
Senior Member
 
Join Date: Feb 2004
Location: Nashua, NH
Posts: 377
Quote:
Originally Posted by kelli.burki
I'll put a vote in for supporting on *nix
I'm all for a Linux version.
I had to change my ssh port to over 24000 to stop the brute dictionary attacks.
__________________
----------------------------------------------
Tom O'Loughlin
  #9  
Old 02-14-2006, 03:10 PM
Chris Chris is offline
VanDyke Developer
 
Join Date: May 2004
Location: Albuquerque, NM
Posts: 13
Quote:
Originally Posted by Ken
One way of doing it would be to allow Any Connection Filter of type IP Address would never be entered into the Deny Host file.
Ken,

This functionality has been added to VShell. If you would like to try a pre-release version, please send a request via e-mail to support@vandyke.com with a subject of "Vandyke Forum thread 1262"

Thanks,
Chris
  #10  
Old 02-14-2006, 03:57 PM
toloughlin's Avatar
toloughlin toloughlin is offline
Senior Member
 
Join Date: Feb 2004
Location: Nashua, NH
Posts: 377
Have there been any config file parameters added to the Linux (3AS) version, from version 2.3.5?
I noticed some naming changes (ListenAddresses / ListenV4Addresses etc.), but other than that, is the config file pretty much the same?
__________________
----------------------------------------------
Tom O'Loughlin
  #11  
Old 02-16-2006, 12:10 PM
tnygren's Avatar
tnygren tnygren is offline
Registered User
 
Join Date: May 2005
Posts: 1,408
Hi Toloughlin,

There were a couple additions to the config file in VShell 2.6

Here are the new additions from VShell 2.3.5 to 2.6 that were made to the config file:

Code:
#IdleNOOPTimeout 0  # Idle NOOP timeout is disabled by default. 
#SFTPDownloadCommand #Defines the command to be triggered when an SFTP file is downloaded.
#FireFileTriggersOnError true #Defines whether or not to fire file transfer triggers on error.

################################################################################
# The following parameters are for X.509 (digital certificate) authentication.
#
# Note: X.509 authentication is not currently supported on FreeBSD or OS X.
################################################################################
#
#CertificateTrustedRootsDirectory #Specifies a directory that contains trusted root certificates (and CRLs).
#CertificateIntermediatesDirectory #Specifies a directory that contains intermediate certificates (and CRLs).
#CertificatePathPKIXLevel 2 #Specifies the PKIX level used when attempting to validate a certificate chain.
#CertificateUsernameMapFilename #Specifies a file that maps certificate thumbprints to usernames.
#CRLCheckingEnabled true #Specifies whether to check client certificates against CRLs.
There were other options that had their name changed slightly.

Did you also want a list of those?
__________________
Thanks,

Teresa

Teresa Nygren
  #12  
Old 02-17-2006, 03:01 PM
toloughlin's Avatar
toloughlin toloughlin is offline
Senior Member
 
Join Date: Feb 2004
Location: Nashua, NH
Posts: 377
No thanks, I know the name changes. Thanks!
__________________
----------------------------------------------
Tom O'Loughlin
 


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -6. The time now is 08:13 PM.


copyright 1995-2017 VanDyke Software, Inc.