[LUAU] Excellent SSH advice
Vince Hoang
vince at litrium.com
Wed Jan 12 18:34:41 PST 2005
On Wed, Jan 12, 2005 at 02:27:43PM -1000, Dwight Victor wrote:
> Are you sure about that Vince?
Almost certain, yes.
> The way I understand how tcp_wrappers works is that the wrapper
> is actually listening on the service port and when the attempt
> is successfully authenticated against the /etc/hosts.allow and
> /etc/hosts.deny files, the wrapper passes control to the actual
> service.
To get tcp-wrapper support for an application, you either add the
checks directly to the application or run a process that has been
compiled with libwrap to perform the host checks before handing
off to the application.
> A quick google gives me this from Red Hat:
> http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/ch-tcpwrappers.html
The link you posted lists sshd as a network service that is
compiled with libwrap, which is what I assert.
> The tcpd manpage says this:
> NAME
> tcpd - access control facility for internet services
You list tcpd, but that is only required when you run something
without tcp-wrapper support. I believe most inetd and xinetd
packages ship with libwrap compiled in, so there is no need for
tcpd in this case either.
I doubt you will find tcpd running on a default install of any
current OS. And if you kill all your superservers (inetd|xinetd)
you should still find sshd running.
I could be wrong about a denied host being able to buffer
overflow sshd, but if sshd is the one providing the tcp-wrapper
support, I think the possibility is very real. Therefore, I tend
to only use tcp-wrappers when firewalling is not an option.
> If I'm wrong, then I'm wrong...but I don't think so.
Ditto. An interesting discussion, nonetheless!
-Vince
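To make the mechanism Vince describes concrete: a daemon compiled with libwrap accepts the TCP connection itself and then calls hosts_access() with the peer's address, consulting /etc/hosts.allow first (first match grants) and /etc/hosts.deny second (first match refuses), defaulting to allow. The block below is an added example, not code from the thread or from tcp_wrappers; it re-implements that decision order in Python over a constructed hosts.allow/hosts.deny pair and a subset of the hosts_access(5) client-pattern syntax (ALL, exact host or address, leading-dot domain suffix, trailing-dot address prefix, addr/mask in dotted-quad or CIDR form, and EXCEPT). The sample rules, hostnames and addresses are invented for illustration.

```python
"""Toy re-implementation of the hosts_access(5) decision a libwrap-linked
daemon such as sshd makes after accept().  Added example; not tcp_wrappers
code.  Order of evaluation: first matching rule in hosts.allow grants,
then first matching rule in hosts.deny refuses, otherwise allow."""
import ipaddress

# Constructed sample files (not from the original post).
HOSTS_ALLOW = """
# hosts.allow: first match wins and grants access
sshd: 192.168.1. 10.0.0.0/255.255.0.0 .corp.example.com EXCEPT kiosk.corp.example.com
ALL: 127.0.0.1
"""
HOSTS_DENY = """
# hosts.deny: consulted only if nothing in hosts.allow matched
sshd: ALL
"""


def parse_rules(text):
    """Return [(daemon_list, client_pattern_string), ...], skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append((daemons.split(), clients))
    return rules


def pattern_matches(pattern, host, addr):
    """One client pattern against the peer's hostname and dotted address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):          # domain suffix, e.g. .corp.example.com
        return host.endswith(pattern)
    if pattern.endswith("."):            # dotted address prefix, e.g. 192.168.1.
        return addr.startswith(pattern)
    if "/" in pattern:                   # net/mask, dotted quad or CIDR length
        net, mask = pattern.split("/", 1)
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        return ipaddress.ip_address(addr) in network
    return pattern == host or pattern == addr   # exact hostname or address


def client_list_matches(pattern_list, host, addr):
    """'a b EXCEPT c d' matches if any of a, b matches and none of c, d does."""
    tokens = pattern_list.split()
    if "EXCEPT" in tokens:
        idx = tokens.index("EXCEPT")
        return (client_list_matches(" ".join(tokens[:idx]), host, addr)
                and not client_list_matches(" ".join(tokens[idx + 1:]), host, addr))
    return any(pattern_matches(p, host, addr) for p in tokens)


def daemon_matches(daemons, daemon):
    return any(d == "ALL" or d == daemon for d in daemons)


def hosts_access(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if the already-accepted connection should be served.

    Note that by the time this runs the daemon has accept()ed the socket
    and learned the peer address; a refused client still reached the
    daemon process, which is the point made in the post above."""
    for daemons, clients in parse_rules(allow):
        if daemon_matches(daemons, daemon) and client_list_matches(clients, host, addr):
            return True
    for daemons, clients in parse_rules(deny):
        if daemon_matches(daemons, daemon) and client_list_matches(clients, host, addr):
            return False
    return True


if __name__ == "__main__":
    peers = [("sshd", "dev.corp.example.com", "192.168.1.5"),
             ("sshd", "kiosk.corp.example.com", "10.9.8.7"),
             ("sshd", "unknown", "203.0.113.9"),
             ("ftpd", "unknown", "203.0.113.9")]
    for daemon, host, addr in peers:
        verdict = "allow" if hosts_access(daemon, host, addr) else "deny"
        print(f"{daemon:5} {host:24} {addr:15} -> {verdict}")
```

The `ftpd` case shows the default-allow behaviour: nothing in either file names ftpd, so the connection is served. Real libwrap also does reverse-lookup consistency checks and supports more pattern forms (PARANOID, KNOWN, @netgroups, wildcard shell commands), none of which are modelled here.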