[LUAU] Excellent SSH advice

Ho'ala Greevy hoala at secretbonus.com
Thu Jan 13 17:27:02 PST 2005


I agree with Vince on this.  About 3 yrs ago I did some consulting for a
client who had initially believed tcp_wrapper was enough to thwart attacks
via ssh.  By the time I was allowed shell access to the machine, it had
long been compromised.  Mind you, it also had an outdated version of
openssh.  But as far as relying on tcp_wrapper to prevent unauthorized
access attempts, that proved to be false.

We ended up rebuilding the machine and using netfilter instead.  It's been
safe since.

hope that helps,
-ho'ala



Vince Hoang said:
> On Wed, Jan 12, 2005 at 10:42:10PM -1000, Dwight Victor wrote:
>> Hmmm. If the wrapper is first to receive data, and finds
>> that the attempt should be denied, wouldn't it drop the
>> connection? Why would it pass the buffered information to
>> the SSH daemon? How can you implement a buffer overflow on
>> a dropped connection? I think the wrapper should work in a
>> similar manner to iptables and drop all subsequent data after
>> determining that the attempt is denied.
>
> If you run lsof or netstat on your system, you should see that
> sshd, and not tcpd, is listening on tcp/22. Tcpd is not invoked, and
> does not shield sshd from attacks.
>
> -Vince
> _______________________________________________
> LUAU at lists.hosef.org mailing list
> http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
>
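An added shell example (not from either poster) that makes Vince's point checkable and shows the netfilter alternative Ho'ala moved to. It parses a constructed `netstat -tlnp` sample to find which program owns tcp/22, and prints (does not apply) iptables rules that allow SSH only from an assumed network, 192.0.2.0/24.

```shell
#!/bin/sh
# Added example, not part of the original thread.

# Constructed sample of `netstat -tlnp` output as seen by root on a Linux host.
# Note the difference: inetd owns tcp/23, so a wrapper (tcpd) can sit in that
# path; sshd owns tcp/22 itself, so nothing runs before it on a new connection.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      977/master
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      540/inetd'

# Print the program that owns the LISTEN socket on TCP port $1, reading
# netstat -tlnp style text from stdin. Prints nothing if no listener matches.
listener_on_port() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")          # local address is host:port (or :::port)
            if (a[n] == p) {
                sub(/^[0-9]+\//, "", $7)   # "812/sshd" -> "sshd"
                print $7
            }
        }'
}

# Emit netfilter rules that do at the packet level what the wrapper was
# assumed to do: accept SSH only from $1, log the rest (rate limited), drop.
# Rules are printed for review; run them as root to apply.
ssh_allow_rules() {
    allowed="$1"
    printf '%s\n' \
      "iptables -A INPUT -p tcp --dport 22 -s $allowed --syn -j ACCEPT" \
      "iptables -A INPUT -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix 'ssh-drop: '" \
      "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# Usage: compare what the wrapper was supposed to guard with what really listens.
owner=$(printf '%s\n' "$SAMPLE_NETSTAT" | listener_on_port 22)
echo "tcp/22 is owned by: ${owner:-nothing}"
ssh_allow_rules 192.0.2.0/24
```

On a live host replace the sample with `netstat -tlnp` (or `ss -ltnp`) output; if the owner of 22 is sshd rather than tcpd or inetd, the wrapper is not in front of the daemon.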