[LUAU] Excellent SSH advice
Dwight Victor
dwight.victor at gmail.com
Fri Jan 14 13:32:45 PST 2005
Hmmm. Okay.
I guess using tcpd/libwrap in conjunction with iptables will provide
another layer of security. Could use iptables to allow specific IP
addresses and tcpd/libwrap to allow specific users.
Dwight...
P.S. Ho'ala, did you confirm that the compromise was via the outdated
ssh or was that an assumption?
On Thu, 13 Jan 2005 15:27:02 -1000 (HST), Ho'ala Greevy
<hoala at secretbonus.com> wrote:
> I agree with Vince on this. About 3 yrs ago I did some consulting for a
> client who had initially believed tcp_wrapper was enough to thwart attacks
> via ssh. By the time I was allowed shell access to the machine, it had
> long been compromised. Mind you, it also had an outdated version of
> openssh. But as far as relying on tcp_wrapper to prevent unauthorized
> access attempts, that proved to be false.
>
> We ended up rebuilding the machine and using netfilter instead. It's been
> safe since.
>
> hope that helps,
> -ho'ala
>
>
> Vince Hoang said:
> > On Wed, Jan 12, 2005 at 10:42:10PM -1000, Dwight Victor wrote:
> >> Hmmm. If the wrapper is first to receive data, and finds
> >> that the attempt should be denied, wouldn't it drop the
> >> connection? Why would it pass the buffered information to
> >> the SSH daemon? How can you implement a buffer overflow on
> >> a dropped connection? I think the wrapper should work in a
> >> similar manner to iptables and drop all subsequent data after
> >> determining that the attempt is denied.
> >
> > If you run lsof or netstat on your system, you should see that
> > sshd, and not tcpd, is listening on tcp/22. Tcpd is not invoked, and
> > does not shield sshd from attacks.
> >
> > -Vince
> > _______________________________________________
> > LUAU at lists.hosef.org mailing list
> > http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
> >
>
--
Dwight Victor
Resident Mad Scientist and All Around Good Guy
dwight.victor at gmail.com
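The two layers this thread contrasts, as an added example that is not part of the original posts or of any poster's configuration. The first function performs the check Vince describes (which process actually owns tcp/22); the second emulates the hosts.allow/hosts.deny decision that an sshd built with libwrap makes after it has already accepted the connection, so it is clear which layer sees a packet first. It assumes a Linux host with net-tools netstat, netfilter/iptables and a libwrap-enabled sshd; the netstat output and the hosts.allow/hosts.deny contents are constructed, and the EXCEPT, hostname and netmask forms of hosts_access(5) are deliberately left out of the emulation.

```shell
#!/bin/sh
# Added example, not code from the original LUAU thread. Assumes a Linux host
# with netstat (net-tools), netfilter/iptables, and an sshd built with libwrap
# so that it consults /etc/hosts.allow and /etc/hosts.deny itself.

# --- 1. The check Vince describes: which process owns tcp/22? ---
# Reads `netstat -ltnp` output on stdin and prints the program name listening
# on port $1 ("none" if nothing is; "-" if netstat could not see the PID
# because it was not run as root).
listener_on_port() {
    awk -v port="$1" '
        $6 == "LISTEN" {
            n = split($4, a, ":")                 # last field after ":" is the port
            if (a[n] == port) {
                sub(/^[0-9]+\//, "", $7)          # "812/sshd" -> "sshd"
                print $7; found = 1; exit
            }
        }
        END { if (!found) print "none" }'
}

# Constructed sample of `netstat -ltnp` output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master'

# --- 2. What libwrap decides once sshd has already accept()ed the socket ---
# hosts_access(5) order: first matching line in hosts.allow grants access,
# otherwise first matching line in hosts.deny refuses it, otherwise access is
# granted. Lines are "daemon_list : client_list". This emulation handles ALL,
# exact IPv4 addresses and trailing-dot network prefixes ("192.168.1."); it
# does not handle EXCEPT, hostnames or netmask forms.
_wrap_match() {   # $1 daemon, $2 client address, $3 rule text; exit 0 on match
    printf '%s\n' "$3" | awk -v d="$1" -v c="$2" '
        function tok_match(pat, val) {
            if (pat == "ALL") return 1
            if (pat ~ /\.$/) return index(val, pat) == 1   # address prefix
            return pat == val
        }
        function list_match(list, val,    m, i, toks) {
            gsub(/,/, " ", list)
            m = split(list, toks, /[[:space:]]+/)
            for (i = 1; i <= m; i++)
                if (toks[i] != "" && tok_match(toks[i], val)) return 1
            return 0
        }
        /^[[:space:]]*(#|$)/ { next }                        # comment / blank
        {
            n = split($0, f, ":")
            if (n >= 2 && list_match(f[1], d) && list_match(f[2], c)) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

hosts_access_decision() {   # $1 daemon, $2 client, $3 hosts.allow, $4 hosts.deny
    if _wrap_match "$1" "$2" "$3"; then echo allow
    elif _wrap_match "$1" "$2" "$4"; then echo deny
    else echo allow
    fi
}

# Constructed hosts.allow / hosts.deny for a "specific IP addresses" policy.
SAMPLE_ALLOW='# hosts.allow
sshd: 192.168.1., 10.0.0.5'
SAMPLE_DENY='# hosts.deny
sshd: ALL'

# The netfilter layer in front of all this (run as root; not executed here):
#   iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 -s 10.0.0.5 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 -j DROP
# A packet dropped here never reaches sshd; a client refused by libwrap has
# already been accepted by sshd and is only then torn down.

printf '%s\n' "$SAMPLE_NETSTAT" | listener_on_port 22                     # sshd
hosts_access_decision sshd 192.168.1.40 "$SAMPLE_ALLOW" "$SAMPLE_DENY"     # allow
hosts_access_decision sshd 203.0.113.9  "$SAMPLE_ALLOW" "$SAMPLE_DENY"     # deny
```

On a live box the first check is `netstat -ltnp | listener_on_port 22` or simply `lsof -nP -iTCP:22 -sTCP:LISTEN`; if the owner is sshd rather than tcpd or inetd, the wrapper code runs inside sshd's own process after accept(), which is why it is a layer behind netfilter and not in front of it. One caveat for anyone reading this today: portable OpenSSH dropped libwrap support in release 6.7, so on current systems hosts.allow has no effect on sshd unless the distribution patches it back in; restrict sources with netfilter and, for per-user or per-address policy, with sshd_config directives such as AllowUsers and Match Address.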