[LUAU] Excellent SSH advice

Dwight Victor dwight.victor at gmail.com
Fri Jan 14 13:32:45 PST 2005


Hmmm.  Okay.

I guess using tcpd/libwrap in conjunction with iptables will provide
another layer of security.  Could use iptables to allow specific IP
addresses and tcpd/libwrap to allow specific users.

Dwight...

P.S. Ho'ala, did you confirm that the compromise was via the outdated
ssh or was that an assumption?


On Thu, 13 Jan 2005 15:27:02 -1000 (HST), Ho'ala Greevy
<hoala at secretbonus.com> wrote:
> I agree with Vince on this.  About 3 yrs ago I did some consulting for a
> client who had initially believed tcp_wrapper was enough to thwart attacks
> via ssh.  By the time I was allowed shell access to the machine, it had
> long been compromised.  Mind you, it also had an outdated version of
> openssh.  But as far as relying on tcp_wrapper to prevent unauthorized
> access attempts, that proved to be false.
> 
> We ended up rebuilding the machine and using netfilter instead.  It's been
> safe since.
> 
> hope that helps,
> -ho'ala
> 
> 
> Vince Hoang said:
> > On Wed, Jan 12, 2005 at 10:42:10PM -1000, Dwight Victor wrote:
> >> Hmmm. If the wrapper is first to receive data, and finds
> >> that the attempt should be denied, wouldn't it drop the
> >> connection? Why would it pass the buffered information to
> >> the SSH daemon? How can you implement a buffer overflow on
> >> a dropped connection? I think the wrapper should work in a
> >> similar manner to iptables and drop all subsequent data after
> >> determining that the attempt is denied.
> >
> > If you run lsof or netstat on your system, you should see that
> > sshd, and not tcpd, is listening on tcp/22. Tcpd is not invoked, and
> > does not shield sshd from attacks.
> >
> > -Vince
> > _______________________________________________
> > LUAU at lists.hosef.org mailing list
> > http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
> >
> 


-- 
Dwight Victor
Resident Mad Scientist and All Around Good Guy
dwight.victor at gmail.com
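The layering Dwight proposes (netfilter to admit specific addresses, libwrap as a second check inside sshd), together with Vince's point that sshd itself, not tcpd, owns tcp/22, as an added example that is not code from the thread. It is a POSIX sh script for a Linux host with iptables; the SSH_IN chain name, the DRY_RUN and IPTABLES variables, and the sample addresses 192.0.2.10 and 198.51.100.0/24 (documentation ranges) are this example's own assumptions. The iptables rules are evaluated in the kernel before any sshd code runs, which is what a wrapper compiled into sshd cannot give you; the hosts.allow line only takes effect once sshd has already accepted the connection.

```shell
#!/bin/sh
# Added example, not code from the thread.  Puts netfilter in front of sshd
# and writes the matching tcp_wrappers lines for a second, in-process check.
# Assumptions: Linux, iptables, POSIX sh.  The chain name SSH_IN and the
# DRY_RUN/IPTABLES variables are this example's own conventions.
#   DRY_RUN=1   print the iptables commands instead of running them (no root needed)

IPTABLES="${IPTABLES:-iptables}"

# run CMD...: execute CMD, or print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ssh_allow_rules SRC...: accept tcp/22 only from the listed sources (host or
# CIDR).  Everything else to port 22 is dropped in the kernel, so those packets
# never reach sshd at all, whatever version it is.
ssh_allow_rules() {
    [ $# -gt 0 ] || { echo "ssh_allow_rules: need at least one source" >&2; return 1; }
    run "$IPTABLES" -N SSH_IN 2>/dev/null || true      # harmless if the chain exists
    run "$IPTABLES" -F SSH_IN                           # start from an empty chain
    for src in "$@"; do
        run "$IPTABLES" -A SSH_IN -s "$src" -j ACCEPT
    done
    run "$IPTABLES" -A SSH_IN -j DROP                   # default for port 22: drop
    # Re-insert the jump at the top of INPUT, ahead of any accept-all rule,
    # deleting a previous copy first so repeated runs do not stack duplicates.
    run "$IPTABLES" -D INPUT -p tcp --dport 22 -j SSH_IN 2>/dev/null || true
    run "$IPTABLES" -I INPUT -p tcp --dport 22 -j SSH_IN
}

# hosts_allow_line SRC...: the /etc/hosts.allow line for the same sources.
# Classic tcp_wrappers syntax writes a network as net/dotted-mask
# (e.g. 198.51.100.0/255.255.255.0), so pass that form here, not a prefix length.
hosts_allow_line() {
    allow=""
    for src in "$@"; do
        allow="${allow:+$allow, }$src"
    done
    printf 'sshd: %s\n' "$allow"
}

# hosts_deny_line: the /etc/hosts.deny line that makes hosts.allow a whitelist
hosts_deny_line() {
    printf 'sshd: ALL\n'
}

# ssh_listener: show which process owns tcp/22 (sshd, not tcpd; process names
# need root) and whether that sshd was even built against libwrap.  If it was
# not, hosts.allow/hosts.deny are ignored for sshd and only netfilter protects it.
ssh_listener() {
    { ss -ltnp 2>/dev/null || netstat -tlnp 2>/dev/null; } | grep ':22 '
    if ldd "$(command -v sshd)" 2>/dev/null | grep -q libwrap; then
        echo "sshd links libwrap: hosts.allow/hosts.deny are consulted"
    else
        echo "sshd does not link libwrap: hosts.allow/hosts.deny do nothing for sshd"
    fi
}

# Usage (preview first):  DRY_RUN=1 sh ssh-guard.sh 192.0.2.10 198.51.100.0/24
# then, as root from the console:   sh ssh-guard.sh 192.0.2.10 198.51.100.0/24
# and put the output of hosts_allow_line/hosts_deny_line in the two files.
if [ $# -gt 0 ]; then
    ssh_allow_rules "$@"
    echo "hosts.allow: $(hosts_allow_line "$@")"
    echo "hosts.deny:  $(hosts_deny_line)"
fi
```

Two caveats a practitioner will want. First, apply the rules from the console, or make sure your own address is in the list, because the final DROP applies to you too. Second, the ldd check matters more today than in 2005: OpenSSH removed its built-in tcp_wrappers support in 6.7, so on many current systems the hosts.allow line is a no-op for sshd and netfilter is the only layer. Restricting by user rather than by host is an sshd_config matter (AllowUsers / AllowGroups), not something hosts.allow can express.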
