Mailinglist Archive: opensuse-security (601 mails)
Re: [suse-security] supplied firewall package robustness
- From: Roman Drahtmueller <draht@xxxxxxx>
- Date: Mon, 21 Aug 2000 13:50:15 +0200 (MEST)
- Message-id: <Pine.LNX.4.21.0008211344290.26262-100000@xxxxxxxxxxxx>
> Hi
>
> Thomas Biege wrote:
>
> ....
>
> > > Also, everything is deactivated in /etc/inetd.conf. /etc/hosts.deny is set to
> > > ALL: ALL and /etc/hosts.allow is set to sshd: ALL. That's it. Am I pretty safe,
> >
> > uh, if you start sshd as standalone (not via inetd) it isn't protected by
> > tcpd.
>
> But it seems that in recent versions of sshd shipped on SuSE's CDs,
> libwrap support is linked in, so sshd itself consults /etc/hosts.allow and/or
> /etc/hosts.deny and decides if it should be called from a given IP address.
>
> Or am I wrong?
This is definitely correct.
I think we need to add a small patch to the ssh package that gives a new
tcp-wrapper token: sshdfwd-all. The problem with libwrap is that you
can't reject everything (hosts.deny: ALL : ALL) without adding a rule for
each port that you want to have forwarded by sshd. This may look like:
sshdfwd-X11: ALL : ALLOW
sshd: ALL : ALLOW
sshdfwd-1000: ALL : ALLOW
sshdfwd-443: ALL : ALLOW
There is no general directive like sshdfwd-all.
Anyway, just a small thing. There are more important issues...
Thanks,
Roman.
--
Roman Drahtmüller <draht@xxxxxxx>      "Caution: Cape does not
SuSE GmbH - Security                    enable user to fly."
Nürnberg, Germany                      (Batman Costume warning label)
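An added example, not from the post or from SuSE, that models the tcp_wrappers lookup Roman describes (hosts.allow first, then hosts.deny, no match means allow) so the effect of "ALL : ALL" in hosts.deny on the per-port sshdfwd-* tokens can be checked; the file contents and the client address are constructed, and only the rule syntax used in the post is supported.

```python
# Added example, not from the post: a minimal model of the tcp_wrappers
# lookup the post relies on (hosts_access(5): hosts.allow first, then
# hosts.deny, no match means allow). It covers only the syntax used in the
# post: daemon and client lists, the ALL wildcard, and an optional ALLOW/DENY
# option. sshd with libwrap checks tokens like "sshdfwd-X11" and
# "sshdfwd-<port>" for forwarded connections; the file contents here are
# constructed, not copied from any real system.

HOSTS_ALLOW = """
sshd: ALL : ALLOW
sshdfwd-X11: ALL : ALLOW
sshdfwd-1000: ALL : ALLOW
sshdfwd-443: ALL : ALLOW
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Turn hosts.allow/hosts.deny text into (daemons, clients, option) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].split()
        clients = fields[1].split() if len(fields) > 1 else ["ALL"]
        option = fields[2].upper() if len(fields) > 2 else None
        rules.append((daemons, clients, option))
    return rules


def _matches(patterns, value):
    # ALL matches anything; otherwise an exact, case-insensitive token match.
    return any(p == "ALL" or p.lower() == value.lower() for p in patterns)


def access_granted(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """First matching line wins; a line in hosts.allow grants unless it says DENY."""
    for default, text in ((True, allow_text), (False, deny_text)):
        for daemons, clients, option in parse_rules(text):
            if _matches(daemons, daemon) and _matches(clients, client):
                return {"ALLOW": True, "DENY": False}.get(option, default)
    return True  # matched neither file: tcp_wrappers grants access


if __name__ == "__main__":
    for token in ("sshd", "sshdfwd-443", "sshdfwd-8080"):
        print(token, "->", "allowed" if access_granted(token, "10.0.0.5") else "denied")
```

Running it shows sshd and sshdfwd-443 allowed but sshdfwd-8080 denied: every forwarded port needs its own hosts.allow line, which is the gap a general sshdfwd-all token would close.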