Mailinglist Archive: opensuse-security (601 mails)

Re: [suse-security] supplied firewall package robustness
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Mon, 21 Aug 2000 13:50:15 +0200 (MEST)
  • Message-id: <Pine.LNX.4.21.0008211344290.26262-100000@xxxxxxxxxxxx>
> Hi
>
> Thomas Biege wrote:
>
> ....
>
> > > Also, everything is deactivated in /etc/inetd.conf. /etc/hosts.deny is set to
> > > ALL: ALL and /etc/hosts.allow is set to sshd: ALL. That's it. Am I pretty safe,
> >
> > uh, if you start sshd as standalone (not via inetd) it isn't protected by
> > tcpd.
>
> But it seems that in recent versions of sshd which is shipped on SuSE's CDs
> libwrap support is linked in, so sshd itself consults /etc/hosts.allow and/or
> /etc/hosts.deny and decides if it should be called from a given IP address.
>
> Or am I wrong ?

This is definitely correct.

I think we need to add a small patch to the ssh package that gives a new
tcp-wrapper token: sshdfwd-all. The problem with libwrap is that you
can't reject everything (hosts.deny: ALL : ALL) without adding a rule for
each port that you want to have forwarded by sshd. This may look like:

sshdfwd-X11: ALL : ALLOW
sshd: ALL : ALLOW
sshdfwd-1000: ALL : ALLOW
sshdfwd-443: ALL : ALLOW

There is no general directive like sshdfwd-all.

Anyway, just a small thing. There are more important issues...

Thanks,
Roman.
--
- -
| Roman Drahtmüller <draht@xxxxxxx>   "Caution: Cape does not         |
| SuSE GmbH - Security                enable user to fly."            |
| Nürnberg, Germany                   (Batman Costume warning label)  |
- -
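To make the point of the message concrete, the following is an added example (not code from the thread, from OpenSSH or from the tcp_wrappers project) that models how libwrap evaluates hosts.allow and hosts.deny for the daemon tokens named above: `sshd` for the connection itself and `sshdfwd-<port>` / `sshdfwd-X11` for forwarded ports. It implements only the subset of the hosts_access(5) syntax that the thread uses (daemon lists, client lists, `ALL`, dotted address prefixes and the trailing `ALLOW`/`DENY` option); hostnames, `EXCEPT`, `LOCAL`, `KNOWN`/`UNKNOWN`/`PARANOID` and shell commands are left out. The port `8080` and the client addresses used in the sample inputs are constructed for the illustration.

```python
"""Simplified model of tcp_wrappers (libwrap) access-control evaluation.

Added example, not the libwrap implementation. Evaluation order follows
hosts_access(5): hosts.allow is searched first, then hosts.deny, and the
first matching rule decides; if nothing matches, access is granted. An
explicit ALLOW/DENY option at the end of a rule overrides the file's
default meaning, which is how the thread's "sshdfwd-443: ALL : ALLOW"
lines work.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALLOW, DENY = "ALLOW", "DENY"


@dataclass
class Rule:
    daemons: List[str]
    clients: List[str]
    action: Optional[str]  # explicit ALLOW/DENY option, or None


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: ALLOW|DENY]' lines (IPv4 only)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed hosts_access line: {raw!r}")
        daemons = [d.strip() for d in fields[0].split(",") if d.strip()]
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        action = None
        if len(fields) >= 3 and fields[2].upper() in (ALLOW, DENY):
            action = fields[2].upper()
        rules.append(Rule(daemons, clients, action))
    return rules


def _pattern_matches(pattern: str, value: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # "192.168.1." matches an address prefix
        return value.startswith(pattern)
    return pattern.lower() == value.lower()


def _rule_matches(rule: Rule, daemon: str, client: str) -> bool:
    return (any(_pattern_matches(p, daemon) for p in rule.daemons)
            and any(_pattern_matches(p, client) for p in rule.clients))


def hosts_access(daemon: str, client: str,
                 allow_text: str, deny_text: str) -> Tuple[str, str]:
    """Return (decision, reason) for one daemon token and client address."""
    for rule in parse_rules(allow_text):
        if _rule_matches(rule, daemon, client):
            # a rule in hosts.allow grants access unless it says DENY
            return rule.action or ALLOW, f"hosts.allow matched {rule}"
    for rule in parse_rules(deny_text):
        if _rule_matches(rule, daemon, client):
            # a rule in hosts.deny refuses access unless it says ALLOW
            return rule.action or DENY, f"hosts.deny matched {rule}"
    return ALLOW, "no rule matched: default is to allow"


# The configuration from the thread: everything denied, only sshd allowed.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW_MINIMAL = "sshd: ALL\n"

# Roman's per-port list: each forwarded port needs its own token.
HOSTS_ALLOW_PER_PORT = """\
sshdfwd-X11: ALL : ALLOW
sshd: ALL : ALLOW
sshdfwd-1000: ALL : ALLOW
sshdfwd-443: ALL : ALLOW
"""


def evaluate_tokens(tokens, client, allow_text, deny_text) -> dict:
    """Decision per daemon token, e.g. for a login plus several forwards."""
    return {t: hosts_access(t, client, allow_text, deny_text)[0] for t in tokens}


if __name__ == "__main__":
    tokens = ["sshd", "sshdfwd-X11", "sshdfwd-443", "sshdfwd-8080"]
    client = "10.0.0.5"  # constructed sample address
    print("minimal hosts.allow :", evaluate_tokens(tokens, client, HOSTS_ALLOW_MINIMAL, HOSTS_DENY))
    print("per-port hosts.allow:", evaluate_tokens(tokens, client, HOSTS_ALLOW_PER_PORT, HOSTS_DENY))
```

With the minimal configuration the login itself is permitted but every `sshdfwd-*` token falls through to `ALL: ALL` in hosts.deny, so no port forwarding works; with the per-port list, only the ports that have their own line are forwarded, and an unlisted port such as `sshdfwd-8080` is still refused. That is the gap a general `sshdfwd-all` token would close.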

