Hmmm. Okay. I guess using tcpd/libwrap in conjunction with iptables will provide another layer of security. Could use iptables to allow specific IP addresses and tcpd/libwrap to allow specific users.
Dwight...

P.S. Ho`ala, did you confirm that the compromise was via the outdated ssh or was that an assumption?

On Thu, 13 Jan 2005 15:27:02 -1000 (HST), Ho'ala Greevy <[EMAIL PROTECTED]> wrote:
> I agree with Vince on this. About 3 yrs ago I did some consulting for a
> client who had initially believed tcp_wrapper was enough to thwart attacks
> via ssh. By the time I was allowed shell access to the machine, it had
> long been compromised. Mind you, it also had an outdated version of
> openssh. But as far as relying on tcp_wrapper to prevent unauthorized
> access attempts, that proved to be false.
>
> We ended up rebuilding the machine and using netfilter instead. It's been
> safe since.
>
> hope that helps,
> -ho'ala
>
>
> Vince Hoang said:
> > On Wed, Jan 12, 2005 at 10:42:10PM -1000, Dwight Victor wrote:
> >> Hmmm. If the wrapper is first to receive data, and finds
> >> that the attempt should be denied, wouldn't it drop the
> >> connection? Why would it pass the buffered information to
> >> the SSH daemon? How can you implement a buffer overflow on
> >> a dropped connection? I think the wrapper should work in a
> >> similar manner to iptables and drop all subsequent data after
> >> determining that the attempt is denied.
> >
> > If you run lsof or netstat on your system, you should see that
> > sshd, and not tcpd, is listening on tcp/22. Tcpd is not invoked, and
> > does not shield sshd from attacks.
> >
> > -Vince
> > _______________________________________________
> > [email protected] mailing list
> > http://lists.hosef.org/cgi-bin/mailman/listinfo/luau
> >
>

--
Dwight Victor
Resident Mad Scientist and All Around Good Guy
[EMAIL PROTECTED]
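As an added illustration of Vince's point and Dwight's layered approach (this is example code, not something posted in the thread): a POSIX shell script that checks which daemon actually owns tcp/22, whether that daemon is itself linked against libwrap (the only case in which hosts.allow applies, since tcpd never sees the connection), and then emits netfilter rules restricting port 22 to specific source addresses. The netstat output used for the self-test is constructed; the sshd paths are assumed.

```sh
#!/bin/sh
# Added example, not from the thread. Constructed netstat -ltnp output for an
# offline self-test; on a live box the script calls netstat itself.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      901/master'

# Print the program name bound (LISTEN) to the given TCP port, or nothing.
# Expect "sshd" here; tcpd only shows up for services spawned via inetd.
listener_on_port() {
    port="$1"
    printf '%s\n' "$2" | awk -v p=":$port" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ p"$" {
            sub(/^[0-9]+\//, "", $7); print $7; exit
        }'
}

# Report whether the sshd binary links libwrap (assumed install paths).
# Without it, /etc/hosts.allow has no effect on ssh at all.
sshd_has_libwrap() {
    for bin in /usr/sbin/sshd /usr/local/sbin/sshd; do
        [ -x "$bin" ] || continue
        if ldd "$bin" 2>/dev/null | grep -q libwrap; then echo yes; return 0; fi
        echo no; return 1
    done
    echo unknown; return 1
}

# Emit the netfilter layer: allow tcp/22 only from the listed sources, drop the rest.
# Intended for review before applying; adjust to your existing chain order.
iptables_ssh_rules() {
    for src in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$src"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

if command -v netstat >/dev/null 2>&1; then
    echo "tcp/22 owner: $(listener_on_port 22 "$(netstat -ltnp 2>/dev/null)")"
fi
echo "sshd linked with libwrap: $(sshd_has_libwrap || true)"
iptables_ssh_rules 192.0.2.10 198.51.100.0/24
```

Newer OpenSSH releases dropped libwrap support entirely, so on such systems the libwrap check reports "no" and only the netfilter layer (plus sshd's own AllowUsers/Match directives) restricts access.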
