Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
On 2/14/2020 10:18 AM, Ed Maste wrote:
> Upstream OpenSSH-portable removed libwrap support in version 6.7,
> released in October 2014. We've maintained a patch in our tree to
> restore it, but it causes friction on each OpenSSH update and may
> introduce security vulnerabilities not present upstream. It's (past)
> time to remove it.
>
> Although the specific deprecation steps aren't yet fleshed out I'm
> sending this as an early notice that I plan to disable libwrap support
> from the base system sshd and that FreeBSD 13 will not support it.
> We'll probably keep the patch in the tree for some time, to support
> MFCs to stable branches; the patch will be removed entirely later on.

FYI if you need this feature the port still has it and is at 8.2 now.

--
Regards,
Bryan Drewery
Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
On 2/21/20 11:49 AM, Ed Maste wrote:
> It seems starting sshd from inetd via tcpd is a reasonable approach
> for folks who want to use it; also, have folks using libwrap looked at
> sshd's Match blocks to see if they provide the desired functionality?

While match blocks can disallow a login from anything other than an approved source address, they apparently permit the configured number of failed attempts before throwing the prospective intruder out. With the wrappers, it's an immediate disconnect. They also have no mechanism to recognize a DNS mismatch (forward versus reverse map).

imb
___
freebsd-security@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
On Sat, 15 Feb 2020 at 05:03, Bjoern A. Zeeb wrote:
>
> I am also worried that the change will make a lot of machines
> unprotected upon updating to 13 if there is no big red warning flag
> before the install.

At least having sshd emit a warning is a prerequisite, certainly. I don't yet know if there's a way via libwrap's API to determine if rules are in place; there's a bit of investigation needed here still.

> I do understand the burden of maintaining a local patch (we lost the HA
> patches from base this way already).

Indeed. As you pointed out the libwrap patch is very small and easy to review and reason about. My bigger concern is that libwrap is essentially abandonware, and it has been dropped by just about everyone else. As far as I know Debian is still patching libwrap support into sshd but not anyone else.

It seems starting sshd from inetd via tcpd is a reasonable approach for folks who want to use it; also, have folks using libwrap looked at sshd's Match blocks to see if they provide the desired functionality?
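A pre-upgrade check of the kind the "big red warning" above calls for, as an added example (not code from this thread, from FreeBSD, or from libwrap): it scans a hosts_access(5)-style file for active rules whose daemon list covers sshd, so an administrator can be told before updating that a base sshd built without libwrap will stop enforcing them. The function names and the constructed sample rules are assumptions; the file paths are the standard hosts.allow/hosts.deny locations.

```shell
#!/bin/sh
# Added example, not from the thread: find TCP Wrappers rules for sshd
# that a libwrap-less sshd would silently ignore.

# wrapper_rules_for_sshd FILE
# Prints every active rule in FILE whose daemon list names sshd or ALL
# and exits 0; exits 1 if there is no such rule or FILE is unreadable.
# Comments and blank lines are skipped and backslash-continued lines are
# joined before the daemon field (text before the first ':') is examined.
wrapper_rules_for_sshd() {
    file="${1:-/etc/hosts.allow}"
    [ -r "$file" ] || return 1
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }   # continuation line
        {
            line = buf $0; buf = ""
            sub(/#.*/, "", line)                      # drop comments
            if (line ~ /^[[:space:]]*$/) next          # skip blank lines
            split(line, f, ":")                        # f[1] = daemon list
            n = split(f[1], d, /[[:space:],]+/)
            for (i = 1; i <= n; i++)
                if (d[i] == "sshd" || d[i] == "ALL") {
                    print line; found = 1; break
                }
        }
        END { exit (found ? 0 : 1) }' "$file"
}

# warn_if_wrapped_sshd
# The pre-upgrade warning itself: exits 1 (so an upgrade script can stop)
# when either wrappers file has rules that sshd would no longer honour.
warn_if_wrapped_sshd() {
    hits=0
    for f in /etc/hosts.allow /etc/hosts.deny; do
        if rules=$(wrapper_rules_for_sshd "$f"); then
            hits=1
            printf 'WARNING: %s has TCP Wrappers rules covering sshd:\n%s\n' \
                "$f" "$rules" >&2
        fi
    done
    [ "$hits" -eq 0 ] || printf 'A base sshd without libwrap will NOT enforce these rules.\n' >&2
    return "$hits"
}
```

Run `warn_if_wrapped_sshd` from a pre-upgrade hook; it is silent and exits 0 on a host with no sshd rules.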
Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
On 17-2-2020 08:02, Borja Marcos wrote:
>> On 14 Feb 2020, at 19:18, Ed Maste wrote:
>>
>> Upstream OpenSSH-portable removed libwrap support in version 6.7,
>> released in October 2014. We've maintained a patch in our tree to
>> restore it, but it causes friction on each OpenSSH update and may
>> introduce security vulnerabilities not present upstream. It's (past)
>> time to remove it.
>
> There’s no way to fight it? I know it’s an old program (first time I used it was back in 1992 or so!)
> but it’s really convenient and easy to use.

I remember porting it to Apollo Domain OS with Wietse Venema when we both worked at Eindhoven University. And Wietse was complaining that PIDs were not unique and sequential. So my guess would be that its origin lies somewhere around 1986-1988.

At that time TCP Wrappers was a good part of security, since firewalls and the like were close to hard to get and/or unavailable. But in current times there usually are better ways to fix things, but I guess that all use something of a firewall, be it ipfw or pf (using both sshguard, fail2ban or portsentry).

So it'll be sad to see it go, but I guess it has served its purpose.

--WjW
Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
> On Feb 17, 2020, at 9:02 AM, Borja Marcos wrote:
>
>> On 14 Feb 2020, at 19:18, Ed Maste wrote:
>>
>> Upstream OpenSSH-portable removed libwrap support in version 6.7,
>> released in October 2014. We've maintained a patch in our tree to
>> restore it, but it causes friction on each OpenSSH update and may
>> introduce security vulnerabilities not present upstream. It's (past)
>> time to remove it.
>
> There’s no way to fight it? I know it’s an old program (first time I used it
> was back in 1992 or so!)
> but it’s really convenient and easy to use.
>
> Borja.

run sshd from inetd
Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
> On 14 Feb 2020, at 19:18, Ed Maste wrote:
>
> Upstream OpenSSH-portable removed libwrap support in version 6.7,
> released in October 2014. We've maintained a patch in our tree to
> restore it, but it causes friction on each OpenSSH update and may
> introduce security vulnerabilities not present upstream. It's (past)
> time to remove it.

There’s no way to fight it? I know it’s an old program (first time I used it was back in 1992 or so!) but it’s really convenient and easy to use.

Borja.
Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
On 14 Feb 2020, at 18:18, Ed Maste wrote:

Hi Ed,

> Although the specific deprecation steps aren't yet fleshed out I'm
> sending this as an early notice that I plan to disable libwrap support
> from the base system sshd and that FreeBSD 13 will not support it.

I’ll be sad to run inetd again on systems so that I can run a wrapped sshd. Like others I feel that adding firewalls to a machine simply to filter sshd is not an option and whatever else openssh itself has offered in the past never sufficed.

I am also worried that the change will make a lot of machines unprotected upon updating to 13 if there is no big red warning flag before the install.

I do understand the burden of maintaining a local patch (we lost the HA patches from base this way already). Given the port already does maintain the patch I am wondering what “security guarantees” we provide for the port compared to the base system (ignoring possible security updates) or why the patch cannot be included in base? Compared to the HA patch, this one seems to be sillily small.

/bz
Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
On 2/14/20 6:37 PM, Ben Woods wrote:
> On Sat, 15 Feb 2020 at 4:27 am, Joey Kelly wrote:
>
>> On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
>>> Upstream OpenSSH-portable removed libwrap support in version 6.7,
>>> released in October 2014. We've maintained a patch in our tree to
>>> restore it, but it causes friction on each OpenSSH update and may
>>> introduce security vulnerabilities not present upstream. It's (past)
>>> time to remove it.
>>
>> So color me ignorant, but how does this affect things like DenyHosts? Or is
>> there an in-application way to block dictionary attacks? I can't go back to
>> having my servers pounded on day and night (and yes, I listed on an
>> alternative port).
>
> DenyHosts can be configured to use PF firewall tables directly, rather than
> using TCP wrappers:
> https://github.com/denyhosts/denyhosts/blob/master/denyhosts.conf#L261

Requiring the addition of a firewall where there was none before is a significant and potentially error-prone change. I am not about to add this degree of complexity to every machine which only has a single port exposed via NAT.

To maintain equivalent functionality, the port version (security/openssh-portable) has the requisite patch as an option or, perhaps better, the base SSHD can be run from INETD and, consequently, TCP-wrapped as it was before.

imb
Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
In the interest of good logging it may be better to filter ssh attempts with libwrap than with packet filtering. The difference being that libwrap logging, particularly when used with fail2ban, tends to be more readable and parseable.

Not having libwrap in sshd is most simply and easily worked around, IMO, by running it from inetd. While less experienced sysadmins may not be familiar with inetd, and some others believe it impacts session setup time, 99.99% of sshd implementations will not see any difference between sshd linked with libwrap vs unlinked and run under inetd. Performance might be an issue when dozens or hundreds of sessions are received per minute, but then those sites are likely to already have load balancing.

FreeBSD's inetd also has more instance and rate-limiting options than libwrap or packet filtering. I wouldn't be surprised if this was part of the reason why it is no longer bundled.

Roger Marquis

>> Upstream OpenSSH-portable removed libwrap support in version 6.7,
>> released in October 2014. We've maintained a patch in our tree to
>> restore it, but it causes friction on each OpenSSH update and may
>> introduce security vulnerabilities not present upstream. It's (past)
>> time to remove it.
>
> So color me ignorant, but how does this affect things like DenyHosts? Or is
> there an in-application way to block dictionary attacks? I can't go back to
> having my servers pounded on day and night (and yes, I listed on an
> alternative port).
Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
On Sat, 15 Feb 2020 at 4:27 am, Joey Kelly wrote:
> On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
> > Upstream OpenSSH-portable removed libwrap support in version 6.7,
> > released in October 2014. We've maintained a patch in our tree to
> > restore it, but it causes friction on each OpenSSH update and may
> > introduce security vulnerabilities not present upstream. It's (past)
> > time to remove it.
>
> So color me ignorant, but how does this affect things like DenyHosts? Or is
> there an in-application way to block dictionary attacks? I can't go back to
> having my servers pounded on day and night (and yes, I listed on an
> alternative port).

DenyHosts can be configured to use PF firewall tables directly, rather than using TCP wrappers:
https://github.com/denyhosts/denyhosts/blob/master/denyhosts.conf#L261

###
#
# On FreeBSD/OpenBSD/TrueOS/PC-BSD/NetBSD/OS X we may want to block incoming
# traffic using the PF firewall instead of the hosts.deny file
# (aka tcp_wrapper).
# The admin can set up a PF table that is persistent
# and DenyHost can add new addresses to be blocked to that table.
# The TrueOS operating system enables this by default, blocking
# all addresses in the "blacklist" table.
#
# To have DenyHost update the blocking PF table in real time, uncomment
# these next two options. Make sure the table name specified
# is one created in the pf.conf file of your operating system.
# The PFCTL_PATH variable must point to the pfctl executable on your OS.
# PFCTL_PATH = /sbin/pfctl
# PF_TABLE = blacklist
# Note, a good rule to have in your pf.conf file to enable the
# blacklist table is:
#
# table <blacklist> persist file "/etc/blacklist"
# block in quick from <blacklist> to any
#
# Warning: If you are using PF, please make sure to disable the
# IPTABLES rule above as these two packet filters should not be
# run together on the same operating system.
# Note: Even if you decide to run DenyHost with PF filtering
# only and no hosts.deny support, please still create an empty
# file called /etc/hosts.deny for backward compatibility.
# Also, please make sure PF is enabled prior to launching
# DenyHosts. To do this run "pfctl -e".
#
# To write all blocked hosts to a PF table file enable this next option.
# This will make hosts added to the PF table persistent across reboots.
# PF_TABLE_FILE = /etc/blacklist
#
###

Regards,
Ben

--
From: Benjamin Woods
woods...@gmail.com
Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
On Friday, February 14, 2020 04:16:53 PM Ed Maste wrote:
> On Fri, 14 Feb 2020 at 15:27, Joey Kelly wrote:
> > On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
> > > Upstream OpenSSH-portable removed libwrap support in version 6.7,
> > > released in October 2014. We've maintained a patch in our tree to
> > > restore it, but it causes friction on each OpenSSH update and may
> > > introduce security vulnerabilities not present upstream. It's (past)
> > > time to remove it.
> >
> > So color me ignorant, but how does this affect things like DenyHosts?
>
> It's independent of denyhosts, fail2ban, blacklistd and similar. TCP
> wrappers is configured using /etc/hosts.allow and /etc/hosts.deny.

root@marsh:~ # tail -3 /etc/hosts.allow
# for denyhosts
sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow

--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550
Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
On Fri, 14 Feb 2020 at 15:27, Joey Kelly wrote:
>
> On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
> > Upstream OpenSSH-portable removed libwrap support in version 6.7,
> > released in October 2014. We've maintained a patch in our tree to
> > restore it, but it causes friction on each OpenSSH update and may
> > introduce security vulnerabilities not present upstream. It's (past)
> > time to remove it.
>
> So color me ignorant, but how does this affect things like DenyHosts?

It's independent of denyhosts, fail2ban, blacklistd and similar. TCP wrappers is configured using /etc/hosts.allow and /etc/hosts.deny.
Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
security/py-fail2ban in ports is a good alternative. Can be combined with pf and the like to have a similar effect.

On Fri, Feb 14, 2020, 3:27 PM Joey Kelly wrote:
> On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
> > Upstream OpenSSH-portable removed libwrap support in version 6.7,
> > released in October 2014. We've maintained a patch in our tree to
> > restore it, but it causes friction on each OpenSSH update and may
> > introduce security vulnerabilities not present upstream. It's (past)
> > time to remove it.
>
> So color me ignorant, but how does this affect things like DenyHosts? Or is
> there an in-application way to block dictionary attacks? I can't go back to
> having my servers pounded on day and night (and yes, I listed on an
> alternative port).
>
> --
> Joey Kelly
> Minister of the Gospel and Linux Consultant
> http://joeykelly.net
> 504-239-6550
Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
> Upstream OpenSSH-portable removed libwrap support in version 6.7,
> released in October 2014. We've maintained a patch in our tree to
> restore it, but it causes friction on each OpenSSH update and may
> introduce security vulnerabilities not present upstream. It's (past)
> time to remove it.

So color me ignorant, but how does this affect things like DenyHosts? Or is there an in-application way to block dictionary attacks? I can't go back to having my servers pounded on day and night (and yes, I listed on an alternative port).

--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550