Re: [LUAU] Excellent SSH advice

2005-01-17 Thread Dwight Victor
That's the beauty of Linux...more than one way to do any job. On Sat, 15 Jan 2005 13:21:13 -1000, Vince Hoang [EMAIL PROTECTED] wrote: On Fri, Jan 14, 2005 at 11:32:45AM -1000, Dwight Victor wrote: I guess using tcpd/libwrap in conjunction with iptables will provide another layer of

Re: [LUAU] Excellent SSH advice

2005-01-17 Thread Matt Darnell
That's the beauty of Linux...more than one way to do any job. I thought the beauty of Linux was the Penguin. -Matt

Re: [LUAU] Excellent SSH advice

2005-01-15 Thread Vince Hoang
On Fri, Jan 14, 2005 at 11:32:45AM -1000, Dwight Victor wrote: I guess using tcpd/libwrap in conjunction with iptables will provide another layer of security. Could use iptables to allow specific IP addresses and tcpd/libwrap to allow specific users. Libwrap provides user access restrictions

Re: [LUAU] Excellent SSH advice

2005-01-13 Thread Vince Hoang
On Wed, Jan 12, 2005 at 10:42:10PM -1000, Dwight Victor wrote: Hmmm. If the wrapper is first to receive data, and finds that the attempt should be denied, wouldn't it drop the connection? Why would it pass the buffered information to the SSH daemon? How can you implement a buffer overflow on

Re: [LUAU] Excellent SSH advice

2005-01-13 Thread Ho'ala Greevy
I agree with Vince on this. About 3 yrs ago I did some consulting for a client who had initially believed tcp_wrapper was enough to thwart attacks via ssh. By the time I was allowed shell access to the machine, it had long been compromised. Mind you, it also had an outdated version of openssh.

Re: [LUAU] Excellent SSH advice

2005-01-12 Thread Dwight Victor
If you know the IP addresses of the machines that you'll be SSHing from...it's best to compile your version of SSH to support tcp_wrappers and configure your /etc/hosts.allow and /etc/hosts.deny files to only allow SSH access from your known IP addresses. This also helps cut down on those
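The two layers discussed in this thread (iptables filtering by source address, and hosts.allow/hosts.deny restricting sshd to known clients, as in the post above) built from one address list, as an added example that is not part of the list discussion. The script writes the wrapper files to a directory you name rather than /etc, prints the iptables rules instead of applying them, and emulates the tcp_wrappers decision order (hosts.allow first, then hosts.deny, otherwise permit) so a policy can be checked offline; libwrap is not invoked, and the emulator only understands ALL, exact IPv4 addresses and trailing-dot prefixes. The addresses are made-up samples.

```shell
#!/bin/sh
# Added example (not the list's code): build an iptables source filter and a
# tcp_wrappers hosts.allow/hosts.deny pair from one list of known client
# addresses, then emulate the tcp_wrappers decision order offline.
# libwrap itself is not called; the emulator understands only ALL, exact IPv4
# addresses and trailing-dot prefixes such as "10.0.0." (no EXCEPT, no
# hostnames, no net/mask forms). All addresses below are constructed samples.

# write_wrapper_policy DIR ADDR... : DIR/hosts.allow lists the known clients
# for sshd, DIR/hosts.deny closes sshd to everyone else.
write_wrapper_policy() {
    dir=$1; shift
    {
        printf '# sshd reachable only from these client addresses\n'
        printf 'sshd: %s\n' "$(printf '%s' "$*" | sed 's/ /, /g')"
    } > "$dir/hosts.allow"
    # Without a deny rule tcp_wrappers permits anything hosts.allow did not
    # match; this line is what actually restricts sshd.
    printf 'sshd: ALL\n' > "$dir/hosts.deny"
}

# emit_iptables_rules ADDR... : print (do not apply) the matching packet-filter
# layer; a trailing-dot prefix becomes the equivalent CIDR block.
emit_iptables_rules() {
    for a in "$@"; do
        case $a in
            *.) dots=$(printf '%s' "$a" | tr -cd '.' | wc -c | tr -d ' ')
                case $dots in
                    1) a="${a}0.0.0/8" ;;
                    2) a="${a}0.0/16" ;;
                    3) a="${a}0/24" ;;
                esac ;;
        esac
        printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$a"
    done
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# pattern_matches PATTERN ADDR : success if ADDR matches one client pattern
pattern_matches() {
    case $1 in
        ALL) return 0 ;;
        *.)  case $2 in "$1"*) return 0 ;; esac ;;   # "10.0.0." prefix form
        *)   [ "$1" = "$2" ] && return 0 ;;           # exact address
    esac
    return 1
}

# file_matches FILE DAEMON ADDR : success if any "daemons: clients" line in
# FILE names DAEMON (or ALL) and one of its client patterns matches ADDR.
file_matches() {
    file=$1; daemon=$2; addr=$3
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        dlist=${line%%:*}
        clist=${line#*:}
        dhit=1
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$daemon" ]; then dhit=0; fi
        done
        [ "$dhit" -eq 0 ] || continue
        for c in $(printf '%s' "$clist" | tr ',' ' '); do
            if pattern_matches "$c" "$addr"; then return 0; fi
        done
    done < "$file"
    return 1
}

# wrap_decide DIR DAEMON ADDR : prints allow/deny and returns 0 for allow.
# Order is the documented tcp_wrappers one: hosts.allow, then hosts.deny,
# and permit when neither file matches.
wrap_decide() {
    if file_matches "$1/hosts.allow" "$2" "$3"; then echo allow; return 0; fi
    if file_matches "$1/hosts.deny" "$2" "$3"; then echo deny; return 1; fi
    echo allow; return 0
}

demo_dir=$(mktemp -d)
known_clients="203.0.113.10 10.0.0."   # constructed sample list, split on spaces
write_wrapper_policy "$demo_dir" $known_clients
emit_iptables_rules $known_clients
for client in 203.0.113.10 10.0.0.7 198.51.100.5; do
    printf 'sshd from %s: %s\n' "$client" "$(wrap_decide "$demo_dir" sshd "$client")"
done
rm -rf "$demo_dir"
```

The deny-all line is the part people forget: with only a hosts.allow entry, tcp_wrappers still permits every client that failed to match it, and the emulator shows that a daemon not named in hosts.deny (smtpd in the test) stays open even when sshd is closed.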

Re: [LUAU] Excellent SSH advice

2005-01-12 Thread Vince Hoang
On Wed, Jan 12, 2005 at 09:31:56AM -1000, Dwight Victor wrote: If you know the IP addresses of the machines that you'll be SSHing from...it's best to compile your version of SSH to support tcp_wrappers and configure your /etc/hosts.allow and /etc/hosts.deny files to only allow SSH access from

Re: [LUAU] Excellent SSH advice

2005-01-12 Thread Dwight Victor
Are you sure about that Vince? The way I understand how tcp_wrappers works is that the wrapper is actually listening on the service port and when the attempt is successfully authenticated against the /etc/hosts.allow and /etc/hosts.deny files, the wrapper passes control to the actual service. A

Re: [LUAU] Excellent SSH advice

2005-01-12 Thread Tom_Gordon/RISE/HIDOE
Are you sure about that Vince? The way I understand how tcp_wrappers works is that the wrapper is actually listening on the service port and when the attempt is successfully authenticated against the /etc/hosts.allow and /etc/hosts.deny files

Re: [LUAU] Excellent SSH advice

2005-01-12 Thread Vince Hoang
On Wed, Jan 12, 2005 at 02:27:43PM -1000, Dwight Victor wrote: Are you sure about that Vince? Almost certain, yes. The way I understand how tcp_wrappers works is that the wrapper is actually listening on the service port and when the attempt is successfully authenticated against the

Re: [LUAU] Excellent SSH advice

2005-01-12 Thread Vince Hoang
On Wed, Jan 12, 2005 at 02:45:25PM -1000, Tom_Gordon/RISE/[EMAIL PROTECTED] wrote: Isn't libwrap the old way of doing things? Would using iptables not be faster? Faster in performance, yes. Faster and simpler in configuration, generally no. -Vince

Re: [LUAU] Excellent SSH advice

2005-01-12 Thread Tom_Gordon/RISE/HIDOE
That is a matter of opinion, not fact, Obiwan. Tom. Vince Hoang [EMAIL PROTECTED] wrote on 12/01/2005 04:40 PM: On Wed, Jan 12, 2005 at 02:45:25PM

Re: [LUAU] Excellent SSH advice

2005-01-12 Thread Dwight Victor
Yes, an interesting discussion. Almost seems like we need to do an empirical study. Vince said: To get tcp-wrapper support for an application, you either add the checks directly to the application or run a process that has been compiled with libwrap to perform the host checks before handing

[LUAU] Excellent SSH advice

2004-12-17 Thread R. Scott Belford
In monitoring the K12OSN list, the following piece of SSH advice was eloquently shared by a gentleman by the name of Rob Owens. It is so good that it *must* be shared. Quoted from Rob Owens The topic of ssh security was touched upon in the uh oh thread. I have a couple comments about it.