Re: IP Firewalling by DNS name

From: Oliver Fromme (olli_at_lurza.secnetix.de)
Date: 05/31/05

    Date: Tue, 31 May 2005 17:29:56 +0200 (CEST)
    To: freebsd-stable@FreeBSD.ORG
    Ivan Voras <ivoras@fer.hr> wrote:
    > Igor Robul wrote:
    > > Ivan Voras wrote:
    > > > What I need it for: I'd like to allow ssh logins only from a specific
    > > > TLD (by reverse lookup...) - maybe there's another way?
    > >
    > > /etc/hosts.allow
    > > man 5 hosts_access
    >
    > How safe is it?

    It works in userland, so it only kicks in after the TCP
    connection has already been established. IPFW works in
    the kernel on a packet level, so it kicks in much earlier.

    Whether it's safe enough for you is up to you to decide.

    > As I understand it, sshd actually accepts connections
    > prior to checking hosts.allow?

    Yes, the connection is accepted first, because there is
    no information available about it before it is accepted.
    But if the check fails, the connection will be closed
    immediately.

    > In hosts.allow, there's an example for sshd but it contains:
    >
    > # Wrapping sshd(8) is not normally a good idea, but if you
    > # need to do it, here's how
    > #sshd : .evil.cracker.example.com : deny
    >
    > Why it's not a good idea? :)

    There are several reasons. First, it relies on DNS, which
    is not necessarily a good idea. If someone can spoof your
    DNS (which is not as difficult as many people think it is),
    you're toast.

    Second, SSH provides authentication mechanisms which are
    much more secure, such as public key authentication.
    Also, SSH uses host keys for identification, so you don't
    have to rely on DNS.

    However, in your case I think it's OK to use TCP wrapper,
    because you want to use that in _addition_ to the usual SSH
    authentication (for pre-filtering, so to speak), but not to
    replace it. Just keep in mind that DNS results might not
    be reliable.

    Best regards
       Oliver

    -- 
    Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
    Any opinions expressed in this message may be personal to the author
    and may not necessarily reflect the opinions of secnetix in any way.
    "I made up the term 'object-oriented', and I can tell you
    I didn't have C++ in mind."
            -- Alan Kay, OOPSLA '97
    _______________________________________________
    freebsd-stable@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-stable
    To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
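The point Oliver makes about DNS being spoofable is exactly what libwrap's double lookup (the PARANOID check in hosts_access(5)) is meant to catch: the client address is reverse-mapped to a name, then the name is forward-mapped again and must yield the original address, otherwise the name is discarded. The following block is an added example written for this page, not libwrap's source; it models that check and the first-match rule evaluation of a small hosts.allow fragment against constructed PTR and A records (the addresses are RFC 5737 documentation ranges, and 198.51.100.7 is the deliberately forged-PTR case), so it runs offline.

```python
"""Offline model of the TCP-wrappers (hosts_access(5)) client check.

Added example for this thread, not libwrap's code.  The DNS tables are
constructed so the block runs without network access; real libwrap uses
gethostbyaddr()/gethostbyname().  The rule syntax modelled is FreeBSD's
extended form "daemon_list : client_list : allow|deny".
"""
import ipaddress

# Constructed PTR records (reverse lookup), standing in for gethostbyaddr().
# 198.51.100.7 claims to be shell.example.org but does not forward-confirm.
FAKE_PTR = {
    "192.0.2.10": "shell.example.org",
    "198.51.100.7": "shell.example.org",
}
# Constructed A records (forward lookup), standing in for gethostbyname().
FAKE_A = {
    "shell.example.org": {"192.0.2.10"},
}

# Constructed hosts.allow fragment; first matching rule wins.
HOSTS_ALLOW = """\
sshd : .example.org : allow
sshd : 192.0.2.0/24 : allow
sshd : PARANOID : deny
ALL  : ALL : deny
"""


def client_name(ip):
    """Host name as libwrap would see it after the double lookup.

    Reverse-map the address, then forward-map the name and require the
    original address among the results.  Failures yield the special
    tokens hosts_access(5) uses: "unknown" (no PTR) and "paranoid"
    (PTR present but it does not resolve back to the address).
    """
    name = FAKE_PTR.get(ip)
    if name is None:
        return "unknown"
    if ip not in FAKE_A.get(name, set()):
        return "paranoid"  # treat a non-confirming PTR as forged
    return name


def parse_rules(text):
    """Parse 'daemons : clients : allow|deny' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) != 3 or fields[2] not in ("allow", "deny"):
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append((fields[0].split(), fields[1].split(), fields[2] == "allow"))
    return rules


def match_client(pattern, ip, name):
    """Match one client pattern using the hosts_access(5) wildcards."""
    known = name not in ("unknown", "paranoid")
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return name == "paranoid"
    if pattern == "UNKNOWN":
        return not known
    if pattern == "KNOWN":
        return known
    if "/" in pattern:  # net/mask or CIDR, matched on the address only
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("."):  # name suffix: never matches an unconfirmed name
        return known and name.endswith(pattern)
    if pattern.endswith("."):  # address prefix, e.g. "192.0.2."
        return ip.startswith(pattern)
    return pattern == ip or (known and pattern == name)


def hosts_access(rules, daemon, ip):
    """Return (allowed, resolved_name); no matching rule means allow."""
    name = client_name(ip)
    for daemons, clients, allowed in rules:
        if ("ALL" in daemons or daemon in daemons) and any(
            match_client(p, ip, name) for p in clients
        ):
            return allowed, name
    return True, name


if __name__ == "__main__":
    rules = parse_rules(HOSTS_ALLOW)
    for addr in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "192.0.2.99"):
        print(addr, hosts_access(rules, "sshd", addr))
```

The forged case shows why the name-suffix rule alone is weak: an attacker who controls the reverse zone for 198.51.100.7 can publish any PTR, but without also controlling the forward zone for example.org the name never forward-confirms, so the `.example.org` rule does not fire and the PARANOID rule denies. Address-based rules such as `192.0.2.0/24` need no DNS at all, which is the safer pre-filter when the source networks are known. Note also that, as the thread says, all of this happens after accept(): the TCP handshake has completed and sshd is already running before the first rule is consulted.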
    
