Re: IP Firewalling by DNS name

From: Lowell Gilbert (freebsd-stable-local_at_be-well.no-ip.com)
Date: 05/31/05

    To: Ivan Voras <ivoras@fer.hr>
    To: freebsd-stable@FreeBSD.ORG
    Date: 31 May 2005 11:54:25 -0400
    
    

    Oliver Fromme <olli@lurza.secnetix.de> writes:

    > Ivan Voras <ivoras@fer.hr> wrote:

    > > As I understand it, sshd actually accepts connections
    > > prior to checking hosts.allow?
    >
    > Yes, the connection is accepted first, because there is
    > no information available about it before it is accepted.
    > But if the check fails, the connection will be closed
    > immediately.

    Well, that's not necessarily the best way to explain it. When you're
    working with TCP wrappers, you're running out of inetd(8), so there
    isn't really any sshd at all until the wrappers have decided to allow
    the connection.

    > > In hosts.allow, there's an example for sshd but it contains:
    > >
    > > # Wrapping sshd(8) is not normally a good idea, but if you
    > > # need to do it, here's how
    > > #sshd : .evil.cracker.example.com : deny
    > >
    > > Why is it not a good idea? :)
    >
    > There are several reasons. First, it relies on DNS, which
    > is not necessarily a good idea. If someone can spoof your
    > DNS (which is not as difficult as many people think it is),
    > you're toast.
    >
    > Second, SSH provides authentication mechanisms which are
    > much more secure, such as public key authentication.
    > Also, SSH uses host keys for identification, so you don't
    > have to rely on DNS.

    The reason that it's generally considered a bad idea, though, is just
    that it's *slow*. If you're running inetd anyway, and don't get many
    ssh connections, you won't notice this issue, but if you get a lot of
    connections, you really want to run ssh as a daemon rather than
    starting it from scratch every time a new connection comes in.

    > However, in your case I think it's OK to use TCP wrapper,
    > because you want to use that in _addition_ to the usual SSH
    > authentication (for pre-filtering, so to speak), but not to
    > replace it. Just keep in mind that DNS results might not
    > be reliable.

    Absolutely. In fact, most people trying to wrap sshd are kidding
    themselves about getting any security benefit at all.
    _______________________________________________
    freebsd-stable@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-stable
    To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
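An added illustration of the point made in this thread, not code from the list or from FreeBSD: a toy hosts.allow-style matcher in which name-based patterns are only matched against a reverse-DNS name that the forward lookup confirms, while address patterns need no DNS at all. The PTR/A tables are constructed stand-ins for real lookups so it runs offline.

```python
import ipaddress

# Constructed DNS data standing in for real PTR (reverse) and A (forward) records.
PTR = {
    "198.51.100.7": "host7.evil.cracker.example.com",
    "203.0.113.9": "trusted.example.net",  # forward-confirmed below
    "192.0.2.5": "trusted.example.net",    # PTR claims a trusted name; the A record disagrees
}
A = {
    "host7.evil.cracker.example.com": {"198.51.100.7"},
    "trusted.example.net": {"203.0.113.9"},
}

def client_name(ip):
    """Reverse-resolve ip, then require the forward lookup of that name to map
    back to ip (forward-confirmed reverse DNS). An unconfirmed name yields None."""
    name = PTR.get(ip)
    if name is None or ip not in A.get(name, set()):
        return None
    return name

def matches(rule, daemon, ip):
    """rule is (daemon, pattern, action); pattern is a '.domain' suffix,
    an 'a.b.c.d/nn' network, a literal address, or 'ALL'."""
    rule_daemon, pat, _ = rule
    if rule_daemon not in (daemon, "ALL"):
        return False
    if pat == "ALL":
        return True
    if "/" in pat:  # address-based rule: decided without any DNS lookup
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pat)
    if pat.startswith("."):  # name-based rule: only a confirmed name can match it
        name = client_name(ip)
        return name is not None and name.endswith(pat)
    return pat == ip

def decide(rules, daemon, ip):
    """First matching rule wins; no match means the connection is allowed."""
    for rule in rules:
        if matches(rule, daemon, ip):
            return rule[2]
    return "allow"

RULES = [
    ("sshd", ".evil.cracker.example.com", "deny"),  # the rule quoted from hosts.allow above
    ("sshd", ".example.net", "allow"),
    ("sshd", "203.0.113.0/24", "allow"),
    ("ALL", "ALL", "deny"),
]
```

The host whose PTR record points at a trusted name but whose A record does not map back never matches a name pattern and falls through to the final deny, which is the check that makes name-based rules tolerable at all.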


