Re: sshd on netbsd---fix so only one external machine can get in?
From: Igor Sobrado (igor_at_no-spam.on.the.net)
Date: 12/10/04
- Previous message: athoren_at_sandiegobloodbank.org: "Re: sshd on netbsd---fix so only one external machine can get in?"
- In reply to: athoren_at_sandiegobloodbank.org: "Re: sshd on netbsd---fix so only one external machine can get in?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: 10 Dec 2004 20:52:25 +0100
athoren@sandiegobloodbank.org wrote:
> You may also wish to look up the HOST_ACCESS man info and read about
> the hosts.allow and hosts.deny files. These files can be configured to
> allow only the traffic you specify to access only the processes you
> want that traffic to be able to access.
But it works only on binaries compiled with TCP Wrappers support.
If sshd(8) does not support TCP Wrappers ---OTOH, I doubt that this
feature is missing in the listener--- IP Filter is another good
alternative. I recall reading something on the changes list between
NetBSD 2.0 and 3.0 about IP filter being replaced with pf(4). Packet
filter is mostly compatible with ipf; migration of rules should not be
too difficult.
I have run TCP Wrappers on Slackware Linux since the mid-90s. It is a powerful
tool, but sometimes I am a bit worried about how this wrapper works.
It seems that the connection to the daemon is established just before
being dropped for unauthorized machines. I do not know whether this fact
is a risk that must be considered, or whether it happens in the *BSDs.
Wietse Venema did nice work with TCP Wrappers but, perhaps,
a packet filtering tool must be seriously considered today.
Cheers,
Igor.
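The packet-filter alternative raised in this reply, as an added example that is not part of the original thread: a pf.conf fragment that lets exactly one external host reach sshd. The interface name fxp0 and the client address 192.0.2.10 are constructed placeholders; the hosts.allow/hosts.deny lines shown in the comments are the TCP Wrappers counterpart for comparison. Unlike the wrapper, which only refuses the client after the TCP handshake has completed and sshd has accepted the connection, the filter drops the initial SYN, so the daemon never sees unauthorized peers.

```pf
# /etc/pf.conf fragment (added example, not from the original post).
# Assumptions: external interface is fxp0; the single permitted
# administrative client is 192.0.2.10 (documentation address).
ext_if     = "fxp0"
admin_host = "192.0.2.10"

# Loopback traffic is never filtered.
pass quick on lo0 all

# Default deny on the external interface. "log" sends every blocked
# packet to pflog0, which is where refused ssh attempts become visible.
block in log on $ext_if all

# Only admin_host may open TCP/22 to this machine's own addresses.
# "flags S/SA" matches the initial SYN only; "keep state" then passes
# the rest of the session without further rule evaluation.
pass in on $ext_if proto tcp from $admin_host to ($ext_if) port 22 \
    flags S/SA keep state

# Outbound traffic from the host itself is allowed and tracked.
pass out on $ext_if keep state

# TCP Wrappers equivalent of the two sshd rules above, for comparison
# (only effective if sshd was built with libwrap support):
#   /etc/hosts.allow:  sshd: 192.0.2.10
#   /etc/hosts.deny:   sshd: ALL
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `tcpdump -n -e -ttt -i pflog0` shows the connection attempts the block rule dropped.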