FW: [clug] SSH attack

Robert Edwards Robert.Edwards at anu.edu.au
Wed Jul 27 03:43:28 GMT 2005


Seems to me that neither TCP wrappers, nor a firewall, can provide what
people really want from a proper SSH access control, namely, to limit
access by arbitrary combinations of:
  - username
  - authentication method (password, keys, pass-phrase etc.)
  - SSH version (1,2 etc.)
  - source IP address (whether or not it reverse-DNS resolves properly)
  - application to be run (in some cases)
  - number of unsuccessful attempts in past X hours

OpenSSH is open-source. Anyone up to speed on where the developers of
OpenSSH are trying to take it in regard to this sort of control?
Otherwise, why don't we have a hack-fest and fix it! I'm keen to be
involved.

Cheers,

Bob Edwards.

Andrew Pollock wrote:
> On Tue, Jul 26, 2005 at 04:37:05PM +1000, Tony and Robyn Lewis wrote:
> 
>>Steve Walsh wrote:
>>
>>>but then if a machine is on
>>>the big bad net and not running TCP wrapper ...I don't want to think about
>>>that.
>>
>>I'll bite.
>>
>>I know TCP wrappers is good for limiting hosts, and limiting services.
>>Sounds like a well-tuned firewall will do this but better.
>>
>>Apart from redundancy (in case you bork your firewall), what does TCP
>>wrappers give you?
>>
> 
> 
> A few more sanity-checks that a straight packet-filtering firewall generally
> won't. For example, you can ensure that a host's DNS is consistent, forward
> and reverse, and deny access if it isn't (FWIW). You can also do ident-based
> stuff (and that's not worth anything these days).
> 
> Have a read of hosts_access(5) for further edification.
> 
> regards
> 
> Andrew
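Added example (not part of the thread, and not code from the OpenSSH project): of the criteria Bob lists, the one that neither TCP wrappers nor a packet filter can see at all is "number of unsuccessful attempts in past X hours", because that is only visible in sshd's own log. The script below parses syslog-style sshd auth lines, keeps a sliding window of failures per source address, and emits hosts.deny(5) entries in the "sshd: ADDR" form that TCP wrappers understand, so the log feeds back into the access control Andrew describes. It also pulls out the username, authentication method and protocol version from the same lines, which is enough to build the other per-criterion policies on. Assumptions: the log line shape is the one OpenSSH's auth.c produces ("Failed password for invalid user X from IP port N ssh2"; the " ssh2" suffix is absent for protocol 1), the sample log and the reference time NOW are constructed for the example, and the addresses are RFC 5737 documentation ranges. For OpenSSH itself, per-user and per-address settings later arrived in sshd_config as Match blocks (OpenSSH 4.4, 2006), which covers username and source address but still not the failure-count criterion.

```python
"""Sliding-window failed-login counter for OpenSSH auth logs.

Reads syslog-style sshd lines, counts failed authentications per source
address inside the last `hours`, and emits hosts.deny(5) entries in the
TCP wrappers form "sshd: ADDR".  Added example, not OpenSSH code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed OpenSSH auth log shape, e.g.
#   Jul 27 03:10:02 host sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40123 ssh2
# The trailing " ssh2" is only logged for protocol 2 sessions; protocol 1
# lines end at the port number (assumption based on OpenSSH's auth logging).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+(?P<v2> ssh2)?$"
)

# Constructed sample log (documentation addresses only, not real hosts).
SAMPLE_LOG = """\
Jul 27 03:10:02 host sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 40123 ssh2
Jul 27 03:10:05 host sshd[2203]: Failed password for invalid user test from 192.0.2.10 port 40124 ssh2
Jul 27 03:10:09 host sshd[2205]: Failed password for root from 192.0.2.10 port 40125 ssh2
Jul 27 03:12:41 host sshd[2210]: Accepted publickey for bob from 198.51.100.7 port 51022 ssh2
Jul 27 03:20:17 host sshd[2215]: Failed password for root from 203.0.113.5 port 3300
Jul 26 20:00:00 host sshd[1900]: Failed password for root from 203.0.113.5 port 3301
Jul 26 20:00:03 host sshd[1901]: Failed password for root from 203.0.113.5 port 3302
"""

# Reference "now" for the example: the timestamp of the post this follows.
NOW = datetime(2005, 7, 27, 3, 43, 28)


def parse_line(line, year):
    """Return a dict for one sshd auth line, or None if it is not one.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "time": ts,
        "result": m["result"],        # "Accepted" or "Failed"
        "method": m["method"],        # "password", "publickey", ...
        "user": m["user"],
        "ip": m["ip"],
        "version": 2 if m["v2"] else 1,
    }


def parse_log(text, year):
    """Parse every recognised line; silently skip unrelated syslog noise."""
    events = (parse_line(line, year) for line in text.splitlines())
    return [ev for ev in events if ev is not None]


def failures_in_window(events, now, hours):
    """Count failed authentications per source address within the last `hours`."""
    cutoff = now - timedelta(hours=hours)
    counts = defaultdict(int)
    for ev in events:
        if ev["result"] == "Failed" and cutoff <= ev["time"] <= now:
            counts[ev["ip"]] += 1
    return dict(counts)


def hosts_deny_lines(counts, threshold):
    """hosts.deny(5) entries for every address at or above the threshold."""
    return [f"sshd: {ip}" for ip, n in sorted(counts.items()) if n >= threshold]


def build_deny_list(text, year, now, hours, threshold):
    """Whole pipeline: log text in, hosts.deny lines out."""
    events = parse_log(text, year)
    return hosts_deny_lines(failures_in_window(events, now, hours), threshold)


if __name__ == "__main__":
    for line in build_deny_list(SAMPLE_LOG, 2005, NOW, hours=6, threshold=3):
        print(line)
```

With a six-hour window and a threshold of three, only 192.0.2.10 is denied: the two 203.0.113.5 failures from the previous evening fall outside the window, so that host sits at one recent failure. Note that writing these lines into /etc/hosts.deny only has effect if sshd was built with libwrap, and that the window is only as trustworthy as the log's timestamps, so a cron job that regenerates the list should also prune entries it added once their failures age out.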
