FW: [clug] SSH attack]

Robert Edwards Robert.Edwards at anu.edu.au
Wed Jul 27 03:43:28 GMT 2005

Seems to me that neither TCP wrappers, nor a firewall, can provide what
people really want from a proper SSH access control, namely, to limit
access by arbitrary combinations of:
  - username
  - authentication method (password, keys, pass-phrase etc.)
  - SSH version (1,2 etc.)
  - source IP address (whether or not it reverse-DNS resolves properly)
  - application to be run (in some cases)
  - number of unsuccessful attempts in past X hours

OpenSSH is open-source. Anyone up to speed on where the developers of
OpenSSH are trying to take it in regard to this sort of control?
Otherwise, why don't we have a hack-fest and fix it! I'm keen to be


Bob Edwards.

Andrew Pollock wrote:
> On Tue, Jul 26, 2005 at 04:37:05PM +1000, Tony and Robyn Lewis wrote:
>>Steve Walsh wrote:
>>>but then if a machine is on
>>>the big bad net and not running TCP wrapper ...I don't want to thing about
>>I'll bite.
>>I know TCP wrappers is good for limiting hosts, and limiting services.  
>>Sounds like a well-tuned firewall will do this but better.
>>Apart from redundancy (in case you bork your firewall), what does TCP 
>>wrappers give you?
> A few more sanity-checks that a straight packet-filtering firewall generally
> won't. For example, you can ensure that a host's DNS is consistent, forward
> and reverse, and deny access if it isn't (FWIW). You can also do ident-based
> stuff (and that's not worth anything these days).
> Have a read of hosts_access(5) for further edification.
> regards
> Andrew

More information about the linux mailing list