From: Joey Kelly
To: freebsd-security@freebsd.org, freebsd-current@freebsd.org
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Date: Fri, 14 Feb 2020 14:27:08 -0600

On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
> Upstream OpenSSH-portable removed libwrap support in version 6.7,
> released in October 2014. We've maintained a patch in our tree to
> restore it, but it causes friction on each OpenSSH update and may
> introduce security vulnerabilities not present upstream. It's (past)
> time to remove it.

So color me ignorant, but how does this affect things like DenyHosts? Or is
there an in-application way to block dictionary attacks? I can't go back to
having my servers pounded on day and night (and yes, I listen on an alternative
port).

--
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550