From owner-freebsd-stable@FreeBSD.ORG Tue May 31 15:29:58 2005
Return-Path: <olli@lurza.secnetix.de>
X-Original-To: freebsd-stable@FreeBSD.ORG
Delivered-To: freebsd-stable@FreeBSD.ORG
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8CBF116A41C; Tue, 31 May 2005 15:29:58 +0000 (GMT) (envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (lurza.secnetix.de [83.120.8.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id A4F3843D1D; Tue, 31 May 2005 15:29:57 +0000 (GMT) (envelope-from olli@lurza.secnetix.de)
Received: from lurza.secnetix.de (kbczgz@localhost [127.0.0.1]) by lurza.secnetix.de (8.13.1/8.13.1) with ESMTP id j4VFTuTB024199; Tue, 31 May 2005 17:29:56 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de)
Received: (from olli@localhost) by lurza.secnetix.de (8.13.1/8.13.1/Submit) id j4VFTu9Q024198; Tue, 31 May 2005 17:29:56 +0200 (CEST) (envelope-from olli)
Date: Tue, 31 May 2005 17:29:56 +0200 (CEST)
Message-Id: <200505311529.j4VFTu9Q024198@lurza.secnetix.de>
From: Oliver Fromme
To: freebsd-stable@FreeBSD.ORG
In-Reply-To: <429C7AEC.6060807@fer.hr>
X-Newsgroups: list.freebsd-stable
User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.11-RELEASE (i386))
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Subject: Re: IP Firewalling by DNS name
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: freebsd-stable@FreeBSD.ORG
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Tue, 31 May 2005 15:29:58 -0000

Ivan Voras wrote:
> Igor Robul wrote:
> > Ivan Voras wrote:
> > > What I need it for: I'd like to allow ssh logins only from a specific
> > > TLD (by reverse lookup...) - maybe there's another way?
> >
> > /etc/hosts.allow
> > man 5 hosts_access
>
> How safe is it?
It works in userland, so it only kicks in after the TCP connection has
already been established. IPFW works in the kernel on a packet level,
so it kicks in much earlier. Whether it's safe enough for you is up
to you to decide.

> As I understand it, sshd actually accepts connections
> prior to checking hosts.allow?

Yes, the connection is accepted first, because there is no information
available about it before it is accepted. But if the check fails, the
connection will be closed immediately.

> In hosts.allow, there's an example for sshd but it contains:
>
> # Wrapping sshd(8) is not normally a good idea, but if you
> # need to do it, here's how
> #sshd : .evil.cracker.example.com : deny
>
> Why is it not a good idea? :)

There are several reasons. First, it relies on DNS, which is not
necessarily a good idea. If someone can spoof your DNS (which is not
as difficult as many people think it is), you're toast.

Second, SSH provides authentication mechanisms which are much more
secure, such as public key authentication. Also, SSH uses host keys
for identification, so you don't have to rely on DNS.

However, in your case I think it's OK to use TCP wrapper, because you
want to use that in _addition_ to the usual SSH authentication (for
pre-filtering, so to speak), but not to replace it. Just keep in mind
that DNS results might not be reliable.

Best regards
   Oliver

-- 
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"I made up the term 'object-oriented', and I can tell you
I didn't have C++ in mind."
        -- Alan Kay, OOPSLA '97
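The thread's point is that a reverse-lookup rule in hosts.allow is only as trustworthy as the DNS answers behind it. What hosts_access(5) actually does to limit that exposure is forward-confirm the PTR name (a mismatch makes the client match the PARANOID wildcard instead of any name pattern), so a spoofed reverse record alone cannot satisfy a domain-suffix rule. The following is an added example, not code from the post or from FreeBSD's libwrap: a small model of hosts.allow rule matching with forward-confirmed reverse DNS. The `.example` TLD, the rule set, the address data and the injected resolver functions are all constructed so it runs offline; a real deployment would be calling the system resolver, which is exactly the dependency Oliver warns about.

```python
"""Model of hosts_access(5)-style matching with forward-confirmed reverse DNS.

Added example (not from the mailing-list post and not FreeBSD's libwrap code).
Resolver functions are injected so the example runs offline on constructed
data; PARANOID semantics are simplified (name-based patterns simply never
match an unconfirmed name).
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed hosts.allow-style rules. '.example' stands in for the TLD the
# original poster wants to allow. First match wins, top to bottom.
SAMPLE_RULES = """\
# Reject clients whose reverse name is not confirmed by a forward lookup.
sshd : PARANOID : deny
# Allow only clients with a verified name under the .example TLD.
sshd : .example : allow
sshd : ALL : deny
"""

# Constructed DNS answers (documentation address ranges only).
PTR: Dict[str, str] = {
    "192.0.2.10": "login.corp.example",   # PTR and A agree
    "198.51.100.7": "trusted.example",    # PTR claims .example, A disagrees
    "203.0.113.9": "host.other.test",     # confirmed name, wrong TLD
}
A: Dict[str, List[str]] = {
    "login.corp.example": ["192.0.2.10"],
    "trusted.example": ["198.51.100.20"],
    "host.other.test": ["203.0.113.9"],
}

Reverse = Callable[[str], Optional[str]]
Forward = Callable[[str], List[str]]


def parse_rules(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'daemon : client-pattern : allow|deny' lines; ignore comments."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemon, pattern, action = (f.strip() for f in line.split(":", 2))
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action in rule: {line!r}")
        rules.append((daemon, pattern, action))
    return rules


def resolve_client(ip: str, reverse: Reverse, forward: Forward) -> Tuple[Optional[str], bool]:
    """Return (name, paranoid). paranoid is True when the forward lookup of the
    PTR name does not contain ip: the PTR zone belongs to whoever holds the
    address block, so an unconfirmed name must never satisfy a name rule."""
    name = reverse(ip)
    if name is None:
        return None, False
    if ip not in forward(name):
        return name, True
    return name, False


def pattern_matches(pattern: str, ip: str, name: Optional[str], paranoid: bool) -> bool:
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return paranoid
    if pattern == "UNKNOWN":
        return name is None
    if pattern.endswith("."):            # network prefix, e.g. "192.0.2."
        return ip.startswith(pattern)
    if paranoid or name is None:         # name patterns need a confirmed name
        return pattern == ip
    if pattern.startswith("."):          # domain suffix, e.g. ".example"
        return name.endswith(pattern)
    return pattern in (name, ip)


def hosts_access(rules, daemon: str, ip: str, reverse: Reverse, forward: Forward) -> str:
    name, paranoid = resolve_client(ip, reverse, forward)
    for rule_daemon, pattern, action in rules:
        if rule_daemon not in (daemon, "ALL"):
            continue
        if pattern_matches(pattern, ip, name, paranoid):
            return action
    return "allow"   # hosts_access(5): access is granted when nothing matches


def decide(daemon: str, ip: str) -> str:
    """Evaluate SAMPLE_RULES for one client against the constructed DNS data."""
    return hosts_access(parse_rules(SAMPLE_RULES), daemon, ip,
                        PTR.get, lambda n: A.get(n, []))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.9", "192.0.2.99"):
        print(ip, decide("sshd", ip))
```

Two things worth noticing when running it: the client at 198.51.100.7 presents a `.example` reverse name but is denied because the forward lookup does not confirm it, which is the check that blunts a simple PTR spoof (a forged A record as well would still get through, hence the advice to keep SSH's own authentication as the real control); and a daemon with no rule at all, such as `ftpd` here, is allowed, because hosts_access grants access when nothing matches, so a final `ALL : ALL : deny` line is the usual safety net.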