Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 14 Feb 2020 18:58:59 -0500
From:      Michael Butler <imb@protected-networks.net>
To:        Ben Woods <woodsb02@gmail.com>
Cc:        freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject:   Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Message-ID:  <618e2a2b-4d27-8860-7061-77bdf9e3967a@protected-networks.net>
In-Reply-To: <CAOc73CCtw2TKhfCQUcaPAri8CTgL2Vnb3UKV0y1dnrYo_iaxTA@mail.gmail.com>
References:  <CAPyFy2Die2tynFM3m3-5zBtWAOpHf-QHY-bE2JY7KKGiP8Tz_Q@mail.gmail.com> <4627295.A1yGqSNMk2@deborah> <CAOc73CCtw2TKhfCQUcaPAri8CTgL2Vnb3UKV0y1dnrYo_iaxTA@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 2/14/20 6:37 PM, Ben Woods wrote:
> On Sat, 15 Feb 2020 at 4:27 am, Joey Kelly <joey@joeykelly.net> wrote:
>
>> On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
>>> Upstream OpenSSH-portable removed libwrap support in version 6.7,
>>> released in October 2014. We've maintained a patch in our tree to
>>> restore it, but it causes friction on each OpenSSH update and may
>>> introduce security vulnerabilities not present upstream. It's (past)
>>> time to remove it.
>>
>> So color me ignorant, but how does this affect things like DenyHosts? Or
>> is
>> there an in-application way to block dictionary attacks? I can't go back
>> to
>> having my servers pounded on day and night (and yes, I listed on an
>> alternative port).
>
>
> DenyHosts can be configured to use PF firewall tables directly, rather than
> using TCP wrappers:
> https://github.com/denyhosts/denyhosts/blob/master/denyhosts.conf#L261
>
Requiring the addition of a firewall where there was none before is a
significant and potentially error-prone change. I am not about to add
this degree of complexity to every machine which only has a single port
exposed via NAT.


To maintain equivalent functionality, the port version
(security/openssh-portable) has the requisite patch as an option or,
perhaps better, the base SSHD can be run from INETD and, consequently,
TCP-wrapped as it was before,


    imb

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?618e2a2b-4d27-8860-7061-77bdf9e3967a>