From: Lowell Gilbert
To: Ivan Voras, freebsd-stable@FreeBSD.ORG
Subject: Re: IP Firewalling by DNS name
Date: 31 May 2005 11:54:25 -0400
Message-ID: <44k6lfjsr2.fsf@be-well.ilk.org>
In-Reply-To: <200505311529.j4VFTu9Q024198@lurza.secnetix.de>

Oliver Fromme writes:

> Ivan Voras wrote:
> > As I understand it, sshd actually accepts connections
> > prior to checking hosts.allow?
>
> Yes, the connection is accepted first, because there is
> no information available about it before it is accepted.
> But if the check fails, the connection will be closed
> immediately.

Well, that's not necessarily the best way to explain it. When you're
working with TCP wrappers, you're running out of inetd(8), so there
isn't really any sshd at all until the wrappers have decided to allow
the connection.

> > In hosts.allow, there's an example for sshd but it contains:
> >
> > # Wrapping sshd(8) is not normally a good idea, but if you
> > # need to do it, here's how
> > #sshd : .evil.cracker.example.com : deny
> >
> > Why isn't it a good idea? :)
>
> There are several reasons. First, it relies on DNS, which
> is not necessarily a good idea. If someone can spoof your
> DNS (which is not as difficult as many people think it is),
> you're toast.
>
> Second, SSH provides authentication mechanisms which are
> much more secure, such as public key authentication.
> Also, SSH uses host keys for identification, so you don't
> have to rely on DNS.

The reason that it's generally considered a bad idea, though, is just
that it's *slow*. If you're running inetd anyway, and don't get many
ssh connections, you won't notice this issue, but if you get a lot of
connections, you really want to run ssh as a daemon rather than
starting it from scratch every time a new connection comes in.

> However, in your case I think it's OK to use TCP wrapper,
> because you want to use that in _addition_ to the usual SSH
> authentication (for pre-filtering, so to speak), but not to
> replace it. Just keep in mind that DNS results might not
> be reliable.

Absolutely. In fact, most people trying to wrap sshd are kidding
themselves about getting any security benefit at all.
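The point Oliver and Lowell are making, that a hosts.allow rule written against a DNS name is only as good as the reverse lookup behind it, can be seen by modelling the matching. The block below is an added example written for this page; it is not libwrap and not code from anyone in the thread. It implements a simplified hosts_access(5) matcher (ALL, domain-suffix, dotted-decimal prefix, net/mask and exact-host patterns, first match wins, allow by default) and leaves out the forward/reverse cross-check, KNOWN/UNKNOWN/PARANOID, shell commands and the separate hosts.deny file. The sample hosts.allow, the 192.0.2.0/24 admin network, the 203.0.113.5 peer and the reverse names are all constructed; only the `.evil.cracker.example.com` pattern comes from the thread.

```python
"""Toy model of hosts_access(5) rule matching, written to show that a
name-based rule's outcome is decided by whatever DNS answers, while an
address-based rule needs no DNS at all. Simplified; not libwrap."""
from ipaddress import ip_address, ip_network

# Constructed sample in FreeBSD's single-file hosts.allow style, where the
# third field carries the allow/deny option.
HOSTS_ALLOW = """\
# Admin network first, by address: no DNS involved.
sshd : 192.0.2.0/255.255.255.0 : allow
# Name-based deny, as in the stock hosts.allow example.
sshd : .evil.cracker.example.com : deny
sshd : ALL : allow
"""


def parse_rules(text):
    """Return a list of (daemons, client_patterns, option) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons, clients = fields[0].split(), fields[1].split()
        option = fields[2].lower() if len(fields) > 2 else "allow"
        rules.append((daemons, clients, option))
    return rules


def client_matches(pattern, addr, hostname):
    """Match one client pattern against the peer address and its reverse name.

    hostname is None when the reverse lookup returned nothing, which is
    exactly the case where every name-based pattern silently fails to match.
    """
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        # Domain suffix: the result is entirely decided by the DNS answer.
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        # Dotted-decimal prefix such as "192.0.2.": no DNS needed.
        return addr.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return ip_address(addr) in ip_network(f"{net}/{mask}", strict=False)
    # Exact host: an address literal or a full reverse name.
    return pattern.lower() in (addr, (hostname or "").lower())


def decide(rules, daemon, addr, hostname=None):
    """First matching rule wins; libwrap allows when nothing matches."""
    for daemons, clients, option in rules:
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(client_matches(p, addr, hostname) for p in clients):
            return option
    return "allow"


def dns_dependent_patterns(rules):
    """Audit helper: client patterns whose result depends on a DNS answer."""
    found = []
    for _, clients, _ in rules:
        for p in clients:
            if p == "ALL" or p.endswith(".") or "/" in p:
                continue
            try:
                ip_address(p)
            except ValueError:
                found.append(p)
    return found


if __name__ == "__main__":
    rules = parse_rules(HOSTS_ALLOW)
    # Same peer address, three different reverse-DNS answers, two outcomes.
    for name in ("box.evil.cracker.example.com", "box.example.org", None):
        print(f"203.0.113.5 rDNS={name!r}: {decide(rules, 'sshd', '203.0.113.5', name)}")
    print("rules that rely on DNS:", dns_dependent_patterns(rules))
```

Running it shows the same 203.0.113.5 peer being denied when reverse DNS returns the listed name and allowed when it returns anything else or nothing, which is Oliver's "it relies on DNS" objection in concrete form; the address rule for 192.0.2.0/24 gives the same answer regardless of what DNS says. `dns_dependent_patterns` is the check worth running over a real hosts.allow: any pattern it lists is one whose effect a DNS operator, rather than the local administrator, ultimately controls.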