From: Joey Kelly
To: freebsd-security@freebsd.org
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Date: Fri, 14 Feb 2020 17:19:58 -0600
Message-ID: <1997012.9LfIMBbbVL@deborah>
References: <4627295.A1yGqSNMk2@deborah>
List-Id: "Security issues [members-only posting]"

On Friday, February 14, 2020 04:16:53 PM Ed Maste wrote:
> On Fri, 14 Feb 2020 at 15:27, Joey Kelly wrote:
> > On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
> > > Upstream OpenSSH-portable removed libwrap support in version 6.7,
> > > released in October 2014. We've maintained a patch in our tree to
> > > restore it, but it causes friction on each OpenSSH update and may
> > > introduce security vulnerabilities not present upstream. It's (past)
> > > time to remove it.
> >
> > So color me ignorant, but how does this affect things like DenyHosts?
>
> It's independent of denyhosts, fail2ban, blacklistd and similar. TCP
> wrappers is configured using /etc/hosts.allow and /etc/hosts.deny.

root@marsh:~ # tail -3 /etc/hosts.allow
# for denyhosts
sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow

-- 
Joey Kelly
Minister of the Gospel and Linux Consultant
http://joeykelly.net
504-239-6550
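As an added example (not part of the thread, and not FreeBSD or OpenSSH code), the Python below emulates the hosts_access(5) first-match evaluation for the three /etc/hosts.allow lines quoted above and shows what the proposed change means in practice: an sshd that is no longer linked against libwrap never opens hosts.allow or hosts.deny, so the denyhosts-maintained deny list stops having any effect while the file still looks correct. The contents of /etc/hosts.deniedssh, the client addresses and the ldd listings are constructed for the example; only the subset of hosts_access syntax needed here (ALL, single addresses, dotted prefixes, CIDR, EXCEPT, "/path" includes, and the allow/deny options) is implemented.

```python
import ipaddress

# Constructed stand-in for the file denyhosts maintains (/etc/hosts.deniedssh
# in the thread). Keyed by path so "/path" tokens in a client_list resolve.
FILES = {
    "/etc/hosts.deniedssh": "# written by denyhosts\n192.0.2.17\n203.0.113.0/24\n",
}

# The three lines posted from /etc/hosts.allow.
HOSTS_ALLOW = """\
# for denyhosts
sshd : /etc/hosts.deniedssh : deny
sshd : ALL : allow
"""


def _client_matches(pattern, client_ip, files):
    """Match one client_list token against a client IP (hosts_access(5) subset)."""
    ip = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):                      # "/path": one pattern per line
        return any(_client_matches(tok, client_ip, files)
                   for line in files.get(pattern, "").splitlines()
                   if not line.lstrip().startswith("#")
                   for tok in line.split())
    if "/" in pattern:                               # CIDR or net/mask, e.g. 203.0.113.0/24
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                        # leading-octet prefix, e.g. "10.1."
        return client_ip.startswith(pattern)
    try:
        return ip == ipaddress.ip_address(pattern)
    except ValueError:                               # hostname patterns need DNS; not handled
        return False


def _list_matches(expr, match_one):
    """Evaluate 'a b EXCEPT c d': any of a, b matches and none of c, d does."""
    head, _, tail = expr.partition(" EXCEPT ")
    hit = any(match_one(tok) for tok in head.split())
    return hit and not any(match_one(tok) for tok in tail.split())


def hosts_access(daemon, client_ip, hosts_allow=HOSTS_ALLOW, hosts_deny="", files=FILES):
    """First match wins: hosts.allow is read first, then hosts.deny, else allow."""
    for text, default in ((hosts_allow, "allow"), (hosts_deny, "deny")):
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            fields = [f.strip() for f in line.split(":")]
            daemons, clients = fields[0], fields[1]
            verdict = fields[2] if len(fields) > 2 else default  # explicit allow/deny option
            if (_list_matches(daemons, lambda d: d in ("ALL", daemon))
                    and _list_matches(clients, lambda p: _client_matches(p, client_ip, files))):
                return verdict
    return "allow"


def linked_with_libwrap(ldd_output):
    """True if an `ldd /usr/sbin/sshd` listing shows libwrap. Without it sshd
    never consults hosts.allow/hosts.deny, so the rules above are inert."""
    return any("libwrap" in line for line in ldd_output.splitlines())


def effective_verdict(daemon, client_ip, ldd_output):
    """What actually happens to a connection, given how sshd was built."""
    if not linked_with_libwrap(ldd_output):
        return "allow"                               # nothing reads the files
    return hosts_access(daemon, client_ip)


# Constructed ldd listings: a libwrap-patched sshd and an upstream-style build.
LDD_WITH_WRAP = "\tlibwrap.so.6 => /usr/lib/libwrap.so.6 (0x800a00000)\n\tlibcrypto.so.111 => /usr/lib/libcrypto.so.111 (0x800b00000)\n"
LDD_WITHOUT_WRAP = "\tlibcrypto.so.111 => /usr/lib/libcrypto.so.111 (0x800a00000)\n"

if __name__ == "__main__":
    for ip in ("192.0.2.17", "203.0.113.9", "198.51.100.5"):
        print(ip, "with libwrap:", effective_verdict("sshd", ip, LDD_WITH_WRAP),
              "without libwrap:", effective_verdict("sshd", ip, LDD_WITHOUT_WRAP))
```

The check to run on a real host is `ldd /usr/sbin/sshd | grep libwrap`: if nothing is printed, the hosts.allow lines for sshd are not being evaluated, whatever they say.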