Date: Sat, 15 Feb 2020 07:37:19 +0800
From: Ben Woods <woodsb02@gmail.com>
To: Joey Kelly <joey@joeykelly.net>
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Message-ID: <CAOc73CCtw2TKhfCQUcaPAri8CTgL2Vnb3UKV0y1dnrYo_iaxTA@mail.gmail.com>
In-Reply-To: <4627295.A1yGqSNMk2@deborah>
References: <CAPyFy2Die2tynFM3m3-5zBtWAOpHf-QHY-bE2JY7KKGiP8Tz_Q@mail.gmail.com> <4627295.A1yGqSNMk2@deborah>
On Sat, 15 Feb 2020 at 4:27 am, Joey Kelly <joey@joeykelly.net> wrote:

> On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
> > Upstream OpenSSH-portable removed libwrap support in version 6.7,
> > released in October 2014. We've maintained a patch in our tree to
> > restore it, but it causes friction on each OpenSSH update and may
> > introduce security vulnerabilities not present upstream. It's (past)
> > time to remove it.
>
> So color me ignorant, but how does this affect things like DenyHosts? Or is
> there an in-application way to block dictionary attacks? I can't go back to
> having my servers pounded on day and night (and yes, I listed on an
> alternative port).

DenyHosts can be configured to use PF firewall tables directly, rather than
using TCP wrappers:

https://github.com/denyhosts/denyhosts/blob/master/denyhosts.conf#L261

#######################################################################
#
# On FreeBSD/OpenBSD/TrueOS/PC-BSD/NetBSD/OS X we may want to block incoming
# traffic using the PF firewall instead of the hosts.deny file
# (aka tcp_wrapper).
# The admin can set up a PF table that is persistent
# and DenyHost can add new addresses to be blocked to that table.
# The TrueOS operating system enables this by default, blocking
# all addresses in the "blacklist" table.
#
# To have DenyHost update the blocking PF table in real time, uncomment
# these next two options. Make sure the table name specified
# is one created in the pf.conf file of your operating system.
# The PFCTL_PATH variable must point to the pfctl executable on your OS.
# PFCTL_PATH = /sbin/pfctl
# PF_TABLE = blacklist
# Note, a good rule to have in your pf.conf file to enable the
# blacklist table is:
#
# table <blacklist> persist file "/etc/blacklist"
# block in quick from <blacklist> to any
#
# Warning: If you are using PF, please make sure to disable the
# IPTABLES rule above as these two packet filters should not be
# run together on the same operating system.
# Note: Even if you decide to run DenyHost with PF filtering
# only and no hosts.deny support, please still create an empty
# file called /etc/hosts.deny for backward compatibility.
# Also, please make sure PF is enabled prior to launching
# DenyHosts. To do this run "pfctl -e".
#
# To write all blocked hosts to a PF table file enable this next option.
# This will make hosts added to the PF table persistent across reboots.
# PF_TABLE_FILE = /etc/blacklist
#
#######################################################################

Regards,
Ben

> --

--
From: Benjamin Woods
woodsb02@gmail.com
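To make the PF-table approach concrete, the following added example (not code from this thread, from DenyHosts, or from the FreeBSD project) does in a few lines of POSIX sh what the quoted denyhosts.conf options describe: it counts "Failed password" lines per source address in sshd auth-log output and, for any address at or above a threshold, prints the pfctl command that would add it to the <blacklist> table referenced by the quoted pf.conf rule. The log lines are constructed samples using documentation address ranges, the threshold of 3 and the table name "blacklist" are assumptions taken from the quoted configuration, and the script only prints the pfctl commands rather than executing them, so it runs on any system without PF.

```shell
#!/bin/sh
# Added example, not part of the thread or of DenyHosts.
# Counts failed sshd password attempts per source address and emits the
# pfctl command that DenyHosts' PF_TABLE option runs for each offender.

# Constructed sample auth-log lines (documentation address ranges, not real traffic).
SAMPLE_LOG='Feb 15 07:00:01 host sshd[1234]: Failed password for root from 203.0.113.5 port 50012 ssh2
Feb 15 07:00:02 host sshd[1234]: Failed password for root from 203.0.113.5 port 50013 ssh2
Feb 15 07:00:03 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 50014 ssh2
Feb 15 07:00:04 host sshd[1235]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Feb 15 07:00:05 host sshd[1236]: Accepted publickey for alice from 192.0.2.9 port 39999 ssh2'

# offenders THRESHOLD  (reads log lines on stdin)
# Prints, one per line and sorted, every source address with at least
# THRESHOLD "Failed password" lines. Successful logins are ignored.
offenders() {
    threshold="$1"
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the address always follows the word "from", whatever the user part looks like
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++ }
        }
        END { for (ip in n) if (n[ip] >= t) print ip }
    ' | sort
}

# pf_block_cmds TABLE  (reads addresses on stdin)
# Prints the pfctl invocation that adds each address to the named PF table.
# "pfctl -t TABLE -T add ADDR" is the real pfctl syntax; the path /sbin/pfctl
# matches the PFCTL_PATH setting quoted above. Nothing is executed here.
pf_block_cmds() {
    table="$1"
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        printf '/sbin/pfctl -t %s -T add %s\n' "$table" "$ip"
    done
}

# Demonstration run over the constructed sample: only 203.0.113.5 reaches
# the assumed threshold of 3 failures, so one pfctl command is printed.
printf '%s\n' "$SAMPLE_LOG" | offenders 3 | pf_block_cmds blacklist
```

With the quoted pf.conf rule in place ("block in quick from <blacklist> to any"), running the printed command blocks the address immediately; DenyHosts additionally writes the address to PF_TABLE_FILE (/etc/blacklist) so the "persist file" clause reloads it after a reboot. Note that the threshold is deliberately a parameter: a single failed password is normal user behaviour, and blocking on it would lock out legitimate users who mistyped once.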