From owner-freebsd-security@freebsd.org Fri Feb 14 23:37:32 2020
From: Ben Woods <woodsb02@gmail.com>
Date: Sat, 15 Feb 2020 07:37:19 +0800
Subject: Re: Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
To: Joey Kelly
Cc: freebsd-current@freebsd.org, freebsd-security@freebsd.org
In-Reply-To: <4627295.A1yGqSNMk2@deborah>
On Sat, 15 Feb 2020 at 4:27 am, Joey Kelly wrote:

> On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
> > Upstream OpenSSH-portable removed libwrap support in version 6.7,
> > released in October 2014. We've maintained a patch in our tree to
> > restore it, but it causes friction on each OpenSSH update and may
> > introduce security vulnerabilities not present upstream. It's (past)
> > time to remove it.
>
> So color me ignorant, but how does this affect things like DenyHosts? Or is
> there an in-application way to block dictionary attacks? I can't go back to
> having my servers pounded on day and night (and yes, I listen on an
> alternative port).

DenyHosts can be configured to use PF firewall tables directly, rather than
using TCP wrappers:

https://github.com/denyhosts/denyhosts/blob/master/denyhosts.conf#L261

#######################################################################
#
# On FreeBSD/OpenBSD/TrueOS/PC-BSD/NetBSD/OS X we may want to block incoming
# traffic using the PF firewall instead of the hosts.deny file
# (aka tcp_wrapper).
# The admin can set up a PF table that is persistent
# and DenyHost can add new addresses to be blocked to that table.
# The TrueOS operating system enables this by default, blocking
# all addresses in the "blacklist" table.
#
# To have DenyHost update the blocking PF table in real time, uncomment
# these next two options. Make sure the table name specified
# is one created in the pf.conf file of your operating system.
# The PFCTL_PATH variable must point to the pfctl executable on your OS.
# PFCTL_PATH = /sbin/pfctl
# PF_TABLE = blacklist
# Note, a good rule to have in your pf.conf file to enable the
# blacklist table is:
#
# table <blacklist> persist file "/etc/blacklist"
# block in quick from <blacklist> to any
#
# Warning: If you are using PF, please make sure to disable the
# IPTABLES rule above as these two packet filters should not be
# run together on the same operating system.
# Note: Even if you decide to run DenyHost with PF filtering
# only and no hosts.deny support, please still create an empty
# file called /etc/hosts.deny for backward compatibility.
# Also, please make sure PF is enabled prior to launching
# DenyHosts. To do this run "pfctl -e".
#
# To write all blocked hosts to a PF table file enable this next option.
# This will make hosts added to the PF table persistent across reboots.
# PF_TABLE_FILE = /etc/blacklist
#
#######################################################################

Regards,
Ben

--
From: Benjamin Woods
woodsb02@gmail.com
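The pf side of the PF_TABLE setup quoted above, as an added example that is not part of Ben's reply or of the DenyHosts project: a small sh script that emits the pf.conf fragment the comment refers to, wraps the pfctl commands for inspecting and editing the table by hand, and runs a readiness check before DenyHosts is started. The table name, table file and pfctl path follow the quoted denyhosts.conf; the external interface name (em0) and the sshd pass rule on port 22 are assumptions for the rule-ordering illustration and should be changed to match the host.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or the DenyHosts project:
# the pf side of the PF_TABLE setup, as sh functions that can be checked
# without root. Assumed names (matching the quoted denyhosts.conf):
# table "blacklist", table file /etc/blacklist, pfctl at /sbin/pfctl.
# EXT_IF and SSH_PORT are assumptions; set them to match your host.

PFCTL=${PFCTL:-/sbin/pfctl}
PF_TABLE=${PF_TABLE:-blacklist}
PF_TABLE_FILE=${PF_TABLE_FILE:-/etc/blacklist}
EXT_IF=${EXT_IF:-em0}
SSH_PORT=${SSH_PORT:-22}

# pf.conf fragment. "persist" keeps the table defined across rule reloads
# even while it is empty; "quick" stops evaluation on a match, so the block
# line must come before the pass line for sshd or the pass rule wins.
pf_conf_fragment() {
    cat <<EOF
table <${PF_TABLE}> persist file "${PF_TABLE_FILE}"
block in quick from <${PF_TABLE}> to any
pass in on ${EXT_IF} proto tcp to port ${SSH_PORT} flags S/SA keep state
EOF
}

# Accept only a dotted quad with octets 0-255.
valid_ipv4() {
    addr=$1
    case "$addr" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Rough IPv6 check: hex digits and colons only, at least two colons, no
# triple colon. Enough to reject log garbage; not a full RFC 4291 parser.
valid_ipv6() {
    case "$1" in
        ''|*[!0-9A-Fa-f:]*|*:::*) return 1 ;;
        *:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

valid_addr() { valid_ipv4 "$1" || valid_ipv6 "$1"; }

# Manual equivalent of what DenyHosts does with PF_TABLE/PF_TABLE_FILE set:
# add to the live table and append to the file that "persist file" reloads
# at boot. Anything that is not an address is refused, so a malformed log
# entry never turns into a pfctl argument.
block_addr() {
    valid_addr "$1" || { echo "refusing to block '$1': not an IP address" >&2; return 1; }
    "$PFCTL" -t "$PF_TABLE" -T add "$1" && printf '%s\n' "$1" >> "$PF_TABLE_FILE"
}

unblock_addr() { "$PFCTL" -t "$PF_TABLE" -T delete "$1"; }
show_blocked()  { "$PFCTL" -t "$PF_TABLE" -T show; }

# Check to run before starting DenyHosts: pf is enabled (the "pfctl -e" from
# the comment above) and the table the block rule references exists.
pf_ready() {
    "$PFCTL" -s info 2>/dev/null | grep -q '^Status: Enabled' &&
    "$PFCTL" -s Tables 2>/dev/null | grep -qx "$PF_TABLE"
}

case "${1:-}" in
    conf)    pf_conf_fragment ;;
    block)   block_addr "$2" ;;
    unblock) unblock_addr "$2" ;;
    show)    show_blocked ;;
    check)   pf_ready && echo "pf enabled and table <$PF_TABLE> loaded" ;;
esac
```

Typical use is `sh denyhosts-pf.sh conf` to print the rules for pasting into /etc/pf.conf (then `pfctl -f /etc/pf.conf` to load them), `sh denyhosts-pf.sh check` before enabling DenyHosts, and `sh denyhosts-pf.sh show` to confirm that addresses DenyHosts reports as blocked actually landed in the table. The address check exists because `pfctl -T add` will happily create entries from whatever string it is given; keeping the validation in front of pfctl is cheaper than debugging a table full of junk.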