From owner-freebsd-security Mon Apr 1 11:31:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 525D637B417 for ; Mon, 1 Apr 2002 11:31:07 -0800 (PST) Received: (qmail 92045 invoked by uid 1001); 1 Apr 2002 19:31:01 -0000 Date: Mon, 1 Apr 2002 14:31:01 -0500 From: "Peter C. Lai" To: Jason Stone Cc: security@FreeBSD.ORG Subject: Re: SSH or Telnet? Message-ID: <20020401143101.A91978@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: <004101c1d800$a4a71ee0$6401a8c0@router.unknown.ca> <20020401003026.D2704-100000@walter> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020401003026.D2704-100000@walter>; from jason@shalott.net on Mon, Apr 01, 2002 at 12:32:40AM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org And also ipfw is a good habit to pick up because it is preferable for any other services you may be running because not every service supports tcpwrappers. You are only guarenteed tcpwrappers (hosts.allow/deny) functionality if your service is being run by inetd or has been compiled to link to tcpwrappers. On Mon, Apr 01, 2002 at 12:32:40AM -0800, Jason Stone wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > I would also recomend that you restrict access to ssh using > > /etc/hosts.allow if you would like some added security to just who all > > can ssh to your box. > > ipfw (or whatever) rules are preferable to /etc/hosts.allow rules, because > if there's a buffer overrun, it can probablly be exploited before > /etc/hosts.allow is even opened, whereas ipfw rules prevent the > exploitative packets from ever reaching the sshd. > > > -Jason > > ----------------------------------------------------------------------- > I worry about my child and the Internet all the time, even though she's > too young to have logged on yet. Here's what I worry about. I worry > that 10 or 15 years from now, she will come to me and say "Daddy, where > were you when they took freedom of the press away from the Internet?" > -- Mike Godwin > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (FreeBSD) > Comment: See https://private.idealab.com/public/jason/jason.gpg > > iD8DBQE8qBszswXMWWtptckRArhtAJ0Z3g8P7iwCdd/0yOoZncXzR8evNQCg9Fmc > ZtOdVrJWMFRAPFBh140o0xY= > =09oC > -----END PGP SIGNATURE----- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Peter C. Lai University of Connecticut Dept. of Residential Life | Programmer Dept. of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ 860.427.4542 (Room) 860.486.1899 (Lab) 203.206.3784 (Cellphone) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message