From: Scot Hetzel
To: freebsd-gnats-submit@freebsd.org
Cc: "freebsd-security@freebsd.org", Nicola Galante
Date: Wed, 5 Mar 2014 18:43:27 -0600
Subject: Re: misc/187307: Security vulnerability with FreeBSD Jail
In-Reply-To: <5317B597.5050900@delphij.net>
References: <201403052307.s25N7NoD045308@cgiserv.freebsd.org> <5317B597.5050900@delphij.net>
List-Id: "Security issues [members-only posting]"

On Wed, Mar 5, 2014 at 5:39 PM, Xin Li wrote:
> So the solution would be to change your configuration such that:
> :
> 2) Do not make host's sshd to listen on all addresses, instead, only
> listen to the designated host IP address.  This is not a security
> measure but avoids confusion.
>

You will want to change the host's sshd_config to only listen on the
10.0.0.100 address:

ListenAddress 10.0.0.100

If the host needs to listen on multiple addresses, just add another
ListenAddress.

http://www.cyberciti.biz/tips/howto-openssh-sshd-listen-multiple-ip-address.html

--
DISCLAIMER:

No electrons were maimed while sending this message. Only slightly bruised.
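
One way to check a host's sshd_config for the change described in the message above, as an added example that is not part of the original mail. The function names are hypothetical, the sample config is constructed, and Include files are not followed.

```shell
#!/bin/sh
# Added example: report which addresses an sshd_config binds sshd to.
# Output is one line per ListenAddress: "specific <addr>" or "wildcard <addr>".
# With no ListenAddress at all, sshd listens on every local address, which on
# a jail host includes the jails' IPs, so "wildcard (default)" is printed.
sshd_listen_audit() {
    awk '
    {
        sub(/#.*/, "")                  # drop comments, incl. "#ListenAddress ..."
        sub(/[ \t]*=[ \t]*/, " ")       # "Keyword=value" is also accepted by sshd
        if (tolower($1) != "listenaddress" || NF < 2) next
        addr = $2; seen = 1
        if (addr ~ /^\[/) {             # [address]:port form
            sub(/^\[/, "", addr); sub(/\].*$/, "", addr)
        } else if (addr ~ /^[^:]*:[0-9]+$/) {
            sub(/:[0-9]+$/, "", addr)   # host:port or IPv4:port form
        }
        kind = (addr == "0.0.0.0" || addr == "::") ? "wildcard" : "specific"
        print kind, addr
    }
    END { if (!seen) print "wildcard (default)" }
    ' "$1"
}

# Exit status 0 only when every listener is pinned to a specific address.
sshd_listen_is_pinned() {
    ! sshd_listen_audit "$1" | grep -q '^wildcard'
}

# Constructed sample config for demonstration (not from the original mail).
sample=$(mktemp)
printf '%s\n' 'Port 22' 'ListenAddress 10.0.0.100' > "$sample"
sshd_listen_audit "$sample"             # prints: specific 10.0.0.100
rm -f "$sample"
```

The check reads the file only; `sshd -T` on the host prints the effective configuration the daemon would actually use.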