Date:      31 May 2005 11:54:25 -0400
From:      Lowell Gilbert <freebsd-stable-local@be-well.no-ip.com>
To:        freebsd-stable@FreeBSD.ORG
Subject:   Re: IP Firewalling by DNS name
Message-ID:  <44k6lfjsr2.fsf@be-well.ilk.org>
In-Reply-To: <200505311529.j4VFTu9Q024198@lurza.secnetix.de>
References:  <200505311529.j4VFTu9Q024198@lurza.secnetix.de>

Oliver Fromme <olli@lurza.secnetix.de> writes:

> Ivan Voras <ivoras@fer.hr> wrote:

>  > As I understand it, sshd actually accepts connections 
>  > prior to checking hosts.allow?
> 
> Yes, the connection is accepted first, because there is
> no information available about it before it is accepted.
> But if the check fails, the connection will be closed
> immediately.

Well, that's not necessarily the best way to explain it.  When you're
working with TCP wrappers, you're running out of inetd(8), so there
isn't really any sshd at all until the wrappers have decided to allow
the connection.

>  > In hosts.allow, there's an example for sshd but it contains:
>  > 
>  > # Wrapping sshd(8) is not normally a good idea, but if you
>  > # need to do it, here's how
>  > #sshd : .evil.cracker.example.com : deny
>  > 
>  > Why it's not a good idea? :)
> 
> There are several reasons.  First, it relies on DNS, which
> is not necessarily a good idea.  If someone can spoof your
> DNS (which is not as difficult as many people think it is),
> you're toast.
> 
> Second, SSH provides authentication mechanisms which are
> much more secure, such as public key authentication.
> Also, SSH uses host keys for identification, so you don't
> have to rely on DNS.

The reason that it's generally considered a bad idea, though, is just
that it's *slow*.  If you're running inetd anyway, and don't get many
ssh connections, you won't notice this issue, but if you get a lot of
connections, you really want to run ssh as a daemon rather than
starting it from scratch every time a new connection comes in.

> However, in your case I think it's OK to use TCP wrapper,
> because you want to use that in _addition_ to the usual SSH
> authentication (for pre-filtering, so to speak), but not to
> replace it.  Just keep in mind that DNS results might not
> be reliable.

Absolutely.  In fact, most people trying to wrap sshd are kidding
themselves about getting any security benefit at all.
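As an added illustration, not part of this thread or of libwrap itself, here is a small Python model of how a hosts.allow rule is evaluated, using constructed DNS data and a simplified hosts_access(5) syntax (all addresses, hostnames and rules are hypothetical). It shows why a name-based pattern such as `.evil.cracker.example.com` depends on the peer's reverse DNS while an address pattern does not, and how the forward/reverse cross-check that libwrap performs (the PARANOID behaviour) catches a PTR record that does not map back to the connecting address.

```python
import ipaddress
# Constructed DNS data standing in for real lookups (all names hypothetical).
PTR = {"203.0.113.7": "host7.evil.cracker.example.com",   # consistent PTR record
       "203.0.113.9": "legit.example.org",                 # PTR that does not map back
       "198.51.100.5": "legit.example.org"}
FORWARD = {"host7.evil.cracker.example.com": {"203.0.113.7"},
           "legit.example.org": {"198.51.100.5"}}

# Constructed ruleset in simplified hosts_access(5) form; first match wins.
RULES_TEXT = """
sshd : .evil.cracker.example.com : deny   # only works if DNS is trustworthy
sshd : 198.51.100.0/24 : allow            # decided from the address alone
sshd : PARANOID : deny                    # no name, or name does not map back
"""

def parse_rules(text):
    """Return (daemon, client_pattern, action) triples; skip comments/blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemon, pattern, action = [p.strip() for p in line.split(":")][:3]
            rules.append((daemon, pattern, action.lower()))
    return rules

def verified_name(ip, ptr=PTR, forward=FORWARD):
    """Reverse-resolve ip, then require the name to map back (double-reverse check)."""
    name = ptr.get(ip)
    return name if name and ip in forward.get(name, set()) else None

def matches(pattern, ip, name):
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return name is None
    if "/" in pattern:                       # network/prefix: address only
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern)
    if pattern[0].isdigit():                 # literal address: address only
        return ip == pattern
    if pattern.startswith("."):              # domain suffix: needs DNS
        return name is not None and name.endswith(pattern)
    return name == pattern                   # full hostname: needs DNS

def decide(rules, daemon, ip, ptr=PTR, forward=FORWARD):
    """First matching rule wins; no match means allow, as with libwrap."""
    name = verified_name(ip, ptr, forward)
    for d, pattern, action in rules:
        if d in (daemon, "ALL") and matches(pattern, ip, name):
            return action
    return "allow"
```

With these constructed tables, 203.0.113.7 is denied by the name rule, 198.51.100.5 is allowed by the address rule, and 203.0.113.9 (whose PTR does not resolve back) never matches the name rule and falls to PARANOID.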