Re: Call for testing: OpenSSH 6.7

Going to throw in my $.02 here (late) but I really think this is a bad
move.  AIX doesn't natively do tcp wrappers (yes there is a *shudder* rpm
for it), but I literally just today stopped a minor syslog DoS caused by
some "monitoring" software slamming at my sshd process every second and
causing auth.log to grow like nobody's business, making it unparseable and
full of useless noise.

How did I stop it quickly? Created a /etc/hosts.deny file and threw this
into it ... knowing that sshd would process it and silently drop the
connections:
sshd : ip.add.re.ss : severity debug : deny

Yes, I could have run genfilt, if the server had ipsec4 filtering already
configured and running (it didn't).  But I could write out a one-line file,
bounce sshd, and voila!  Silent droppage of unwanted connections (except
into the separate debug log I was using for evidence).

I know it's a moot point at this juncture, but I disagree with the decision.



On Mon, Aug 18, 2014 at 5:11 PM, Iain Morgan <imorgan@xxxxxxxxxxxx> wrote:

> On Mon, Aug 18, 2014 at 11:23:41 +1000, Damien Miller wrote:
> > Hi,
> >
> > OpenSSH 6.7 is almost ready for release, so we would appreciate testing
> > on as many platforms and systems as possible. This is a big release
> > containing a number of features, a lot of internal refactoring and some
> > potentially-incompatible changes.
> >
>
> The 20140819 snapshot successfully builds and passes the tests on RHEL
> 6.5/x86_64 w/OpenSSL 1.0.1i.
>
> Regarding the removal of TCP wrapper support, it would be good to remove
> references to it in the contrib/*/openssh.spec files:
>
> % egrep -i 'netkit|wrapper|tcpd' */openssh.spec
> caldera/openssh.spec:            --with-tcp-wrappers \
> redhat/openssh.spec:BuildRequires: perl, openssl-devel, tcp_wrappers
> redhat/openssh.spec:    --with-tcp-wrappers \
> suse/openssh.spec:#   TCP Wrappers (tcpd-devel),
> suse/openssh.spec:BuildPrereq:  tcpd-devel
> suse/openssh.spec:- Added flag to configure daemon with TCP Wrappers support
> suse/openssh.spec:              --with-tcp-wrappers \
>
> There are also references to tcpd or libwrap in INSTALL and
> contrib/cygwin/README that should probably be removed or revised.
>
> --
> Iain Morgan
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>



-- 
# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott@xxxxxxxxx> */