On Thu, May 21, 2015 at 1:05 AM, Michael Stone <mstone@xxxxxxxxx> wrote:
> On Wed, May 20, 2015 at 03:58:22PM +0200, Stephan von Krawczynski wrote:
>
>> Show me this as an example of your firewall skills and replace this
>> hosts.allow entry:
>>
>> sshd: .... : spawn (echo -e "%u@%h[%a] on `/bin/date`" to %d connected
>> me |
>> /bin/mail -s "hosts.allow entry XYZ" root) & : ALLOW
>>
>>
>> This is only an example code, of course.
>>
>
> It's an example of something really horrible. It might have seemed like a
> good idea in the 90s, but in a modern system that sort of alerting should
> be integrated into log monitoring (and should be much more comprehensive
> than a couple of services linked against wrappers).
>
Note that you can still do that by starting sshd under tcpd+inetd,
something like:
ssh stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sshd -i
or the equivalent in your inetd-alike. For SSHv2 connections it should be
about the same speed (it'll be slower for Protocol 1 connections because
each connection will need to generate a new ephemeral host key, but that's
probably a plus from a security standpoint).
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
