Re: Re-install libwrap in OpenSSH

On Thu, May 21, 2015 at 1:05 AM, Michael Stone <mstone@xxxxxxxxx> wrote:

> On Wed, May 20, 2015 at 03:58:22PM +0200, Stephan von Krawczynski wrote:
>
>> Show me this as an example of your firewall skills and replace this
>> hosts.allow entry:
>>
>> sshd: .... : spawn (echo -e "%u@%h[%a] on `/bin/date`" to %d connected
>> me |
>> /bin/mail -s "hosts.allow entry XYZ" root) & : ALLOW
>>
>>
>> This is only an example code, of course.
>>
>
> It's an example of something really horrible. It might have seemed like a
> good idea in the 90s, but in a modern system that sort of alerting should
> be integrated into log monitoring (and should be much more comprehensive
> than a couple of services linked against wrappers).
>

Note that you can still do that by starting sshd under tcpd+inetd,
something like:

ssh stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sshd -i

or the equivalent in your inetd-alike.  For SSHv2 connections it should be
about the same speed (it'll be slower for Protocol 1 connections because
each connection will need to generate a new ephemeral host key, but that's
probably a plus from a security standpoint).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
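
The log-monitoring approach mentioned in the quoted reply, sketched as an added example (not code from any poster in this thread). It reads sshd's standard "Accepted"/"Failed" syslog messages instead of relying on a hosts.allow spawn hook; the sample log lines are constructed, and the function name and failure threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample syslog lines in sshd's usual message format.
SAMPLE_LOG = """\
May 21 01:05:10 gw sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
May 21 01:05:40 gw sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
May 21 01:05:43 gw sshd[2215]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
May 21 01:05:47 gw sshd[2219]: Failed password for root from 203.0.113.7 port 40031 ssh2
May 21 01:06:02 gw cron[2230]: (root) CMD (run-parts /etc/cron.hourly)
May 21 01:07:15 gw sshd[2240]: Failed password for bob from 198.51.100.4 port 39910 ssh2
"""

# Matches the authentication result lines written by sshd.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<addr>\S+) port \d+"
)

def scan(log_text, fail_threshold=3):
    """Return alert strings: one per accepted login, one per noisy source."""
    alerts, failures = [], Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an sshd authentication result line
        if m["result"] == "Accepted":
            # Unlike the wrapper hook, this reports the authenticated user.
            alerts.append(f"{m['ts']} {m['user']}@{m['addr']} logged in to "
                          f"{m['host']} via {m['method']}")
        else:
            failures[m["addr"]] += 1
    # Aggregate failures per source address, which a per-connection
    # spawn hook cannot do.
    for addr, n in sorted(failures.items()):
        if n >= fail_threshold:
            alerts.append(f"{n} failed logins from {addr}")
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```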



