Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Michael Butler
imb at protected-networks.net
Fri Feb 14 23:59:09 UTC 2020
On 2/14/20 6:37 PM, Ben Woods wrote:
> On Sat, 15 Feb 2020 at 4:27 am, Joey Kelly <joey at joeykelly.net> wrote:
>
>> On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote:
>>> Upstream OpenSSH-portable removed libwrap support in version 6.7,
>>> released in October 2014. We've maintained a patch in our tree to
>>> restore it, but it causes friction on each OpenSSH update and may
>>> introduce security vulnerabilities not present upstream. It's (past)
>>> time to remove it.
>>
>> So color me ignorant, but how does this affect things like DenyHosts? Or
>> is
>> there an in-application way to block dictionary attacks? I can't go back
>> to
>> having my servers pounded on day and night (and yes, I listed on an
>> alternative port).
>
>
> DenyHosts can be configured to use PF firewall tables directly, rather than
> using TCP wrappers:
> https://github.com/denyhosts/denyhosts/blob/master/denyhosts.conf#L261
>
Requiring the addition of a firewall where there was none before is a
significant and potentially error-prone change. I am not about to add
this degree of complexity to every machine which only has a single port
exposed via NAT.
To maintain equivalent functionality, the port version
(security/openssh-portable) has the requisite patch as an option or,
perhaps better, the base SSHD can be run from INETD and, consequently,
TCP-wrapped as it was before,
imb
More information about the freebsd-security
mailing list