Early heads-up: plan to remove local patches for TCP Wrappers support in sshd
Michael Butler
imb at protected-networks.net
Sat Feb 22 16:21:57 UTC 2020
On 2/21/20 11:49 AM, Ed Maste wrote:
> It seems starting sshd from inetd via tcpd is a reasonable approach
> for folks who want to use it; also, have folks using libwrap looked at
> sshd's Match blocks to see if they provide the desired functionality?
While match blocks can disallow a login from anything other than an
approved source address, they apparently permit the configured number of
failed attempts before throwing the prospective intruder out. With the
wrappers, it's an immediate disconnect.
They also have no mechanism to recognize a DNS mismatch (forward versus
reverse map).
imb
More information about the freebsd-security
mailing list