IP Firewalling by DNS name

Lowell Gilbert freebsd-stable-local at be-well.no-ip.com
Tue May 31 08:54:27 PDT 2005


Oliver Fromme <olli at lurza.secnetix.de> writes:

> Ivan Voras <ivoras at fer.hr> wrote:

>  > As I understand it, sshd actually accepts connections 
>  > prior to checking hosts.allow?
> 
> Yes, the connection is accepted first, because there is
> no information available about it before it is accepted.
> But if the check fails, the connection will be closed
> immediately.

Well, that's not necessarily the best way to explain it.  When you're
working with TCP wrappers, you're running out of inetd(8), so there
isn't really any sshd at all until the wrappers have decided to allow
the connection.

>  > In hosts.allow, there's an example for sshd but it contains:
>  > 
>  > # Wrapping sshd(8) is not normally a good idea, but if you
>  > # need to do it, here's how
>  > #sshd : .evil.cracker.example.com : deny
>  > 
>  > Why is it not a good idea? :)
> 
> There are several reasons.  First, it relies on DNS, which
> is not necessarily a good idea.  If someone can spoof your
> DNS (which is not as difficult as many people think it is),
> you're toast.
> 
> Second, SSH provides authentication mechanisms which are
> much more secure, such as public key authentication.
> Also, SSH uses host keys for identification, so you don't
> have to rely on DNS.

The reason that it's generally considered a bad idea, though, is just
that it's *slow*.  If you're running inetd anyway, and don't get many
ssh connections, you won't notice this issue, but if you get a lot of
connections, you really want to run ssh as a daemon rather than
starting it from scratch every time a new connection comes in.

> However, in your case I think it's OK to use TCP wrapper,
> because you want to use that in _addition_ to the usual SSH
> authentication (for pre-filtering, so to speak), but not to
> replace it.  Just keep in mind that DNS results might not
> be reliable.

Absolutely.  In fact, most people trying to wrap sshd are kidding
themselves about getting any security benefit at all.
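
The DNS dependence discussed in this thread, shown as an added example that is not part of the original message: a name-based allow rule that trusts the reverse lookup alone, next to one that also requires the name to resolve back to the connecting address. The function names, addresses and host names are constructed for illustration, and the resolvers are replaceable so the sample runs offline.

```python
import socket

def system_reverse(ip):
    """PTR lookup via the system resolver."""
    return socket.gethostbyaddr(ip)[0]

def system_forward(name):
    """All addresses the name resolves to via the system resolver."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def suffix_match(name, pattern):
    """hosts.allow-style match: '.example.com' matches any name ending in it."""
    name, pattern = name.rstrip(".").lower(), pattern.lower()
    return name.endswith(pattern) if pattern.startswith(".") else name == pattern

def name_only_allowed(ip, pattern, reverse=system_reverse):
    """Weak form: trusts whatever name the reverse zone returns for the address."""
    try:
        return suffix_match(reverse(ip), pattern)
    except OSError:
        return False

def confirmed_allowed(ip, pattern, reverse=system_reverse, forward=system_forward):
    """Stricter form: the PTR name must also resolve back to the same address."""
    try:
        name = reverse(ip)
        if ip not in forward(name):
            return False
    except OSError:
        return False
    return suffix_match(name, pattern)

# Constructed sample data: documentation address ranges and made-up names.
PTR = {"192.0.2.10": "gw.office.example.com",   # legitimate host
       "203.0.113.7": "gw.office.example.com"}  # PTR chosen by that block's owner
A = {"gw.office.example.com": {"192.0.2.10"}}

def fake_reverse(ip):
    if ip not in PTR:
        raise OSError("no PTR record")
    return PTR[ip]

def fake_forward(name):
    if name not in A:
        raise OSError("name does not resolve")
    return A[name]
```

The forward lookup is still a DNS answer, so the stricter check narrows the reliance on DNS without removing it. Rules written against addresses avoid the lookup entirely.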

