IP Firewalling by DNS name

Oliver Fromme olli at lurza.secnetix.de
Tue May 31 09:31:53 PDT 2005

Lowell Gilbert <freebsd-stable-local at be-well.no-ip.com> wrote:
 > Oliver Fromme <olli at lurza.secnetix.de> writes:
 > > Ivan Voras <ivoras at fer.hr> wrote:
 > > > As I understand it, sshd actually accepts connections 
 > > > prior to checking hosts.allow?
 > > 
 > > Yes, the connection is accepted first, because there is
 > > no information available about it before it is accepted.
 > > But if the check fails, the connection will be closed
 > > immediately.
 > Well, that's not necessarily the best way to explain it.  When you're
 > working with TCP wrappers, you're running out of inetd(8), so there
 > isn't really any sshd at all until the wrappers have decided to allow
 > the connection.

I assume he's not using inetd(8) for ssh (which is not a
good ide ain general, and it's not the default anyway).
Note that sshd(8) supports hosts_access(3) directly without
the help of inetd(8).

 > > > In hosts.allow, there's an example for sshd but it contains:
 > > > 
 > > > # Wrapping sshd(8) is not normally a good idea, but if you
 > > > # need to do it, here's how
 > > > #sshd : .evil.cracker.example.com : deny
 > > > 
 > > > Why it's not a good idea? :)
 > > 
 > > There are several reasons.  First, it relies on DNS, which
 > > is not necessarily a good idea.  If someone can spoof your
 > > DNS (which is not as difficult as many people think it is),
 > > you're toast.
 > > 
 > > Second, SSH provides authentication mechanisms which are
 > > much more secure, such as public key authentication.
 > > Also, SSH uses host keys for identification, so you don't
 > > have to rely on DNS.
 > The reason that it's generally considered a bad idea, though, is just
 > that it's *slow*.

No.  If you're not running it via inetd(8), then it's
actually pretty fast (except for the DNS lookups which
can take a while, buth that's not an issue in this
particular case).

Best regards

Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.

"I have stopped reading Stephen King novels.
Now I just read C code instead."
        -- Richard A. O'Keefe

More information about the freebsd-stable mailing list