Date: Tue, 31 May 2005 17:29:56 +0200 (CEST)
From: Oliver Fromme <olli@lurza.secnetix.de>
To: freebsd-stable@FreeBSD.ORG
Subject: Re: IP Firewalling by DNS name
Message-ID: <200505311529.j4VFTu9Q024198@lurza.secnetix.de>
In-Reply-To: <429C7AEC.6060807@fer.hr>
Ivan Voras <ivoras@fer.hr> wrote:
> Igor Robul wrote:
> > Ivan Voras wrote:
> > > What I need it for: I'd like to allow ssh logins only from a specific
> > > TLD (by reverse lookup...) - maybe there's another way?
> >
> > /etc/hosts.allow
> > man 5 hosts_access
>
> How safe is it?

It works in userland, so it only kicks in after the TCP connection has already been established. IPFW works in the kernel on a packet level, so it kicks in much earlier. Whether it's safe enough for you is up to you to decide.

> As I understand it, sshd actually accepts connections
> prior to checking hosts.allow?

Yes, the connection is accepted first, because there is no information available about it before it is accepted. But if the check fails, the connection will be closed immediately.

> In hosts.allow, there's an example for sshd but it contains:
>
> # Wrapping sshd(8) is not normally a good idea, but if you
> # need to do it, here's how
> #sshd : .evil.cracker.example.com : deny
>
> Why isn't it a good idea? :)

There are several reasons. First, it relies on DNS, which is not necessarily a good idea. If someone can spoof your DNS (which is not as difficult as many people think it is), you're toast. Second, SSH provides authentication mechanisms which are much more secure, such as public key authentication. Also, SSH uses host keys for identification, so you don't have to rely on DNS.

However, in your case I think it's OK to use TCP wrapper, because you want to use that in _addition_ to the usual SSH authentication (for pre-filtering, so to speak), but not to replace it. Just keep in mind that DNS results might not be reliable.

Best regards
   Oliver

--
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author
and may not necessarily reflect the opinions of secnetix in any way.
"I made up the term 'object-oriented', and I can tell you I didn't
have C++ in mind." -- Alan Kay, OOPSLA '97
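The discussion above turns on two points: hosts.allow rules that match a domain suffix depend on reverse DNS, and libwrap (the library behind hosts_access(5)) guards against a forged PTR record by forward-resolving the returned name and checking that the client address is among the answers (a mismatch is what the PARANOID wildcard matches). The following added example, which is not code from the e-mail, from FreeBSD or from tcp_wrappers, models that rule evaluation in Python so the effect can be seen on constructed inputs: the resolver answers, the rule list, the hostnames and the addresses are all made up for the demonstration, and the PARANOID check is approximated as an ordinary first rule.

```python
"""Model of hosts_access(5)-style client matching with forward-confirmed reverse DNS.

Added example (not from the mailing-list post or from libwrap). Resolver answers are a
constructed in-memory table so the example runs offline; the real library asks DNS.
"""
import ipaddress

# Constructed reverse (PTR) answers: address -> hostname, or None when no record exists.
PTR = {
    "198.51.100.1": "ws1.uni.example",    # genuine pair: forward record agrees
    "203.0.113.9": "ws2.uni.example",     # forged PTR: forward record points elsewhere
}

# Constructed forward (A) answers: hostname -> list of addresses.
FORWARD = {
    "ws1.uni.example": ["198.51.100.1"],
    "ws2.uni.example": ["10.9.9.9"],
}

# Constructed rule list in the combined hosts.allow(5) form: (daemon, client, action).
# First match wins; the address-based rule deliberately does not depend on DNS at all.
RULES = [
    ("sshd", "PARANOID", "deny"),       # name/address mismatch: refuse outright
    ("sshd", "192.0.2.0/24", "allow"),  # management network, matched by address
    ("sshd", ".example", "allow"),      # the "specific TLD" case from the thread
    ("sshd", "ALL", "deny"),            # everyone else
]


def resolve_client(addr, ptr=PTR, forward=FORWARD):
    """Reverse-resolve addr and forward-confirm the name.

    Returns (name, paranoid): name is the confirmed hostname or None when the address
    has no usable name; paranoid is True when a PTR record existed but its forward
    lookup did not contain addr, which is the condition libwrap flags as PARANOID.
    """
    name = ptr.get(addr)
    if name is None:
        return None, False
    if addr in forward.get(name, []):
        return name, False
    return None, True


def pattern_matches(pattern, addr, name, paranoid):
    """Match one client pattern the way hosts_access(5) documents the common forms."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return paranoid
    if pattern.startswith("."):                      # domain suffix, e.g. ".example"
        return name is not None and name.endswith(pattern)
    if "/" in pattern:                               # address block in CIDR form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return name == pattern or addr == pattern        # exact hostname or address


def hosts_access(daemon, addr, rules=RULES, ptr=PTR, forward=FORWARD):
    """Return 'allow' or 'deny' for a connection to daemon from addr.

    Rules are scanned in order and the first matching one decides; when nothing
    matches, hosts_access(5) grants access, so that is the default here too.
    """
    name, paranoid = resolve_client(addr, ptr, forward)
    for rule_daemon, client, action in rules:
        if rule_daemon not in ("ALL", daemon):
            continue
        if pattern_matches(client, addr, name, paranoid):
            return action
    return "allow"


if __name__ == "__main__":
    for client in ("198.51.100.1", "203.0.113.9", "192.0.2.15", "203.0.113.50"):
        print(client, "->", hosts_access("sshd", client))
```

Run stand-alone, the genuine name under `.example` is allowed, the forged PTR is caught by the forward check and denied, the management address is allowed without any DNS lookup, and an unnamed outside address falls through to the final deny. The forward check only defends against a PTR the attacker controls while the forward zone is honest; someone who can answer both lookups (or poison the resolver the host uses) still passes, which is why Oliver's advice to treat this as pre-filtering in addition to SSH's own authentication, not as a replacement for it, stands.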