Re: Voluminous SSHd scanning; possible worm activity?

From: Paul Gear (paulgearat_private)
Date: Thu Dec 13 2001 - 12:52:00 PST

    > --- Bertrand Lupart <Bertrand.Lupartat_private> wrote:
    > > > 	For my own part, on top of upgrading to the latest versions of SSHd,
    > > > 	I'm recommending that folks utilize IPchains or IPFilter to reinforce
    > > > 	their explicitly-defined AllowHosts directives in sshd_config.  These
    > > > 	measures in themselves should greatly mitigate both the present (and
    > > > 	hopefully, future) threat of successful remote attack on SSHd. 
    > > 
    > > Are we safe if the attack is run from a host not listed as accepted in
    > > access control files, ie:
    > > 
    > > /etc/hosts.deny:
    > > ALL: ALL
    > > 
    > > /etc/hosts.allow:
    > > sshd: www.xxx.yyy.zzz
    > > 
    > 
    > Only services that are launched using tcpwrappers will check the
    > /etc/hosts.* files for access permissions.
    > 
    > You can use tcpdchk to analyze your wrapper config:
    
    That's not strictly true.  Anything that uses libwrap uses it, which includes
    recent versions of OpenSSH (at least on Red Hat Linux - I believe it's a
    compile-time option).
    
    PDG
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
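The hosts.allow/hosts.deny question raised in the thread turns on libwrap's decision order: a (daemon, client) pair that matches /etc/hosts.allow is granted, otherwise a pair that matches /etc/hosts.deny is refused, otherwise access is granted. The following is an added example, not code from the thread or from the tcp_wrappers project: a small Python model of that evaluation, run over constructed copies of the two files quoted above (the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are documentation-range placeholders). It models only a subset of the pattern syntax (ALL, exact match, leading-dot hostname suffix, trailing-dot address prefix, EXCEPT) and ignores option fields, so it is a teaching aid, not a replacement for tcpdchk/tcpdmatch.

```python
"""Minimal model of tcp_wrappers (libwrap) access-control evaluation.

Added example; it is not the thread's code nor the tcp_wrappers library.
Decision order reproduced from the hosts_access(5) documentation:
  1. pair matches /etc/hosts.allow  -> access granted
  2. pair matches /etc/hosts.deny   -> access denied
  3. no match anywhere              -> access granted (the default)
Remember this only governs daemons that are linked against libwrap (or
started through tcpd); anything else never reads these files at all.
"""

# Constructed sample files mirroring the configuration quoted in the thread.
# 192.0.2.10 is a placeholder for the single administrative workstation.
HOSTS_ALLOW = """
# sshd only from the admin workstation; everything else falls through
sshd: 192.0.2.10
"""

HOSTS_DENY = """
ALL: ALL
"""


def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into (daemon_list, client_list) pairs.

    Comments and blank lines are skipped.  Option fields (3rd and later) are
    ignored here.  Splitting on ':' means bracketed IPv6 literals are NOT
    handled by this model; that is a deliberate simplification.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed entry; tcpdchk would report it
        rules.append((fields[0], fields[1]))
    return rules


def _tokens(field):
    """Lists may be separated by blanks and/or commas."""
    return field.replace(",", " ").split()


def _match_client(pattern, addr, host):
    """Match one client pattern against the peer's address and hostname."""
    if pattern.upper() == "ALL":
        return True
    if pattern.startswith("."):            # ".admin.example" -> hostname suffix
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):              # "192.0.2." -> address prefix
        return addr.startswith(pattern)
    return pattern == addr or (host is not None and pattern == host)


def _match_client_list(field, addr, host):
    """Evaluate a client list, honouring 'list EXCEPT list' (right-binding)."""
    toks = _tokens(field)
    upper = [t.upper() for t in toks]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        left, right = toks[:i], toks[i + 1:]
        return (any(_match_client(t, addr, host) for t in left)
                and not _match_client_list(" ".join(right), addr, host))
    return any(_match_client(t, addr, host) for t in toks)


def _match_daemon_list(field, daemon):
    """Daemon lists: ALL or the daemon's process name (e.g. 'sshd')."""
    return any(t.upper() == "ALL" or t == daemon for t in _tokens(field))


def check_access(daemon, addr, host=None,
                 allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return ('allow'|'deny', reason) for a connection from addr/host to daemon."""
    for d, c in parse_rules(allow_text):
        if _match_daemon_list(d, daemon) and _match_client_list(c, addr, host):
            return "allow", "hosts.allow: %s : %s" % (d, c)
    for d, c in parse_rules(deny_text):
        if _match_daemon_list(d, daemon) and _match_client_list(c, addr, host):
            return "deny", "hosts.deny: %s : %s" % (d, c)
    return "allow", "no matching rule (tcp_wrappers grants by default)"


if __name__ == "__main__":
    # Constructed connection attempts against the sample configuration.
    for daemon, addr in [("sshd", "192.0.2.10"),
                         ("sshd", "198.51.100.7"),
                         ("in.ftpd", "192.0.2.10")]:
        verdict, why = check_access(daemon, addr)
        print("%-8s from %-14s -> %-5s (%s)" % (daemon, addr, verdict, why))
```

Two things the model makes visible: with an empty pair of files the default is to grant, so a missing `ALL: ALL` in hosts.deny leaves every wrapped service open, and the deny file is only consulted after the allow file, so a broad hosts.allow entry silently overrides it. Against real files use tcpdchk (syntax) and tcpdmatch (simulate a client). On Linux, `ldd` on the sshd binary shows whether libwrap.so is linked at all; note that portable OpenSSH removed tcp_wrappers support in version 6.7, so on current systems the filtering belongs in sshd_config (Match/AllowUsers) and the packet filter, as the earlier poster recommended.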
    
    This archive was generated by hypermail 2b30 : Thu Dec 13 2001 - 13:11:49 PST