There are options like AllowHosts and DenyHosts in the sshd2_config file
as well as other controls to prevent root from being able to ssh.

Sam

On Fri, 14 Dec 2001, Paul Gear wrote:

> > --- Bertrand Lupart <Bertrand.Lupartat_private> wrote:
> > > > For my own part, on top of upgrading to the latest versions of SSHd,
> > > > I'm recommending that folks utilize IPchains or IPFilter to reinforce
> > > > their explicitly-defined AllowHosts directives in sshd_config. These
> > > > measures in themselves should greatly mitigate both the present (and
> > > > hopefully, future) threat of successful remote attack on SSHd.
> > >
> > > Are we safe if the attack is run from a host not listed as accepted in
> > > access control files, ie:
> > >
> > > /etc/hosts.deny:
> > > ALL: ALL
> > >
> > > /etc/hosts.allow:
> > > sshd: www.xxx.yyy.zzz
> > >
> >
> > Only services that are launched using tcpwrappers will check the
> > /etc/hosts.* files for access permissions.
> >
> > You can use tcpdchk to analyze your wrapper config:
>
> That's not strictly true. Anything that uses libwrap uses it, which includes
> recent versions of OpenSSH (at least on Red Hat Linux - I believe it's a
> compile-time option).
>
> PDG
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> ----------------------------------------------------------------------------

This archive was generated by hypermail 2b30 : Fri Dec 14 2001 - 09:18:49 PST
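
Added example, not part of the original thread: a small Python model of how the hosts.deny / hosts.allow pair quoted above is evaluated (allow file first, then deny file, otherwise grant), and of the point that a daemon not using tcpwrappers or libwrap never consults the files. It covers only a subset of the hosts_access(5) syntax (ALL, exact IPv4 address, trailing-dot prefix, net/mask; no EXCEPT, hostnames or shell commands); the address 192.0.2.10 is a constructed stand-in for www.xxx.yyy.zzz, and the function names and the `uses_libwrap` parameter are hypothetical.

```python
import ipaddress

# Constructed sample files; 192.0.2.10 stands in for the thread's www.xxx.yyy.zzz.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "sshd: 192.0.2.10\n"

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]  # a third field (option) is ignored
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr):
    """Match one client pattern against an IPv4 address string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):      # address prefix such as "192.0.2."
        return addr.startswith(pattern)
    if "/" in pattern:             # net/mask such as 192.0.2.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr

def matches(rules, daemon, addr):
    """True if any rule names the daemon (or ALL) and a matching client."""
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, addr) for p in clients)
               for daemons, clients in rules)

def access_allowed(daemon, addr, allow_text, deny_text, uses_libwrap=True):
    """hosts.allow is searched first, then hosts.deny; no match grants access."""
    if not uses_libwrap:           # hypothetical flag: daemon never reads the files
        return True
    if matches(parse_rules(allow_text), daemon, addr):
        return True
    return not matches(parse_rules(deny_text), daemon, addr)

if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.7"):
        print(addr, access_allowed("sshd", addr, HOSTS_ALLOW, HOSTS_DENY),
              access_allowed("sshd", addr, HOSTS_ALLOW, HOSTS_DENY, uses_libwrap=False))
```

The last column of the output is the case to watch for: with `uses_libwrap=False` the unlisted address is accepted even though hosts.deny says `ALL: ALL`, which is why a packet filter in front of the daemon is recommended earlier in the thread.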