Minimal Install Option
Pekka Savola
pekkas at netcore.fi
Thu Aug 21 18:23:38 UTC 2003
On Thu, 21 Aug 2003, Chris Ricker wrote:
> On Thu, 21 Aug 2003, Pekka Savola wrote:
>
> > On Thu, 21 Aug 2003, Chris Ricker wrote:
> > > > I'm not sure you are disagreeing with me here. Are you saying don't
> > > > remote log in to a firewall at all, or are you agreeing with me?
> > >
> > > I'm disagreeing. The last thing a fw should do is run a service, let
> > > alone one with the security history of ssh.... Manage over serial.
> >
> > Disagree. Set your access controls in /etc/hosts.allow for sshd and you're
> > done :-)
>
> and then join the OpenSSL / OpenSSH exploit train.... No, thanks!
I'm puzzled by this point. These would be local vulnerabilities. There
will always be those, and they can be mitigated by keeping the system
up-to-date.
If you haven't heard, hosts.allow activates the access controls very, very
early in the process. You really can't exploit OpenSSH using that: 1) no
SSH protocol processing happens before that, and 2) no input is received
or processed before that.
You rely on tcp-wrappers though, but you can reinforce that by a firewall
rule if you want to.
Oh wait, then you join the iptables vulnerability train! :-)
--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
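The thread's point is that a hosts.allow rule for sshd is evaluated as soon as the connection is accepted, before any SSH protocol input is read, so a restrictive client list keeps untrusted hosts away from the daemon's parser entirely. The following is an added illustration, not code from the thread or from tcp_wrappers: a small Python evaluator for a subset of the hosts_access(5) syntax (daemon list, client list with exact addresses, dotted IPv4 prefixes, CIDR blocks, ALL and EXCEPT) applying the real lookup order (hosts.allow first, then hosts.deny, otherwise permit). The rule files, addresses and daemon names are constructed examples.

```python
"""Evaluator for a subset of tcp_wrappers-style hosts.allow / hosts.deny rules.

Supported: daemon lists, client lists with exact IPv4 addresses, dotted
prefixes such as '192.168.1.', CIDR blocks, the ALL wildcard and EXCEPT.
Lookup order follows hosts_access(5): a match in hosts.allow permits, a
match in hosts.deny refuses, and no match at all permits (the reason a
catch-all 'ALL: ALL' belongs in hosts.deny).
"""
import ipaddress

# Constructed sample files (not from the thread): sshd is reachable only
# from a LAN prefix and a private /8, minus one excluded host.
HOSTS_ALLOW = """
# management hosts may reach sshd
sshd: 192.168.1. 10.0.0.0/8 EXCEPT 10.99.99.99
"""
HOSTS_DENY = """
# everything else, for every wrapped daemon, is refused
ALL: ALL
"""


def _client_matches(pattern, client):
    """Match one client pattern against a dotted IPv4 client address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if "/" in pattern:  # CIDR block, e.g. 10.0.0.0/8
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # dotted prefix, e.g. 192.168.1.
        return client.startswith(pattern)
    return client == pattern


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _list_matches(spec, value, matcher):
    """Evaluate a 'a b c EXCEPT d e' list: included by a, b or c and not by d or e."""
    parts = spec.replace(",", " ").split()
    if "EXCEPT" in parts:
        i = parts.index("EXCEPT")
        included, excluded = parts[:i], parts[i + 1:]
    else:
        included, excluded = parts, []
    return any(matcher(p, value) for p in included) and not any(
        matcher(p, value) for p in excluded)


def _rules(text):
    """Yield (daemon_list, client_list) for each non-comment rule line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line; tcp_wrappers would log and skip it
        yield fields[0].strip(), fields[1].strip()  # any third field (shell command) is ignored


def _file_matches(text, daemon, client):
    return any(_list_matches(d, daemon, _daemon_matches)
               and _list_matches(c, client, _client_matches)
               for d, c in _rules(text))


def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return True if the connection would be permitted, False if refused."""
    if _file_matches(allow, daemon, client):
        return True
    if _file_matches(deny, daemon, client):
        return False
    return True  # no rule matched: access granted


if __name__ == "__main__":
    for daemon, client in [("sshd", "192.168.1.20"), ("sshd", "10.99.99.99"),
                           ("sshd", "203.0.113.7"), ("ftpd", "192.168.1.20")]:
        print(daemon, client, "allowed" if hosts_access(daemon, client) else "refused")
```

Passing an empty string as the deny file shows the failure mode a practitioner should check for: with no catch-all in hosts.deny, an address that matches nothing in hosts.allow is still permitted. The packet-filter rule the message mentions as reinforcement would restrict the same source ranges on port 22 in front of sshd, so a problem in either layer alone does not expose the daemon.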
More information about the fedora-test-list mailing list