Minimal Install Option

Pekka Savola pekkas at netcore.fi
Fri Aug 22 04:47:44 UTC 2003


On Thu, 21 Aug 2003, Chris Ricker wrote:
> On Thu, 21 Aug 2003, Pekka Savola wrote:
> 
> > > and then join the OpenSSL / OpenSSH exploit train.... No, thanks!
> > 
> > I'm puzzled by this point.  These would be local vulnerabilities.  There 
> > will always be those, and it can be mitigated by keeping the system 
> > up-to-date.
> 
> Not so. They're remote exploits from anywhere which can connect to OpenSSH.

You really can't "connect to OpenSSH" before hosts.allow kicks in.
 
> > If you haven't heard, hosts.allow activates the access controls very, very 
> > early in the process.  You really can't exploit OpenSSH using that: 1) no 
> > SSH protocol processing happens before that, and 2) no input is received 
> > or processed before that.
> 
> a) tcp wrappers is circumventable. How easily depends on how it's 
> configured....

Users can always misconfigure their systems.  Having IP addresses there is 
pretty bulletproof, and DNS is also OK.

> b) you're still attackable from any place you list in hosts.allow, even if 
> tcp wrappers isn't being bypassed. firewalls can be attacked from inside as 
> well as from out....

Only a fool would allow every internal IP to connect to the firewall.  You 
add your firewall manager workstations or network management hosts there 
and be done with it.  If someone breaks into those first, then you're in 
pretty deep shit anyway.

-- 
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
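The exchange above turns on how narrow a hosts.allow entry for sshd really is: literal IP addresses and small netblocks only admit the management hosts you listed, individual DNS names add a dependency on name resolution, and domain wildcards or ALL open the daemon to far more than "your firewall manager workstations". The following script is an added illustration of that distinction, not code from the thread or from tcp_wrappers. It parses a constructed hosts.allow snippet (IPv4 patterns and plain comma-separated client lists only; EXCEPT clauses, netgroups and bracketed IPv6 forms are not handled), classifies each client pattern that applies to sshd, and labels it with a risk level whose thresholds are this example's own choice.

```python
"""Audit the sshd client patterns in a tcp_wrappers hosts.allow file.

Added example: classifies each client pattern as a literal address, a
netblock, a DNS name, a DNS domain wildcard or a tcp_wrappers wildcard,
so that overly broad entries stand out during review.
"""
import ipaddress
import re

# Constructed sample hosts.allow content; it is not taken from the message
# or from any real system.
SAMPLE_HOSTS_ALLOW = """\
# firewall management workstations only
sshd: 192.0.2.10, 192.0.2.11
sshd: 198.51.100.0/255.255.255.0
sshd: nms.example.net
sshd: .example.net
sshd: ALL
"""

# tcp_wrappers keywords that match whole classes of clients.
WILDCARDS = {"ALL", "LOCAL", "KNOWN", "UNKNOWN", "PARANOID"}


def classify_client(pattern):
    """Map one client pattern to (kind, count).

    count is the number of IPv4 addresses the pattern can match, or None
    when that cannot be known from the pattern alone (DNS or wildcard).
    """
    p = pattern.strip()
    if p.upper() in WILDCARDS:
        return "wildcard", None
    if "/" in p:  # net/mask, with the mask in dotted or prefix-length form
        try:
            net = ipaddress.ip_network(p, strict=False)
        except ValueError:
            return "invalid", None
        return "ip-network", net.num_addresses
    if re.fullmatch(r"(\d{1,3}\.){1,3}", p):  # '192.0.2.' style prefix
        return "ip-prefix", 256 ** (4 - p.count("."))
    try:
        ipaddress.ip_address(p)
        return "ip-address", 1
    except ValueError:
        pass
    if p.startswith("."):  # '.example.net' matches every host in the domain
        return "dns-domain", None
    return "dns-name", None


def rate(kind, count):
    """Assign a risk label; the thresholds are this example's assumption."""
    if kind in ("wildcard", "invalid", "dns-domain"):
        return "high"
    if kind in ("ip-network", "ip-prefix") and count > 256:
        return "medium"
    return "low"  # single addresses, small netblocks, individual DNS names


def audit_hosts_allow(text, daemon="sshd"):
    """Return one finding per client pattern that applies to `daemon`."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split(":")  # daemon_list : client_list [ : option ]
        if len(fields) < 2:
            continue
        daemons = [d.strip() for d in fields[0].split(",")]
        if daemon not in daemons and "ALL" not in daemons:
            continue
        for pattern in fields[1].split(","):
            pattern = pattern.strip()
            if not pattern:
                continue
            kind, count = classify_client(pattern)
            findings.append({"pattern": pattern, "kind": kind,
                             "count": count, "risk": rate(kind, count)})
    return findings


if __name__ == "__main__":
    for f in audit_hosts_allow(SAMPLE_HOSTS_ALLOW):
        print(f"{f['risk']:6} {f['kind']:11} {f['pattern']}")
```

Run against the sample, the two literal addresses, the /24 and the single hostname come out "low", while `.example.net` and `ALL` are flagged "high": exactly the entries that would let hosts other than the named management workstations reach sshd at all.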

More information about the fedora-test-list mailing list