3/12 sshd has got vulnerabilities, fixes, and potential future
vulnerabilities. If I TCP wrap and use hosts.allow/deny for sshd
and other apps, so only listed hosts can connect, does that prevent
intruders from exploiting future holes?
That is, as long as it's TCP-wrapped or restricted by hosts.* files,
even if I was running an exploitable version of sshd, nobody can
break in via sshd, true?
Same with all inetd.conf daemons, right? I only run one.
(This assumes the hosts in my hosts.allow file are secure)
\_ Here is a thought. Run sshd on a high number port as sshd rather
than root. Then use your fw/nat/pat box redir 22 to the high
number port. This way even if there is a breakin, they don't
get root (assuming root can't login via ssh).
\_ Assuming no holes in tcpwrappers, probably. ssh uses libwrap,
which is a little different than being wrapped in inetd.conf,
and possibly is less secure. -tom
\_ why don't you just upgrade/patch ssh?
\_ "potential future vulnerabilities", i.e. undiscovered bugs.
\_ well then, why don't you just remove ssh. even safer,
unplug your machine from the net. Nothing safer from network
attacks than an airwall.
\_ You're an idiot. -tom
\_ No s/he has a point. If the OP is so afraid of being on
the net that they want to be 'safe' from the future,
they're on the wrong net. They need to power down and
go read a book in a park if they want that level of
safety. No one can protect your net from unknown future
bugs. If it was that easy everyone would be doing it.
Of course it's much easier to just post "You're an
idiot." because that requires no thought or effort. -i2
\_ Oh, and posting "disconnect from the net if you
want to feel safe" requires effort? Guess what--
you're an idiot, too. -tom
\_ i don't give a rat's ass about this thread,
i'm just going to point out that tom has
proven himself to be a total idiot about
a hundred times over on the motd.
\_ Does that include his anonymous postings?
\_ clearly you're dead to sarcasm.
\_ "Sarcasm is hard! Let's go shopping!"
\_ The post above by "i2" is not sarcasm. If you
are i2 then you are a liar, if you are not
then, Guess what -- -!tom
\_ Wow... let it go. Time to move on. Try
Prozac or Ritalin or something.
\_ IP Spoofing isn't that hard and you will also need to ensure
all of the hosts in your list are never compromised. If you are
concerned about security you need to set up your network in
a manner that is secure.
\_ Isn't the known hole in ssh quite hard to exploit?
\_ Yes, and that too only if you have a local account
with a valid passwd and shell.
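A worked illustration of the hosts.allow/hosts.deny check the original poster is asking about, written for this page rather than taken from the thread: it reimplements the tcp_wrappers lookup order in Python (assumed simplifications: IPv4 only, no EXCEPT operator, option fields ignored) over a constructed rule set, and shows that the decision rests on nothing but the peer address, which is the point of the IP-spoofing reply above.

```python
import ipaddress

# Constructed example rule set (not from the thread): what a libwrap-aware
# sshd consults at connect time, before any authentication code runs.
HOSTS_ALLOW = """
# daemon_list : client_list
sshd: 192.168.1.0/255.255.255.0, 10.0.0.
"""
HOSTS_DENY = """
ALL: ALL
"""

def parse_rules(text):
    """Parse 'daemon_list : client_list [: options]' lines into (daemons, clients)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, ip):
    """tcp_wrappers client patterns: ALL, trailing-dot prefix, net/mask, exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # e.g. "10.0.0." matches 10.0.0.x
        return ip.startswith(pattern)
    if "/" in pattern:                        # e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern

def access_granted(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Lookup order: a match in hosts.allow grants, else a match in hosts.deny
    refuses, else access is granted. Only the reported peer IP is consulted, so a
    spoofed source or a compromised listed host passes this check unchanged."""
    def hit(text):
        return any((daemon in ds or "ALL" in ds) and any(client_matches(c, ip) for c in cs)
                   for ds, cs in parse_rules(text))
    if hit(allow):
        return True
    if hit(deny):
        return False
    return True                               # no rule matched: default is allow

if __name__ == "__main__":
    for host in ("192.168.1.20", "10.0.0.7", "203.0.113.9"):
        print(host, "->", "allow" if access_granted("sshd", host) else "deny")
```

Note that with an empty hosts.deny the unlisted host is let through, so the `ALL: ALL` deny line is what actually restricts sshd to the listed networks.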