Bringing back tcp wrappers

Saint Michael venefax at gmail.com
Thu Jun 24 02:27:23 AEST 2021


I use iptables, but all my servers have public IPs, for we do
telecommunications. If my firewall is down for any reason and I don't catch
it, they will hack me. I don't know how they do it, for I have password
authentication disabled, but they hack me and it's always via CentOS 7
machines. But OpenSSH in CentOS 7 is so old that it cannot communicate with
newer machines; they cannot agree on protocols and ciphers, etc. So I am
trying to compile the latest OpenSSH on CentOS 7, but there is no libwrap support. The
perfect storm.
They have been installing Bitcoin miners right and left. I think that they
penetrate a single box that is left with password authentication =yes, and
do a lateral infection. The only failsafe solution is to use hosts.allow.
They can take down a power plant with this technique. To remove libwrap was
a completely irresponsible move.

On Wed, Jun 23, 2021 at 12:19 PM Brian Candler <b.candler at pobox.com> wrote:

> On 23/06/2021 17:03, Saint Michael wrote:
> > I got hacked in 72 servers this week, they installed Bitcoin miners.
>
> Are you saying this happened through opensshd?
>
> What specifically was the cause: do you allow password authentication
> for example?
>
> You can control this by IP address with "Match" clauses in sshd_config.
> For example:
>
> PasswordAuthentication no
>
> Match Address 10.0.0.0/8,fc00::/7
> PasswordAuthentication yes
>
> This will allow passwords only from the 10.0.0.0/8 and fc00::/7
> networks, forcing connections from the Internet to use a proper
> authentication mechanism (e.g. keys)
>
>
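
A way to audit which source addresses still get password authentication under the quoted `Match Address` configuration, given as an added example that is not part of the original thread or of OpenSSH. The function names and the sample are constructed here; the sketch assumes only `Match Address` blocks with CIDR or plain-address patterns and rejects any other `Match` criteria rather than guessing.

```python
import ipaddress

# Constructed sample: the configuration quoted in the message above.
SAMPLE = """\
PasswordAuthentication no

Match Address 10.0.0.0/8,fc00::/7
    PasswordAuthentication yes
"""

def addr_matches(patterns, ip):
    """Evaluate a comma-separated Address list (CIDR or single address, '!' negates)."""
    ip = ipaddress.ip_address(ip)
    hit = False
    for pat in patterns.split(","):
        net = ipaddress.ip_network(pat.lstrip("!"), strict=False)
        if ip.version == net.version and ip in net:
            if pat.startswith("!"):
                return False          # a negated match always rejects
            hit = True
    return hit

def password_auth(config, ip):
    """Return True if PasswordAuthentication is effectively 'yes' for source ip."""
    global_val = match_val = None
    in_match = active = False
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key = words[0].lower()
        if key == "match":
            if len(words) != 3 or words[1].lower() != "address":
                raise ValueError("only 'Match Address <list>' is modelled: " + raw)
            in_match, active = True, addr_matches(words[2], ip)
        elif key == "passwordauthentication" and len(words) > 1:
            val = words[1].lower() == "yes"
            if in_match and active and match_val is None:
                match_val = val       # first matching block that sets it wins
            elif not in_match and global_val is None:
                global_val = val      # first global value wins
    if match_val is not None:
        return match_val              # a matching block overrides the global section
    return True if global_val is None else global_val  # sshd's default is yes
```

On a live host, `sshd -T -C user=root,host=example,addr=203.0.113.5` prints the settings the real parser resolves for that connection, which is the authoritative check.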


More information about the openssh-unix-dev mailing list