Bringing back tcp wrappers

Jochen Bern Jochen.Bern at binect.de
Thu Jun 24 03:58:00 AEST 2021


On 23.06.21 18:27, Saint Michael wrote:
> I use iptables, but all my servers have public IPs, for we do
> telecommunications. If my firewall is down for any reason and I don't catch
> it, they will hack me.

1. You want to start doing that thing called "monitoring".

2. If by "firewall", you mean a unit *other* than the target machines,
from the moment it is "down", it should *NOT* allow any through traffic
to the targets (unless necessary to let an admin remote in to fix the
firewall problem).

3. Otherwise, i.e., all you have is the iptables on the target machines
themselves, you IMHO want to
-- have the sshd listen on a nonstandard port,
-- make the iptables, *if they are up and working*, NAT connection
attempts to port 22 to the real port, and
-- hand a "port cheat sheet" to the admins so that *they* can remote
into some machine to fix the iptables being "down".

I shall stop here with the details, though, because if you don't know
how you get (re)hacked, you don't know whether it's done *through SSH*
in the first place, either (and, if so, whether it's by weak passwords,
an authorized key hidden someplace during the first hack, etc. etc.).

> But OpenSSH in CentOS 7 is so old that it cannot communicate with
> newer machines, they cannot agree on protocols and ciphers, etc.

... out of interest, what's your reference standard there, since it
apparently surpasses even hardening guides like
https://www.ssh-audit.com/hardening_guides.html#rhel7 ... ?

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
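
Point 3 of the reply above, worked through as an added example (not code from the original post, from OpenSSH or from Binect): sshd listens only on a nonstandard port, an iptables NAT rule rewrites inbound port 22 to that port while the ruleset is loaded, and a small check tells monitoring when the rule is gone. The port number 2222, the admin user name and the plain-iptables (no firewalld) setup are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post or from OpenSSH: sshd on a
# nonstandard port, with an iptables NAT rule that rewrites inbound port 22
# to that port while the rules are loaded. If the ruleset is flushed, port 22
# goes dead but the real port (the "cheat sheet" port) still reaches sshd.
# Assumptions for illustration: the real port is 2222 and the rules are
# applied with plain iptables (no firewalld wrapper).

SSH_REAL_PORT="${SSH_REAL_PORT:-2222}"

# Directive for /etc/ssh/sshd_config: listen only on the real port.
sshd_config_snippet() {
    printf 'Port %s\n' "$SSH_REAL_PORT"
}

# NAT rule: incoming TCP/22 is rewritten to the real port before routing.
# REDIRECT only sees traffic arriving from the network (PREROUTING), so a
# local "ssh localhost" must already use -p $SSH_REAL_PORT.
nat_redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports %s\n' \
        "$SSH_REAL_PORT"
}

# Filter rule: after NAT the destination port is the real port, so INPUT
# must accept that port, not 22.
filter_accept_rule() {
    printf 'iptables -A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$SSH_REAL_PORT"
}

# Print (DRY_RUN=1, the default) or execute (DRY_RUN=0) the two rules.
apply_rules() {
    for cmd in "$(nat_redirect_rule)" "$(filter_accept_rule)"; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            eval "$cmd"
        fi
    done
}

# Monitoring hook: return 0 if an `iptables-save -t nat` dump still contains
# the redirect, 1 if it has been flushed (the "firewall is down" case).
redirect_present() {
    printf '%s\n' "$1" | grep -q -- "--dport 22 -j REDIRECT --to-ports $SSH_REAL_PORT"
}

# Constructed sample dump in iptables-save format so the check runs offline;
# on a real host call: redirect_present "$(iptables-save -t nat)"
SAMPLE_NAT_DUMP='*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 2222
COMMIT'

# Cheat-sheet line for the admins: how to reach a host once the NAT is gone.
# The user name "admin" is a placeholder.
cheat_sheet_line() {
    printf 'ssh -p %s admin@%s\n' "$SSH_REAL_PORT" "$1"
}
```

Two checks before relying on this: on CentOS 7 with SELinux enforcing, sshd will refuse to bind a port other than 22 until `semanage port -a -t ssh_port_t -p tcp 2222` has been run; and the NAT rule is reachability insurance for admins, not a hardening measure, since a scanner will find port 2222 just as easily as port 22.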
