Bringing back tcp wrappers

Jochen Bern Jochen.Bern at binect.de
Thu Jun 24 04:29:06 AEST 2021


On 23.06.21 20:12, Saint Michael wrote:
> I use a non-standard port and they apparently broke a server in an
> external datacenter, analyzed history, used the same ssh command with
> ad-hoc port number. The box was connected passwordlessly to all my important
> boxes and Zas!, Bitcoin miners all over the company.

Well, if you got hacked through some legitimately *trusted* external
machine that is *required* to be able to do unattended logins, I don't
quite see how TCP Wrappers could have prevented that ...

(In the meantime, I remembered that there's a "traditional" way to put
some service under TCP Wrappers, as long as it can run under an inetd;
CentOS 7's repos offer a package tcp_wrappers that contains the required
/usr/sbin/tcpd . But I suppose that OpenSSH sshd doesn't have inetd mode
support, either, even if someone were willing to sacrifice the builtin
rate limiting etc. in favor of TCP Wrappers ... ?)

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
