
OpenSSH 6.7 will bring socket forwarding and more

Posted Aug 28, 2014 15:35 UTC (Thu) by RobSeace (subscriber, #4435)
Parent article: OpenSSH 6.7 will bring socket forwarding and more

The problem with removing libwrap support is that it effectively makes things like DenyHosts useless... Unless it's changed to now modify sshd_config instead of hosts.deny, or you have to run some other thing that copies the new entries from hosts.deny into the sshd_config... And, wouldn't you need to hit sshd with SIGHUP after every change to get it to reload its config?

There's really something to be said for the simplicity and centralization of having everything check "/etc/hosts.{allow,deny}" without every server needing its own separate way of blocking hosts... Sure, they can still have their own more flexible and superior methods too, if they like, but I see no reason to remove support for libwrap in addition to those...
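The hosts.deny workflow this post describes, as an added example that is not DenyHosts' own code: count "Failed password" events per source in some constructed sshd log lines, emit hosts_access(5) entries in the `sshd: <address>` form, and merge them into an existing file without duplicates. Since libwrap re-reads /etc/hosts.deny on every connection, the new entries take effect without the SIGHUP that an sshd_config change would need; the log lines, addresses (RFC 5737 documentation ranges) and the threshold of 3 are all assumptions.

```python
import re
from collections import Counter

# Constructed sample auth-log lines (not taken from the page).
SAMPLE_LOG = """\
Aug 28 18:14:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 28 18:14:03 host sshd[1235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Aug 28 18:14:04 host sshd[1236]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Aug 28 18:14:05 host sshd[1237]: Failed password for rob from 198.51.100.7 port 40000 ssh2
Aug 28 18:14:09 host sshd[1238]: Accepted publickey for rob from 198.51.100.7 port 40002 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." and captures the source.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+")


def failed_logins_per_source(log_text):
    """Count 'Failed password' events per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def hosts_deny_entries(counts, threshold):
    """hosts_access(5) lines ('sshd: <addr>') for sources at or over threshold."""
    return [f"sshd: {addr}" for addr, n in sorted(counts.items()) if n >= threshold]


def merge_hosts_deny(existing_text, new_entries):
    """Append only entries not already present; existing lines are kept as-is."""
    present = {line.strip() for line in existing_text.splitlines()}
    lines = existing_text.rstrip("\n").splitlines() if existing_text.strip() else []
    for entry in new_entries:
        if entry not in present:
            lines.append(entry)
            present.add(entry)
    return "\n".join(lines) + "\n" if lines else ""


if __name__ == "__main__":
    existing = "# constructed existing hosts.deny\nsshd: 192.0.2.9\n"
    counts = failed_logins_per_source(SAMPLE_LOG)
    print(merge_hosts_deny(existing, hosts_deny_entries(counts, threshold=3)), end="")
```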


OpenSSH 6.7 will bring socket forwarding and more

Posted Aug 28, 2014 16:00 UTC (Thu) by rahulsundaram (subscriber, #21946)

I would suggest replacing denyhosts with things like fail2ban.

OpenSSH 6.7 will bring socket forwarding and more

Posted Aug 28, 2014 16:02 UTC (Thu) by cortana (subscriber, #24596)

OTOH there is something to be said for less code--it means fewer bugs/vulnerabilities, and easier maintenance. Particularly when it comes to a feature that is redundant to what you get from pam_access, iptables, systemd and probably others.

OpenSSH 6.7 will bring socket forwarding and more

Posted Aug 28, 2014 17:26 UTC (Thu) by raven667 (subscriber, #5198) (5 responses)

I would say that libwrap is useless for modern systems; it was a great stopgap in the early '90s but there are better protocols these days that make more sense. For SSH there is no reason it can't be open to the world as long as your authentication infrastructure is up to the task. Elsewhere in LWN there is an article about how kernel.org implemented two-factor authentication for SSH and Git repos which are open to the world. kernel.org has to defend itself against well-funded nation-state attackers and has notoriously cantankerous developers; their security is probably good enough for your use case.

I think we need to design any new systems to be connected to the whole Internet and think through what that means for security, without relying on crutches like IP-address whitelists and PTR/A record matches.

OpenSSH 6.7 will bring socket forwarding and more

Posted Aug 28, 2014 18:14 UTC (Thu) by RobSeace (subscriber, #4435) (4 responses)

As anyone who has run a wide open SSH server knows, it's going to get regularly pounded on by automated password-guessing worms who try various common user names... Sure, if you aren't even allowing password-based logins, you're safe in that they'll never succeed in getting in... But, what they CAN do is effectively DOS you, by tying up all of sshd's configured outstanding unauthed connections, so no legit users can get in until the worm is finished (or if they're lucky enough to squeeze in between the time one worm connection closes and another one can start up)... Plus, they just waste your bandwidth... Better to nip them in the bud ASAP and send them packing than to let them keep hammering futilely on the server, IMHO... That's why I've always liked DenyHosts... Fail2ban would probably be a good replacement, using iptables instead of hosts.deny, but I'm just more familiar with DenyHosts having used it for years, and rather like the simple hosts.deny approach over firewall rules... But, I suppose I'll get over it if and when I ever need to use a system running a libwrap-less sshd...

OpenSSH 6.7 will bring socket forwarding and more

Posted Aug 28, 2014 18:54 UTC (Thu) by raven667 (subscriber, #5198) (1 response)

You can do rate-limiting at the IPTables level but even that wouldn't work against a dedicated DDoS, but then nothing you do on your end could work against a DDoS, they need to be blocked upstream of your network anyway. There is probably not much value in worrying excessively about possibilities which aren't likely and widespread, there are far more password guessing bots driven by organized crime or nation-states than drive-by DoS'ers and hooligans anymore.

OpenSSH 6.7 will bring socket forwarding and more

Posted Aug 28, 2014 19:36 UTC (Thu) by RobSeace (subscriber, #4435)

I didn't mean that their intention was to DOS you... I think it's just sloppy bot coding, where they ruthlessly make as many simultaneous connections as possible, each trying different username/password combinations... The DOS is just a side effect of the password-guessing attempt... I've seen it in action before, where legit users were getting booted when trying to connect, and it turned out some stupid automated attack was managing to hold all the outstanding unauthed connections sshd was configured to allow (I think 10 is the default, so it's really not difficult to hit that limit)... If the attack is coming from a single IP, then the DenyHosts thing works very well at stopping that crap in its tracks very quickly... If it's coming from multiple IPs via a botnet, it's still helpful, and I don't care if a compromised end-user host is blocked, because if they're compromised I don't want them connecting to my server!

Yes, there are other approaches that can work too, as I said, but I just really like the simple hosts.deny approach...
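The pre-auth connection limit discussed in this sub-thread is sshd's MaxStartups. Besides a plain number, sshd_config(5) accepts a `start:rate:full` form that refuses new unauthenticated connections with probability rate% once `start` are pending, rising linearly to 100% at `full`. The model below is an added example, not sshd's code: it reproduces that integer-arithmetic ramp and simulates a burst of never-completing bot connections to show how many slots a legitimate user still finds open; the burst sizes and the seeded RNG are assumptions.

```python
import random


def parse_max_startups(value):
    """Parse a MaxStartups value: 'N' or 'start:rate:full'.
    The plain form is modelled as start=full=N, i.e. refuse everything once N are pending."""
    parts = value.split(":")
    if len(parts) == 1:
        n = int(parts[0])
        return n, 100, n
    start, rate, full = (int(p) for p in parts)
    if not (0 < start <= full and 1 <= rate <= 100):
        raise ValueError(f"bad MaxStartups: {value!r}")
    return start, rate, full


def drop_probability(pending, start, rate, full):
    """Percent chance that the next unauthenticated connection is refused
    when `pending` connections are already waiting for authentication:
    0 below `start`, `rate` at `start`, linear ramp to 100 at `full`."""
    if pending < start:
        return 0
    if pending >= full:
        return 100
    return rate + (100 - rate) * (pending - start) // (full - start)


def simulate_bot_burst(value, bot_connections, rng=None):
    """Offer `bot_connections` pre-auth connections that never authenticate or
    close.  Returns (slots the bots hold, drop % the next real client faces)."""
    rng = rng or random.Random(0)   # seeded so runs are reproducible (assumption)
    start, rate, full = parse_max_startups(value)
    pending = 0
    for _ in range(bot_connections):
        if rng.randrange(100) >= drop_probability(pending, start, rate, full):
            pending += 1
    return pending, drop_probability(pending, start, rate, full)


if __name__ == "__main__":
    # Plain "10": ten sloppy bot sockets lock every legitimate user out.
    print("MaxStartups 10        ->", simulate_bot_burst("10", 50))
    # "10:30:100": the bots still get in, but each extra one is likelier to be
    # refused, so a real client keeps a (shrinking) chance until 100 are pending.
    print("MaxStartups 10:30:100 ->", simulate_bot_burst("10:30:100", 50))
```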

OpenSSH 6.7 will bring socket forwarding and more

Posted Aug 30, 2014 12:59 UTC (Sat) by jsanders (subscriber, #69784) (1 response)

I don't know why more people don't use pam_abl - it doesn't have all this messy handling of iptables and cleanly prevents logins.

OpenSSH 6.7 will bring socket forwarding and more

Posted Oct 8, 2014 18:17 UTC (Wed) by smurf (subscriber, #17840)

pam_abl does not make sense if you don't even allow password logins.

Using password logins on the open Internet is not a good idea without additional safety measures; anybody who watches you type (or has installed a keylogger) can now grab your login.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds