OpenSSH with tcpwrappers

Post by ozone » Tue Feb 14, 2006 9:42 am

I looked through the SGI freeware collection and the Neko one and I can't seem to find a package of OpenSSH using tcp_wrappers (ftp://ftp.porcupine.org/pub/security/index.html). I also searched the forum and could not find any match; if I missed something, please just point me in the right direction and I won't bother you anymore.

On the other hand, if this combination really doesn't exist, I would like to ask why. This seems sensible and most Linux distributions these days have it. The reason why I ask for it is that I would like to use an automated ssh user/pass scan recognition tool (like http://denyhosts.sourceforge.net) that would add the hosts to block to /etc/hosts.deny which would then be checked by the ssh daemon via the tcp_wrappers lib for any new connection. As I don't run much of anything else on the computer in terms of network servers, it makes no sense to me to do packet filtering, putting some load anytime there is network traffic on the already CPU starved SGI machines that I have.

Thanks for any insight!
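
The scheme described in the post above (a log watcher that appends offending hosts to /etc/hosts.deny, which a libwrap-enabled sshd consults on each new connection), sketched as an added example that is not part of the thread and is not DenyHosts' own code. The log lines, the host name "octane", the threshold and all function names are constructed or hypothetical; it assumes one `sshd: <host>` rule per line in hosts.deny.

```python
import re
from collections import Counter

# sshd's failure message ends in "from <addr> port <n> ssh2". The greedy ".+" and
# the "$" anchor pick the address sshd appended, not text inside the user name.
FAILED = re.compile(r"sshd\[\d+\]: Failed password for .+ from "
                    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh\d)?\s*$")
ENTRY = re.compile(r"^\s*sshd\s*:\s*(\S+)")  # an existing "sshd: <host>" rule

# Constructed sample log (documentation addresses, hypothetical host "octane").
SAMPLE_LOG = """\
Feb 14 09:40:01 octane sshd[311]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2
Feb 14 09:40:03 octane sshd[312]: Failed password for root from 203.0.113.5 port 4243 ssh2
Feb 14 09:40:05 octane sshd[313]: Failed password for invalid user a from 10.0.0.1 port 22 from 203.0.113.5 port 4244 ssh2
Feb 14 09:41:10 octane sshd[320]: Failed password for root from 198.51.100.7 port 5101 ssh2
Feb 14 09:41:12 octane sshd[321]: Failed password for root from 198.51.100.7 port 5102 ssh2
Feb 14 09:41:14 octane sshd[322]: Failed password for root from 198.51.100.7 port 5103 ssh2
Feb 14 09:42:00 octane sshd[330]: Failed password for ozone from 192.0.2.10 port 6001 ssh2
Feb 14 09:42:09 octane sshd[331]: Accepted password for ozone from 192.0.2.10 port 6002 ssh2
"""
# Constructed current contents of /etc/hosts.deny.
SAMPLE_HOSTS_DENY = "# maintained by the log watcher\nsshd: 198.51.100.7\n"

def failed_hosts(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def already_denied(hosts_deny_text):
    """Hosts that already have an sshd rule in hosts.deny."""
    found = (ENTRY.match(line) for line in hosts_deny_text.splitlines())
    return {m.group(1) for m in found if m}

def new_deny_lines(log_text, hosts_deny_text, threshold=3, never_block=()):
    """tcp_wrappers rules to append: over threshold, not yet denied, not exempt."""
    denied = already_denied(hosts_deny_text)
    return [f"sshd: {host}"
            for host, n in sorted(failed_hosts(log_text).items())
            if n >= threshold and host not in denied and host not in never_block]

if __name__ == "__main__":
    print("\n".join(new_deny_lines(SAMPLE_LOG, SAMPLE_HOSTS_DENY)))
```

The third sample line carries an address inside the user name field; anchoring the match at the end of the line keeps 10.0.0.1 out of the counts, and `never_block` keeps the administrator's own hosts from being locked out.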

Post by nekonoko » Tue Feb 14, 2006 9:50 am

Grab GCC and compile your own - that's usually the best bet when you need specialized features.
Twitter: @neko_no_ko
IRIX Release 4.0.5 IP12 Version 06151813 System V
Copyright 1987-1992 Silicon Graphics, Inc.
All Rights Reserved.

Post by ozone » Tue Feb 14, 2006 10:06 am

Thanks for the very fast reply, but I was hoping for a different answer :D

I already have gcc installed and could do what you suggested, but I wanted to avoid it as I have several machines that need it and a tardist installation would have been much nicer long term from the administration point of view... It goes without saying that I never made a tardist myself.

Post by squeen » Tue Feb 14, 2006 10:27 am

I use ipfilterd instead on IRIX. It's on the system CDs.

Post by joerg » Tue Feb 14, 2006 11:00 am

squeen wrote: I use ipfilterd instead on IRIX. It's on the system CDs.


What's the difference between ipf and ipfilterd?

regards
Joerg

Post by ozone » Thu Feb 16, 2006 6:00 am

ipfilterd falls under the "it makes no sense to me to do packet filtering" category that I mentioned in the original post. From the man page of ipfilterd:

Ipfilterd is a networking daemon that screens all inbound packets that use the Internet Protocol (IP).


which is precisely what I wish to avoid. Using tcp_wrappers makes only ssh connections from the blocked hosts be rejected, for a much smaller overall system impact.

Post by squeen » Thu Feb 16, 2006 6:15 am

joerg wrote:
squeen wrote: I use ipfilterd instead on IRIX. It's on the system CDs.


What's the difference between ipf and ipfilterd?

regards
Joerg


ipfilterd is on the IRIX system CDs (optional install, add to chkconfig). I don't know what ipf is, but there's an open source package at http://www.sgi.com/products/evaluation/ that was released more recently (and conflicts). Is that what you mean by ipf?

@ozone: Oh, I see. If you have trouble compiling wrappers, just post a report. Folks here may be able to help.

Post by joerg » Thu Feb 16, 2006 11:29 am

squeen wrote:
joerg wrote:
squeen wrote: I use ipfilterd instead on IRIX. It's on the system CDs.


What's the difference between ipf and ipfilterd?

regards
Joerg


ipfilterd is on the IRIX system CDs (optional install, add to chkconfig). I don't know what ipf is, but there's an open source package at http://www.sgi.com/products/evaluation/ that was released more recently (and conflicts). Is that what you mean by ipf?

Yes, that's the 'ipf' I mean. I have used it for years because I need some protection after connecting my IRIX machines to the i-net.


regards
Joerg

Post by Annatar » Tue Feb 21, 2006 10:06 am

ozone wrote: I looked through the SGI freeware collection and the Neko one and I can't seem to find a package of OpenSSH using tcp_wrappers (ftp://ftp.porcupine.org/pub/security/index.html). I also searched the forum and could not find any match; if I missed something, please just point me in the right direction and I won't bother you anymore.

On the other hand, if this combination really doesn't exist, I would like to ask why. This seems sensible and most Linux distributions these days have it.

Forget what the Linux geeks are doing; they're so clueless about computers that it's sickening.

If you'd like to lock the box down, I recommend you disable all unnecessary services, and control who has access to SSH via its internal facilities (/etc/ssh/sshd_conf), as well as IPFilter.

IPFilter is much more powerful and flexible than TCP wrappers could ever hope to be. TCP wrappers do a little more than give you a false sense of security, and are no replacement for proper security / system lockdown.

Post by Annatar » Tue Feb 21, 2006 10:15 am

squeen wrote: ipfilterd is on the IRIX system CDs (optional install, add to chkconfig). I don't know what ipf is, but there's an open source package at http://www.sgi.com/products/evaluation/ that was released more recently (and conflicts). Is that what you mean by ipf?

Looking at it, I'd say that's the one and the same; but it's an ancient revision (3.4.27), while the current IPF is at 4.1.10.

Post by DraconianTimes » Tue Feb 21, 2006 3:13 pm

Annatar wrote: If you'd like to lock the box down, I recommend you disable all unnecessary services, and control who has access to SSH via its internal facilities (/etc/ssh/sshd_conf), as well as IPFilter.

IPFilter is much more powerful and flexible than TCP wrappers could ever hope to be. TCP wrappers do a little more than give you a false sense of security, and are no replacement for proper security / system lockdown.


Amen to that. If you can, take it a step further by grabbing any old low power box (a 486 will do!) with a couple of network cards and install OpenBSD with pf. I run pf on an embedded Soekris box and it works wonders.

Nick

Post by foetz » Tue Feb 21, 2006 3:23 pm

Annatar wrote:
squeen wrote: ipfilterd is on the IRIX system CDs (optional install, add to chkconfig). I don't know what ipf is, but there's an open source package at http://www.sgi.com/products/evaluation/ that was released more recently (and conflicts). Is that what you mean by ipf?

Looking at it, I'd say that's the one and the same; but it's an ancient revision (3.4.27), while the current IPF is at 4.1.10.


it's an sgi custom version so you can't compare it directly.

Post by nekonoko » Wed Sep 27, 2006 3:22 pm

neko_openssh-4.4p1 is compiled against the system supplied libwrap.so.7 library and should do what you want.