[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Apr 2024 09:29:33 -0400 (EDT)
From: Stuart D Gathman <stuart@...hman.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: xz backdoor prevention using hosts.deny?
On Wed, 3 Apr 2024, Nick Sal wrote:
> Assume we filter SSH access only to a public domain subnet using the files hosts.{deny,allow} as seen below.
> Would this prevent an attack if a malicious payload was *not* sent from the allowed subnet?
1. Clearnet IPs can be forged. I use ips on IPv6 meshnets with
authenticated IPs (Cjdns, yggdrasil, pinecone, etc). In addition
to an actually authenticated IP, the clearnet IP can be anywhere,
so access while traveling is still supported. Be sure to use disk
encryption in case your laptop is lost/stolen (thereby compromising
the private key to the authenticated IP).
2. hosts.allow/deny is not supported in many linux distros. However,
/etc/ssh/sshd_config allows:
AllowUsers root@...3:cb03:318e:5dd9:651a:5c2f:b09c:9d4e
and so on for as many users@ips as are needed. (fc00::/8 is the
IPv6 net used by cjdns)
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
