On Wed, 20 May 2015 14:46:57 +0200 Peter Stuge <peter at stuge.se> wrote:

> Stephan von Krawczynski wrote:
> > it is pretty obvious
>
> I guess you're not only not subscribed to the development list, but
> you seem to also not have looked at the list archives.
>
> You can only seem like a troll if you act as if you know best but
> in fact you are wrong. It's up to you whether you want to risk that
> of course, but it's dangerous for your case.

Are you already preparing for having no arguments?

> > _not_ replaceable by your match-statement.
>
> This rhetoric makes it sound like it is very important for you to
> distance yourself from the OpenSSH developers. That may not be such
> a great strategy when you want someone to do something for you.
>
> The rationale is that firewall rules can replace libwrap and that
> removing libwrap removes a significant attack surface exposed to the
> network.

Show me this as an example of your firewall skills and replace this
hosts.allow entry:

sshd: .... : spawn (echo -e "%u@%h[%a] on `/bin/date`" to %d connected me | /bin/mail -s "hosts.allow entry XYZ" root) & : ALLOW

This is only example code, of course.

> > somebody will fork the project for sure.
>
> Go for it. I think uptake will be limited. I think your best bet will
> be for you to contribute modifications to your preferred distribution.

Negative. Wait and see.

> > you made the wrong decision. Please cc me in case as I am not
> > reading the list.
>
> If you had been reading the list you would already have known
> everything I wrote in this email.
>
>
> //Peter

I saw the wrong outcome of it, and will reverse it.

--
Regards,
Stephan
On Wed, May 20, 2015 at 03:58:22PM +0200, Stephan von Krawczynski wrote:
> Show me this as an example of your firewall skills and replace this
> hosts.allow entry:
>
> sshd: .... : spawn (echo -e "%u@%h[%a] on `/bin/date`" to %d connected me |
> /bin/mail -s "hosts.allow entry XYZ" root) & : ALLOW
>
>
> This is only example code, of course.

It's an example of something really horrible. It might have seemed like a good idea in the 90s, but in a modern system that sort of alerting should be integrated into log monitoring (and should be much more comprehensive than a couple of services linked against wrappers).

I think you're confirming the decision to remove wrapper support rather than demonstrating that it was a mistake.

Mike Stone
Stephan von Krawczynski wrote:
> Are you already preparing for having no arguments?

I pointed out that your style of communication makes you look bad so that next time when you want something you can try to avoid risking that, because looking bad is sufficient for lots of people to ignore you, regardless of technical merits.

> > The rationale is that firewall rules can replace libwrap
>
> Show me this as an example of your firewall skills and replace this
> hosts.allow entry:
>
> sshd: .... : spawn (echo -e "%u@%h[%a] on `/bin/date`" to %d connected me |
> /bin/mail -s "hosts.allow entry XYZ" root) & : ALLOW

Linux netfilter has a nice ULOG target which can be used with a program much smaller than libwrap to accomplish the essential functionality above. I used ULOG for the first time somewhere between 7 and 10 years ago so it has been around for a while.

But that's of course off-topic for this list, so let's stop here. What's on-topic is that firewalls are indeed able to replace the functionality.

//Peter
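Mike's message argues that the alert the hosts.allow spawn produces belongs in log monitoring, and Peter's that the firewall can supply the connection event itself. The Python below is an added example written for this page, not code from any of the posters, from OpenSSH or from libwrap. It scans constructed sample lines of the two kinds a monitor would actually see: sshd's own "Accepted"/"Failed" auth lines, and a kernel line produced by a netfilter LOG rule with a log prefix (the syslog form of the LOG target is used here rather than ULOG's ulogd output; ULOG has since been superseded by NFLOG, and either can feed the same parser with a small format change). The rule prefix "SSH-NEW: " and the hostnames and addresses are assumptions for the sample.

```python
import re

# Constructed sample log lines (not from the thread): two sshd auth.log lines and
# one kern.log line written by a rule such as
#   -p tcp --dport 22 -m conntrack --ctstate NEW -j LOG --log-prefix "SSH-NEW: "
# plus an unrelated cron line that the scanner must ignore.
SAMPLE_LOG = """\
May 20 15:58:22 host sshd[2522]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2: RSA SHA256:EXAMPLEFINGERPRINT
May 20 15:58:40 host sshd[2530]: Failed password for invalid user admin from 198.51.100.7 port 40000 ssh2
May 20 15:59:01 host kernel: [  812.345678] SSH-NEW: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=34567 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
May 20 15:59:05 host cron[300]: (root) CMD (run-parts /etc/cron.hourly)
"""

# sshd authentication outcome lines (both accepted and failed, incl. "invalid user").
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<addr>\S+) port (?P<port>\d+) ssh2"
)
# netfilter LOG-target line for a new TCP connection to port 22 (assumed prefix "SSH-NEW: ").
NETFILTER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: .*?SSH-NEW: .*?"
    r"SRC=(?P<addr>\S+) .*?PROTO=TCP SPT=(?P<port>\d+) DPT=22\b"
)


def parse_line(line):
    """Return an event dict for a line the monitor cares about, else None."""
    m = SSHD_RE.match(line)
    if m:
        return {
            "kind": "sshd-auth",
            "host": m["host"],
            "result": m["result"].lower(),
            "method": m["method"],
            "user": m["user"],
            "addr": m["addr"],
            "port": int(m["port"]),
        }
    m = NETFILTER_RE.match(line)
    if m:
        # The firewall sees the TCP handshake before sshd does, so this event
        # exists even for peers that never complete an SSH handshake.
        return {
            "kind": "tcp-connect",
            "host": m["host"],
            "result": "new",
            "method": None,
            "user": None,
            "addr": m["addr"],
            "port": int(m["port"]),
        }
    return None


def scan(log_text):
    """Parse every line and keep the recognised events, in log order."""
    return [ev for ev in map(parse_line, log_text.splitlines()) if ev]


def failures_by_addr(events):
    """Count failed authentications per source address (input to a ban/alert threshold)."""
    counts = {}
    for ev in events:
        if ev["kind"] == "sshd-auth" and ev["result"] == "failed":
            counts[ev["addr"]] = counts.get(ev["addr"], 0) + 1
    return counts


def format_alert(ev):
    """Render one alert line in the spirit of the hosts.allow spawn's '%u@%h[%a]' message."""
    if ev["kind"] == "sshd-auth":
        return (f"{ev['result']} {ev['method']} {ev['user']}@{ev['host']} "
                f"from [{ev['addr']}]:{ev['port']}")
    return f"new tcp connection to {ev['host']}:22 from [{ev['addr']}]:{ev['port']}"


if __name__ == "__main__":
    evs = scan(SAMPLE_LOG)
    for ev in evs:
        print(format_alert(ev))
    print("failed auth per address:", failures_by_addr(evs))
```

Where the spawn entry could only ever report "a connection was accepted by the wrapper", the log scanner sees the authentication method and outcome as well, and the firewall line covers every listener, not just the ones linked against libwrap; pushing `format_alert` output into mail, a SIEM or a ban list is the part that stays site-specific.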
On Wed, 20 May 2015 11:05:34 -0400 Michael Stone <mstone at mathom.us> wrote:

> On Wed, May 20, 2015 at 03:58:22PM +0200, Stephan von Krawczynski wrote:
> > Show me this as an example of your firewall skills and replace this
> > hosts.allow entry:
> >
> > sshd: .... : spawn (echo -e "%u@%h[%a] on `/bin/date`" to %d connected me |
> > /bin/mail -s "hosts.allow entry XYZ" root) & : ALLOW
> >
> >
> > This is only example code, of course.
>
> It's an example of something really horrible. It might have seemed like
> a good idea in the 90s, but in a modern system that sort of alerting
> should be integrated into log monitoring (and should be much more
> comprehensive than a couple of services linked against wrappers).
>
> I think you're confirming the decision to remove wrapper support rather
> than demonstrating that it was a mistake.
>
> Mike Stone

Why do you think you have really understood all occasions and surroundings on which something like this can be deployed? Can you imagine there is infrastructure besides routed internet?

--
Regards,
Stephan
On Thu, May 21, 2015 at 1:05 AM, Michael Stone <mstone at mathom.us> wrote:
> On Wed, May 20, 2015 at 03:58:22PM +0200, Stephan von Krawczynski wrote:
>
> > Show me this as an example of your firewall skills and replace this
> > hosts.allow entry:
> >
> > sshd: .... : spawn (echo -e "%u@%h[%a] on `/bin/date`" to %d connected
> > me |
> > /bin/mail -s "hosts.allow entry XYZ" root) & : ALLOW
> >
> >
> > This is only example code, of course.
> >
>
> It's an example of something really horrible. It might have seemed like a
> good idea in the 90s, but in a modern system that sort of alerting should
> be integrated into log monitoring (and should be much more comprehensive
> than a couple of services linked against wrappers).
>

Note that you can still do that by starting sshd under tcpd+inetd, something like:

ssh stream tcp nowait root /usr/sbin/tcpd /usr/sbin/sshd -i

or the equivalent in your inetd-alike. For SSHv2 connections it should be about the same speed (it'll be slower for Protocol 1 connections because each connection will need to generate a new ephemeral host key, but that's probably a plus from a security standpoint).

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
All;

I'm working on an ssh honeypot to analyze botnets, and I'm trying to find the chunk of code that specifies the following (like in Kippo):

TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] kex alg, key alg: diffie-hellman-group1-sha1 ssh-rsa
TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] outgoing: aes128-ctr hmac-sha1 none
TIMESTAMP [HoneyPotTransport,2522,XX.XX.XX.XX] incoming: aes128-ctr hmac-sha1 none

I was able to find the section in sshd.c where I can log the client name and port, and the section in auth.c where the password is cleartext, but I have no idea what I'm really looking for for finding the protocols. I honestly have no idea where I should really be looking. If somebody can point me in the right direction (or send a code fragment) I'd really appreciate it. I'll post a link back to the mailing list of where everyone else can find the completed code if I get some help.

(BTW: It's live already at http://longtail.it.marist.edu and I've already found and/or analyzed 9 botnets. Having better information on who's attacking will make it easier I hope to bunch them all together).

(And no, I'm not rising to the bait about tcpwrappers :-) It's decided and done.)

>>>Ericw
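The three Kippo lines above are the result of the SSH_MSG_KEXINIT exchange: each side sends its preference lists and the chosen algorithm in each category is the first entry in the client's list that the server also offers (RFC 4253 section 7.1). In OpenSSH that choice is made in kex.c, in kex_choose_conf() and its choose_* helpers, which is the place to hook for logging what a connecting bot negotiated. The Python below is an added example for this page, not code from Kippo, from OpenSSH or from the poster: it encodes and parses KEXINIT payloads, applies the selection rule, and prints lines in the Kippo shape. The client and server preference lists are constructed so that the result matches the quoted lines; the full RFC rule also requires the chosen kex method to be usable with the chosen host key type and handles the first_kex_packet_follows guess, both omitted here.

```python
import struct

SSH_MSG_KEXINIT = 20

# Name-lists inside SSH_MSG_KEXINIT, in wire order (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Constructed preference lists (assumptions for the example, chosen so the
# outcome matches the Kippo lines quoted in the message).
CLIENT_LISTS = {
    "kex_algorithms": ("diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"),
    "server_host_key_algorithms": ("ssh-rsa", "ssh-dss"),
    "encryption_algorithms_client_to_server": ("aes128-ctr", "aes256-ctr", "3des-cbc"),
    "encryption_algorithms_server_to_client": ("aes128-ctr", "aes256-ctr", "3des-cbc"),
    "mac_algorithms_client_to_server": ("hmac-sha1", "hmac-md5"),
    "mac_algorithms_server_to_client": ("hmac-sha1", "hmac-md5"),
    "compression_algorithms_client_to_server": ("none",),
    "compression_algorithms_server_to_client": ("none",),
}
SERVER_LISTS = {
    "kex_algorithms": ("diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"),
    "server_host_key_algorithms": ("ssh-rsa",),
    "encryption_algorithms_client_to_server": ("aes256-ctr", "aes128-ctr"),
    "encryption_algorithms_server_to_client": ("aes256-ctr", "aes128-ctr"),
    "mac_algorithms_client_to_server": ("hmac-sha1",),
    "mac_algorithms_server_to_client": ("hmac-sha1",),
    "compression_algorithms_client_to_server": ("none",),
    "compression_algorithms_server_to_client": ("none",),
}


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload (message id, cookie, ten name-lists, flag, reserved)."""
    assert len(cookie) == 16
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        s = ",".join(lists.get(name, ())).encode("ascii")
        out += struct.pack(">I", len(s)) + s  # SSH "name-list" = uint32 length + bytes
    out += b"\x00"                 # first_kex_packet_follows = FALSE
    out += struct.pack(">I", 0)    # reserved for future extension
    return out


def parse_kexinit(payload):
    """Decode a KEXINIT payload; raise ValueError on truncated or foreign input."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos = 17  # skip message id and 16-byte cookie
    lists = {}
    for name in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):   # a hostile length must not read past the buffer
            raise ValueError("truncated name-list")
        raw = payload[pos:pos + n].decode("ascii")
        pos += n
        lists[name] = tuple(x for x in raw.split(",") if x)
    if pos + 5 > len(payload):
        raise ValueError("truncated trailer")
    lists["first_kex_packet_follows"] = bool(payload[pos])
    return lists


def negotiate(client, server):
    """RFC 4253 7.1: first client-preferred algorithm that the server also lists."""
    def first_common(field):
        for alg in client[field]:
            if alg in server[field]:
                return alg
        raise ValueError(f"no common algorithm for {field}")
    return {
        "kex": first_common("kex_algorithms"),
        "hostkey": first_common("server_host_key_algorithms"),
        "enc_c2s": first_common("encryption_algorithms_client_to_server"),
        "enc_s2c": first_common("encryption_algorithms_server_to_client"),
        "mac_c2s": first_common("mac_algorithms_client_to_server"),
        "mac_s2c": first_common("mac_algorithms_server_to_client"),
        "comp_c2s": first_common("compression_algorithms_client_to_server"),
        "comp_s2c": first_common("compression_algorithms_server_to_client"),
    }


def honeypot_log_lines(addr, chosen):
    """Lines in the Kippo shape; 'outgoing' is server-to-client from the honeypot's view."""
    tag = f"[HoneyPotTransport,2522,{addr}]"
    return [
        f"{tag} kex alg, key alg: {chosen['kex']} {chosen['hostkey']}",
        f"{tag} outgoing: {chosen['enc_s2c']} {chosen['mac_s2c']} {chosen['comp_s2c']}",
        f"{tag} incoming: {chosen['enc_c2s']} {chosen['mac_c2s']} {chosen['comp_c2s']}",
    ]


if __name__ == "__main__":
    c = parse_kexinit(build_kexinit(CLIENT_LISTS))
    s = parse_kexinit(build_kexinit(SERVER_LISTS))
    for line in honeypot_log_lines("XX.XX.XX.XX", negotiate(c, s)):
        print(line)
```

For fingerprinting bots the raw client KEXINIT lists are worth logging alongside the negotiated result, since two tools that end up on the same ciphers usually still differ in the order and contents of what they offered.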