I compiled the latest version, 8.1, inside Centos 7.9, and to my dismay, there was no support for libwrap, which offers a level of protection that is added to a firewall, but in my opinion, it works better. Also, I didn't find service definitions for Systemd. Where can I find them? How do I overcome these obstacles? In the times when cyberattacks come on a daily basis, we should keep libwrap baked into openssh, even as optional. Thanks for your help.
I second this request. We were forced to put tcpwrappers support in ourselves because customers complained about the removal.

From: openssh-unix-dev <openssh-unix-dev-bounces+herbie.robinson=stratus.com at mindrot.org> On Behalf Of Saint Michael
Sent: Wednesday, June 23, 2021 10:55 AM
To: openssh-unix-dev at mindrot.org
Subject: [EXTERNAL] Bringing back tcp wrappers

[snip]
On 23/06/2021 15:54, Saint Michael wrote:
> I compiled the latest version, 8.1,

Current version is 8.6p1.

> inside Centos 7.9, and to my dismay,
> there was no support for libwrap

It was removed in version 6.7p1, in 2014.
https://serverfault.com/questions/869431/openssh-removed-support-for-tcp-wrappers-now-what-no-hosts-allow-for-ssh-acce
https://github.com/openssh/openssh-portable/commit/f2719b7c2b8a3b14d778d8a6d8dc729b5174b054
On 6/23/21 5:54 PM, Saint Michael wrote:
> I compiled the latest version, 8.1, inside Centos 7.9, and
[snip]

What use-case would there be for tcpwrappers that cannot be better solved with a packet filter? In the case of CentOS 7 you have nftables and iptables.

/Lars
Saint Michael wrote:
> I compiled the latest version, 8.1, inside Centos 7.9, and to my dismay,
> there was no support for libwrap

Be aware that many Linux distributions make changes to the upstream release as part of their packages. It's wise to consider whether that's actually in one's interest on a case-by-case basis. If "recent" distribution OpenSSH packages support libwrap then that's such a modification, made by the distribution.

> I didn't find service definitions for Systemd. Where can I find them?

systemd integration in OpenSSH, which Red Hat (the company) distributes plenty of, is another such modification by the distribution. If you look closer into this you'll find that few distributions actually make independent, informed decisions - herd mentality is strong. Upstream OpenSSH doesn't support systemd at all at the moment, and thus also doesn't distribute unit files. Running upstream sshd under systemd works anyway, but you can run into problems if you expect everything that systemd provides to work according to the systemd model - it will not, potentially leaving the system without a running sshd.

> How do I overcome these obstacles?

As far as I know there exists no sensible sshd+systemd integration. Red Hat (the company) distributes an sshd that depends on libsystemd.so, which I find a horrible idea. I think Debian (thus also Ubuntu) have followed along and use the same patches. I've written and proposed a small standalone sd_notify() implementation to be used instead of libsystemd.so, but I don't think anyone uses it. Personally I wouldn't mind upstream OpenSSH supporting systemd Type=notify but I expect nothing.

> we should keep libwrap baked into openssh, even as optional.

I don't think upstream OpenSSH will support it. Like others I recommend you to place useful firewall rules on every system and to monitor that they are in effect.

Oh, and don't assume that the visible Bitcoin miner is the only thing that was installed on your compromised servers; boot from CD and take a closer look.

Kind regards
//Peter
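Lars and Peter both point to host firewall rules as the replacement for libwrap's hosts.allow on CentOS 7. As an added example (not code from the thread, from OpenSSH or from any distribution), the script below generates an nftables ruleset that limits sshd on a port to an allow list and checks that a ruleset dump still carries those rules, which is the "monitor that they are in effect" part of Peter's advice; the table name sshguard, the set name ssh_allow and the sample prefixes are hypothetical.

```bash
#!/bin/bash
# Added example, not from the thread or from OpenSSH: replace libwrap's
# hosts.allow for sshd with an nftables allow list, and verify that the
# live ruleset still carries it. Table/set names and prefixes are made up.

# Print an nft ruleset that accepts TCP to PORT only from the given IPv4
# prefixes and logs+drops everything else on that port. The table is in the
# inet family, so the drop rule also covers IPv6 (the sshd -T output in this
# thread shows sshd listening on [::]:22); IPv6 clients need their own set.
# Usage: gen_sshd_allow_rules PORT PREFIX [PREFIX...]
gen_sshd_allow_rules() {
    port="$1"; shift
    first="$1"; shift
    printf 'table inet sshguard {\n'
    printf '  set ssh_allow {\n    type ipv4_addr\n    flags interval\n'
    printf '    elements = { %s' "$first"
    for p in "$@"; do printf ', %s' "$p"; done
    printf ' }\n  }\n'
    printf '  chain input {\n'
    printf '    type filter hook input priority 0; policy accept;\n'
    printf '    tcp dport %s ip saddr @ssh_allow accept\n' "$port"
    printf '    tcp dport %s log prefix "sshd-denied: " drop\n' "$port"
    printf '  }\n}\n'
}

# Check a ruleset dump (what `nft list ruleset` prints) for both the accept
# and the drop rule on PORT. Returns 0 when both are present, 1 when the
# rules have drifted or been flushed. Usage: check_sshd_rules PORT "$(nft list ruleset)"
check_sshd_rules() {
    port="$1"; dump="$2"
    printf '%s\n' "$dump" | grep -q "tcp dport $port ip saddr @ssh_allow accept" || return 1
    printf '%s\n' "$dump" | grep -q "tcp dport $port log prefix .* drop" || return 1
    return 0
}

# Constructed sample of a drifted ruleset: the chain exists but is empty,
# so sshd is reachable from anywhere again.
DRIFTED_RULESET='table inet sshguard {
  chain input {
    type filter hook input priority 0; policy accept;
  }
}'

# Stand-alone demo: generate a ruleset, then check it and the drifted sample.
ruleset="$(gen_sshd_allow_rules 22 10.0.0.0/8 192.0.2.10)"
printf '%s\n' "$ruleset"
check_sshd_rules 22 "$ruleset" && echo "generated ruleset: OK"
check_sshd_rules 22 "$DRIFTED_RULESET" || echo "drifted ruleset: sshd rules missing"
```

Loading the generated text with `nft -f` and running the check from cron against `nft list ruleset` gives an alert the moment the allow list disappears.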
There is a Centos 7 machine where this fails after 80 loops:

target="same host"   # hostname or IP of the test target
i=0                  # loop counter
while [ $i -ne 500 ];do
echo -e "$i"
ssh -p 22 root@${target} "ls / 1>/dev/null && exit;"
((i++))
done

The loop does not fail against Ubuntu boxes.
Kindly let me know if I am doing something wrong.
This is my sshd_config
sshd -T
port 22
addressfamily any
listenaddress [::]:22
listenaddress 0.0.0.0:22
usepam no
logingracetime 120
x11displayoffset 10
maxauthtries 20
maxsessions 100
clientaliveinterval 0
clientalivecountmax 3
streamlocalbindmask 0177
permitrootlogin without-password
ignorerhosts yes
ignoreuserknownhosts no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
pubkeyauthentication yes
kerberosauthentication no
kerberosorlocalpasswd yes
kerberosticketcleanup yes
gssapiauthentication no
gssapicleanupcredentials yes
passwordauthentication no
kbdinteractiveauthentication yes
challengeresponseauthentication yes
printmotd yes
printlastlog yes
x11forwarding no
x11uselocalhost yes
permittty yes
permituserrc yes
strictmodes no
tcpkeepalive yes
permitemptypasswords no
compression yes
gatewayports no
usedns no
allowtcpforwarding yes
allowagentforwarding yes
disableforwarding no
allowstreamlocalforwarding yes
streamlocalbindunlink no
fingerprinthash SHA256
exposeauthinfo no
pidfile /var/run/sshd.pid
xauthlocation /usr/bin/xauth
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
banner none
forcecommand none
chrootdirectory none
trustedusercakeys none
revokedkeys none
authorizedprincipalsfile none
versionaddendum none
authorizedkeyscommand none
authorizedkeyscommanduser none
authorizedprincipalscommand none
authorizedprincipalscommanduser none
hostkeyagent none
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
casignaturealgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostbasedacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
pubkeyacceptedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
rdomain none
loglevel INFO
syslogfacility AUTH
authorizedkeysfile .ssh/authorized_keys
hostkey /etc/ssh/ssh_host_rsa_key
hostkey /etc/ssh/ssh_host_ecdsa_key
hostkey /etc/ssh/ssh_host_ed25519_key
allowusers root
authenticationmethods any
subsystem sftp /usr/libexec/sftp-server
maxstartups 500:30:500
permittunnel no
ipqos af21 cs1
rekeylimit 0 0
permitopen any
permitlisten any
permituserenvironment no