I suggest that we turn it into a ./configure option.
I found the patch but I am unable to adapt it to the current version.
Any volunteers? Also, we need the service definition files for Systemd.
For example, Ubuntu 20.10 supports libwrap
strings $(which sshd)| grep libwrap
libwrap.so.0
libwrap refuse returns
why do we need to ruin the lives of millions of security officers?
I got hacked in 72 servers this week, they installed Bitcoin miners.

On Wed, Jun 23, 2021 at 11:11 AM Brian Candler <b.candler at pobox.com> wrote:

> On 23/06/2021 15:54, Saint Michael wrote:
>
> > I compiled the latest version, 8.1,
>
> Current version is 8.6p1
>
> > inside Centos 7.9, and to my dismay,
> > there was no support for libwrap
>
> It was removed in version 6.7p1, in 2014.
>
> https://serverfault.com/questions/869431/openssh-removed-support-for-tcp-wrappers-now-what-no-hosts-allow-for-ssh-acce
>
> https://github.com/openssh/openssh-portable/commit/f2719b7c2b8a3b14d778d8a6d8dc729b5174b054

Ubuntu publishes version 8.3 with libwrap support. But for us who
inherited old Centos or RHEL 7 it becomes impossible to update open-ssh.
Any helping hand?
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=20.10
ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /usr/lib/x86_64-linux-gnu/libwrap.so.0
(0x00007fc62ad4c000)
root at mexico:~# ssh -V
OpenSSH_8.3p1 Ubuntu-1ubuntu0.1, OpenSSL 1.1.1f 31 Mar 2020
On Wed, Jun 23, 2021 at 12:03 PM Saint Michael <venefax at gmail.com>
wrote:
> I suggest that we turn it into a ./configure option.
> I found the patch but I am unable to adapt it to the current version.
> Any volunteers? Also, we need the service definition files for Systemd.
> For example, Ubuntu 20.10 supports libwrap
> strings $(which sshd)| grep libwrap
> libwrap.so.0
> libwrap refuse returns
> why do we need to ruin the lives of millions of security officers?
> I got hacked in 72 servers this week, they installed Bitcoin miners.
>
>
>
> On Wed, Jun 23, 2021 at 11:11 AM Brian Candler <b.candler at pobox.com> wrote:
>
>> On 23/06/2021 15:54, Saint Michael wrote:
>>
>> I compiled the latest version, 8.1,
>>
>> Current version is 8.6p1
>>
>>
>> inside Centos 7.9, and to my dismay,
>> there was no support for libwrap
>>
>> It was removed in version 6.7p1, in 2014.
>>
>> https://serverfault.com/questions/869431/openssh-removed-support-for-tcp-wrappers-now-what-no-hosts-allow-for-ssh-acce
>>
>> https://github.com/openssh/openssh-portable/commit/f2719b7c2b8a3b14d778d8a6d8dc729b5174b054

On Wed, 23 Jun 2021, Saint Michael wrote:

> why do we need to ruin the lives of millions of security officers?
> I got hacked in 72 servers this week, they installed Bitcoin miners.

Uhm? just use a firewall? For example pf can easily handle
permitting access to SSH by host via tables.

bye,
//mirabilos

On 23/06/2021 17:03, Saint Michael wrote:

> I got hacked in 72 servers this week, they installed Bitcoin miners.

Are you saying this happened through opensshd? What specifically was
the cause: do you allow password authentication for example?

You can control this by IP address with "Match" clauses in
sshd_config. For example:

PasswordAuthentication no
Match Address 10.0.0.0/8,fc00::/7
    PasswordAuthentication yes

This will allow passwords only from the 10.0.0.0/8 and fc00::/7
networks, forcing connections from the Internet to use a proper
authentication mechanism (e.g. keys)

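Added example, not part of the original thread: a simplified Python model of how sshd resolves a keyword under `Match Address`, run against the config fragment from the message above to show which source addresses may still use passwords. It assumes only CIDR entries in `Match Address` blocks; the function names `addr_matches` and `effective` are hypothetical.

```python
import ipaddress

# Constructed sample: the sshd_config fragment quoted in the message above.
SAMPLE_CONFIG = """\
PasswordAuthentication no
Match Address 10.0.0.0/8,fc00::/7
    PasswordAuthentication yes
"""

def addr_matches(patterns, addr):
    """CIDR-only subset of sshd's Address pattern list; '!' negates an entry."""
    ip = ipaddress.ip_address(addr)
    matched = False
    for pat in patterns.split(","):
        net = ipaddress.ip_network(pat.lstrip("!"))
        if ip.version == net.version and ip in net:
            if pat.startswith("!"):
                return False  # a negated hit vetoes the whole list
            matched = True
    return matched

def effective(config, keyword, addr):
    """Value of `keyword` for a client connecting from `addr` (None if unset)."""
    global_val = match_val = None
    in_match = applies = False
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, arg = (line.split(None, 1) + [""])[:2]
        if key.lower() == "match":
            crit, pats = (arg.split(None, 1) + [""])[:2]
            if crit.lower() != "address":
                raise ValueError("only 'Match Address' is modelled here")
            in_match, applies = True, addr_matches(pats.strip(), addr)
        elif key.lower() == keyword.lower():
            if in_match and applies and match_val is None:
                match_val = arg.strip()   # first satisfied Match block wins
            elif not in_match and global_val is None:
                global_val = arg.strip()  # first global occurrence wins
    return match_val if match_val is not None else global_val

if __name__ == "__main__":
    for src in ("10.1.2.3", "fd12::1", "203.0.113.7", "2001:db8::1"):
        print(src, effective(SAMPLE_CONFIG, "PasswordAuthentication", src))
```

On a real host, sshd's extended test mode with a connection spec (for example `sshd -T -C addr=203.0.113.7,user=root,host=client`, values constructed) reports the effective settings sshd itself would apply.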
Hi,

On Wed, Jun 23, 2021 at 12:03:58PM -0400, Saint Michael wrote:

> I got hacked in 72 servers this week, they installed Bitcoin miners.

Libwrap is not the right answer for this. Disable password
authentication and/or require 2FA is.

gert
--
Gert Doering - Munich, Germany