Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <eaed1cdb-6bd2-b9e6-a0d2-ac1e464d71a5@gathman.org>
Date: Wed, 3 Apr 2024 09:29:33 -0400 (EDT)
From: Stuart D Gathman <stuart@...hman.org>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: xz backdoor prevention using hosts.deny?

On Wed, 3 Apr 2024, Nick Sal wrote:

> Assume we filter SSH access only to a public domain subnet using the files hosts.{deny,allow} as seen below.
> Would this prevent an attack if a malicious payload was *not* sent from the allowed subnet?

1. Clearnet IPs can be forged.  I use ips on IPv6 meshnets with
    authenticated IPs (Cjdns, yggdrasil, pinecone, etc).  In addition
    to an actually authenticated IP, the clearnet IP can be anywhere,
    so access while traveling is still supported.  Be sure to use disk
    encryption in case your laptop is lost/stolen (thereby compromising
    the private key to the authenticated IP).

2. hosts.allow/deny is not supported in many linux distros.  However,
    /etc/ssh/sshd_config allows:

    AllowUsers root@...3:cb03:318e:5dd9:651a:5c2f:b09c:9d4e

    and so on for as many users@ips as are needed.  (fc00::/8 is the
    IPv6 net used by cjdns)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.