Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)

From: Vladimir Ivanov (VIvanov@tee.toshiba.de)
Date: 11/05/01


Message-ID: <3BE6C47C.B1ADD2E1@tee.toshiba.de>
Date: Mon, 05 Nov 2001 17:55:24 +0100
From: Vladimir Ivanov <VIvanov@tee.toshiba.de>
To: focus-sun@securityfocus.com
Subject: Re: Security for SUN-Cluster 3.0/2.2 with OPS (8.1.7)

Fabrice Bacchella wrote:
>
> > * Compile and install the tcpwrappers package. Set up policies in hosts.allow
> > for in.telnetd, in.ftpd, in.rshd, and sshd. Pay especially close attention to the
> > private cluster networks for in.rshd access. Make sure hosts.deny is set
> > up to deny everything else by default.
>
> I always had a bad feeling about tcpwrappers; it can only protect a few
> daemons, those running with inetd and those willing to do so. That's
> little use against a hacker, who will just try something else. Try
> something like ipf instead; you can protect every service running on
> your machine.
>
> And there is no interest in running at the same time telnet, ftp, rsh
> and ssh. Are you sure someone in your organisation will not one day use
> telnet instead of ssh, just because he doesn't have ssh on his computer?
> Just cut all those and dtlogin too. Ssh should be the only remote access
> on your computer if you want it to be useful.

ssh could be compiled with libwrap; then you will be able to use the tcp
wrappers configuration files for it.

Also, AFAIR 2 or 3 months ago there was a discussion here about the
possibility to add libwrap-like behavior into Solaris' own utilities (like
rpcbind, dtlogin etc.), which are not started from inetd.

I think the last mail was from Casper Dik (sorry if I write the name
wrong), that he will investigate such a possibility and the need for it.

-- 
Vladimir Ivanov                      
System Administrator                 E-Mail:  VIvanov@tee.toshiba.de
Toshiba Electronics Europe GmbH      Tel/Fax: +49-211-5296-297/386


