Bug#512209: Please don't touch sshd from interfaces-up

On Sun, 18 Jan 2009, Perry E. Metzger wrote:

> Peter Palfrader <weasel@debian.org> writes:
> > Yes, I read that.  I don't think this would ever be a problem unless you
> > explicitly listen only on a specific address, and then I'd think that
> > sshd wouldn't even start so the reload couldn't have been a fix for
> > that.  Unless of course you listen on more than one specific address at
> > least one of which is available when sshd starts.  Still, why you would
> > do this rather than listen on * as is the default is beyond me.
> Often one doesn't want to listen on particular addresses that are
> attached to dangerous subnets.

That doesn't really help you.  If you don't trust (the hosts in) a
subnet then you should use iptables/tcpwrappers to protect you.

Any host in the evil subnet could just connect to your sshd on any of
your system's other IP addresses.  Remember that you don't listen on
interfaces, you listen on IP addresses.  And Linux accepts traffic for
any of its addresses on any of its interfaces.
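As an added illustration of the advice above (not part of the bug thread), the rules below filter on the *incoming interface* and *source subnet*, which is exactly what a ListenAddress setting cannot express; the interface name and subnet are placeholders.

```shell
#!/bin/sh
# Added example, not from the bug report.  Generates the iptables and
# tcpwrappers configuration that keeps an untrusted subnet away from sshd
# no matter which of the host's IP addresses a client connects to.
# "eth1" and "192.0.2.0/24" are constructed placeholder values.

# Print iptables rules that drop TCP/22 arriving via the untrusted
# interface or from the untrusted subnet, for ANY destination address.
ssh_guard_rules() {
    iface="$1"    # interface attached to the untrusted subnet, e.g. eth1
    subnet="$2"   # the untrusted subnet itself, e.g. 192.0.2.0/24
    # Match on the interface the packet came in on; sshd has no such knob,
    # since it binds to addresses, not interfaces.
    printf 'iptables -A INPUT -i %s -p tcp --dport 22 -j DROP\n' "$iface"
    # Also match on source range, so packets from that subnet that enter
    # through another interface (asymmetric routing) are dropped too.
    printf 'iptables -A INPUT -s %s -p tcp --dport 22 -j DROP\n' "$subnet"
    # Everything else reaching port 22 is accepted.
    printf 'iptables -A INPUT -p tcp --dport 22 -j ACCEPT\n'
}

# Print the equivalent /etc/hosts.deny line for sshd built with tcpwrappers.
tcpwrappers_deny() {
    printf 'sshd: %s\n' "$1"
}

# Count how many rules ssh_guard_rules emits (used for a sanity check).
rule_count() {
    ssh_guard_rules "$1" "$2" | wc -l | tr -d ' '
}

# Only print the configuration; applying it requires root and is left to the admin.
ssh_guard_rules eth1 192.0.2.0/24
tcpwrappers_deny 192.0.2.0/24
```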

