oss-sec mailing list archives

Re: xz backdoor prevention using hosts.deny?

From: Stuart D Gathman <stuart () gathman org>
Date: Wed, 3 Apr 2024 09:29:33 -0400 (EDT)

On Wed, 3 Apr 2024, Nick Sal wrote:

Assume we filter SSH access only to a public domain subnet using the files hosts.{deny,allow} as seen below.
Would this prevent an attack if a malicious payload was *not* sent from the allowed subnet?


1. Clearnet IPs can be forged.  I use ips on IPv6 meshnets with
   authenticated IPs (Cjdns, yggdrasil, pinecone, etc).  In addition
   to an actually authenticated IP, the clearnet IP can be anywhere,
   so access while traveling is still supported.  Be sure to use disk
   encryption in case your laptop is lost/stolen (thereby compromising
   the private key to the authenticated IP).

2. hosts.allow/deny is not supported in many linux distros.  However,
   /etc/ssh/sshd_config allows:

   AllowUsers root@fce3:cb03:318e:5dd9:651a:5c2f:b09c:9d4e

   and so on for as many users@ips as are needed.  (fc00::/8 is the
   IPv6 net used by cjdns)

Current thread:

xz backdoor prevention using hosts.deny? Nick Sal (Apr 03)
- Re: xz backdoor prevention using hosts.deny? Stuart D Gathman (Apr 03)
- Re: xz backdoor prevention using hosts.deny? Stephen John Smoogen (Apr 03)
  - Re: xz backdoor prevention using hosts.deny? Pierre-Elliott Bécue (Apr 03)
- Re: xz backdoor prevention using hosts.deny? Ángel (Apr 08)
  - Re: xz backdoor prevention using hosts.deny? Jacob Bachmeyer (Apr 09)
    - Re: xz backdoor prevention using hosts.deny? Andres Freund (Apr 09)
    - Re: xz backdoor prevention using hosts.deny? Christoph Anton Mitterer (Apr 09)
    - Re: xz backdoor prevention using hosts.deny? Jacob Bachmeyer (Apr 10)