oss-sec mailing list archives
Re: xz backdoor prevention using hosts.deny?
From: Ángel <oss-security () sec 16bits net>
Date: Mon, 08 Apr 2024 02:31:38 +0200
On 2024-04-03 at 03:31 +0000, Nick Sal wrote:
Hi,
Assume we filter SSH access only to a public domain subnet using the
files hosts.{deny,allow} as seen below.
Would this prevent an attack if a malicious payload was *not* sent
from the allowed subnet?
Trying to figure out if an attack like this was still possible, for
the few days in March the backdoor was active and undetected in
rolling distros (e..g. debian testing).
/etc/hosts.deny: sshd: ALL
/etc/hosts.allow: sshd: "a_subnet"
If your sshd uses libwrap, blocking access except from that subnet (I would check it is indeed doing what you expect, by trying from an external ip) then yes, it would protect from that. The libwrap filtering happens before the exchange identification.
Moreover, allowing only public-key authentication for SSH does not help, isn't this right?
Right. It doesn't help in this case, since the backdoor happens at the preauth phase, when it would be validating the provided public key (certificate). Regards
Current thread:
- xz backdoor prevention using hosts.deny? Nick Sal (Apr 03)
- Re: xz backdoor prevention using hosts.deny? Stuart D Gathman (Apr 03)
- Re: xz backdoor prevention using hosts.deny? Stephen John Smoogen (Apr 03)
- Re: xz backdoor prevention using hosts.deny? Pierre-Elliott Bécue (Apr 03)
- Re: xz backdoor prevention using hosts.deny? Ángel (Apr 08)
- Re: xz backdoor prevention using hosts.deny? Jacob Bachmeyer (Apr 09)
- Re: xz backdoor prevention using hosts.deny? Andres Freund (Apr 09)
- Re: xz backdoor prevention using hosts.deny? Christoph Anton Mitterer (Apr 09)
- Re: xz backdoor prevention using hosts.deny? Jacob Bachmeyer (Apr 10)
- Re: xz backdoor prevention using hosts.deny? Jacob Bachmeyer (Apr 09)