oss-sec mailing list archives
Re: xz backdoor prevention using hosts.deny?
From: Pierre-Elliott Bécue <peb () debian org>
Date: Wed, 03 Apr 2024 16:07:45 +0200
Stephen John Smoogen <smooge () gmail com> wrote on 03/04/2024 at 15:38:08+0200:
On Wed, 3 Apr 2024 at 09:07, Nick Sal <specialroumpa () proton me> wrote:Hi, Assume we filter SSH access only to a public domain subnet using the files hosts.{deny,allow} as seen below. Would this prevent an attack if a malicious payload was *not* sent from the allowed subnet? Trying to figure out if an attack like this was still possible, for the few days in March the backdoor was active and undetected in rolling distros (e.g. debian testing). /etc/hosts.deny: sshd: ALL /etc/hosts.allow: sshd: "a_subnet"Does Debian still link hosts.allow/hosts.deny libwrapper with sshd? [or does sshd pull it in from another source?] I know some distributions no longer use this method to limit controls.
❯ lsb_release -a No LSB modules are available. Distributor ID: Debian Description: Debian GNU/Linux 12 (bookworm) Release: 12 Codename: bookworm ❯ libtree /usr/sbin/sshd /usr/sbin/sshd ├── libcrypt.so.1 [ld.so.conf] ├── libz.so.1 [ld.so.conf] ├── libcrypto.so.3 [ld.so.conf] ├── libcom_err.so.2 [ld.so.conf] ├── libkrb5.so.3 [ld.so.conf] │ ├── libk5crypto.so.3 [ld.so.conf] │ │ └── libkrb5support.so.0 [ld.so.conf] │ ├── libresolv.so.2 [ld.so.conf] │ ├── libkeyutils.so.1 [ld.so.conf] │ ├── libkrb5support.so.0 [ld.so.conf] │ └── libcom_err.so.2 [ld.so.conf] ├── libgssapi_krb5.so.2 [ld.so.conf] │ ├── libkrb5.so.3 [ld.so.conf] │ ├── libkrb5support.so.0 [ld.so.conf] │ ├── libcom_err.so.2 [ld.so.conf] │ └── libk5crypto.so.3 [ld.so.conf] ├── libselinux.so.1 [ld.so.conf] │ └── libpcre2-8.so.0 [ld.so.conf] ├── libsystemd.so.0 [ld.so.conf] │ ├── libcap.so.2 [ld.so.conf] │ ├── liblz4.so.1 [ld.so.conf] │ ├── libzstd.so.1 [ld.so.conf] │ ├── liblzma.so.5 [ld.so.conf] │ └── libgcrypt.so.20 [ld.so.conf] │ └── libgpg-error.so.0 [ld.so.conf] ├── libpam.so.0 [ld.so.conf] │ └── libaudit.so.1 [ld.so.conf] │ └── libcap-ng.so.0 [ld.so.conf] ├── libaudit.so.1 [ld.so.conf] └── libwrap.so.0 [ld.so.conf] <------------------ └── libnsl.so.2 [ld.so.conf] └── libtirpc.so.3 [ld.so.conf] └── libgssapi_krb5.so.2 [ld.so.conf] Seems it does. -- PEB
Attachment:
signature.asc
Description:
Current thread:
- xz backdoor prevention using hosts.deny? Nick Sal (Apr 03)
- Re: xz backdoor prevention using hosts.deny? Stuart D Gathman (Apr 03)
- Re: xz backdoor prevention using hosts.deny? Stephen John Smoogen (Apr 03)
- Re: xz backdoor prevention using hosts.deny? Pierre-Elliott Bécue (Apr 03)
- Re: xz backdoor prevention using hosts.deny? Ángel (Apr 08)
- Re: xz backdoor prevention using hosts.deny? Jacob Bachmeyer (Apr 09)
- Re: xz backdoor prevention using hosts.deny? Andres Freund (Apr 09)
- Re: xz backdoor prevention using hosts.deny? Christoph Anton Mitterer (Apr 09)
- Re: xz backdoor prevention using hosts.deny? Jacob Bachmeyer (Apr 10)
- Re: xz backdoor prevention using hosts.deny? Jacob Bachmeyer (Apr 09)