[rescue] SGI fw_sshd and security

Sheldon T. Hall shel at cmhcsys.com
Fri Mar 5 12:37:21 CST 2004

Meelis Roos writes ...
> 1. If your sshd has been compiled with tcp_wrappers supprt, just use
> hosts.dallow/hosts.deny. This seems pretty secure since the IP matching
> is done before any protocol parsing.

How can I tell if the code was compiled with tcp_wrappers support?  The SGI
Freeware pages don't seem to say.  Would I have to run tcp_wrappers to use
the hosts.allow/hosts.deny facility?

> 2. Use your favourite firewall rules to select which IP-s can/cannot
> access port 22 on your SGI.

Well, the "firewall" in question is a DSL router with NAT, so its
capabilities don't extend to IP-range blocking.  It seems to be pretty
tight, though, as the portscan at www.grc.com shows all ports "stealthed"
except for 22, which is (at the moment) closed.

I could, of course, put another box between the SGI and the router.  Or
should I run some firewall software on the SGI itself?


More information about the rescue mailing list