On Tuesday 27 April 2004 18:55, Noam Meltzer wrote:
> Hi,
> My specific interest is to implement something like this:
> I have a host, connected to the internet, and it runs iptables, while
> ssh's tcp port is the only one opened.
> Now, I want that instead of opening this port, every communication to
> that port will be dropped, unless the computer which tries to connect to
> it, will try to connect with a specific user.
>
Your logic is flawed here - the ssh client establishes a TCP connection with the ssh server, and only after the TCP connection is established is the username sent. This means your firewall has to allow all incoming connections to the SSH port and can only drop the connection once the username is transmitted.

Since this is the case, you will not be preventing attacks on your SSH server (anyone will be able to connect, and any SSH vulnerability that happens before the username is transmitted will work against your server), and on the other hand, since you're only blocking after the username is sent, the SSH server can do that better than your firewall - so all your hard work in implementing this in iptables (even if that *was* possible) is worthless.

-- 
- Aviram
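As an added example (not part of this thread), here is the RFC 4252 message that actually carries the username, together with a hypothetical AllowUsers-style allow-list check on the server side. The username first appears in SSH_MSG_USERAUTH_REQUEST, which is sent only after the TCP handshake, version exchange and key exchange, inside the encrypted transport, so a packet filter never has it to decide on and the decision belongs in sshd; `user_allowed` and `sshd_decision` are assumed helper names, not sshd's own code.

```python
import struct
from fnmatch import fnmatchcase
from typing import List, Tuple

SSH_MSG_USERAUTH_REQUEST = 50  # RFC 4252, section 5

def ssh_string(data: bytes) -> bytes:
    """Encode an RFC 4251 'string': big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def build_userauth_request(user: str, service: str = "ssh-connection",
                           method: str = "none") -> bytes:
    """Payload of SSH_MSG_USERAUTH_REQUEST. In a live session this is sent only
    after the TCP handshake, version exchange and key exchange, and it travels
    inside the encrypted transport, so an L3/L4 filter like iptables never sees it."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode("utf-8"))
            + ssh_string(service.encode("utf-8")) + ssh_string(method.encode("utf-8")))

def parse_userauth_request(payload: bytes) -> Tuple[str, str, str]:
    """Decode (user, service, method); this is the first point at which the
    server, not the firewall, learns which user the client is asking for."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_REQUEST payload")
    fields, off = [], 1
    for _ in range(3):
        if off + 4 > len(payload):
            raise ValueError("truncated length field")
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        if off + n > len(payload):
            raise ValueError("truncated string field")
        fields.append(payload[off:off + n].decode("utf-8"))
        off += n
    return fields[0], fields[1], fields[2]

def user_allowed(user: str, allow_users: List[str]) -> bool:
    """Assumed approximation of sshd_config AllowUsers: accept when the name
    matches any glob pattern; an empty list means no restriction is configured."""
    return not allow_users or any(fnmatchcase(user, pat) for pat in allow_users)

def sshd_decision(payload: bytes, allow_users: List[str]) -> str:
    """What the server can decide once the userauth request has arrived."""
    try:
        user, service, _method = parse_userauth_request(payload)
    except ValueError:
        return "disconnect: malformed request"
    if service != "ssh-connection" or not user_allowed(user, allow_users):
        return f"reject: user {user!r} not permitted"
    return f"continue: authenticate {user!r}"
```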