On Wed, Mar 26, 2008, jd wrote:
>
>
> On Wed, 26 Mar 2008, Nico Kadel-Garcia wrote:
>
>> On 25 Mar, 09:12, Rob <r...@nothere.com> wrote:
>>
>>> Steve,
>>>
>>> what about using tcp_wrappers to perform a "route delete" on the offending IP?
>>>
>>> If memory serves, there was a port of tcp_wrapper for SCO OS5 on a TLS076a
>>> on the FTP site:
>>>
>>> ftp://ftp.sco.com/pub/TLS/tls076a.tcp_wrappers.tar.Z
>>>
>>> Hope this helps!
>>
>> If our faithful here only needs SSH access from a small set of
>> well-maintained sites, that might work well. However, if he has clients who
>> use NAT on their ISP networks (such as AOL, which uses 10.* internal
>> addresses), then the tcp_wrapper will block the NAT and everything
>> behind the NAT server.

We use tcp_wrappers extensively, and absolutely require it when
allowing username/password authentication via SSH. Normally we
only permit authentication via authorized_keys, with good pass
phrases, with tcp_wrappers not restricting sshd access (it's used
for many other services).

> Then perhaps a VPN (such as OpenVPN) is a more appropriate solution for
> remote access, instead of SSH (although SSH can be used over the VPN).

OpenVPN is great -- unless one has high packet loss as it
normally runs with UDP. I particularly like it for Windows users
as it doesn't require that they think much to use it. We generate
a zip file with the configuration files and keys that they can
just drop in the correct place.

Bill
--
INTERNET: bill@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

Those who cast the vote decide nothing. Those who count the vote decide
everything. (Joseph Stalin)
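The hosts.allow/hosts.deny check that Rob, Nico and Bill are talking about, as an added example (this is not code from any of the posters or from the tcp_wrappers package): a small Python evaluator that applies the hosts_access(5) ordering to a daemon name and a client address. The two rule files, the "trusted site" network 192.0.2.0/24 and the NAT gateway address 203.0.113.7 are constructed for illustration.

```python
"""Evaluate tcp_wrappers-style access control (hosts.allow / hosts.deny)
for a (daemon, client address) pair, in the order hosts_access(5) uses.

Added example; the rule files and addresses are constructed for
illustration and do not come from the thread. Only the common subset of
the pattern language is handled: ALL, net/mask (or net/prefixlen), a
trailing-dot prefix such as "10." and an exact IPv4 address. Hostnames,
EXCEPT, LOCAL and IPv6 are not supported.
"""
import ipaddress

# Constructed rule files. 192.0.2.0/24 stands in for a "well-maintained
# site"; 203.0.113.7 is the assumed public address of a client's NAT box.
HOSTS_ALLOW = """
# daemon_list : client_list [: shell_command]
sshd : 192.0.2.0/255.255.255.0, 203.0.113.7
ALL  : 127.0.0.1
"""

HOSTS_DENY = """
# Refuse sshd from everything not listed in hosts.allow; other wrapped
# services stay reachable from anywhere.
sshd : ALL
"""


def _split_list(field):
    """Daemon and client lists may be separated by commas and/or blanks."""
    return field.replace(",", " ").split()


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        # An optional third field (shell command) is ignored here.
        rules.append((_split_list(fields[0]), _split_list(fields[1])))
    return rules


def client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                          # net/mask or net/prefixlen
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in network
    if pattern.endswith("."):                   # "10." matches 10.x.x.x
        return addr.startswith(pattern)
    return addr == pattern                      # exact address


def rule_matches(rule, daemon, addr):
    """A rule applies when both its daemon list and client list match."""
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, addr) for c in clients))


def hosts_access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: the first match in hosts.allow grants access,
    otherwise the first match in hosts.deny refuses it, otherwise access
    is granted."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny)):
        return False
    return True


if __name__ == "__main__":
    checks = [
        ("sshd", "192.0.2.10"),     # inside the trusted /24
        ("sshd", "198.51.100.5"),   # unknown address: hosts.deny wins
        ("sshd", "203.0.113.7"),    # the NAT box, and so everyone behind it
        ("pop3", "198.51.100.5"),   # not covered by hosts.deny
    ]
    for daemon, addr in checks:
        verdict = "allow" if hosts_access(daemon, addr) else "deny"
        print(f"{daemon:5} from {addr:14} -> {verdict}")
```

Running it gives allow for 192.0.2.10 and 203.0.113.7 and deny for 198.51.100.5 on sshd, while pop3 from 198.51.100.5 is allowed because hosts.deny only names sshd. The 203.0.113.7 line is Nico's point: the server only ever sees the NAT gateway's public address, so listing it admits every host behind that NAT, and the 10.* addresses he mentions never reach sshd at all. Two practical caveats: the wrapper only takes effect for an sshd linked against libwrap or started from tcpd, and portable OpenSSH removed libwrap support in 6.7, so on a current system the equivalent of Bill's policy (keys from anywhere, passwords only from listed networks) is a Match Address block in sshd_config or a packet-filter rule rather than hosts.allow.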
On Wed, 26 Mar 2008, Bill Campbell wrote:

> On Wed, Mar 26, 2008, jd wrote:
>>
>>
>> On Wed, 26 Mar 2008, Nico Kadel-Garcia wrote:
>>
>>> On 25 Mar, 09:12, Rob <r...@nothere.com> wrote:
>>>
>>>> Steve,
>>>>
>>>> what about using tcp_wrappers to perform a "route delete" on the offending IP?
>>>>
>>>> If memory serves, there was a port of tcp_wrapper for SCO OS5 on a TLS076a
>>>> on the FTP site:
>>>>
>>>> ftp://ftp.sco.com/pub/TLS/tls076a.tcp_wrappers.tar.Z
>>>>
>>>> Hope this helps!
>>>
>>> If our faithful here only needs SSH access from a small set of
>>> well-maintained sites, that might work well. However, if he has clients who
>>> use NAT on their ISP networks (such as AOL, which uses 10.* internal
>>> addresses), then the tcp_wrapper will block the NAT and everything
>>> behind the NAT server.
>
> We use tcp_wrappers extensively, and absolutely require it when
> allowing username/password authentication via SSH. Normally we
> only permit authentication via authorized_keys, with good pass
> phrases, with tcp_wrappers not restricting sshd access (it's used
> for many other services).
>
>> Then perhaps a VPN (such as OpenVPN) is a more appropriate solution for
>> remote access, instead of SSH (although SSH can be used over the VPN).
>
> OpenVPN is great -- unless one has high packet loss as it
> normally runs with UDP.

It can run over TCP, but I am not sure why you would want to do this. If
you get dropped packets when running TCP over TCP, which layer requests
that the packets should be re-sent? What happens if both TCP layers
request a re-send?

Any VPN is not going to work well with a high packet loss, but then SSH
probably won't work well either.

I found a discussion on the web and the consensus seemed to be that the
only case where using TCP for the transport layer would be sensible is
when tunnelling a UDP protocol that requires a reliable connection (e.g.
tunnelling NFS using its default UDP protocol).

http://www.google.com/search?q=%22Te...icial&filter=0