Maybe it's time to get rid of tcpwrappers/tcpd?

David Sommerseth davids at redhat.com
Thu Jun 5 22:25:17 UTC 2014


On 20/03/14 20:05, Lennart Poettering wrote:
> On Thu, 20.03.14 12:20, Stephen John Smoogen (smooge at gmail.com) wrote:
> 
>>> I doubt there are many people even using them anymore, firewalls are
>>> more comprehensive and a lot more powerful, and while every admin knows
>>> firewalls, I figure only very few know tcpd/tcpwrap, and even fewer ever
>>> actively make use of them...
>>>
>>>
>> Actually they are used quite a bit in various service worlds. Mainly for
>> ssh and email for dealing with scanners. [DenyHosts is a boon in this
>> area.] The reason for using a secondary tool is that depth of
>> security.
> 
> Well, all mails servers as well as sshd have much better ways to do
> such filtering. sshd has "Match",  Postfix for example has
> "smtpd_client_restrictions=", and so on.
> 
> Again, I have no doubt that some people still use tcpwrappers. But I'd
> argue that is clearly the exception, not the rule, and they'd better use
> something different, and that we should be creating an excellent distro,
> instead of a one that features horrible software...
> 
>> Over the years I have found that there are multiple of attacks which will
>> nullify one layer of protection at one point or another. Having a second
>> level or third level of protection is a boon when this happens.
> 
> Well, it certainly makes sense to combine a firewall with let's say
> selinux with maybe postfix/ssh acls. Then you already have three layers
> of protection, of very good protection. But of all possible options
> tcpwrap is the absolute worst choice. And we should be able to deprecate
> and remove stuff from our core OS if we think it is crap.
> 
> I mean, there are two sides of the medal: sure multiple layers of
> protection might be a good thing, but you also make things a lot more
> complex with each one, and you involve more possibly exploitable code --
> and tcpwrap is simply bad code, that's a fact. So you have to balance
> things out: is something a layer that is worth the trouble? Or does
> having it around make things worse? I am of the opinion that tcpwrap
> indeed does make things worse.

I happen to share Stephen's concerns.  I think tcpwrappers is a good
additional security layer.  And I honestly don't buy the idea that code
which is 11 years old is crap by default.  If it has gone 11 years,
being widely used by several services (including high-profile services
such as SSH), that tells me something about the quality of the
*performing* code.  New code is better just because it's new.

That we have a "firewall" layer which resides in the application level
is a plus.  Netfilter/iptables and SELinux are in kernel space,
tcpwrapper is in the user-space.

Yes, more layers add complexity.  But adding more security layers
usually doesn't make any setups less complicated.  Managing security
properly is a complicated task.

I would further like to hear *how* you mean tcpwrappers "make things
worse".  You just state it, you don't provide any arguments supporting it.

And comparing code and condoms is just as clever as comparing age and
wisdom.


--
kind regards,

David Sommerseth
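To make concrete what the tcpwrappers layer under discussion actually decides, here is an added, simplified model of the hosts_access(5) evaluation order (first matching hosts.allow entry grants, otherwise first matching hosts.deny entry refuses, otherwise the connection is allowed). This is example code written for this page, not libwrap's implementation, and the two file contents are constructed samples; only a subset of the client patterns (ALL, LOCAL, numeric prefix, net/mask) is modelled.

```python
import ipaddress

# Constructed sample hosts.allow / hosts.deny contents (not from the thread).
HOSTS_ALLOW = """
sshd : 192.168.1. 10.0.0.0/255.255.0.0
ALL : LOCAL
"""
HOSTS_DENY = """
sshd : ALL
smtpd : 203.0.113.
"""

def _client_matches(pattern, client_ip, client_name):
    """Match one client pattern; simplified subset of hosts_access(5) syntax."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # LOCAL matches a resolved hostname that contains no dot
        return bool(client_name) and "." not in client_name
    if "/" in pattern:
        # net/mask form, e.g. 10.0.0.0/255.255.0.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):
        # numeric prefix, e.g. "192.168.1." matches 192.168.1.x
        return client_ip.startswith(pattern)
    return pattern == client_ip or pattern == client_name

def _file_matches(text, daemon, client_ip, client_name):
    """True if any 'daemon_list : client_list' line in text matches."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = (field.split() for field in line.split(":", 2)[:2])
        if daemon in daemons or "ALL" in daemons:
            if any(_client_matches(p, client_ip, client_name) for p in clients):
                return True
    return False

def hosts_access(daemon, client_ip, client_name="", allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return True if tcpd would let the connection through."""
    if _file_matches(allow, daemon, client_ip, client_name):
        return True          # an allow entry wins outright
    if _file_matches(deny, daemon, client_ip, client_name):
        return False         # otherwise a deny entry refuses
    return True              # no match in either file: access granted
```

With these samples, sshd is reachable only from the two listed networks (or from a dotless local hostname), while smtpd is refused only from the 203.0.113.x prefix; note the default is permissive when neither file matches.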
