Maybe it's time to get rid of tcpwrappers/tcpd?

Michael Stahl mstahl at redhat.com
Fri Jun 6 09:57:46 UTC 2014


On 06/06/14 00:25, David Sommerseth wrote:
> On 20/03/14 20:05, Lennart Poettering wrote:
>> On Thu, 20.03.14 12:20, Stephen John Smoogen (smooge at gmail.com) wrote:
>>
>>>> I doubt there are many people even using them anymore, firewalls are
>>>> more comprehensive and a lot more powerful, and while every admin knows
>>>> firewalls, I figure only very few know tcpd/tcpwrap, and even fewer ever
>>>> actively make use of them...
>>>>
>>>>
>>> Actually they are used quite a bit in various service worlds. Mainly for
>>> ssh and email for dealing with scanners. [DenyHosts is a boon in this
>>> area.] The reason for using a secondary tool is that depth of
>>> security.
>>
>> Well, all mails servers as well as sshd have much better ways to do
>> such filtering. sshd has "Match",  Postfix for example has
>> "smtpd_client_restrictions=", and so on.
>>
>> Again, I have no doubt that some people still use tcpwrappers. But I'd
>> argue that is clearly the excpetion, not the rule, and they'd better use
>> something different, and that we should be creating an excellent distro,
>> instead of a one that features horrible software...
>>
>>> Over the years I have found that there are multiple of attacks which will
>>> nullify one layer of protection at one point or another. Having a second
>>> level or third level of protection is a boon when this happens.
>>
>> Well, it certainly makes sense to combine a firewall with let's say
>> selinux with maybe postfix/ssh acls. Then you already have three layers
>> of protection, of very good protection. But of all possible options
>> tcpwrap is the absolute worst choice. And we should be able to deprecate
>> and remove stuff from our core OS if we think it is crap.
>>
>> I mean, there are two sides of the medal: sure multiple layers of
>> protection might be a good thing, but you also make things a lot more
>> complex with each one, and you involve more possibly exploitable code --
>> and tcpwrap is simply bad code, that's a fact. So you have to balance
>> things out: is something a layer that is worth the trouble? Or does
>> having it around make things worse? I am of the opinion that tcpwrap
>> indeed does make things worse.
> 
> I happen to share Stephens concerns.  I think tcpwrappers is a good
> additional security layer.  And I honestly don't buy the idea that code
> which is 11 years old is crap by default.  If it has gone 11 years,
> being widely used by several services (including high-profile services
> such as SSH), that tells me something about the quality of the
> *performing* code.  New code is better just because it's new.

you are *clearly* not up-to-date with regard to currently on-going
flame-wars:

"heads up: tcpwrappers support going away"
Damien Miller djm at mindrot.org
Tue Apr 22 17:33:59 EST 2014

http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html





More information about the devel mailing list