Maybe it's time to get rid of tcpwrappers/tcpd?
Lennart Poettering
mzerqung at 0pointer.de
Thu Mar 20 19:13:04 UTC 2014
On Thu, 20.03.14 20:06, Florian Weimer (fw at deneb.enyo.de) wrote:
> * Stephen John Smoogen:
>
> > Actually they are used quite a bit in various service worlds. Mainly for
> > ssh and email for dealing with scanners. [DenyHosts is a boon in this
> > area.]
>
> I believe DenyHosts is unmaintained as well:
>
> <https://bugzilla.redhat.com/show_bug.cgi?id=1045983>
>
> > At the enterprise level firewalls can come under a different set of change
> > control rules than something like tcpwrappers which is considered
> > application level.
>
> I think it's difficult to generalize in this area. There is no
> inherent reason why an iptables-based local packet filter has to
> follow the same sign-off rules as a device on the forwarding path.
>
> From my POV, it is kind of neat that you can grant access to *.enyo.de
> and deny every thing else.
Binding access control to DNS sounds insecure like hell..
> This is quite helpful against scanners and
> worms, and programs like OpenSSH rely on tcpwrappers to implement
> this. It's not clear to me if this has to happen at the systemd
> level, though.
OpenSSH can do this on its own without involving tcpwrap:
https://raymii.org/s/tutorials/Limit_access_to_openssh_features_with_the_Match_keyword.html
It sounds like a much better choice to stick to that instead of
involving tcpwrap, and we should push our users to understand that...
Lennart
--
Lennart Poettering, Red Hat
More information about the devel
mailing list