Maybe it's time to get rid of tcpwrappers/tcpd?

Reindl Harald h.reindl at thelounge.net
Fri Mar 28 13:44:47 UTC 2014


On 28.03.2014 14:39, Petr Lautrbach wrote:
> On 03/20/2014 08:05 PM, Lennart Poettering wrote:
>> On Thu, 20.03.14 12:20, Stephen John Smoogen (smooge at gmail.com) wrote:
>>
>>>> I doubt there are many people even using them anymore, firewalls are
>>>> more comprehensive and a lot more powerful, and while every admin knows
>>>> firewalls, I figure only very few know tcpd/tcpwrap, and even fewer ever
>>>> actively make use of them...
>>>>
>>>>
>>> Actually they are used quite a bit in various service worlds. Mainly for
>>> ssh and email for dealing with scanners. [DenyHosts is a boon in this
>>> area.] The reason for using a secondary tool is that depth of
>>> security.
>>
>> Well, all mail servers as well as sshd have much better ways to do
>> such filtering. sshd has "Match", Postfix for example has
>> "smtpd_client_restrictions=", and so on.
> 
> I'd like to note that you can't just replace deny.hosts using Match block in sshd_config.
> 
> - using libwrap, a connection is dropped before the protocol version exchange, so a client can't even check the server's
> identification string. When using a Match block, the client and the server exchange id strings, negotiate the transport-layer
> parameters, exchange keys and establish an encrypted connection.

which is *layered* security

that is the same reason why "put the rules in iptables" is only
an uneducated phrase, and anybody who puts all his security
in a single layer will sooner or later regret that mistake

> - every change in sshd_config has to be confirmed by an sshd restart, while changing hosts.deny doesn't need
> any other action

no - try it out!

make a fatal syntax error in "sshd_config" and, in the case of a
remote machine, make sure you don't close the last connection,
because you will not reach the machine again otherwise
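The two properties argued over above, that libwrap decides before any SSH banner is exchanged and that an edit to hosts.deny is live on the next connection with no restart, both follow from how hosts_access(5) is evaluated. The following is an added example, not code from this thread, from tcp_wrappers or from OpenSSH: a miniature evaluator of the hosts.allow/hosts.deny decision (allow file first, then deny file, first match wins, default allow) run over constructed rule files in a temporary directory. It supports the patterns most admins actually use (ALL, leading-octet prefix, net/mask, CIDR, literal address, EXCEPT); hostname patterns are compared literally and no DNS lookup is performed, and rule options after the second colon are ignored.

```python
"""Miniature hosts_access(5) evaluator.

Added example, not code from the thread or from tcp_wrappers/OpenSSH. It models
the decision libwrap makes in sshd's accept path, before the SSH banner goes out:
consult hosts.allow, then hosts.deny, first match wins, default allow. Supported
client patterns: ALL, leading-octet prefix ("10.0.0."), net/mask, CIDR, literal
address, and EXCEPT. Hostname patterns are compared literally (no DNS here).
Rule files are constructed in a temporary directory; nothing under /etc is touched.
"""
import ipaddress
import tempfile
from pathlib import Path
from typing import Callable, Iterator, List, Tuple

Rule = Tuple[List[str], List[str]]


def parse_rules(text: str) -> Iterator[Rule]:
    """Yield (daemon_list, client_list) per rule; '#' comments and backslash
    continuations are honoured, trailing option fields are ignored."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        yield fields[0].split(), fields[1].split()


def match_daemon(pattern: str, daemon: str) -> bool:
    return pattern == "ALL" or pattern == daemon


def match_client(pattern: str, addr: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # "192.0.2." matches 192.0.2.x
        return addr.startswith(pattern)
    if "/" in pattern:                        # "10.0.0.0/255.0.0.0" or "10.0.0.0/8"
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:                    # unparsable pattern or non-IP client
            return False
    return pattern == addr                    # literal address or literal hostname


def match_list(patterns: List[str], value: str, one: Callable[[str, str], bool]) -> bool:
    """'a b EXCEPT c d' matches when (a or b) matches and neither c nor d does."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return match_list(patterns[:i], value, one) and not match_list(patterns[i + 1:], value, one)
    return any(one(p, value) for p in patterns)


def file_matches(path: Path, daemon: str, addr: str) -> bool:
    if not path.exists():                     # a missing file behaves like an empty one
        return False
    return any(match_list(d, daemon, match_daemon) and match_list(c, addr, match_client)
               for d, c in parse_rules(path.read_text()))


def hosts_access(daemon: str, addr: str, etc: Path) -> bool:
    """True if libwrap would hand this connection to `daemon`.
    Both files are re-read on every call: that is why an edit to hosts.deny
    takes effect on the very next connection with no daemon restart."""
    if file_matches(etc / "hosts.allow", daemon, addr):
        return True
    if file_matches(etc / "hosts.deny", daemon, addr):
        return False
    return True


def run_demo() -> dict:
    """The thread's scenario on constructed rule files: admit a management net
    to sshd, deny every other sshd client, then tighten hosts.deny and observe
    the next decision change without any restart."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)
        (etc / "hosts.allow").write_text("sshd: 192.0.2.0/24 EXCEPT 192.0.2.66\n")
        (etc / "hosts.deny").write_text("sshd: ALL  # everything not allowed above\n")
        before = {
            "mgmt_host": hosts_access("sshd", "192.0.2.10", etc),      # allowed
            "excluded":  hosts_access("sshd", "192.0.2.66", etc),      # denied via EXCEPT
            "scanner":   hosts_access("sshd", "198.51.100.7", etc),    # denied by hosts.deny
            "smtpd":     hosts_access("smtpd", "198.51.100.7", etc),   # no rule: default allow
        }
        # Same running daemons, edited file: the next connection already sees it.
        (etc / "hosts.deny").write_text("ALL: ALL EXCEPT 192.0.2.0/255.255.255.0\n")
        after = {
            "smtpd":     hosts_access("smtpd", "198.51.100.7", etc),   # now denied
            "mgmt_smtp": hosts_access("smtpd", "192.0.2.10", etc),     # still allowed
        }
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(run_demo())
```

The evaluator reads both files on every decision, which is the behaviour the thread relies on: a mistake in hosts.deny costs you only the connections that match the bad rule, while a fatal error in sshd_config stops the daemon from starting at all. For the sshd side, `sshd -t` checks the configuration syntax before a restart; combined with keeping the existing session open, that is the safeguard against the lock-out described in the message above.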
