Maybe it's time to get rid of tcpwrappers/tcpd?
Pete Zaitcev
zaitcev at redhat.com
Fri Mar 28 18:49:58 UTC 2014
On Thu, 20 Mar 2014 18:34:22 +0100
Lennart Poettering <mzerqung at 0pointer.de> wrote:
> I doubt there are many people even using them anymore, firewalls are
> more comprehensive and a lot more powerful, and while every admin knows
> firewalls, I figure only very few know tcpd/tcpwrap, and even fewer ever
> actively make use of them...
I use tcpwrappers through denyhosts, which writes out /etc/hosts.deny.
Then openssh-server uses the tcpwrappers to apply the rules (AFAIK).
When I investigated it, denyhosts was superior to fail2ban due to the
latter doing some crazy stuff with iptables that made me uncomfortable.
Also, this:
Installing:
fail2ban noarch 0.9-0.3.git1f1a561.fc20 fedora 261 k
Installing for dependencies:
ed x86_64 1.10-1.fc20 updates 72 k
gamin-python x86_64 0.1.10-15.fc20 fedora 34 k
python-inotify noarch 0.9.4-4.fc20 fedora 49 k
systemd-python x86_64 208-15.fc20 updates 80 k
I agree that tcpwrappers should die in favour of firewalls.
Folks working on fail2ban are already considering integration
with firewalld, which seems like a great idea. Too bad fail2ban
is just as crusty as tcpwrappers. If we only had denyhosts that
executed firewall-cmd...
-- Pete
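
Added example, not part of the original message and not denyhosts or fail2ban code: a sketch of the translation the message wishes for, turning single-address entries of the kind denyhosts writes to /etc/hosts.deny into firewall-cmd rich rules. The sample file contents, the function names and the mapping of the sshd daemon to firewalld's ssh service are assumptions; the script only prints the commands and does not run them.

```python
import ipaddress
import shlex

# Constructed sample in the style of a denyhosts-managed /etc/hosts.deny.
SAMPLE_HOSTS_DENY = """\
# DenyHosts: Fri Mar 28 18:00:00 2014 | sshd: 203.0.113.7
sshd: 203.0.113.7
sshd: 198.51.100.23
ALL: [2001:db8::bad]
sshd: not-an-address.example
vsftpd: 192.0.2.9
sshd: 203.0.113.7
"""

# Assumed mapping from tcp_wrappers daemon names to firewalld services.
# "ALL" has no service element, so the rule covers every port.
DAEMON_TO_SERVICE = {"sshd": "ssh", "ALL": None}

def parse_hosts_deny(text):
    """Return unique (daemon, address) pairs for single literal-IP entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemon, rest = (part.strip() for part in line.split(":", 1))
        if daemon not in DAEMON_TO_SERVICE:
            continue  # unmapped daemon: leave for manual review
        if rest.startswith("["):  # tcp_wrappers brackets IPv6 literals
            client = rest[1:].split("]", 1)[0]
        else:  # a further ':' would start an option field
            client = rest.split(":", 1)[0].strip()
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # hostnames, wildcards, networks, lists: not handled here
        if (daemon, addr) not in entries:
            entries.append((daemon, addr))
    return entries

def rich_rule(daemon, addr):
    """Build the firewalld rich rule text for one denied address."""
    family = "ipv4" if addr.version == 4 else "ipv6"
    service = DAEMON_TO_SERVICE[daemon]
    element = f' service name="{service}"' if service else ""
    return f'rule family="{family}" source address="{addr}"{element} reject'

def firewall_cmd_lines(text):
    """Return one shell-quoted firewall-cmd invocation per denied address."""
    return ["firewall-cmd --permanent --add-rich-rule=" + shlex.quote(rich_rule(d, a))
            for d, a in parse_hosts_deny(text)]

if __name__ == "__main__":
    print("\n".join(firewall_cmd_lines(SAMPLE_HOSTS_DENY)))
```

Rules added with --permanent take effect only after `firewall-cmd --reload`.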