From: Eric Schuele <e.schuele@computer.org>
To: freebsd-questions@freebsd.org, rihad@mail.ru
Date: Wed, 25 Oct 2006 13:58:27 -0500
Subject: Re: tcpwrappers & SSH
Message-ID: <453FB3D3.4030308@computer.org>
In-Reply-To: <25EF2257D42835E7C800F7AB@utd59514.utdallas.edu>
List-Id: freebsd-questions (User questions)

On 10/25/06 09:56, Paul Schmehl wrote:
> --On Wednesday, October 25, 2006 12:08:26 +0400 ????? ??????? wrote:
>
>> A comment in /etc/hosts.allow states that:
>> Wrapping sshd(8) is not normally a good idea
>>
>> Why? Is it because such restrictions should naturally be made using a
>> firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have
>> been built with libwrap support in the first place. Or?
>>
> Because maintaining the access list can be quite ponderous if you have a
> lot of users.
>
> I maintain a hobby website that only has two shell accounts. I use
> hosts.allow for ssh because it gets rid of the brute-force crap. But
> even for two users, the list of hosts/networks that are allowed is 10 or
> 15. Imagine what it would be if you have a hundred users...or a thousand.

Viewed from a slightly different angle...

If you are responsible for maintaining machine xyz, and you have used
tcpwrappers... chances are you'll eventually need access to that machine
from a location you did not previously expect. Maybe you're sitting in the
airport and get a call that the machine is malfunctioning. Maybe you are on
call at a social gathering. In any case, you'll need access, and if it is
using tcpwrappers, you may not gain access.

IMHO, other than the problem with needing "emergency" access, I think
tcpwrappers is a good thing. I use them on my laptop, for example. As Paul
mentions, it gets rid of the constant hammering you would normally be
subject to, and I can still access it from the office or home.

>
> Paul Schmehl (pauls@utdallas.edu)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/

-- 
Regards,
Eric
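The situation both posters describe, a short allow list for sshd in /etc/hosts.allow that stops the brute-force noise but also locks out any address that was not foreseen, can be walked through with a small first-match evaluator. This is an added example, not code from the thread or from FreeBSD; the hosts.allow text below is constructed, and the evaluator implements only the subset of hosts_access(5) syntax it needs (daemon list, client list with ALL, exact IPv4 addresses, trailing-dot prefixes and net/mask in dotted form, and the allow/deny option). EXCEPT, hostnames, LOCAL/KNOWN/PARANOID and shell commands are deliberately not modelled.

```python
"""Toy first-match evaluator for FreeBSD-style /etc/hosts.allow rules.

Added example, not from the original thread or from the tcp_wrappers
sources. FreeBSD keeps allow and deny rules in a single hosts.allow file
with the extended "daemon : client : allow|deny" syntax; the first rule
whose daemon and client lists both match decides, and a connection that
matches no rule at all is allowed (tcpd's documented default).
"""
import ipaddress

# Constructed sample hosts.allow modelled on the thread: office LAN, a home
# connection, a couple of fixed hosts, then a catch-all deny for sshd.
SAMPLE_HOSTS_ALLOW = """\
# Office LAN may reach sshd
sshd : 192.0.2.0/255.255.255.0 : allow
# Two fixed hosts (home, a colleague's box)
sshd : 198.51.100.7, 198.51.100.8 : allow
# A /24 written as a trailing-dot prefix
sshd : 203.0.113. : allow
# Everyone else is turned away before sshd ever offers a password prompt
sshd : ALL : deny
# Other wrapped daemons are left alone
ALL : ALL : allow
"""


def parse_rules(text):
    """Return a list of (daemons, clients, allowed) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 3:
            raise ValueError(f"rule needs daemon : client : option: {raw!r}")
        daemons = [d.strip() for d in parts[0].split(",")]
        clients = [c.strip() for c in parts[1].split(",")]
        option = parts[2].lower()
        if option not in ("allow", "deny"):
            raise ValueError(f"unsupported option {option!r} in {raw!r}")
        rules.append((daemons, clients, option == "allow"))
    return rules


def client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    ip = ipaddress.IPv4Address(addr)
    if "/" in pattern:                        # net/mask in dotted form
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.IPv4Network((net, mask), strict=False)
    if pattern.endswith("."):                 # "203.0.113." style prefix
        return addr.startswith(pattern)
    return addr == pattern                    # exact address


def is_allowed(rules, daemon, addr):
    """First matching rule wins; no match at all means the connection is allowed."""
    for daemons, clients, allowed in rules:
        if not any(d in ("ALL", daemon) for d in daemons):
            continue
        if any(client_matches(c, addr) for c in clients):
            return allowed
    return True


def locked_out(rules, daemon, addrs):
    """Which of the given client addresses would be refused for daemon."""
    return [a for a in addrs if not is_allowed(rules, daemon, a)]


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HOSTS_ALLOW)
    # 192.0.2.44 is the office, 8.8.8.8 stands in for the airport hotspot
    for addr in ("192.0.2.44", "198.51.100.8", "203.0.113.9", "8.8.8.8"):
        print(f"sshd from {addr:15} -> {'allow' if is_allowed(rules, 'sshd', addr) else 'deny'}")
```

On a real FreeBSD box the same question is answered by tcpdmatch(8) against the live file, e.g. `tcpdmatch sshd 8.8.8.8`, which is worth running before you leave the office rather than from the airport. The catch-all `sshd : ALL : deny` is what buys the quiet logs, and it is also the line that refuses the unplanned address Eric describes; a firewall rule or sshd's own `Match` block has exactly the same property, so the emergency-access problem belongs to the allow-list approach, not to tcpwrappers specifically.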