From: Alex Zbyslaw <xfb52@dial.pipex.com>
To: Рихад Гаджиев
Cc: freebsd-questions@freebsd.org
Date: Wed, 25 Oct 2006 14:13:05 +0100
Subject: Re: tcpwrappers & SSH
Message-ID: <453F62E1.5090506@dial.pipex.com>
List: freebsd-questions@freebsd.org (User questions)

Рихад Гаджиев wrote:

> A comment in /etc/hosts.allow states that:
> Wrapping sshd(8) is not normally a good idea
>
> Why? Is it because such restrictions should naturally be made using a firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have been built with libwrap support in the first place. Or?
>

I can't answer the question as such, but on a low-ssh-usage box I do use /etc/hosts.allow for sshd and it works just fine(**). The original author unfortunately left out the half of the statement that explained their reasoning. Perhaps it's just to do with trying to maintain large(*) lists of hosts, which, IIRC, hosts.allow is not overly efficient for.

--Alex

(*) Large probably means hundreds. IIRC the relevant library will just scan down the list of hosts/addresses and compare each, rather than trying anything clever with a db file or whatever.

(**) And I block access in the firewall. Security in depth - if I bugger up one level, the other level still holds.
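Added illustration, not code from the thread, from FreeBSD or from libwrap: a small Python model of the first-match linear scan that Alex describes libwrap doing over /etc/hosts.allow, applied to a constructed rule set in FreeBSD's unified `daemon_list : client_list : allow|deny` syntax. It supports only a subset of client patterns (ALL, trailing-dot address prefix, net/mask, CIDR, exact address) and treats "no rule matched" as allow, which is the wrapper's default. The point it makes is the practical one for wrapping sshd: rule order decides everything, so a dry run against the addresses you administer from is the check to do before you rely on the file. On a real FreeBSD box the equivalent dry run is `tcpdmatch sshd <address>` (and `tcpdchk` for syntax); the model below just lets the logic be seen and tested offline.

```python
import ipaddress

# Constructed sample in FreeBSD hosts.allow syntax (not a real system's file).
# First match wins; the catch-all "ALL : ALL : allow" must come last or the
# sshd rules above it are never reached.
SAMPLE_HOSTS_ALLOW = """\
# sshd: trusted networks first, then a catch-all deny for sshd only
sshd : 192.168.0. : allow
sshd : 10.0.0.0/255.255.0.0 : allow
sshd : 203.0.113.0/24 : allow
sshd : ALL : deny
# every other wrapped daemon stays open
ALL : ALL : allow
"""

# Same rules, misordered: the deny is reached before any allow.
MISORDERED_HOSTS_ALLOW = """\
sshd : ALL : deny
sshd : 192.168.0. : allow
"""


def parse_hosts_allow(text):
    """Return a list of (daemons, clients, action) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        # Only the allow/deny options are modelled; a rule with neither
        # grants access, as any rule in hosts.allow does.
        action = "allow"
        for opt in fields[2:]:
            if opt in ("allow", "deny"):
                action = opt
        rules.append((daemons, clients, action))
    return rules


def client_matches(pattern, addr):
    """Subset of libwrap client patterns, compared against an IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # "192.168.0." matches 192.168.0.x
        return addr.startswith(pattern)
    if "/" in pattern:                        # net/mask or CIDR
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr                    # exact address


def evaluate(rules, daemon, addr):
    """Walk the rules top to bottom and stop at the first match (libwrap's
    linear scan). Returns (action, number_of_rules_examined); with no match
    the wrapper grants access."""
    for examined, (daemons, clients, action) in enumerate(rules, 1):
        if daemon in daemons or "ALL" in daemons:
            if any(client_matches(p, addr) for p in clients):
                return action, examined
    return "allow", len(rules)


def check_admin_access(text, daemon, admin_addrs):
    """Dry-run a candidate hosts.allow and return the administrative
    addresses it would lock out of `daemon`."""
    rules = parse_hosts_allow(text)
    return [a for a in admin_addrs if evaluate(rules, daemon, a)[0] == "deny"]


if __name__ == "__main__":
    rules = parse_hosts_allow(SAMPLE_HOSTS_ALLOW)
    for addr in ("192.168.0.2", "10.0.7.9", "203.0.113.77", "198.51.100.4"):
        action, n = evaluate(rules, "sshd", addr)
        print(f"sshd from {addr:14s}: {action:5s} after {n} rule(s) examined")
    print("locked out by misordered file:",
          check_admin_access(MISORDERED_HOSTS_ALLOW, "sshd", ["192.168.0.2"]))
```

The `rules_examined` count is the cost Alex's footnote (*) is about: every sshd connection from an address that matches no early rule pays one comparison per rule ahead of it, which is harmless for a handful of rules and noticeable for hundreds. The `check_admin_access` dry run is the guard for footnote (**): if the wrapper rules are wrong the firewall still holds, but it is cheaper to catch the mistake before the file is installed than to discover it from the other layer.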