Date:      Wed, 25 Oct 2006 09:56:50 -0500
From:      Paul Schmehl <pauls@utdallas.edu>
To:        freebsd-questions@freebsd.org
Subject:   Re: tcpwrappers & SSH
Message-ID:  <25EF2257D42835E7C800F7AB@utd59514.utdallas.edu>
In-Reply-To: <E1GcdoI-000MsQ-00.rihad-mail-ru@f48.mail.ru>
References:  <E1GcdoI-000MsQ-00.rihad-mail-ru@f48.mail.ru>


--On Wednesday, October 25, 2006 12:08:26 +0400 Рихад Гаджиев <rihad@mail.ru> wrote:

> A comment in /etc/hosts.allow states that:
> Wrapping sshd(8) is not normally a good idea
>
> Why? Is it because such restrictions should naturally be made using a
> firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have
> been built with libwrap support in the first place. Or?
>
Because maintaining the access list can be quite ponderous if you have a
lot of users.

I maintain a hobby website that only has two shell accounts.  I use
hosts.allow for ssh because it gets rid of the brute-force crap.  But even
for two users, the list of hosts/networks that are allowed is 10 or 15.
Imagine what it would be if you have a hundred users...or a thousand.

Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
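
A hosts.allow fragment of the kind the reply above describes, added here as an illustration (it is not from the original message); the hosts and networks are constructed documentation ranges, and the per-user grouping is an assumption about how such a list typically grows:

```text
# /etc/hosts.allow (FreeBSD): the first matching rule wins, so the sshd
# rules must come before the catch-all "ALL : ALL : allow" line.
#
# Allowed hosts/networks are constructed examples (RFC 5737 / RFC 3849
# documentation ranges). Each shell user tends to need several entries
# (home, office, travel), which is how a two-user box ends up with
# 10 or 15 lines in this file.

# Loopback is always allowed.
sshd : 127.0.0.1 [::1] : allow

# User A: home address and office network.
sshd : 198.51.100.7 : allow
sshd : 203.0.113.0/255.255.255.0 : allow

# User B: campus network and an IPv6 prefix.
sshd : 192.0.2.0/255.255.255.0 : allow
sshd : [2001:db8:1::]/48 : allow

# Everything else is refused before authentication starts, and sshd
# logs the refused connection, so password guessing never reaches PAM.
sshd : ALL : deny

# Default catch-all for the other wrapped services (FreeBSD default).
ALL : ALL : allow
```

Every new location a user connects from means another line here, which is the maintenance cost the reply refers to.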
