Date:      Wed, 11 Nov 2015 09:52:49 -0800 (PST)
From:      Roger Marquis <marquis@roble.com>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        Bryan Drewery <bdrewery@FreeBSD.org>, freebsd-security@freebsd.org,  freebsd-current@freebsd.org
Subject:   Re: OpenSSH HPN
In-Reply-To: <86r3jwfpiq.fsf@desk.des.no>
References:  <86io5a9ome.fsf@desk.des.no> <56428E8A.3090201@FreeBSD.org> <56428F59.5010908@FreeBSD.org> <86y4e47uty.fsf@desk.des.no> <56436F4B.8050002@FreeBSD.org> <86r3jwfpiq.fsf@desk.des.no>

On Wed, 11 Nov 2015, Dag-Erling Smørgrav wrote:
> I want to keep tcpwrapper support - it is another reason why I still
> haven't upgraded OpenSSH, but to the best of my knowledge, it is far
> less intrusive than HPN.

There's also inetd's tcpwrapper support if you call sshd from inetd for
D/DOS protection.  Inetd and its rate-limiting flags are strongly
recommended for security-minded systems.

Starting sshd from rc.d should never have been made the default, IMO, as
keygen delays are rarely relevant and weren't even back in the days of
300MHz CPUs (18 years ago).  The only reason inetd is not more widely
used today is that many sysadmins aren't familiar with it.

Roger Marquis
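As an added illustration of the setup Roger describes (not part of his message, and not FreeBSD's stock configuration), the fragments below show sshd started on demand by inetd with inetd's own connection limits and TCP wrapper checks in front of it. The flag values, the per-service limits in the wait field and the 192.0.2.0/24 network are constructed placeholders; the flags themselves (-w, -W, -C, -R, -c) and the nowait/max/max-per-ip syntax are from inetd(8) and inetd.conf(5).

```conf
# /etc/rc.conf (added example; limit values are illustrative placeholders)
sshd_enable="NO"                 # do not also run the standalone daemon from rc.d
inetd_enable="YES"
# -w   consult TCP wrappers (hosts.allow) for external services such as sshd
# -W   same for inetd's internal services
# -C   max connections per minute from a single source IP, across services
# -R   max invocations per minute for any one service, from any source
# -c   max simultaneous instances of any one service
inetd_flags="-wW -C 30 -R 120 -c 20"

# /etc/inetd.conf
# The wait field can carry per-service overrides: nowait/<max per minute>/<max per IP per minute>
ssh     stream  tcp     nowait/60/5     root    /usr/sbin/sshd  sshd -i
ssh     stream  tcp6    nowait/60/5     root    /usr/sbin/sshd  sshd -i

# /etc/hosts.allow (evaluated by inetd -w before sshd is spawned; first match wins;
# 192.0.2.0/24 is a documentation range standing in for the admin network)
sshd : 192.0.2.0/24 : allow
sshd : ALL : deny
```

Two things to keep in mind with this arrangement. The per-service limit (-R, or the first number in the wait field) is a global cap: once it is exceeded inetd stops spawning that service for a while and logs it via syslog, so a single noisy source can take sshd away from everyone. The per-IP limits (-C and the second number in the wait field) are the ones that actually isolate an abusive client, so set them tighter than the global cap and make sure an out-of-band path (console, serial) exists before relying on this for remote-only hosts. Also, because each connection forks a fresh sshd that re-reads its configuration, changes to sshd_config take effect on the next connection without a restart, which is convenient but means a typo in that file is only discovered on the next login attempt.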
