Date:      Wed, 25 Oct 2006 13:58:27 -0500
From:      Eric Schuele <e.schuele@computer.org>
To:        freebsd-questions@freebsd.org,  rihad@mail.ru
Subject:   Re: tcpwrappers & SSH
Message-ID:  <453FB3D3.4030308@computer.org>
In-Reply-To: <25EF2257D42835E7C800F7AB@utd59514.utdallas.edu>
References:  <E1GcdoI-000MsQ-00.rihad-mail-ru@f48.mail.ru> <25EF2257D42835E7C800F7AB@utd59514.utdallas.edu>

On 10/25/06 09:56, Paul Schmehl wrote:
> --On Wednesday, October 25, 2006 12:08:26 +0400 ????? ??????? 
> <rihad@mail.ru> wrote:
> 
>> A comment in /etc/hosts.allow states that:
>> Wrapping sshd(8) is not normally a good idea
>>
>> Why? Is it because such restrictions should naturally be made using a
>> firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have
>> been built with libwrap support in the first place. Or?
>>
> Because maintaining the access list can be quite ponderous if you have a 
> lot of users.
> 
> I maintain a hobby website that only has two shell accounts.  I use 
> hosts.allow for ssh because it gets rid of the brute-force crap.  But 
> even for two users, the list of hosts/networks that are allowed is 10 or 
> 15. Imagine what it would be if you have a hundred users...or a thousand.

Viewed from a slightly different angle...

If you are responsible for maintaining machine xyz, and you have used 
tcpwrappers... chances are you'll eventually need access to that machine 
from a location you did not previously expect.  Maybe you're sitting in 
the airport and get a call that the machine is malfunctioning.  Maybe 
you are on call at a social gathering.  In any case, you'll need access 
and if it is using tcpwrappers, you may not gain access.

IMHO, other than the problem with needing "emergency" access, I think 
tcpwrappers is a good thing.  I use them on my laptop for example.  As 
Paul mentions, it gets rid of the constant hammering you would normally 
be subject to, and I can still access it from the office or home.

> 
> Paul Schmehl (pauls@utdallas.edu)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/


-- 
Regards,
Eric
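The two points in this thread (an allow-list that grows to "10 or 15" entries even for two users, and the lockout from an unexpected location) can be seen by walking a hosts.allow-style ruleset the way tcpwrappers does: rules are read top to bottom, the first rule whose daemon and client pattern match decides, and a trailing `sshd : ALL : deny` catches everyone else. The script below is an added example, not code from the thread or from FreeBSD; the ruleset, the addresses and the `check_access`/`match_pattern` helpers are constructed for illustration, and the matcher only understands the four client-pattern forms used in the sample (`ALL`, a dotted prefix such as `192.168.1.`, `net/mask`, and an exact address), not hostnames, `EXCEPT` lists or `KNOWN`/`UNKNOWN`.

```shell
#!/bin/sh
# Added example (not from the thread): a constructed hosts.allow-style
# ruleset for sshd plus a small matcher that mimics how tcpwrappers walks
# the file: first matching rule wins, its "allow"/"deny" option decides.
# Assumption: patterns are ALL, dotted prefix ("192.168.1."), net/mask
# ("10.0.0.0/255.255.0.0"), or an exact address. Hostnames, EXCEPT and
# KNOWN/UNKNOWN are deliberately not handled here.

# Constructed sample ruleset (the real file is /etc/hosts.allow).
HOSTS_ALLOW='sshd : 127.0.0.1 : allow
sshd : 192.168.1. : allow
sshd : 10.0.0.0/255.255.0.0 : allow
sshd : 203.0.113.7 : allow
sshd : ALL : deny'

# trim STRING -> STRING without leading/trailing blanks
trim() {
    printf '%s' "$1" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# ip_to_int A.B.C.D -> the address as one integer, for mask arithmetic
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# match_pattern PATTERN CLIENT -> exit 0 if PATTERN covers CLIENT
match_pattern() {
    pat=$1; client=$2
    case $pat in
        ALL) return 0 ;;
        *.)  # dotted prefix: "192.168.1." matches 192.168.1.x
             case $client in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        */*) # net/mask: the masked client must equal the masked network
             net=${pat%/*}; mask=${pat#*/}
             [ $(( $(ip_to_int "$client") & $(ip_to_int "$mask") )) -eq \
               $(( $(ip_to_int "$net") & $(ip_to_int "$mask") )) ] ;;
        *)   [ "$pat" = "$client" ] ;;
    esac
}

# check_access DAEMON CLIENT -> prints the option of the first matching
# rule; if nothing matches, tcpwrappers grants access, so say so explicitly.
check_access() {
    daemon=$1; client=$2
    result=$(printf '%s\n' "$HOSTS_ALLOW" | while IFS= read -r line; do
        d=$(trim "${line%%:*}")
        rest=${line#*:}
        pat=$(trim "${rest%%:*}")
        action=$(trim "${rest#*:}")
        if [ "$d" = "$daemon" ] || [ "$d" = ALL ]; then
            if match_pattern "$pat" "$client"; then
                echo "$action"
                break
            fi
        fi
    done)
    echo "${result:-allow (no rule matched)}"
}

# Stand-alone demonstration: office LAN, covered /16, a 10.x host outside
# the /16, and an "airport" address nobody anticipated.
for c in 192.168.1.44 10.0.42.9 10.3.7.9 198.51.100.23; do
    printf '%-16s %s\n' "$c" "$(check_access sshd "$c")"
done
```

The last address is the airport case from the reply above: with a closing `ALL : deny`, an address that is not on the list is refused no matter who is behind it, which is exactly the trade-off being discussed. On a real system the same question is answered by `tcpdmatch sshd <address>`, which evaluates the actual `/etc/hosts.allow` with the full pattern language instead of this reduced one.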



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?453FB3D3.4030308>