TCP wrappers? The 1990s just called, and they want their O'Reilly network
security book back.
Seriously, I hear phone and power networks, and TCP wrappers are the best
defense-in-depth that can be done? We're doomed as a species.
At the very least, you can use https://cr.yp.to/ucspi-tcp.html and
https://cr.yp.to/daemontools.html for reliable alternatives to TCP wrappers and
systems, respectively.
At best, you should be using on-host iptables, public-key or certificate
authentication, and other modern methods to secure your systems....
--
jmk
> On Jun 23, 2021, at 11:52, Thomas Dwyer III <tomiii at tomiii.com> wrote:
>
> iptables is not an external app. It's never "down" any more than
> /etc/hosts.deny is down. What can tcpwrappers do that iptables cannot do
> even better?
>
>
> Tom.III
>
>
>> On Wed, Jun 23, 2021 at 10:32 AM Saint Michael <venefax at gmail.com> wrote:
>>
>> any external app can be down at any time, while openssh remains active and
>> exposed, BUT libwrap is baked into openssh, so the protection will hold.
>> Libwrap is the last line of defense. Why remove it?
>>
>>> On Wed, Jun 23, 2021 at 1:01 PM Lars Noodén <lars.nooden at gmx.com> wrote:
>>>
>>> On 6/23/21 5:54 PM, Saint Michael wrote:
>>>> I compiled the latest version, 8.1, inside Centos 7.9, and
>>> [snip]
>>>
>>> What use-case would there be there for tcpwrappers that cannot be better
>>> solved with a packet filter? In the case of CentOS 7 you have nftables
>>> and iptables.
>>>
>>> /Lars
>>>
>>> _______________________________________________
>>> openssh-unix-dev mailing list
>>> openssh-unix-dev at mindrot.org
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>