Matthew Miller
2014-Mar-20 19:48 UTC
[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would you care strongly if it went away (or would you just migrate to something else)?

I bring this up because we are discussing dropping it from Fedora. This would be far enough in the future that it wouldn't impact RHEL 7, and therefore won't affect anyone here for Quite Some Time*, but here in the new world order of CentOS, I thought it might be useful to check with some actual downstream users.

What do you think? Do you rely on hosts.allow/hosts.deny as a primary security mechanism? As defense-in-depth? Do you have policies which mandate it?

Your feedback appreciated. Thanks!

* and the standard caveats that Fedora doesn't necessarily determine the path for RHEL apply, of course.

-- 
Matthew Miller
mattdm at mattdm.org <http://mattdm.org/>
Keith Keller
2014-Mar-20 19:55 UTC
[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On 2014-03-20, Matthew Miller <mattdm at mattdm.org> wrote:
> What do you think? Do you rely on hosts.allow/hosts.deny as a primary security
> mechanism? As defense-in-depth? Do you have policies which mandate it?

I currently use it in conjunction with denyhosts, but have been considering moving to something like sshguard with iptables instead. If hosts.deny support disappeared then I would simply go that route when necessary.

May I ask what the reason is for considering dropping tcp wrappers support?

--keith

-- 
kkeller at wombat.san-francisco.ca.us
Fernando Cassia
2014-Mar-20 21:14 UTC
[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014 at 4:48 PM, Matthew Miller <mattdm at mattdm.org> wrote:
> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would
> you care strongly if it went away (or would you just migrate to something
> else)?

Please don't remove it.

Why this sudden idea in software circles that stuff that works properly needs to be removed for no reason whatsoever other than "it's old and we think nobody uses it"? How do you know?

IF IT AIN'T BROKEN, DON'T FIX IT. You might have heard of it.

Fail2ban is one piece of software which interfaces with tcp wrappers. v0.9.0 just out: http://www.fail2ban.org/wiki/index.php/Main_Page

FC

-- 
During times of Universal Deceit, telling the truth becomes a revolutionary act
- George Orwell
Steven Tardy
2014-Mar-20 23:36 UTC
[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
> On Mar 20, 2014, at 3:48 PM, Matthew Miller <mattdm at mattdm.org> wrote:
>
> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would
> you care strongly if it went away (or would you just migrate to something
> else)?
>
> I bring this up because we are discussing dropping it from Fedora. This
> would be far enough in the future that it wouldn't impact RHEL 7, and
> therefore won't affect anyone here for Quite Some Time*, but here in the new
> world order of CentOS, I thought it might be useful to check with some
> actual downstream users.
>
> What do you think? Do you rely on hosts.allow/hosts.deny as a primary security
> mechanism? As defense-in-depth? Do you have policies which mandate it?
>
> Your feedback appreciated. Thanks!
>
> * and the standard caveats that Fedora doesn't necessarily determine the
> path for RHEL apply, of course.
>
> --
> Matthew Miller mattdm at mattdm.org <http://mattdm.org/>

I know a .gov which exclusively uses tcp wrappers instead of iptables.
1) tcp wrappers is consistent across Unixes (Solaris/AIX/Linux)
2) if it ain't broke / resistance to change / etc
3) political / layer 8 issues. Iptables is a firewall and firewalls are handled by the security group, not the sysadmin group.

I know a .edu which uses tcp wrappers instead of iptables in a containers environment. With 250+ containers on a 40GB hardware node, iptables used too much RAM since it's resident 100% of the time. Tried using a "fail2ban" equivalent inserting iptables rules, and after some number of rules iptables wouldn't take any more. Tcp wrappers scaled much, much higher using less RAM.

Political reasons shouldn't prevent removing tcp wrappers, but some technical reasons still exist.

Steven Tardy
zGreenfelder
2014-Mar-21 02:25 UTC
[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
> What do you think? Do you rely on hosts.allow/hosts.deny as a primary security
> mechanism? As defense-in-depth? Do you have policies which mandate it?
>
> Your feedback appreciated. Thanks!
>
> * and the standard caveats that Fedora doesn't necessarily determine the
> path for RHEL apply, of course.

I'll try to keep my response as free from whining and gnashing of teeth, as that seems to be well covered by many others.

Where I work uses it now. I've been at places that, while I can't recall there being a specific mandate for tcp wrappers, had really stupid 'must have' requirements (like root's home has to be mode 700, which while fine, good, great even on standard linux systems is less than helpful on standard older releases of solaris where root has / as a home dir), so I can imagine they could have that.

I like the notion of keeping it around, and having someone take over the maint work would be great, but I can understand why it might be good to retire, and I'm pretty sure I'd adapt (possibly moving to the route of building my own from source if I -really- decided I had to have it, although life is much easier when the libs are blown into the daemons directly).

-- 
Even the Magic 8 ball has an opinion on email clients: Outlook not so good.
Sorin Srbu
2014-Mar-21 08:12 UTC
[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
> -----Original Message-----
> From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Matthew Miller
> Sent: 20 March 2014 20:49
> To: centos at centos.org
> Subject: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
>
> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And,
> would you care strongly if it went away (or would you just migrate to
> something else)?

I do use them both, together with some iptables-rules. As for caring if they disappear, well, maybe not too much, as most everything can be set in iptables as well. It will take an effort to redo our standard iptables rule list though, in order to cover up for the missing hosts.deny and hosts.allow files.

-- 
//Sorin
Phelps, Matt
2014-Mar-21 12:04 UTC
[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014 at 3:48 PM, Matthew Miller <mattdm at mattdm.org> wrote:
> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would
> you care strongly if it went away (or would you just migrate to something
> else)?
>
> I bring this up because we are discussing dropping it from Fedora. This
> would be far enough in the future that it wouldn't impact RHEL 7, and
> therefore won't affect anyone here for Quite Some Time*, but here in the new
> world order of CentOS, I thought it might be useful to check with some
> actual downstream users.
>
> What do you think? Do you rely on hosts.allow/hosts.deny as a primary security
> mechanism? As defense-in-depth? Do you have policies which mandate it?
>
> Your feedback appreciated. Thanks!
>
> * and the standard caveats that Fedora doesn't necessarily determine the
> path for RHEL apply, of course.
>
> --
> Matthew Miller mattdm at mattdm.org <http://mattdm.org/>

We still use tcpwrappers extensively behind our firewalls to control many things. We still have a mixed CentOS 5/6 and older Solaris environment, so it would be a big hassle to switch to something else.

Of course, if it left Fedora today, it would still be in CentOS for years to come, and even then we could probably build our own pretty easily, but we'd rather not have to!

-- 
Matt Phelps
System Administrator, Computation Facility
Harvard - Smithsonian Center for Astrophysics
mphelps at cfa.harvard.edu, http://www.cfa.harvard.edu
Bruce Ferrell
2014-Mar-21 15:13 UTC
[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On 03/20/2014 12:48 PM, Matthew Miller wrote:
> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would
> you care strongly if it went away (or would you just migrate to something
> else)?
>
> I bring this up because we are discussing dropping it from Fedora. This
> would be far enough in the future that it wouldn't impact RHEL 7, and
> therefore won't affect anyone here for Quite Some Time*, but here in the new
> world order of CentOS, I thought it might be useful to check with some
> actual downstream users.
>
> What do you think? Do you rely on hosts.allow/hosts.deny as a primary security
> mechanism? As defense-in-depth? Do you have policies which mandate it?
>
> Your feedback appreciated. Thanks!
>
> * and the standard caveats that Fedora doesn't necessarily determine the
> path for RHEL apply, of course.

I use it in conjunction with other utilities... They modify the hosts.deny in response to log parsing.

Please keep in mind, security in layers.
James A. Peltier
2014-Mar-21 18:54 UTC
[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
----- Original Message -----
| Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And,
| would you care strongly if it went away (or would you just migrate to
| something else)?
|

Yes, we do use TCP Wrappers. We also use IPTables, edge gateway firewalls, VPNs and other tools. The reason that we use them is to support additional security.

The case is being made to remove a tool that is considered to be legacy. While it is understood that legacy = old/unmaintained/crap, it does remove an additional layer of security that can be applied for a base system. So the question then is, what can be used as a suitable replacement? If so, what is that suitable replacement? If one doesn't exist, how long until we can get one?

Security is about layering technology. IPTables doesn't solve all of the problems out there. People mentioned NFSv3 and moving to NFSv4, and while this may be suitable for some people it doesn't apply to others. To simply remove a tool because its code hasn't been modified in X number of days, months, years, decades is really in many cases what I like to call "version envy".

I'd love to hear about the "old and unmaintainable code". It's open source code. If something's broken you can fix it, right!?! That's the open source mantra!

Either provide a set of reasons why it should be removed and the alternatives that cover all the use cases of TCP Wrappers, or let the code, that obviously works, remain there undisturbed. It's an extra layer of security that administrators can use to secure their systems and it's dead simple to understand!

-- 
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpeltier at sfu.ca
Website : http://www.sfu.ca/itservices

"Around here, however, we don't look backwards for very long. We KEEP MOVING FORWARD, opening up new doors and doing things because we're curious and curiosity keeps leading us down new paths." - Walt Disney
Devin Reade
2014-Mar-26 02:26 UTC
[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
As others have mentioned in this thread, yes I use it as part of a defence in depth strategy, and it's a suitable tool for what it is intended to do. I would not be happy with it going away, especially if doing so broke various tools or introduced a dependency on a non-base RPM.

Devin
John Horne
2014-Apr-20 23:48 UTC
[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, 2014-03-20 at 15:48 -0400, Matthew Miller wrote:
> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

A very late reply - yes, we use it in conjunction with iptables (on CentOS 5/6 and Fedora). Tcp_wrappers allows filtering based on DNS name, which (as far as I am aware) iptables does not. It is very easy to configure, and takes immediate effect (no restarting of processes required).

> And, would you care strongly if it went away (or would you just
> migrate to something else)?

Since we use it I would obviously rather it did not go away :-) If we had to we would probably build our own from source, but initially may well just look to see if iptables could do all of what we wanted.

> What do you think? Do you rely on hosts.allow/hosts.deny as a primary security
> mechanism? As defense-in-depth? Do you have policies which mandate it?

No policies as such, but we include its installation as part of our standard server build process. It is part of the security used on our servers, and, as others have mentioned, multiple layers is the way to go rather than relying on just one tool.

John.

-- 
----------------------------------------------------
John Horne Tel: +44 (0)1752 587287
Plymouth University, UK Fax: +44 (0)1752 587001
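The hosts.allow/hosts.deny evaluation order and the client patterns mentioned above (DNS-name suffixes alongside address ranges, which iptables does not match on) as an added illustration that is not part of the thread: a simplified Python model of hosts_access(5) matching, written for this note rather than taken from the tcp_wrappers library, with constructed sample rule files embedded inline.

```python
import ipaddress

# Constructed sample rule files standing in for /etc/hosts.allow and /etc/hosts.deny
# (made up for this example, not the thread's or any site's real configuration).
HOSTS_ALLOW = """
# daemon_list : client_list
sshd : 192.168.1.0/255.255.255.0, .corp.example.com
ALL  : 10.0.
"""
HOSTS_DENY = """
sshd   : ALL
vsftpd : ALL EXCEPT 192.168.1.0/255.255.255.0
"""

def parse_rules(text):
    """Yield (daemon_patterns, client_field) per rule; comments and blank lines skipped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        yield [d.strip() for d in fields[0].split(",")], fields[1]

def match_client(pattern, ip, host):
    """One client pattern in hosts_access(5) style: ALL, .domain suffix, 10.0. prefix,
    net/mask, or an exact address/name. 'host' must be a forward-confirmed reverse
    lookup, as tcp_wrappers itself checks, or a forged PTR record could match a name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):              # host name suffix
        return host.endswith(pattern)
    if pattern.endswith("."):                # dotted IP prefix
        return ip.startswith(pattern)
    if "/" in pattern:                       # net/mask (dotted mask or CIDR)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (ip, host)

def match_list(field, ip, host):
    """Client list 'a, b EXCEPT c': any of a/b matches and none of c does."""
    include, _, exclude = field.partition(" EXCEPT ")
    hit = lambda lst: any(match_client(p.strip(), ip, host) for p in lst.split(",") if p.strip())
    return hit(include) and not (exclude and hit(exclude))

def rule_matches(text, daemon, ip, host):
    return any((daemon in daemons or "ALL" in daemons) and match_list(clients, ip, host)
               for daemons, clients in parse_rules(text))

def hosts_access(daemon, ip, host, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Allow if hosts.allow matches; otherwise refuse if hosts.deny matches; otherwise allow."""
    return rule_matches(allow, daemon, ip, host) or not rule_matches(deny, daemon, ip, host)
```

Because evaluation stops at the first hosts.allow hit and falls through to "allow" when neither file matches, a daemon with no deny rule (httpd here) stays reachable from everywhere, which is the usual reason a site pairs a blanket "ALL : ALL" in hosts.deny with explicit allows.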