The problem is that the people who invented security audits never remove
anything from the list of things they will ding you with? If you are getting
paid to pass all of these benchmarks, you have to keep everything around forever.
From: openssh-unix-dev <openssh-unix-dev-bounces+herbie.robinson=stratus.com
at mindrot.org> On Behalf Of Jim Knoble
Sent: Wednesday, June 23, 2021 7:25 PM
To: Thomas Dwyer III <tomiii at tomiii.com>
Cc: Saint Michael <venefax at gmail.com>; Lars Noodén <lars.nooden at
gmx.com>; openssh-unix-dev at mindrot.org
Subject: [EXTERNAL] Re: Bringing back tcp wrappers
TCP wrappers? The 1990s just called, and they want their O'Reilly network
security book back.
Seriously, I hear phone and power networks, and TCP wrappers are the best
defense-in-depth that can be done? We're doomed as a species.
At the very least, you can use https://cr.yp.to/ucspi-tcp.html and
https://cr.yp.to/daemontools.html for reliable alternatives to TCP wrappers
and systems, respectively.
At best, you should be using on-host iptables, public-key or certificate
authentication, and other modern methods to secure your systems...
--
jmk
> On Jun 23, 2021, at 11:52, Thomas Dwyer III <tomiii at tomiii.com> wrote:
>
> iptables is not an external app. It's never "down" any more than
> /etc/hosts.deny is down. What can tcpwrappers do that iptables cannot do
> even better?
>
>
> Tom.III
>
>
>> On Wed, Jun 23, 2021 at 10:32 AM Saint Michael <venefax at gmail.com> wrote:
>>
>> Any external app can be down at any time, while openssh remains active and
>> exposed, BUT libwrap is baked into openssh, so the protection will hold.
>> Libwrap is the last line of defense. Why remove it?
>>
>>> On Wed, Jun 23, 2021 at 1:01 PM Lars Noodén <lars.nooden at gmx.com> wrote:
>>>
>>> On 6/23/21 5:54 PM, Saint Michael wrote:
>>>> I compiled the latest version, 8.1, inside Centos 7.9, and
>>> [snip]
>>>
>>> What use-case would there be for tcpwrappers that cannot be better
>>> solved with a packet filter? In the case of CentOS 7 you have nftables
>>> and iptables.
>>>
>>> /Lars
>>>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev