Рихад Гаджиев wrote:
I can't answer the question as such, but on a low-ssh-usage box I do use
/etc/hosts.allow for sshd and it works just fine(**). The original
author unfortunately left out the half of the statement that explained
their reasoning. Perhaps it's just to do with trying to maintain
large(*) lists of hosts, which, IIRC, hosts.allow is not overly efficient at.
A comment in /etc/hosts.allow states that:
Wrapping sshd(8) is not normally a good idea
Why? Is it because such restrictions should naturally be made using a
firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have been
built with libwrap support in the first place. Or?
(*) large probably means hundreds. IIRC the relevant library will just
scan down the list of hosts/addresses and compare each, rather than
trying anything clever with a db file or whatever.
(**) And I block access in the firewall. Security in depth - if I
bugger up one level, the other level still holds.
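An added example, not from the post or from the tcp_wrappers/libwrap source: a small Python model of the hosts_access(5) decision order (first match in hosts.allow grants, otherwise first match in hosts.deny denies, otherwise access is granted), scanning each file top to bottom as the post describes. The rule files below are constructed samples; the client-pattern support (ALL, address prefix, net/mask, exact address, EXCEPT) is a simplified assumption and omits hostname and KNOWN/UNKNOWN/PARANOID forms.

```python
import ipaddress


def _client_matches(pattern, addr):
    """Match one client pattern from a hosts_access(5) client list against an IP string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "192.168.1." matches by address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                 # "10.0.0.0/255.255.255.0" or "10.0.0.0/24" (assumed form)
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == addr


def _list_matches(lst, matcher):
    """A list is whitespace/comma separated, optionally followed by 'EXCEPT <list>'."""
    pos, _, neg = lst.partition(" EXCEPT ")
    hit = any(matcher(p) for p in pos.replace(",", " ").split())
    if hit and neg:
        hit = not _list_matches(neg, matcher)
    return hit


def parse_rules(text):
    """Turn 'daemon_list : client_list [: option]' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        daemons, clients = [f.strip() for f in line.split(":")][:2]
        rules.append((daemons, clients))
    return rules


def hosts_access(daemon, addr, allow_text, deny_text):
    """True if access is granted. Each file is scanned linearly, first match wins;
    hosts.allow is consulted before hosts.deny; no match anywhere means allow."""
    for verdict, text in ((True, allow_text), (False, deny_text)):
        for daemons, clients in parse_rules(text):
            if _list_matches(daemons, lambda p: p in ("ALL", daemon)) and \
               _list_matches(clients, lambda p: _client_matches(p, addr)):
                return verdict
    return True


# Constructed sample files: admit sshd from the LAN and one /24, except one host; deny all else.
SAMPLE_ALLOW = "sshd : 192.168.1. 10.0.0.0/255.255.255.0 EXCEPT 10.0.0.99\n"
SAMPLE_DENY = "sshd : ALL\n"
```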