On 10/25/06 09:56, Paul Schmehl wrote:
--On Wednesday, October 25, 2006 12:08:26 +0400 ????? ??????? <[EMAIL PROTECTED]> wrote:


A comment in /etc/hosts.allow states that:
Wrapping sshd(8) is not normally a good idea

Why? Is it because such restrictions should naturally be made using a
firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have
been built with libwrap support in the first place. Or?

Because maintaining the access list can be quite ponderous if you have a lot of users.

I maintain a hobby website that only has two shell accounts. I use hosts.allow for ssh because it gets rid of the brute-force crap. But even for two users, the list of hosts/networks that are allowed is 10 or 15. Imagine what it would be if you have a hundred users...or a thousand.

Viewed from a slightly different angle...

If you are responsible for maintaining machine xyz, and you have used tcpwrappers... chances are you'll eventually need access to that machine from a location you did not previously expect. Maybe you're sitting in the airport and get a call that the machine is malfunctioning. Maybe you are on call at a social gathering. In any case, you'll need access and if it is using tcpwrappers, you may not gain access.

IMHO, other than the problem with needing "emergency" access, I think tcpwrappers is a good thing. I use them on my laptop for example. As Paul mentions, it gets rid of the constant hammering you would normally be subject to, and I can still access it from the office or home.


Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/


--
Regards,
Eric
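
The trade-off discussed in this thread, as an added example that is not part of the original messages: a small Python evaluator for a subset of the hosts.allow rule syntax (IPv4 net/mask patterns and ALL only, first matching rule wins). The rule file and all addresses are constructed; 203.0.113.9 stands in for an unexpected network such as the airport, and it is refused exactly like a brute-force source.

```python
import ipaddress

# Constructed sample in FreeBSD's "daemon : clients : allow|deny" style.
# Addresses are documentation ranges (RFC 5737), not taken from the thread.
SAMPLE_HOSTS_ALLOW = """\
# office and home networks
sshd : 192.0.2.0/255.255.255.0 : allow
sshd : 198.51.100.17/255.255.255.255 : allow
# everyone else is refused before sshd sees a password attempt
sshd : ALL : deny
"""

def parse_rules(text):
    """Return (daemons, clients, action) tuples, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients, action = [f.strip() for f in line.split(":", 2)]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split(),
                      action.lower()))
    return rules

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    # strict=False tolerates host bits set in the network part
    return addr in ipaddress.ip_network(pattern, strict=False)

def is_allowed(rules, daemon, client_ip):
    """First matching rule decides, as in tcp wrappers."""
    addr = ipaddress.ip_address(client_ip)
    for daemons, clients, action in rules:
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(client_matches(p, addr) for p in clients):
            return action == "allow"
    return True  # no rule matched: tcp wrappers grants access by default

RULES = parse_rules(SAMPLE_HOSTS_ALLOW)
if __name__ == "__main__":
    for ip in ("192.0.2.44", "198.51.100.17", "203.0.113.9"):
        print(ip, "allowed" if is_allowed(RULES, "sshd", ip) else "refused")
```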