Hi there,

I have to disagree with this one. From my experience, TCP wrappers are still commonly used on many systems. (Well, this is of course my own experience - so I may be wrong here.) There may be better ways, no doubt, but this does not change the fact they are used. This does not indicate we should ignore newer security features; but in my opinion, we should not drop it (yet), as it still is important to know.

With best regards,
Ortwin

Ortwin Ebhardt
Capricorn Consulting GmbH
An Krietes Park 6
28307 Bremen
Phone: +49 421 98981-642
E-Mail: [email protected]
Internet: www.capricorn.de
Managing directors: Thomas Bargfrede, Dipl.-Ing. Axel Buschmann, Thomas von Massenbach, Thomas Heuermann
Commercial register: Amtsgericht Bremen, HRB 31421

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of Ingo Wichmann
Sent: Wednesday, 29 November 2017 10:06
To: This is the lpi-examdev mailing list. <[email protected]>
Subject: Re: [lpi-examdev] LPIC-1 Exam 102 Objectives Discussion - TCP Wrapper

Hi there,

On 29.11.2017 at 06:34, Bryan Smith wrote:
> One thing I love about the LPIC-1 program is that it exposes
> candidates to _all_ common technologies on a system ... especially
> useful for troubleshooting. I.e., if one can't figure out why a
> service isn't accessible, knowing _all_ the common places to look is
> very useful.

I question whether TCP wrappers are really commonly used today. I do not question that they are available for some services. I do not question that they are useful in some corner cases.

I'd say iptables, ACLs, capabilities, AppArmor, SELinux, cgroups are much more commonly used than TCP wrappers. So candidates are much more likely to be hit by one of these.

The most common service mentioned in this thread was ssh. But which admin still implements TCP wrappers on sshd if he knows the Match keyword in sshd_config? There is only one reason to me: because he did so 15 years ago.

> Alessandro Selli <[email protected]> wrote:
>> Say you change in.ftpd service port to some non-standard one in its
>> configuration file.
>> in.ftpd: 192.168.0.0/255.255.0.0 EXCEPT 192.168.1.0/255.255.255.0 in
>> /etc/hosts.allow is still going to work, iptables -I INPUT -i eth0 -p
>> tcp --dport ftp -m conntrack --ctstate NEW -j REJECT no longer will.

FTP is an example of a protocol that has lost importance. If this is the best use case for TCP wrappers we come up with, we should remove it from LPIC 1.

Here's some indication that on servers iptables is more commonly used than TCP wrappers:
* No distro comes with TCP wrappers blocking some service by default, other than iptables
* Ansible has an iptables module by default, TCP wrappers are in galaxy
* PuppetForge finds 4 modules tagged with 'tcpwrappers' - none of them is supported by puppetlabs. And 22 modules tagged with 'iptables', one of them the "official" puppetlabs module

So please, TCP wrappers users: where is the indication that TCP wrappers kept their importance since they have been introduced in LPIC 1 in 2001? Linux has changed since!

Ingo
--
Linuxhotel GmbH, Managing director Dipl.-Ing. Ingo Wichmann
HRB 20463 Amtsgericht Essen, VAT ID DE 814 943 641
Antonienallee 1, 45279 Essen, Tel.: 0201 8536-600, http://www.linuxhotel.de
_______________________________________________
lpi-examdev mailing list
[email protected]
http://list.lpi.org/cgi-bin/mailman/listinfo/lpi-examdev
