Kimball Larsen wrote:
Secondly, I realize that tcpwrappers affect more than just sshd - I immediately noticed, for example, that when I added this rule: ALL: ALL to hosts.deny, that I could no longer connect to mysql on the same server. Adding mysqld to the list of permitted hosts did the trick (ie: sshd,mysqld: comma,separated,list,of,hosts) in hosts.allow.
I personally suggest using iptables rather than tcp wrappers for your IP-based security.

Basically, iptables works on the IP layer in the kernel, where tcp wrappers works in the specific application (on the application layer of the OSI model). Better to block as low on the OSI as you can to prevent application bugs from being exploited.

iptables also uses a lot less CPU and processing to stop a packet. And iptables will block in such a way that anyone scanning will think the port is not open, where wrappers will still answer, even to the point of allowing an octopus attack, or even a minor DDoS, to disable your box.


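To make the hosts.allow-versus-iptables comparison concrete, here is an added example (my own illustration, not code from either poster): it parses a hosts.allow-style `daemons: clients` line like the `sshd,mysqld:` one above and emits the equivalent iptables rules, with a default DROP per port standing in for `ALL: ALL` in hosts.deny. The daemon-to-port table is an assumption; wrappers match by daemon name, iptables by port, and the sample config is constructed.

```python
"""Translate hosts.allow-style rules into iptables commands (illustrative, not tcpd's logic)."""
import ipaddress

# Assumed daemon -> TCP port mapping: tcp wrappers key on the daemon name, iptables on the port.
DAEMON_PORTS = {"sshd": 22, "mysqld": 3306}

# Constructed sample hosts.allow content, mirroring the sshd,mysqld line from the thread.
HOSTS_ALLOW = """# constructed sample
sshd,mysqld: 192.168.1.0/24, 10.0.0.5
"""


def parse_hosts_allow(text):
    """Return [(daemon, client), ...] from 'daemon1,daemon2: client1, client2' lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        for daemon in daemons.split(","):
            for client in clients.split(","):
                if daemon.strip() and client.strip():
                    pairs.append((daemon.strip(), client.strip()))
    return pairs


def _source(client):
    """Normalise an address/CIDR for -s; a hostname is passed through (iptables resolves
    it once at rule-load time, whereas tcpd resolves on every connection)."""
    try:
        return str(ipaddress.ip_network(client, strict=False))
    except ValueError:
        return client


def to_iptables(pairs, drop=True):
    """Emit iptables commands: ACCEPT listed clients per port, then DROP everything else on
    that port. DROP sends no reply, so a scanner sees the port as filtered rather than open;
    drop=False uses a TCP reset instead, which is closer to what wrappers do (answer, then close)."""
    rules = ["iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    ports_seen = []
    for daemon, client in pairs:
        port = DAEMON_PORTS[daemon]
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -s {_source(client)} -j ACCEPT")
        if port not in ports_seen:
            ports_seen.append(port)
    target = "DROP" if drop else "REJECT --reject-with tcp-reset"
    rules.extend(f"iptables -A INPUT -p tcp --dport {port} -j {target}" for port in ports_seen)
    return rules


if __name__ == "__main__":
    print("\n".join(to_iptables(parse_hosts_allow(HOSTS_ALLOW))))
```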
PLUG: http://plug.org, #utah on irc.freenode.net