On Mar 31, 2008, at 11:53 AM, Steven Alligood wrote:
> Kimball Larsen wrote:
>> Secondly, I realize that tcpwrappers affect more than just sshd - I immediately noticed, for example, that when I added this rule: ALL: ALL to hosts.deny, that I could no longer connect to mysql on the same server. Adding mysqld to the list of permitted hosts did the trick (i.e. sshd,mysqld: comma,separated,list,of,hosts) in hosts.allow.
> I personally suggest using iptables rather than tcp wrappers for your IP based security.
>
> Basically, iptables works on the IP layer in the kernel, where tcp wrappers work in the specific application (on the application layer of the OSI model). Better to block as low on the OSI as you can to prevent application bugs from being exploited.
>
> iptables also uses a lot less cpu and processing to stop a packet.
>
> And iptables will block in such a way that anyone scanning will think the port not open, where wrappers will still answer, even to the point of allowing an octopus attack, or even a minor DDoS, to disable your box.
This I can appreciate and understand. However, it does not address either of my original questions, and in the case of this particular server, I already have layers of security at the router to deal with DDoS, etc. After I get tcpwrappers doing what I want, I'll likely set up iptables for yet another layer of security.
Thanks.
- Kimball
http://www.kimballlarsen.com
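As an added example (not code from this thread or from the tcpwrappers project), the Python below models the lookup order that hosts_access(5) documents: hosts.allow is consulted first and a match grants access, hosts.deny is consulted next and a match refuses it, and a client matching neither file is allowed. It is run against constructed sample files that mirror the situation above: with ALL: ALL in hosts.deny, every libwrap-aware daemon that is not named in hosts.allow is refused, which is why mysql stopped answering until mysqld was added to the allow list. The addresses, hostnames and file contents are made up, and the Client type and function names are this example's own; the option language (spawn, twist, EXCEPT) and IPv6 patterns are not modelled.

```python
"""Toy evaluator for tcpwrappers hosts.allow / hosts.deny decisions (IPv4 only)."""
from collections import namedtuple
import ipaddress

# host is the reverse-lookup name, or None when none is available
Client = namedtuple("Client", "ip host")


def _split_list(field):
    # tcpwrappers lists are separated by commas and/or blanks
    return field.replace(",", " ").split()


def parse_rules(text):
    """Parse 'daemon_list : client_list [: options]' lines into (daemons, clients)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                              # malformed; real libwrap logs and skips
        rules.append((_split_list(fields[0]), _split_list(fields[1])))
    return rules


def daemon_matches(pattern, daemon):
    return pattern.upper() == "ALL" or pattern == daemon


def client_matches(pattern, client):
    """Implement the client patterns from hosts_access(5) that matter for IPv4."""
    ip = ipaddress.ip_address(client.ip)
    host = (client.host or "").lower()
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if pattern == "local":                        # hostname without a dot
        return bool(host) and "." not in host
    if pattern.startswith("."):                   # ".example.com" matches a host suffix
        return host.endswith(pattern)
    if pattern.endswith("."):                     # "192.168.1." matches an address prefix
        return client.ip.startswith(pattern)
    if "/" in pattern:                            # "net/mask" or "net/prefixlen"
        net, mask = pattern.split("/", 1)
        if mask.isdigit():
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        else:
            network = ipaddress.ip_network((net, mask), strict=False)
        return ip in network
    return pattern == client.ip or pattern == host   # exact address or hostname


def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, client) for c in clients))


def access_allowed(daemon, client, allow_text, deny_text):
    """hosts.allow first (match -> allow), then hosts.deny (match -> deny), else allow."""
    if any(rule_matches(r, daemon, client) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, client) for r in parse_rules(deny_text)):
        return False
    return True


# Constructed sample files mirroring the thread's scenario (not real configs).
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW_SSHD_ONLY = "sshd: 192.168.1. 127.0.0.1\n"
HOSTS_ALLOW_FIXED = "sshd,mysqld: 192.168.1. 127.0.0.1   # both daemons named\n"


def demo():
    """Return the access decisions for a few constructed clients."""
    local = Client("127.0.0.1", "localhost")
    lan = Client("192.168.1.20", "desk.lan")
    outsider = Client("203.0.113.9", None)
    return {
        "mysqld from localhost, sshd-only allow": access_allowed("mysqld", local, HOSTS_ALLOW_SSHD_ONLY, HOSTS_DENY),
        "mysqld from localhost, fixed allow": access_allowed("mysqld", local, HOSTS_ALLOW_FIXED, HOSTS_DENY),
        "sshd from LAN": access_allowed("sshd", lan, HOSTS_ALLOW_FIXED, HOSTS_DENY),
        "sshd from outside": access_allowed("sshd", outsider, HOSTS_ALLOW_FIXED, HOSTS_DENY),
        "sshd from outside, no deny file": access_allowed("sshd", outsider, HOSTS_ALLOW_FIXED, ""),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

The last case shows the default that makes ALL: ALL in hosts.deny worth having at all: without a deny rule, a client that matches no allow line is let through, so hosts.allow on its own restricts nothing.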
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/