Hello Federico,

Wietse is correct. You will not get security benefits from your proposed
changes.

Public key authentication, combined with a 2FA mechanism such as TOTP
for interactive users, is the current best practice.

IP filtering is a useful tool; you can already have good benefits from
allowing the /16 or /24 or whatever address ranges your contractors are
expected to be using. That will drastically reduce the number of
compromised hosts on the internet that can contact your server and
perform password brute-force authentication attempts.

The single best security improvement you can make is to disable password
authentication in openssh-server and require authorized_keys to log in.

We will not make drastic changes to the design and implementation of
tcp-wrappers.

Thanks for your interest in making Ubuntu more secure.
--
https://bugs.launchpad.net/bugs/1839598
Title:
tcp_wrappers does not whitelisting of domains, vs IPs
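
An added example (not part of the original message or of OpenSSH): a shell function that checks sshd_config-format text for the setting recommended above, password authentication disabled and public keys still accepted. The function name and sample configurations are constructed; it assumes sshd's first-value-wins rule for repeated keywords and the default of `yes` for both keywords, and it does not follow Include files.

```shell
# Added example: audit sshd_config-format text read from stdin.
# Prints OK/FAIL lines; returns 0 only if key-only login is enforced.
audit_sshd_auth() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)           # "Keyword value" or "Keyword=value"
            key = tolower(f[1]); val = tolower(f[2])   # keywords are case-insensitive
        }
        # Everything after a Match line is conditional and can override globals.
        key == "match" { in_match = 1; next }
        key == "passwordauthentication" {
            if (in_match) {
                if (val == "yes") {
                    print "FAIL: Match block re-enables PasswordAuthentication"
                    bad = 1
                }
            } else if (pw == "") pw = val       # first global value wins
        }
        key == "pubkeyauthentication" && !in_match && pk == "" { pk = val }
        END {
            if (pw == "") pw = "yes"            # assumed sshd default
            if (pk == "") pk = "yes"            # assumed sshd default
            if (pw != "no")  { print "FAIL: PasswordAuthentication is " pw; bad = 1 }
            if (pk != "yes") { print "FAIL: PubkeyAuthentication is " pk; bad = 1 }
            if (!bad) print "OK: key-only login enforced"
            exit bad
        }'
}

# Constructed samples (not taken from any real host).
SAMPLE_HARDENED='PubkeyAuthentication yes
passwordauthentication no'
# The first line wins, so the later "no" has no effect.
SAMPLE_WEAK='PasswordAuthentication yes
PasswordAuthentication no'
# A Match block (documentation address range) quietly re-enables passwords.
SAMPLE_MATCH='PasswordAuthentication no
Match Address 203.0.113.0/24
    PasswordAuthentication yes'
```

On a live host, pipe the output of `sshd -T` (run as root) into `audit_sshd_auth` so that Include files and defaults are already resolved.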