On 07/16/2011 09:51 PM, Peggy Wilkins wrote:
On Sat, Jul 16, 2011 at 1:42 PM, Thomas S Hatch<thatch45@xxxxxxxxx> wrote:
In the end, I tell people that using tcp_wrappers is unnecessary and unwise,
iptables is VERY powerful, and once you understand how rules are constructed
and parsed it is an easy and manageable solution.
I have nothing to say against iptables and other full firewall
solutions. However, for my part running a number of desktops for
other people at work with only sshd as a service, tcp wrappers plus
denyhosts (plus disabling password authentication for good measure)
already does exactly what I want. Performance doesn't enter into this
issue for us, we have so many spare CPU cycles it's comical.
Everyone doesn't have the same circumstances and needs. I just would
like this option to continue because I'm using it now and I find it
useful and it meets my immediate needs. I also don't need my time at
work diverted into a sudden project to write firewall rules that work
for every desktop.
You're better off blocking unwanted attempts at ssh with iptables or use
sshguard. Or you could try http://smarden.org/ipsvd/
Thanks to the Arch devs for taking this out, this was the right move and I
will argue that it has made Arch more secure by not supporting outdated
security constructs.
I view it as taking away my freedom to choose to run what I want in
the simplest possible way. This is a major change. A large part of
the reason I chose Arch is because it is straightforward to configure,
hence doesn't require a lot of my time (which is properly spent
running servers, not desktops) -- an easy way to get Linux on the
desktop for our site which is otherwise all Windows desktops. I
already know the limitations of my choice (and I use full firewalls in
other situations).
Surely there is a good compromise possible...
There
--
Jelle van der Waa
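As an added example (not part of the thread and not anyone's posted configuration), the script below shows what the iptables replacement for Peggy's tcp_wrappers plus denyhosts setup looks like: an explicit allow-list of trusted networks for sshd, equivalent to a hosts.allow entry, and a per-source throttle on new SSH connections using the `recent` match, which covers the brute-force case denyhosts was handling. It assumes IPv4, sshd on port 22, and that the trusted networks are passed as arguments; set IPT_DRY_RUN=1 to print the commands instead of running them, which is how the rules can be reviewed before applying them.

```shell
#!/bin/sh
# Added example: sshd protection with iptables instead of tcp_wrappers/denyhosts.
# Assumptions: IPv4 only, sshd listening on TCP 22, trusted networks given as arguments.
# IPT_DRY_RUN=1 prints the iptables commands rather than executing them.

# Wrapper so the same function can be used for review (dry run) and for applying rules.
ipt() {
    if [ "${IPT_DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# ssh_rules NET [NET...]: build a dedicated SSH_IN chain and hook it into INPUT.
ssh_rules() {
    # A dedicated chain can be flushed and rebuilt without touching the rest of the firewall.
    ipt -N SSH_IN 2>/dev/null || true
    ipt -F SSH_IN

    # hosts.allow equivalent: trusted networks are accepted without throttling.
    for net in "$@"; do
        ipt -A SSH_IN -s "$net" -j ACCEPT
    done

    # Everyone else: record the source, then drop the 5th new connection within 60 s.
    # This is the denyhosts-style brute-force throttle, done in the kernel.
    ipt -A SSH_IN -m recent --name SSH --set
    ipt -A SSH_IN -m recent --name SSH --update --seconds 60 --hitcount 5 -j DROP
    ipt -A SSH_IN -j ACCEPT

    # Hook new TCP/22 connections into the chain; remove any stale hook first so reruns are idempotent.
    ipt -D INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_IN 2>/dev/null || true
    ipt -I INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_IN
}

# Example invocation with constructed (documentation-range) networks:
#   IPT_DRY_RUN=1 ssh_rules 203.0.113.0/24 198.51.100.7
```

Established connections are not affected because only packets in conntrack state NEW are sent to SSH_IN; the throttle therefore limits connection attempts, not an already open session. Disabling password authentication in sshd, as Peggy already does, remains the more important control; the rules above only reduce log noise and slow down guessing.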