On Thu, 20.03.14 20:06, Florian Weimer (fw@xxxxxxxxxxxxx) wrote: > * Stephen John Smoogen: > > > Actually they are used quite a bit in various service worlds. Mainly for > > ssh and email for dealing with scanners. [DenyHosts is a boon in this > > area.] > > I believe DenyHosts is unmaintained as well: > > <https://bugzilla.redhat.com/show_bug.cgi?id=1045983> > > > At the enterprise level firewalls can come under a different set of change > > control rules than something like tcpwrappers which is considered > > application level. > > I think it's difficult to generalize in this area. There is no > inherent reason why an iptables-based local packet filter has to > follow the same sign-off rules as a device on the forwarding path. > > From my POV, it is kind of neat that you can grant access to *.enyo.de > and deny every thing else. Binding access control to DNS sounds insecure like hell.. > This is quite helpful against scanners and > worms, and programs like OpenSSH rely on tcpwrappers to implement > this. It's not clear to me if this has to happen at the systemd > level, though. OpenSSH can do this on its own without involving tcpwrap: https://raymii.org/s/tutorials/Limit_access_to_openssh_features_with_the_Match_keyword.html It sounds like a much better choice to stick to that instead of involving tcpwrap, and we should push our users to understand that... Lennart -- Lennart Poettering, Red Hat -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
