On 28.03.2014 14:39, Petr Lautrbach wrote:
> On 03/20/2014 08:05 PM, Lennart Poettering wrote:
>> On Thu, 20.03.14 12:20, Stephen John Smoogen (smooge@xxxxxxxxx) wrote:
>>
>>>> I doubt there are many people even using them anymore, firewalls are
>>>> more comprehensive and a lot more powerful, and while every admin knows
>>>> firewalls, I figure only very few know tcpd/tcpwrap, and even fewer ever
>>>> actively make use of them...
>>>>
>>>>
>>> Actually they are used quite a bit in various service worlds. Mainly for
>>> ssh and email for dealing with scanners. [DenyHosts is a boon in this
>>> area.] The reason for using a secondary tool is that depth of
>>> security.
>>
>> Well, all mail servers as well as sshd have much better ways to do
>> such filtering. sshd has "Match", Postfix for example has
>> "smtpd_client_restrictions=", and so on.
>
> I'd like to note that you can't just replace deny.hosts using a Match block in sshd_config.
>
> - using libwrap, a connection is dropped before the protocol version exchange, so a client can't even check the server's
> identification string. While using a Match block, a client and a server exchange id strings, negotiate the transport layer
> parameters, exchange keys and establish an encrypted connection.

Which is *layered* security, and that is the same reason why "put the rules in iptables" is only an uneducated phrase; anybody who puts all his security in a single layer will sooner or later regret that mistake.

> - every change in sshd_config has to be confirmed by an sshd restart, while changing hosts.deny doesn't need
> any other action

No - try it out! Make a fatal syntax error in "sshd_config", and in the case of a remote machine make sure you don't close the last connection, because otherwise you will not reach the machine again.
Attachment: signature.asc (OpenPGP digital signature)
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
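The thread argues about what libwrap's hosts.allow / hosts.deny actually decide before sshd ever speaks to the client. The following is an added example, not code from this thread, from tcp_wrappers or from sshd: a simplified Python model of the hosts_access(5) decision order (hosts.allow consulted first, then hosts.deny, and a connection matching neither file is granted) with the common client patterns (ALL, LOCAL, leading-dot domain suffix, trailing-dot address prefix, net/mask or CIDR, and EXCEPT). The two access files and the addresses are constructed sample data; DNS lookups, IPv6 bracket syntax, the KNOWN/UNKNOWN/PARANOID wildcards and the option fields (spawn, twist, ...) are deliberately left out of this model.

```python
"""Simplified evaluator for libwrap's hosts.allow / hosts.deny semantics.

Constructed example for illustration; not tcp_wrappers code.  It models the
decision order described in hosts_access(5): hosts.allow is searched first
(first match grants), then hosts.deny (first match drops), otherwise the
connection is granted.  As the thread notes, libwrap applies this before any
protocol exchange, so a denied client never sees the sshd banner.
"""

import ipaddress


def _split_list(field):
    """A daemon or client list: whitespace/comma separated tokens; an EXCEPT
    token splits it into (included, excluded) sub-lists."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:
        idx = tokens.index("EXCEPT")
        return (tokens[:idx], tokens[idx + 1:])
    return (tokens, [])


def parse_access_file(text):
    """Parse 'daemon_list : client_list [: options]' lines.

    Comments (#) and blank lines are skipped; any option fields after the
    second ':' are ignored in this simplified model (IPv6 literals containing
    ':' are therefore not supported here)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((_split_list(parts[0]), _split_list(parts[1])))
    return rules


def _client_matches(token, host, addr):
    """Match one client pattern against the peer's hostname (may be None when
    reverse lookup is unavailable) and its textual IPv4 address."""
    if token == "ALL":
        return True
    if token == "LOCAL":                      # hostname without a dot
        return host is not None and "." not in host
    if token.startswith("."):                 # domain suffix, e.g. .example.com
        return host is not None and host.endswith(token)
    if token.endswith("."):                   # address prefix, e.g. 192.168.1.
        return addr.startswith(token)
    if "/" in token:                          # net/mask or CIDR
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False
        return ipaddress.ip_address(addr) in net
    return token == addr or (host is not None and token == host)


def _list_matches(lst, match_fn):
    included, excluded = lst
    return any(match_fn(t) for t in included) and not any(match_fn(t) for t in excluded)


def _rule_matches(rule, daemon, host, addr):
    daemons, clients = rule
    return (_list_matches(daemons, lambda t: t in ("ALL", daemon))
            and _list_matches(clients, lambda t: _client_matches(t, host, addr)))


def hosts_access(allow_text, deny_text, daemon, addr, host=None):
    """Return True if libwrap would accept the connection, False if it would
    drop it.  Order: hosts.allow, then hosts.deny, then default grant."""
    for rule in parse_access_file(allow_text):
        if _rule_matches(rule, daemon, host, addr):
            return True
    for rule in parse_access_file(deny_text):
        if _rule_matches(rule, daemon, host, addr):
            return False
    return True


# Constructed sample files (addresses from RFC 1918 / RFC 5737 ranges).
HOSTS_ALLOW = """
# allow the office LAN except one noisy host, the 10.0/16 backbone, and
# any daemon for unqualified (local) hostnames
sshd: 192.168.1. EXCEPT 192.168.1.66
sshd: 10.0.0.0/255.255.0.0
ALL: LOCAL
"""

HOSTS_DENY = """
sshd: ALL
"""

if __name__ == "__main__":
    for daemon, addr, host in [("sshd", "192.168.1.10", None),
                               ("sshd", "192.168.1.66", None),
                               ("sshd", "203.0.113.9", None),
                               ("smtpd", "203.0.113.9", None)]:
        verdict = "grant" if hosts_access(HOSTS_ALLOW, HOSTS_DENY, daemon, addr, host) else "drop"
        print(f"{daemon:6} from {addr:15} -> {verdict}")
```

The model makes the thread's second point concrete as well: hosts.allow and hosts.deny are re-read on every connection, so editing them takes effect immediately, whereas sshd_config is only read when sshd starts or reloads. For the lockout scenario described above, the standard precaution is to validate the edited file with `sshd -t` (test mode, which only checks the configuration) before restarting, while keeping the existing session open.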