On 06/06/14 00:25, David Sommerseth wrote:
> On 20/03/14 20:05, Lennart Poettering wrote:
>> On Thu, 20.03.14 12:20, Stephen John Smoogen (smooge@xxxxxxxxx) wrote:
>>
>>>> I doubt there are many people even using them anymore, firewalls are
>>>> more comprehensive and a lot more powerful, and while every admin knows
>>>> firewalls, I figure only very few know tcpd/tcpwrap, and even fewer ever
>>>> actively make use of them...
>>>>
>>>>
>>> Actually they are used quite a bit in various service worlds. Mainly for
>>> ssh and email for dealing with scanners. [DenyHosts is a boon in this
>>> area.] The reason for using a secondary tool is that depth of
>>> security.
>>
>> Well, all mail servers as well as sshd have much better ways to do
>> such filtering. sshd has "Match", Postfix for example has
>> "smtpd_client_restrictions=", and so on.
>>
>> Again, I have no doubt that some people still use tcpwrappers. But I'd
>> argue that is clearly the exception, not the rule, and they'd better use
>> something different, and that we should be creating an excellent distro,
>> instead of one that features horrible software...
>>
>>> Over the years I have found that there are multiple attacks which will
>>> nullify one layer of protection at one point or another. Having a second
>>> level or third level of protection is a boon when this happens.
>>
>> Well, it certainly makes sense to combine a firewall with let's say
>> selinux with maybe postfix/ssh acls. Then you already have three layers
>> of protection, of very good protection. But of all possible options
>> tcpwrap is the absolute worst choice. And we should be able to deprecate
>> and remove stuff from our core OS if we think it is crap.
>>
>> I mean, there are two sides of the medal: sure multiple layers of
>> protection might be a good thing, but you also make things a lot more
>> complex with each one, and you involve more possibly exploitable code --
>> and tcpwrap is simply bad code, that's a fact. So you have to balance
>> things out: is something a layer that is worth the trouble? Or does
>> having it around make things worse? I am of the opinion that tcpwrap
>> indeed does make things worse.
>
> I happen to share Stephen's concerns. I think tcpwrappers is a good
> additional security layer. And I honestly don't buy the idea that code
> which is 11 years old is crap by default. If it has gone 11 years,
> being widely used by several services (including high-profile services
> such as SSH), that tells me something about the quality of the
> *performing* code. New code is better just because it's new.

You are *clearly* not up-to-date with regard to currently on-going flame-wars:

"heads up: tcpwrappers support going away"
Damien Miller djm at mindrot.org
Tue Apr 22 17:33:59 EST 2014
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct