TCP wrappers? The 1990s just called, and they want their O'Reilly network security book back. Seriously, I hear phone and power networks, and TCP wrappers are the best defense-in-depth that can be done? We're doomed as a species.

At the very least, you can use https://cr.yp.to/ucspi-tcp.html and https://cr.yp.to/daemontools.html for reliable alternatives to TCP wrappers and systems, respectively. At best, you should be using on-host iptables, public-key or certificate authentication, and other modern methods to secure your systems....

-- jmk

> On Jun 23, 2021, at 11:52, Thomas Dwyer III <tomiii@xxxxxxxxxx> wrote:
>
> iptables is not an external app. It's never "down" any more than
> /etc/hosts.deny is down. What can tcpwrappers do that iptables cannot do
> even better?
>
>
> Tom.III
>
>
>> On Wed, Jun 23, 2021 at 10:32 AM Saint Michael <venefax@xxxxxxxxx> wrote:
>>
>> any external app can be down at any time, while openssh remains active and
>> exposed, BUT libwrap is baked into openssh, so the protection will hold.
>> Libwrap is the last line of defense. Why remove it?
>>
>>> On Wed, Jun 23, 2021 at 1:01 PM Lars Noodén <lars.nooden@xxxxxxx> wrote:
>>>
>>> On 6/23/21 5:54 PM, Saint Michael wrote:
>>>> I compiled the latest version, 8.1, inside Centos 7.9, and
>>> [snip]
>>>
>>> What use-case would there be there for tcpwrappers that cannot be better
>>> solved with a packet filter? In the case of CentOS 7 you have nftables
>>> and iptables.
>>>
>>> /Lars
>>>
>>> _______________________________________________
>>> openssh-unix-dev mailing list
>>> openssh-unix-dev@xxxxxxxxxxx
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
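
The question raised in the thread, what tcpwrappers rules look like once moved to a packet filter, worked through as an added example that is not part of the original messages or of OpenSSH. It translates an IPv4-only subset of `hosts.allow` client patterns into nftables rule statements and reports the patterns that need a name lookup; the function names, the sample entries and the assumption that `hosts.deny` holds `sshd: ALL` are constructed for illustration.

```python
import ipaddress

# Constructed hosts.allow content; hosts.deny is assumed to hold "sshd: ALL".
SAMPLE = [
    "# management networks",
    "sshd: 192.0.2.0/255.255.255.0, 203.0.113.7",
    "sshd: 10.1. .admin.example.org",
    "vsftpd: ALL",
]

def client_to_cidr(pattern):
    """IPv4 CIDR for a hosts_access client pattern, or None if it is not a
    literal address, net/mask pair or trailing-dot address prefix."""
    if pattern.endswith("."):  # "10.1." covers every address in 10.1.x.x
        octets = pattern.rstrip(".").split(".")
        if len(octets) > 3 or not all(o.isdigit() for o in octets):
            return None
        pattern = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    try:
        # strict parsing rejects a net/mask pair whose net has host bits set
        return str(ipaddress.IPv4Network(pattern))
    except ValueError:
        return None

def hosts_allow_to_nft(lines, daemon="sshd", port=22):
    """Return (nft rule statements for an input chain, untranslated patterns)."""
    rules, untranslated = [], []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = (field.strip() for field in line.split(":")[:2])
        names = daemons.replace(",", " ").split()
        if daemon not in names and "ALL" not in names:
            continue
        patterns = clients.replace(",", " ").split()
        if "EXCEPT" in patterns:  # exclusions are outside this sketch
            untranslated.append(line)
            continue
        for pattern in patterns:
            if pattern == "ALL":
                rules.append(f"tcp dport {port} accept")
            elif (cidr := client_to_cidr(pattern)):
                rules.append(f"ip saddr {cidr} tcp dport {port} accept")
            else:  # hostname, .domain, LOCAL, KNOWN...: needs a name lookup
                untranslated.append(pattern)
    rules.append(f"tcp dport {port} drop")  # the hosts.deny "sshd: ALL" fallback
    return rules, untranslated

if __name__ == "__main__":
    for item in hosts_allow_to_nft(SAMPLE):
        print("\n".join(item), end="\n\n")
```

Anything returned in the second list is matched by libwrap through name resolution, so it has to be resolved to addresses before it can become a packet-filter rule.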