The problem is that the people who invented security audits never remove anything from the list of things they will ding you with… If you are getting paid to pass all of these benchmarks, you have to keep everything around forever.

From: openssh-unix-dev <openssh-unix-dev-bounces+herbie.robinson=stratus.com@xxxxxxxxxxx> On Behalf Of Jim Knoble
Sent: Wednesday, June 23, 2021 7:25 PM
To: Thomas Dwyer III <tomiii@xxxxxxxxxx>
Cc: Saint Michael <venefax@xxxxxxxxx>; Lars Noodén <lars.nooden@xxxxxxx>; openssh-unix-dev@xxxxxxxxxxx
Subject: [EXTERNAL] Re: Bringing back tcp wrappers

TCP wrappers? The 1990s just called, and they want their O'Reilly network security book back.

Seriously, I hear phone and power networks, and TCP wrappers are the best defense-in-depth that can be done? We're doomed as a species.

At the very least, you can use https://cr.yp.to/ucspi-tcp.html and https://cr.yp.to/daemontools.html for reliable alternatives to TCP wrappers and systems, respectively. At best, you should be using on-host iptables, public-key or certificate authentication, and other modern methods to secure your systems....

--
jmk

> On Jun 23, 2021, at 11:52, Thomas Dwyer III <tomiii@xxxxxxxxxx> wrote:
>
> iptables is not an external app. It's never "down" any more than
> /etc/hosts.deny is down. What can tcpwrappers do that iptables cannot do
> even better?
>
>
> Tom.III
>
>
>> On Wed, Jun 23, 2021 at 10:32 AM Saint Michael <venefax@xxxxxxxxx> wrote:
>>
>> any external app can be down at any time, while openssh remains active and
>> exposed, BUT libwrap is baked into openssh, so the protection will hold.
>> Libwrap is the last line of defense. Why remove it?
>>
>>> On Wed, Jun 23, 2021 at 1:01 PM Lars Noodén <lars.nooden@xxxxxxx> wrote:
>>>
>>> On 6/23/21 5:54 PM, Saint Michael wrote:
>>>> I compiled the latest version, 8.1, inside CentOS 7.9, and
>>> [snip]
>>>
>>> What use-case would there be for tcpwrappers that cannot be better
>>> solved with a packet filter? In the case of CentOS 7 you have nftables
>>> and iptables.
>>>
>>> /Lars
>>>
>>> _______________________________________________
>>> openssh-unix-dev mailing list
>>> openssh-unix-dev@xxxxxxxxxxx
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
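Lars's and Tom's point above is that the host-side allow-list people want from libwrap can live in the packet filter. As an added example (not code from the thread or from OpenSSH), the script below turns a hosts.allow/hosts.deny policy for sshd into an nftables ruleset that keeps libwrap's evaluation order. The sample policy is constructed; only the IPv4 "daemon: client, client" form is handled (ALL, CIDR, addr/netmask, trailing-dot prefixes), not hostnames, wildcards or EXCEPT.

```python
import ipaddress

# Constructed sample policy in libwrap's "daemon: client, client" form.
HOSTS_ALLOW = "sshd: 192.0.2.0/24, 10.0.0.0/8\nALL: 127.0.0.1\n"
HOSTS_DENY = "sshd: ALL\n"


def client_to_network(token):
    # One libwrap client token -> IPv4 network: ALL, "192.0.2." prefix form,
    # a single host, CIDR or addr/netmask. Hostnames are not supported.
    if token == "ALL":
        return ipaddress.ip_network("0.0.0.0/0")
    if token.endswith("."):
        octets = token.rstrip(".").split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
        return ipaddress.ip_network(f"{addr}/{8 * len(octets)}")
    return ipaddress.ip_network(token, strict=False)


def parse_libwrap(text, daemon="sshd"):
    # Client networks from lines naming `daemon` (or ALL), in file order.
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        names = {d.strip() for d in daemons.split(",")}
        if daemon in names or "ALL" in names:
            for token in clients.replace(",", " ").split():
                net = client_to_network(token)
                if net not in nets:
                    nets.append(net)
    return nets


def nft_set(name, nets):
    # Interval set so CIDR elements match; omit `elements` when empty.
    elems = f" elements = {{ {', '.join(map(str, nets))} }}" if nets else ""
    return f"  set {name} {{ type ipv4_addr; flags interval;{elems} }}"


def to_nftables(allow_text, deny_text, port=22):
    # libwrap order: hosts.allow first, then hosts.deny, else chain policy.
    return "\n".join([
        "table inet filter {",
        nft_set("sshd_allow", parse_libwrap(allow_text)),
        nft_set("sshd_deny", parse_libwrap(deny_text)),
        "  chain input {",
        "    type filter hook input priority 0; policy accept;",
        f"    tcp dport {port} ip saddr @sshd_allow accept",
        f"    tcp dport {port} ip saddr @sshd_deny drop",
        "  }",
        "}",
    ])
```

Loading the generated text with `nft -f` gives sshd the same source allow/deny decision libwrap would have made, but enforced before the connection reaches the daemon at all.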