On Thu, 20.03.14 20:06, Florian Weimer (fw(a)deneb.enyo.de) wrote:
* Stephen John Smoogen:
> Actually they are used quite a bit in various service worlds. Mainly for
> ssh and email for dealing with scanners. [DenyHosts is a boon in this
> area.]
I believe DenyHosts is unmaintained as well:
<https://bugzilla.redhat.com/show_bug.cgi?id=1045983>
> At the enterprise level firewalls can come under a different set of change
> control rules than something like tcpwrappers which is considered
> application level.
I think it's difficult to generalize in this area. There is no
inherent reason why an iptables-based local packet filter has to
follow the same sign-off rules as a device on the forwarding path.
> From my POV, it is kind of neat that you can grant access to *.enyo.de
> and deny everything else.
Binding access control to DNS sounds insecure like hell..
> This is quite helpful against scanners and
> worms, and programs like OpenSSH rely on tcpwrappers to implement
> this. It's not clear to me if this has to happen at the systemd
> level, though.
OpenSSH can do this on its own without involving tcpwrap:
https://raymii.org/s/tutorials/Limit_access_to_openssh_features_with_the_...
It sounds like a much better choice to stick to that instead of
involving tcpwrap, and we should push our users to understand that...
Lennart
--
Lennart Poettering, Red Hat
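As an added illustration of the point made in this message (not part of the thread, and not configuration from any project), here is what OpenSSH's own access control looks like without tcpwrap. It uses sshd_config's `AllowUsers` and `Match Address` directives with IP literals only, so no decision depends on reverse DNS; the user name and network ranges are assumed placeholder values.

```conf
# sshd_config excerpt -- added example, not from the thread or from OpenSSH's defaults.
# Networks and the user name below are placeholders (RFC 5737 / RFC 3849 ranges).

# Key-only authentication everywhere; scanners brute-forcing passwords get nothing.
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no

# Global allow-list: only "admin" and only from the management networks.
# Using CIDR literals rather than host names means sshd never has to trust
# a reverse-DNS answer to make an access decision (compare UseDNS).
AllowUsers admin@192.0.2.0/24 admin@2001:db8:1::/64

# Connections from the management networks: tightened but usable.
Match Address 192.0.2.0/24,2001:db8:1::/64
    PermitRootLogin prohibit-password
    MaxAuthTries 3
    LogLevel VERBOSE

# Connections from anywhere else are already rejected by AllowUsers above;
# this block additionally removes every feature they could touch before auth.
Match Address *,!192.0.2.0/24,!2001:db8:1::/64
    PermitRootLogin no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    MaxAuthTries 1
```

To see which block a given client would hit, `sshd -T -C user=admin,addr=192.0.2.10` prints the effective configuration for that connection; repeating it with an address outside the ranges shows the denied case. Rejected attempts still appear in the auth log, which is where a DenyHosts-style tool would have read them, so the detection side is unchanged by dropping tcpwrap.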