On 06/06/14 00:25, David Sommerseth wrote:
> On 20/03/14 20:05, Lennart Poettering wrote:
>> On Thu, 20.03.14 12:20, Stephen John Smoogen (smooge(a)gmail.com) wrote:
>>
>>>> I doubt there are many people even using them anymore, firewalls are
>>>> more comprehensive and a lot more powerful, and while every admin knows
>>>> firewalls, I figure only very few know tcpd/tcpwrap, and even fewer ever
>>>> actively make use of them...
>>>>
>>>>
>>> Actually they are used quite a bit in various service worlds. Mainly for
>>> ssh and email for dealing with scanners. [DenyHosts is a boon in this
>>> area.] The reason for using a secondary tool is that depth of
>>> security.
>>
>> Well, all mail servers as well as sshd have much better ways to do
>> such filtering. sshd has "Match", Postfix for example has
>> "smtpd_client_restrictions=", and so on.
>>
>> Again, I have no doubt that some people still use tcpwrappers. But I'd
>> argue that is clearly the exception, not the rule, and they'd better use
>> something different, and that we should be creating an excellent distro,
>> instead of one that features horrible software...
>>
>>> Over the years I have found that there are multiple attacks which will
>>> nullify one layer of protection at one point or another. Having a second
>>> level or third level of protection is a boon when this happens.
>>
>> Well, it certainly makes sense to combine a firewall with let's say
>> selinux with maybe postfix/ssh acls. Then you already have three layers
>> of protection, of very good protection. But of all possible options
>> tcpwrap is the absolute worst choice. And we should be able to deprecate
>> and remove stuff from our core OS if we think it is crap.
>>
>> I mean, there are two sides of the medal: sure multiple layers of
>> protection might be a good thing, but you also make things a lot more
>> complex with each one, and you involve more possibly exploitable code --
>> and tcpwrap is simply bad code, that's a fact. So you have to balance
>> things out: is something a layer that is worth the trouble? Or does
>> having it around make things worse? I am of the opinion that tcpwrap
>> indeed does make things worse.
> 
> I happen to share Stephen's concerns. I think tcpwrappers is a good
> additional security layer. And I honestly don't buy the idea that code
> which is 11 years old is crap by default. If it has gone 11 years,
> being widely used by several services (including high-profile services
> such as SSH), that tells me something about the quality of the
> *performing* code. New code is better just because it's new.

You are *clearly* not up-to-date with regard to currently on-going
flame-wars:

"heads up: tcpwrappers support going away"
Damien Miller, djm at mindrot.org, Tue Apr 22 17:33:59 EST 2014
http://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
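For readers following the argument above, here is what the two approaches look like side by side: the tcpwrappers rule that DenyHosts-style setups rely on, and the service-native equivalents Lennart points to (sshd "Match" and Postfix "smtpd_client_restrictions"). This is an added illustration, not configuration posted by anyone in the thread; the addresses are constructed from the RFC 5737 documentation ranges, and the file names and the cidr map are assumptions for the example.

```text
# --- /etc/hosts.allow and /etc/hosts.deny (tcpwrappers) ---
# Honoured only by daemons linked against libwrap or started through tcpd.
# After the OpenSSH change announced in the linked thread, an sshd built
# without libwrap ignores these files entirely, silently.
#   /etc/hosts.allow
sshd: 192.0.2.0/255.255.255.0
#   /etc/hosts.deny
sshd: ALL

# --- /etc/ssh/sshd_config (the same policy, enforced by sshd itself) ---
# Global settings stay in effect for the management network; every user
# is refused for connections arriving from any other address. The "*"
# entry is required because a negated pattern never matches on its own.
Match Address *,!192.0.2.0/24
    DenyUsers *

# --- /etc/postfix/main.cf (the same idea for SMTP) ---
# A cidr: map lets you drop known scanner ranges before any other check.
smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access cidr:/etc/postfix/client_access.cidr,
    permit
#   /etc/postfix/client_access.cidr  (assumed file name; constructed entries)
203.0.113.0/24    REJECT scanner range, constructed example
198.51.100.7      REJECT repeated auth failures, constructed example
```

Two checks are worth running after such a change. For sshd, `sshd -T -C user=alice,host=client.example.org,addr=198.51.100.7` prints the effective configuration for that hypothetical connection, so you can confirm which Match block fires before you lock yourself out. For Postfix, `postmap -q 198.51.100.7 cidr:/etc/postfix/client_access.cidr` shows what the map returns for a given client. Neither mechanism stops the TCP connection from reaching the daemon; only a packet filter does that, which is the "layers" distinction both sides of the thread are arguing about.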