AllowHosts / DenyHosts

Andreas Vetter vetter at physik.uni-wuerzburg.de
Wed Feb 28 19:57:11 EST 2001


On Tue, 27 Feb 2001, Pekka Savola wrote:

->On Tue, 27 Feb 2001, Andreas Vetter wrote:
->> I'd like to see a feature of the commercial ssh in openssh:
->> AllowHosts xxx.yyy.xxx.yyy *.domain.net
->> DenyHosts xxx.yyy.xxx.* name.domain.net
->
->I begged for this for a long time half a year ago or so, but never got any
->replies.  So I gave up.  Now I'm happily using tcp wrappers.
->
->I've made a patch for tcp_wrappers to enable wildcard matching (from ssh
->1.2.12), and to enable file includes (from FreeBSD).  So I can't see why
->tcp_wrappers should be worse than HostsAllow and friends in this aspect.

TCP wrappers are invoked by inetd, so when there is a DoS attack against
inetd (usually this is done port by port): game over. If ssh can
handle AllowHosts/DenyHosts itself, I don't need the (buggy) inetd.

 Andreas Vetter
 Universitaet Wuerzburg






More information about the openssh-unix-dev mailing list