AllowHosts / DenyHosts
Pekka Savola
pekkas at netcore.fi
Wed Feb 28 20:00:21 EST 2001
On Wed, 28 Feb 2001, Andreas Vetter wrote:
> On Tue, 27 Feb 2001, Pekka Savola wrote:
>
> ->On Tue, 27 Feb 2001, Andreas Vetter wrote:
> ->> I'd like to see a feature of the commercial ssh in openssh:
> ->> AllowHosts xxx.yyy.xxx.yyy *.domain.net
> ->> DenyHosts xxx.yyy.xxx.* name.domain.net
> ->
> ->I begged for this for a long time half a year ago or so, but never got any
> ->replies. So I gave up. Now I'm happily using tcp wrappers.
> ->
> ->I've made a patch for tcp_wrappers to enable wildcard matching (from ssh
> ->1.2.12), and to enable file includes (from FreeBSD). So I can't see why
> ->tcp_wrappers should be worse than HostsAllow and friends in this aspect.
>
> Tcp-wrappers are invoked by inetd, so when there is a DoS-attack against
> the inetd (usually this is done port by port): game over. If ssh can
> handle AllowHosts/DenyHosts itself, I don't need the (buggy) inetd.
No, this isn't necessary. Use ./configure --with-tcp-wrappers.
--
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
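
Added example, not part of the original thread and not libwrap or OpenSSH code: a simplified Python model of the hosts_access(5) decision order that an sshd built with --with-tcp-wrappers consults on its own, without inetd. It shows how AllowHosts/DenyHosts-style policy maps onto hosts.allow and hosts.deny. The daemon name "sshd", the sample rules and the addresses are constructed assumptions; only IPv4, ALL, ".suffix", "prefix." and exact patterns are modelled.

```python
# Simplified model of the hosts_access(5) decision order used by libwrap.
# Not libwrap code: no EXCEPT, netmasks, wildcards, options or IPv6.

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # host name suffix, e.g. .example.net
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):        # address prefix, e.g. 198.51.100.
        return addr.startswith(pattern)
    return pattern.lower() == host.lower() or pattern == addr

def table_matches(rules, daemon, host, addr):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, host, addr) for p in clients)
               for daemons, clients in rules)

def access_granted(allow_text, deny_text, daemon, host, addr):
    """A hosts.allow match grants; else a hosts.deny match refuses; else grant."""
    if table_matches(parse_rules(allow_text), daemon, host, addr):
        return True
    if table_matches(parse_rules(deny_text), daemon, host, addr):
        return False
    return True  # no match in either file means access is granted

# Constructed sample files (documentation addresses and example domains).
HOSTS_ALLOW = "sshd: 192.0.2.10 .example.net\n"   # AllowHosts-style list
HOSTS_DENY = "sshd: ALL\n"                        # everything else refused

if __name__ == "__main__":
    for host, addr in [("gw.example.net", "203.0.113.5"),
                       ("host.example.org", "198.51.100.7")]:
        ok = access_granted(HOSTS_ALLOW, HOSTS_DENY, "sshd", host, addr)
        print(host, addr, "granted" if ok else "refused")
```

A deny list on its own (empty hosts.allow) refuses only what it names, because a client that matches neither file is granted access.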
More information about the openssh-unix-dev
mailing list