AllowHosts / DenyHosts

Pekka Savola pekkas at netcore.fi
Wed Feb 28 22:08:02 EST 2001


On Wed, 28 Feb 2001, Yuliy Minchev wrote:

>
> re
>
> > > > why should every feature, even if there exist special solutions,
> > > > be included in openssh? you can deny ip-addresses with tcp-wrapper,
> > > > ipfw, ipf, etc, etc.
> > >
> > > There are some old (or exotic) systems which have neither ip filtering
> > > capabilities nor tcp-wrapper.
> > > So it would be a good thing if OpenSSH can handle Allow/Deny clauses.
> >
> > [Cc: list tailored a bit]
> >
> > These ancient systems should not be trusted to be connected to the
> > internet anyway, unless they're behind a firewall which can do this kind
> > of thing.
>
> Yes, you are right. But how can one increase security inside an
> organization? Especially if he takes care only of these old machines and
> not of communications and firewall policy?
>
> What about an organization with offices all over the country (or the
> world), with a private network connecting these offices. No one talks about
> the Internet in this situation.

Most security breaches (so the statistics show) are internal.  I don't
quite understand organizations where you just have one huge firewall but
nothing between different offices, departments, lan segments or whatever.
Perhaps (usually) not as strict as the outer packet filters, but
definitely a capability to do so.

-- 
Pekka Savola                  "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.   -- Robert Jordan: A Crown of Swords






More information about the openssh-unix-dev mailing list