Bringing back tcp wrappers

Peter Stuge peter at stuge.se
Thu Jun 24 05:10:39 AEST 2021


Saint Michael wrote:
> I compiled the latest version, 8.1, inside Centos 7.9, and to my dismay,
> there was no support for libwrap

Be aware that many Linux distributions make changes to the upstream
release as part of their packages.

It's wise to consider whether that's actually in one's interest on a
case-by-case basis.

If "recent" distribution OpenSSH packages support libwrap then that's
such a modification, made by the distribution.


> I didn't find service definitions for Systemd. Where can I find them?

systemd integration in OpenSSH, which Red Hat (the company) distributes
plenty of, is another such modification by the distribution.

If you look closer into this you'll find that few distributions actually
make independent, informed decisions - herd mentality is strong.

Upstream OpenSSH doesn't support systemd at all at the moment, and thus
also doesn't distribute unit files.

Running upstream sshd under systemd works anyway, but you can run
into problems if you expect everything that systemd provides to work
according to the systemd model - it will not, potentially leaving the
system without a running sshd.


> How do I overcome these obstacles?

As far as I know there exists no sensible sshd+systemd integration.

Red Hat (the company) distributes an sshd that depends on libsystemd.so,
which I find a horrible idea. I think Debian (thus also Ubuntu) have
followed along and use the same patches.

I've written and proposed a small standalone sd_notify() implementation
to be used instead of libsystemd.so, but I don't think anyone uses it.

Personally I wouldn't mind upstream OpenSSH supporting systemd Type=notify
but I expect nothing.


> we should keep libwrap baked into openssh, even as optional.

I don't think upstream OpenSSH will support it. Like others I
recommend that you place useful firewall rules on every system and
monitor that they are in effect.

Oh, and don't assume that the visible Bitcoin miner is the only thing
that was installed on your compromised servers; boot from CD and take
a closer look.


Kind regards

//Peter
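The standalone sd_notify() Peter refers to is not on this page; the following is an added example (neither his proposal nor OpenSSH code) of what such a shim looks like in plain C: it speaks the systemd notify protocol directly, one datagram carrying READY=1 to the socket named by NOTIFY_SOCKET, so a Type=notify unit can be satisfied without linking libsystemd.so. The /tmp socket path used by the self-test is a constructed value.

```c
/* Added example (not OpenSSH's or Peter's code): a standalone sd_notify(). */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>
/* Speaks systemd's notify protocol: one datagram to $NOTIFY_SOCKET. Returns 0
 * if NOTIFY_SOCKET is unset (no notify-aware manager), 1 if sent, -1 on error. */
int sd_notify_standalone(const char *state)
{
    const char *path = getenv("NOTIFY_SOCKET");
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    size_t n = path ? strlen(path) : 0;
    int fd, rc;
    if (n == 0)
        return 0;
    /* Accept only filesystem paths or '@'-prefixed abstract names. */
    if ((path[0] != '/' && path[0] != '@') || n >= sizeof(sa.sun_path))
        return -1;
    memcpy(sa.sun_path, path, n);
    if (sa.sun_path[0] == '@')      /* abstract namespace: leading NUL byte */
        sa.sun_path[0] = '\0';
    fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    /* Datagram send: never blocks startup even if nobody is listening. */
    rc = sendto(fd, state, strlen(state), 0, (struct sockaddr *)&sa,
                (socklen_t)(offsetof(struct sockaddr_un, sun_path) + n)) < 0 ? -1 : 1;
    close(fd);
    return rc;
}
/* Self-test with a constructed listener: bind a notify socket under /tmp,
 * point NOTIFY_SOCKET at it, send READY=1, read it back. 1 = ok, 0 = fail. */
int sd_notify_selftest(void)
{
    char buf[32] = {0}, *path = "/tmp/sd-notify-selftest.sock"; /* constructed */
    struct sockaddr_un sa = { .sun_family = AF_UNIX };
    int srv = socket(AF_UNIX, SOCK_DGRAM, 0), ok = 0;
    strcpy(sa.sun_path, path);
    unlink(path);                   /* remove any stale socket file first */
    if (srv >= 0 && bind(srv, (struct sockaddr *)&sa, sizeof(sa)) == 0 &&
        setenv("NOTIFY_SOCKET", path, 1) == 0 &&
        sd_notify_standalone("READY=1\n") == 1 &&
        recv(srv, buf, sizeof(buf) - 1, 0) > 0)
        ok = strcmp(buf, "READY=1\n") == 0;
    close(srv);
    unlink(path); unsetenv("NOTIFY_SOCKET");
    return ok;
}
```

With NOTIFY_SOCKET unset the call is a no-op returning 0, so the same binary runs unchanged outside systemd.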
