[EXTERNAL] Re: Bringing back tcp wrappers

Robinson, Herbie Herbie.Robinson at stratus.com
Thu Jun 24 09:50:46 AEST 2021


The problem is that the people who invented security audits never remove anything from the list of things they will ding you with…  If you are getting paid to pass all of these benchmarks, you have to keep everything around forever.

From: openssh-unix-dev <openssh-unix-dev-bounces+herbie.robinson=stratus.com at mindrot.org> On Behalf Of Jim Knoble
Sent: Wednesday, June 23, 2021 7:25 PM
To: Thomas Dwyer III <tomiii at tomiii.com>
Cc: Saint Michael <venefax at gmail.com>; Lars Noodén <lars.nooden at gmx.com>; openssh-unix-dev at mindrot.org
Subject: [EXTERNAL] Re: Bringing back tcp wrappers


TCP wrappers? The 1990s just called, and they want their O'Reilly network security book back.

Seriously, I hear phone and power networks, and TCP wrappers are the best defense-in-depth that can be done? We're doomed as a species.

At the very least, you can use https://cr.yp.to/ucspi-tcp.html and https://cr.yp.to/daemontools.html for reliable alternatives to TCP wrappers and systems, respectively.

At best, you should be using on-host iptables, public-key or certificate authentication, and other modern methods to secure your systems....

--
jmk

> On Jun 23, 2021, at 11:52, Thomas Dwyer III <tomiii at tomiii.com> wrote:
>
> iptables is not an external app. It's never "down" any more than
> /etc/hosts.deny is down. What can tcpwrappers do that iptables cannot do
> even better?
>
>
> Tom.III
>
>
>> On Wed, Jun 23, 2021 at 10:32 AM Saint Michael <venefax at gmail.com> wrote:
>>
>> any external app can be down at any time, while openssh remains active and
>> exposed, BUT libwrap is baked into openssh, so the protection will hold.
>> Libwrap is the last line of defense. Why remove it?
>>
>>> On Wed, Jun 23, 2021 at 1:01 PM Lars Noodén <lars.nooden at gmx.com> wrote:
>>>
>>> On 6/23/21 5:54 PM, Saint Michael wrote:
>>>> I compiled the latest version, 8.1, inside Centos 7.9, and
>>> [snip]
>>>
>>> What use-case would there be there for tcpwrappers that cannot be better
>>> solved with a packet filter? In the case of CentOS 7 you have nftables
>>> and iptables.
>>>
>>> /Lars
>>>
>>> _______________________________________________
>>> openssh-unix-dev mailing list
>>> openssh-unix-dev at mindrot.org
>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>>>
>>


