Bringing back tcp wrappers

raf ssh at raf.org
Thu Jun 24 10:19:57 AEST 2021


On Wed, Jun 23, 2021 at 06:15:12PM +0200, Thorsten Glaser <t.glaser at tarent.de> wrote:

> On Wed, 23 Jun 2021, Saint Michael wrote:
> 
> > why do we need to ruin the lives of millions of security officers?
> > I got hacked in 72 servers this week, they installed Bitcoin miners.
> 
> Uhm… just use a firewall? For example pf can easily handle
> permitting access to SSH by host via tables.
> 
> bye,
> //mirabilos

You can even have a little script that parses /etc/hosts.allow
(even if sshd itself doesn't consult it), and creates firewall
rules based on its contents. That way, it doesn't matter if the
firewall is briefly down. Debian's sshd uses libwrap but I do
this anyway because it's an easy way to manage the firewall,
and because it dramatically reduces the sshd logs.

cheers,
raf
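As an added example (not raf's script, and not part of the original post), here is a sketch of the kind of parser described above: it reads hosts_access(5) rules that apply to sshd, turns the client patterns into IP networks, and renders nft(8) accept rules for port 22. The nftables table and chain names, the sshd daemon name and the sample hosts.allow content are all assumptions; patterns a packet filter cannot express (hostnames, domain suffixes, EXCEPT) are reported back rather than guessed.

```python
import ipaddress
import re
# Constructed sample in hosts_access(5) syntax (not the poster's file).
SAMPLE_HOSTS_ALLOW = """\
# SSH from the office LAN (netmask form) and two admin ranges
sshd : 192.168.1.0/255.255.255.0
sshd, sshd2 : 203.0.113.7 \\
    10.0.0.0/8
sshd : 198.51.100.0/24 : allow
smtpd : ALL
sshd : .example.com
"""

def logical_lines(text):
    """Join backslash-continued lines and drop blanks and comments."""
    joined = re.sub(r"\\\n", " ", text)
    return [ln.strip() for ln in joined.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def parse_hosts_allow(text, daemon="sshd"):
    """Return (networks, unresolved) for rules that apply to `daemon`."""
    nets, unresolved = [], []
    for line in logical_lines(text):
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = [d for d in re.split(r"[,\s]+", fields[0]) if d]
        if daemon not in daemons and "ALL" not in daemons:
            continue
        clients = [c for c in re.split(r"[,\s]+", fields[1]) if c]
        if "EXCEPT" in clients:  # negation needs a drop rule; leave to a human
            unresolved.append(line)
            continue
        for pat in clients:
            try:  # accepts dotted address, CIDR and netmask forms; ALL = anywhere
                nets.append(ipaddress.ip_network(
                    "0.0.0.0/0" if pat == "ALL" else pat, strict=False))
            except ValueError:  # hostname, domain suffix, KNOWN, ...: not an IP
                unresolved.append(pat)
    return list(dict.fromkeys(nets)), unresolved

def nft_rules(nets, port=22, table="inet filter", chain="input"):
    """One nft(8) accept rule per network; table and chain names are assumptions."""
    return [f"nft add rule {table} {chain} {'ip6' if n.version == 6 else 'ip'} "
            f"saddr {n} tcp dport {port} accept" for n in nets]

if __name__ == "__main__":
    nets, skipped = parse_hosts_allow(SAMPLE_HOSTS_ALLOW)
    print("\n".join(nft_rules(nets)))
    print("# needs manual review:", skipped)
```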



More information about the openssh-unix-dev mailing list