tcpwrappers & SSH
Paul Schmehl
pauls at utdallas.edu
Wed Oct 25 14:59:47 UTC 2006
--On Wednesday, October 25, 2006 12:08:26 +0400 Рихад Гаджиев
<rihad at mail.ru> wrote:
> A comment in /etc/hosts.allow states that:
> Wrapping sshd(8) is not normally a good idea
>
> Why? Is it because such restrictions should naturally be made using a
> firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have
> been built with libwrap support in the first place. Or?
>
Because maintaining the access list can be quite ponderous if you have a
lot of users.
I maintain a hobby website that only has two shell accounts. I use
hosts.allow for ssh because it gets rid of the brute-force crap. But even
for two users, the list of hosts/networks that are allowed is 10 or 15.
Imagine what it would be if you have a hundred users...or a thousand.
Paul Schmehl (pauls at utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
More information about the freebsd-questions
mailing list