
List:       debian-devel
Subject:    Re: Debian openssh option review: considering splitting out GSS-API key exchange
From:       Colin Watson <cjwatson () debian ! org>
Date:       2024-04-02 10:27:26
Message-ID: ZgvdjkI-SG7D7Sdw () riva ! ucam ! org

On Tue, Apr 02, 2024 at 12:04:26PM +0200, Marco d'Itri wrote:
> On Apr 02, Colin Watson <cjwatson@debian.org> wrote:
> > At the time, denyhosts was popular, but it was removed from Debian
> > several years ago.  I remember that, when I dealt with that on my own
> > systems, fail2ban seemed like the obvious replacement, and my impression
> > is that it's pretty widely used nowadays; it's very pluggable but it
> > normally works by adding firewall rules.  Are there any similar popular
> > systems left that rely on editing /etc/hosts.deny?
> 
> Yes, people. I object to removing TCP wrappers support since the patch 
> is tiny and it supports use cases like DNS-based ACLs which cannot be 
> supported by L3 firewalls.

It's not about the size of the patch.

You could use a drop-in unit to wrap sshd in tcpd, as suggested by the
Fedora wiki page?  This would avoid exposing sshd's process space to
libwrap and all the stuff it links to by default.

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]
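
The drop-in approach mentioned in the reply, written out as an added example; this is not code from the thread, from Debian's packaging or from the Fedora wiki page. It assumes Debian's per-connection unit `ssh@.service` (paired with `ssh.socket` running with `Accept=yes`), the `tcpd` package installed at `/usr/sbin/tcpd`, and `sshd` at `/usr/sbin/sshd`. The script writes an override that replaces the packaged `ExecStart` with one that goes through `tcpd`, and a check function that confirms the override has the right shape. A root prefix argument lets you write the file somewhere harmless to inspect it first.

```shell
#!/bin/sh
# Added example (not from the thread): run Debian's per-connection sshd
# instance (ssh@.service, used by ssh.socket with Accept=yes) through tcpd.
# hosts.allow/hosts.deny are then evaluated in a separate, short-lived
# process, and sshd itself no longer needs to be linked against libwrap.
# Assumed paths/unit names: /usr/sbin/tcpd, /usr/sbin/sshd, ssh@.service.
set -eu

# Write the drop-in under prefix $1 (default "/"); a non-root prefix is a
# preview that does not touch the live system.
write_tcpd_dropin() {
    root="${1:-/}"
    root="${root%/}"
    dir="$root/etc/systemd/system/ssh@.service.d"
    mkdir -p "$dir"
    # An empty "ExecStart=" clears the packaged command before adding ours.
    # The "@" prefix tells systemd to pass the *next* token as argv[0];
    # tcpd takes the real daemon's absolute path from argv[0] and execs it
    # with the remaining arguments. "-i" keeps sshd in inetd mode, talking
    # on the connection that ssh@.service hands it on stdin/stdout.
    # $SSHD_OPTS stays literal here; the unit expands it from /etc/default/ssh.
    cat > "$dir/tcpd.conf" <<'EOF'
[Service]
ExecStart=
ExecStart=-@/usr/sbin/tcpd /usr/sbin/sshd -i $SSHD_OPTS
EOF
    printf '%s\n' "$dir/tcpd.conf"
}

# Sanity-check the written drop-in: the first ExecStart must be empty and
# the second must route through tcpd with the argv[0] override. Returns
# non-zero if either line is missing.
verify_tcpd_dropin() {
    root="${1:-/}"
    root="${root%/}"
    f="$root/etc/systemd/system/ssh@.service.d/tcpd.conf"
    [ -f "$f" ] || return 1
    grep -qx 'ExecStart=' "$f" || return 1
    grep -qE '^ExecStart=-?@/usr/sbin/tcpd /usr/sbin/sshd -i' "$f" || return 1
}

# Switch the host from the long-running ssh.service to socket activation so
# that ssh@.service (and therefore tcpd) handles each connection. Only call
# this on the real system, after the drop-in has been written to "/".
activate_socket_mode() {
    systemctl daemon-reload
    systemctl disable --now ssh.service
    systemctl enable --now ssh.socket
}

# Usage: ./tcpd-dropin.sh [PREFIX]  (no argument: do nothing, just define
# the functions; "/" writes the live drop-in, any other path previews it).
if [ $# -gt 0 ]; then
    write_tcpd_dropin "$1"
    verify_tcpd_dropin "$1"
fi
```

After writing the real file, `systemctl cat ssh@.service` shows the merged unit, and tcpd's own syslog lines (`connect from ...` / `refused connect from ...`) in the journal confirm the wrapper is in the path. A DNS-suffix rule such as `sshd: .example.org` in `/etc/hosts.allow` with `sshd: ALL` in `/etc/hosts.deny` is the kind of ACL the earlier message refers to; the daemon name tcpd matches is the basename of the path it was handed, i.e. `sshd`.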
