
List:       debian-devel
Subject:    Re: Debian openssh option review: considering splitting out GSS-API key exchange
From:       "Henrique de Moraes Holschuh" <hmh () debian ! org>
Date:       2024-04-04 21:42:08
Message-ID: 6e7e7787-f3f2-4d22-b4a3-c5bb86df5bb6 () app ! fastmail ! com

On Tue, Apr 2, 2024, at 07:04, Marco d'Itri wrote:
> On Apr 02, Colin Watson <cjwatson@debian.org> wrote:
> 
> > At the time, denyhosts was popular, but it was removed from Debian
> > several years ago.  I remember that, when I dealt with that on my own
> > systems, fail2ban seemed like the obvious replacement, and my impression
> > is that it's pretty widely used nowadays; it's very pluggable but it
> > normally works by adding firewall rules.  Are there any similar popular
> > systems left that rely on editing /etc/hosts.deny?
> Yes, people. I object to removing TCP wrappers support since the patch
> is tiny and it supports use cases like DNS-based ACLs which cannot be
> supported by L3 firewalls.

If libwrap is bringing in complex libs, maybe we could reduce the attack surface on
libwrap itself?  It would be nice to have a variant that only links to the libc and
that's it...

And that benefits everything that links to TCP wrappers...

I also like to have the (old-school) standard extra layer of protection that libwrap
can provide. I'd like to find a way to keep it useful for sshd.

-- 
  Henrique de Moraes Holschuh <hmh@debian.org>
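The DNS-based ACL use case argued for in the thread (a `hosts.allow` rule such as `sshd: .example.com`, which matches on the client's hostname rather than its address), as an added example that is not part of the original posts or of the tcp_wrappers code. The rule files and the DNS tables are constructed so it runs offline; the allow-then-deny evaluation order and the reverse/forward (PARANOID) hostname check follow the classic hosts_access behaviour.

```python
"""Minimal evaluator for TCP-wrappers-style hosts.allow / hosts.deny rules.
Added example, not code from the thread or from tcp_wrappers.  It models the
DNS-based ACL case raised above (`sshd: .example.com` matches a hostname, which
an L3 firewall cannot); DNS is stubbed with constructed tables so it runs offline."""
import ipaddress

# Constructed sample rule files (daemon_list : client_list).
HOSTS_ALLOW = "sshd: .example.com 192.0.2.0/24\nALL: 127.0.0.1\n"
HOSTS_DENY = "sshd: ALL\n"

# Constructed DNS view. 198.51.100.7 has a PTR claiming example.com, but the
# forward record does not point back, so its name must not be trusted.
REVERSE = {"203.0.113.10": "bastion.example.com", "198.51.100.7": "bastion.example.com"}
FORWARD = {"bastion.example.com": {"203.0.113.10"}}

def client_hostname(ip):
    """Reverse-resolve, then require the forward lookup to agree (the
    PARANOID check).  Returns None when the client has no trustworthy name."""
    name = REVERSE.get(ip)
    return name if name and ip in FORWARD.get(name, set()) else None

def pattern_matches(pattern, ip, hostname):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):  # domain suffix, e.g. ".example.com"
        return hostname is not None and hostname.endswith(pattern)
    if "/" in pattern:           # CIDR network
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (ip, hostname)

def rules_match(text, daemon, ip, hostname):
    """True if any rule line in text applies to this daemon and client."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = (part.split() for part in line.split(":", 1))
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(pattern_matches(p, ip, hostname) for p in clients):
            return True
    return False

def access_allowed(daemon, ip):
    """hosts.allow is consulted first (match => allow), then hosts.deny
    (match => deny); a client matching neither file is allowed."""
    hostname = client_hostname(ip)
    if rules_match(HOSTS_ALLOW, daemon, ip, hostname):
        return True
    return not rules_match(HOSTS_DENY, daemon, ip, hostname)
```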

