[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

Thu Mar 20 21:22:45 UTC 2014
Matthew Miller <mattdm at mattdm.org>

On Thu, Mar 20, 2014 at 06:14:56PM -0300, Fernando Cassia wrote:
> Please don't remove it. Why this sudden idea in software circles that
> stuff that works properly needs to be removed for no reason whatsoever
> other than "it's old and we think nobody uses it". How do you know?

Well, that's why I'm asking.

> IF IT AIN'T BROKEN, DON'T FIX IT. You might have heard of it.

Yes, I have heard of that.

But, are you actually using it? Do you need to?

There are real downsides to carrying unmaintained code forward.

Someone put forth the possibility of developing and maintaining a
modern library implementing the same config files but with an
updated codebase and better API, but no one has actually volunteered to
do that work. If you'd like to be that person, awesome.

> Fail2ban is one piece of software which interfaces with tcp wrappers.
> v0.9.0 just out
> http://www.fail2ban.org/wiki/index.php/Main_Page

Yes, and I know for sure people use that -- I do, for example. But I use it to
manipulate IP tables, which is more secure and less fragile than the
hosts.deny action (it's always a bit scary when configuration files are
edited by a program!). Because it is actively maintained upstream, there's
even support for new things like firewalld.

On the other hand, people using unmaintained solutions like DenyHosts would
have to migrate.


-- 
Matthew Miller           mattdm at mattdm.org          <http://mattdm.org/>