On 04/20/2014 06:48 PM, John Horne wrote: > On Thu, 2014-03-20 at 15:48 -0400, Matthew Miller wrote: >> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? >> > A very late reply - yes we use it in conjunction with iptables (on > CentOS 5/6 and Fedora). Tcp_wrappers allows filtering based on DNS name, > which (as far as I am aware) iptables does not. It is very easy to > configure, and takes immediate effect (no restarting of processes > required). > >> And, would you care strongly if it went away (or would you just >> migrate to something else)? >> > Since we use it I would obviously rather it did not go away :-) If we > had to we would probably build our own from source, but initially may > well just look to see if iptables could do all of what we wanted. The problem here wouldn't be so much building it from source. You'd have to rebuild everything that would make use of it as well. For example sshd is linked against it. -> [jperrin at monster localbuild]$ ldd /usr/sbin/sshd | grep wrap libwrap.so.0 => /lib64/libwrap.so.0 > >> >> What do you think? Do you rely on hosts.allow/hosts.deny a primary security >> mechanism? As defense-in-depth? Do you have policies which mandate it? >> > No policies as such, but we include its installation as part of our > standard server build process. It is part of the security used on our > servers, and, as others have mentioned, multiple layers is the way to go > rather than relying on just one tool. > > > > > John. > -- Jim Perrin The CentOS Project | http://www.centos.org twitter: @BitIntegrity | GPG Key: FA09AD77