[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

Fri Mar 21 14:43:50 UTC 2014
Leon Fauster <leonfauster at googlemail.com>

On 20.03.2014 at 22:22, Matthew Miller <mattdm at mattdm.org> wrote:
> On Thu, Mar 20, 2014 at 06:14:56PM -0300, Fernando Cassia wrote:
>> Please don't remove it. Why  this sudden idea in software circles that
>> stuff that works properly needs to be removed for no reason whatsoever
>> other than "it's old and we think nobody uses it". How do you know?.
> 
> Well, that's why I'm asking.
> 
>> IF IT AIN'T BROKEN, DON'T FIX IT. You might have heard of it.
> 
> Yes, I have heard of that.
> 
> But, are you actually using it? Do you need to?


We do, and we also compile tcp wrappers support
into services if the distro hasn't done it (e.g. mysql).
It's just used in a multiple-layer protection / security model.


> There are real downsides to carrying unmaintained code forward.
> 
> Someone put forth the possibility of developing and maintaining a
> modern library implementing the same config files but with an updated
> codebase and better API, but no one has actually volunteered to
> do that work. If you'd like to be that person, awesome.
> 
>> Fail2ban is one piece of software which interfaces with tcp wrappers.
>> v0.9.0 just out
>> http://www.fail2ban.org/wiki/index.php/Main_Page
> 
> Yes, and I know for sure people use that -- I do, for example. But I use it to
> manipulate IP tables, which is more secure and less fragile than the


Why is iptables more secure? It's just on another level and the attack vector persists.
And by the way, you do not really want to run a "firewall" on the _same_ system; think
about that.


> hosts.deny action (it's always a bit scary when configuration files are
> edited by a program!). Because it is actively maintained upstream, there's
> even support for new things like firewalld.



Well, I would say it's more scary when humans are editing configuration files :-)


One thing that I like about tcp_wrappers is the use of domain names.
Even possible with iptables, but not as good an idea as with tcp_wrappers.



--
LF
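An added example, not part of Leon's post and not code from tcp_wrappers or fail2ban: a small Python evaluator of the hosts.allow / hosts.deny semantics the thread is arguing about, so the domain-name matching and the "first match in hosts.allow grants, then hosts.deny, then allow" ordering can be tried on constructed rules. It assumes the client's reverse-DNS name is handed in already resolved (real tcpd does the lookup, and the forward check behind PARANOID, itself), implements only the common pattern forms (ALL, LOCAL, KNOWN, UNKNOWN, leading-dot domain suffix, trailing-dot address prefix, addr/mask, exact host or address, EXCEPT), and skips the optional shell-command field and IPv6 bracket syntax. The rule files and addresses below are constructed for the example.

```python
"""Minimal evaluator of tcp_wrappers hosts.allow / hosts.deny semantics.

Added example; assumptions: reverse-DNS name is passed in pre-resolved,
only the common pattern forms are supported, IPv4 only, no shell_command
field. Sample rules and addresses are constructed, not a real site's policy.
"""
import ipaddress

HOSTS_ALLOW = """\
# constructed sample rules
sshd   : .corp.example.com  192.168.1.0/255.255.255.0
mysqld : 10.0.0.
ALL EXCEPT in.telnetd : LOCAL
"""

HOSTS_DENY = """\
# constructed sample: no catch-all, so unmatched clients fall through to "allow"
sshd : .attacker.example
"""


def _parse_list(field):
    """'a b EXCEPT c d' -> (['a', 'b'], ['c', 'd']); comma or space separated."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text):
    """Parse an access file into [(daemon_list, client_list), ...].
    Handles comments, blank lines and backslash continuations; a third
    ': shell_command' field is ignored (so IPv6 [..] forms are not parsed)."""
    rules = []
    logical = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            logical += line[:-1] + " "
            continue
        logical += line
        fields = [f.strip() for f in logical.split(":")]
        logical = ""
        if len(fields) < 2 or not fields[0]:
            continue
        rules.append((_parse_list(fields[0]), _parse_list(fields[1])))
    return rules


def _client_matches(pattern, addr, host):
    """One client pattern against the client's address and (optional) name."""
    p = pattern.lower()
    h = host.lower() if host else None
    if p == "all":
        return True
    if p == "local":                       # name without a dot
        return h is not None and "." not in h
    if p == "known":
        return h is not None
    if p == "unknown":
        return h is None
    if p.startswith("."):                  # domain suffix: .corp.example.com
        return h is not None and h.endswith(p)
    if p.endswith("."):                    # address prefix: 10.0.0.
        return addr.startswith(p)
    if "/" in p:                           # net/mask: 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False)
    return p == addr or p == h             # exact address or host name


def _list_matches(pattern_list, match):
    """'x y EXCEPT z' matches when some x/y matches and no z does."""
    include, exclude = pattern_list
    return any(match(p) for p in include) and not any(match(p) for p in exclude)


def _file_matches(rules, daemon, addr, host):
    for daemons, clients in rules:
        if _list_matches(daemons, lambda p: p == "ALL" or p == daemon) and \
           _list_matches(clients, lambda p: _client_matches(p, addr, host)):
            return True
    return False


def access_allowed(daemon, addr, host=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: first match in hosts.allow grants; otherwise first match
    in hosts.deny refuses; otherwise access is granted."""
    if _file_matches(parse_rules(allow), daemon, addr, host):
        return True
    if _file_matches(parse_rules(deny), daemon, addr, host):
        return False
    return True


def ban_in_hosts_deny(deny_text, addr):
    """What a fail2ban-style hostsdeny action amounts to: append 'ALL: <addr>'.
    Since hosts.allow is consulted first, this does nothing for a client that
    already matches a hosts.allow rule."""
    return deny_text.rstrip("\n") + "\nALL: %s\n" % addr


if __name__ == "__main__":
    print(access_allowed("sshd", "192.168.1.20", "pc.corp.example.com"))
    print(access_allowed("sshd", "203.0.113.7", "scan.attacker.example"))
    banned = ban_in_hosts_deny(HOSTS_DENY, "192.168.1.20")
    print(access_allowed("sshd", "192.168.1.20", "pc.corp.example.com", deny=banned))
```

The last call is the caveat worth remembering when mixing fail2ban's hostsdeny action with a hand-written hosts.allow: an address that matches a hosts.allow entry stays allowed no matter what gets appended to hosts.deny, and with no `ALL: ALL` in hosts.deny anything unmatched falls through to "allow". The domain-suffix rules also only ever see the name the reverse lookup returned, which is why this evaluator takes that name as an input rather than resolving it.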