From owner-freebsd-questions@FreeBSD.ORG Wed Oct 25 19:16:36 2006 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 91EFF16A4A7 for ; Wed, 25 Oct 2006 19:16:36 +0000 (UTC) (envelope-from pauls@utdallas.edu) Received: from smtp1.utdallas.edu (smtp1.utdallas.edu [129.110.10.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1A0D043D45 for ; Wed, 25 Oct 2006 19:16:36 +0000 (GMT) (envelope-from pauls@utdallas.edu) Received: from utd59514.utdallas.edu (utd59514.utdallas.edu [129.110.3.28]) by smtp1.utdallas.edu (Postfix) with ESMTP id B25F2389119 for ; Wed, 25 Oct 2006 14:16:31 -0500 (CDT) Date: Wed, 25 Oct 2006 14:13:40 -0500 From: Paul Schmehl To: freebsd-questions@freebsd.org Message-ID: <12CC13AA49D069C7FAD7B7B2@utd59514.utdallas.edu> In-Reply-To: <453FB3D3.4030308@computer.org> References: <25EF2257D42835E7C800F7AB@utd59514.utdallas.edu> <453FB3D3.4030308@computer.org> X-Mailer: Mulberry/4.0.6 (Linux/x86) MIME-Version: 1.0 Content-Type: multipart/signed; micalg=sha1; protocol="application/pkcs7-signature"; boundary="==========4224533C84BF8EAE3795==========" X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Re: tcpwrappers & SSH X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Oct 2006 19:16:36 -0000 --==========4224533C84BF8EAE3795========== Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline --On Wednesday, October 25, 2006 13:58:27 -0500 Eric Schuele=20 wrote: > > Viewed from a slightly different angle... > > If you are responsible for maintaining machine xyz, and you have used > tcpwrappers... chances are you'll eventually need access to that machine > from a location you did not previously expect. Maybe your sitting in the > airport and get a call that the machine is malfunctioning. Maybe you are > on call at a social gathering. In any case, you'll need access and if it > is using tcpwrappers, you may not gain access. > This is *definitely* something that you need to think through. I have two=20 machines at work that are always on, so I can always ssh to them first,=20 then to the server and edit the /etc/hosts.allow file to give myself=20 temporary access, if needed. In general, I prefer to go through those=20 hosts, rather than open another avenue that I may later forget to remove.=20 Since everything I do on those servers (almost) is through ssh, it's not a=20 problem for me to need an extra "hop" before I get to the box. Paul Schmehl (pauls@utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/ --==========4224533C84BF8EAE3795==========--