Date: Wed, 25 Oct 2006 09:56:50 -0500 From: Paul Schmehl <pauls@utdallas.edu> To: freebsd-questions@freebsd.org Subject: Re: tcpwrappers & SSH Message-ID: <25EF2257D42835E7C800F7AB@utd59514.utdallas.edu> In-Reply-To: <E1GcdoI-000MsQ-00.rihad-mail-ru@f48.mail.ru> References: <E1GcdoI-000MsQ-00.rihad-mail-ru@f48.mail.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
--On Wednesday, October 25, 2006 12:08:26 +0400 Рихад Гаджиев <rihad@mail.ru> wrote: > A comment in /etc/hosts.allow states that: > Wrapping sshd(8) is not normally a good idea > > Why? Is it because such restrictions should naturally be made using a > firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have > been built with libwrap support in the first place. Or? > Because maintaining the access list can be quite ponderous if you have a lot of users. I maintain a hobby website that only has two shell accounts. I use hosts.allow for ssh because it gets rid of the brute-force crap. But even for two users, the list of hosts/networks that are allowed is 10 or 15. Imagine what it would be if you have a hundred users...or a thousand. Paul Schmehl (pauls@utdallas.edu) Senior Information Security Analyst The University of Texas at Dallas http://www.utdallas.edu/ir/security/
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?25EF2257D42835E7C800F7AB>