From owner-freebsd-questions@FreeBSD.ORG  Wed Oct 25 14:59:47 2006
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 0C23916A412
	for <freebsd-questions@freebsd.org>;
	Wed, 25 Oct 2006 14:59:47 +0000 (UTC)
	(envelope-from pauls@utdallas.edu)
Received: from smtp1.utdallas.edu (smtp1.utdallas.edu [129.110.10.12])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 9825B43D49
	for <freebsd-questions@freebsd.org>;
	Wed, 25 Oct 2006 14:59:46 +0000 (GMT)
	(envelope-from pauls@utdallas.edu)
Received: from utd59514.utdallas.edu (utd59514.utdallas.edu [129.110.3.28])
	by smtp1.utdallas.edu (Postfix) with ESMTP id 20103388F1B
	for <freebsd-questions@freebsd.org>;
	Wed, 25 Oct 2006 09:59:42 -0500 (CDT)
Date: Wed, 25 Oct 2006 09:56:50 -0500
From: Paul Schmehl <pauls@utdallas.edu>
To: freebsd-questions@freebsd.org
Message-ID: <25EF2257D42835E7C800F7AB@utd59514.utdallas.edu>
In-Reply-To: <E1GcdoI-000MsQ-00.rihad-mail-ru@f48.mail.ru>
References: <E1GcdoI-000MsQ-00.rihad-mail-ru@f48.mail.ru>
X-Mailer: Mulberry/4.0.6 (Linux/x86)
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=sha1;
	protocol="application/pkcs7-signature";
	boundary="==========97462A5CD0BB520D2D57=========="
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Subject: Re: tcpwrappers & SSH
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Oct 2006 14:59:47 -0000

--==========97462A5CD0BB520D2D57==========
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline

--On Wednesday, October 25, 2006 12:08:26 +0400 =
=D0=A0=D0=B8=D1=85=D0=B0=D0=B4 =D0=93=D0=B0=D0=B4=D0=B6=D0=B8=D0=B5=D0=B2=20
<rihad@mail.ru> wrote:

> A comment in /etc/hosts.allow states that:
> Wrapping sshd(8) is not normally a good idea
>
> Why? Is it because such restrictions should naturally be made using a
> firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have
> been built with libwrap support in the first place. Or?
>
Because maintaining the access list can be quite ponderous if you have a=20
lot of users.

I maintain a hobby website that only has two shell accounts.  I use=20
hosts.allow for ssh because it gets rid of the brute-force crap.  But even=20
for two users, the list of hosts/networks that are allowed is 10 or 15.=20
Imagine what it would be if you have a hundred users...or a thousand.

Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/

--==========97462A5CD0BB520D2D57==========--