Florian Lohoff <f...@zz.de> writes:

> These times have long gone and tcp wrapper as a security mechanism has
> lost its reliability, this is why people started moving away from tcp
> wrapper (which I think is a shame)

> I personally moved to nftables which is nearly as simple once you get
> your muscle memory set. If ssh is your only candidate of network service
> you could also use match statements in /etc/ssh/sshd_config.d/.

For what it's worth, I have iptables (I know, it's nftables under the hood
now, but I'm still using the iptables syntax because the number of hours
in each day is annoyingly low) on every system I run and I still use TCP
wrappers for ssh restrictions for one host.  That's because I have users
who use various ISPs, and for some of those ISPs, DNS-based restrictions
are less maintenance work than playing whack-a-mole with their
ever-changing IP blocks.

Yes, yes, I know this isn't actually secure, etc., but that's fine, I'm
not using it as a primary security measure.  I'm using it to narrow the
number of hosts on the Internet that can exploit an sshd vulnerability,
and to reduce the amount of annoying automated exploit attempts I get.
(Exactly the kind of thing that helps mildly against situations like the
xz backdoor.)

That said, the point that I could switch over to Match blocks in the sshd
configuration is well-taken, and not wanting to take an hour to rewrite my
rules in a different configuration format is probably not a good enough
reason to keep a dependency in a security-critical, network-exposed
service.  I'm mildly grumbly because it's yet another thing I have to
change just to keep things from breaking, but such is life.

-- 
Russ Allbery (r...@debian.org)              <https://www.eyrie.org/~eagle/>
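
The hosts.allow-to-Match rewrite discussed above, as an added example that is neither Russ's nor Florian's configuration; the domain names are made-up stand-ins for the users' ISPs, and the file name is arbitrary.

```sshd_config
# Added example, not from either mail. trusted-isp.example and
# home.example are hypothetical domains standing in for the users' ISPs.
#
# tcp_wrappers rules being replaced:
#   /etc/hosts.deny:   sshd: ALL
#   /etc/hosts.allow:  sshd: .trusted-isp.example .home.example
#
# sshd equivalent, e.g. /etc/ssh/sshd_config.d/40-restrict-by-host.conf

# Match Host compares the client's reverse-DNS name, which sshd only
# looks up when UseDNS is on.  The name is used only if it resolves
# back to the client's address (the check tcp_wrappers calls PARANOID);
# otherwise the bare IP address is matched instead.
UseDNS yes

# Default for every other client: no authentication method is offered.
# Unlike tcp_wrappers this does not refuse the connection itself; it
# leaves unmatched clients with nothing to authenticate with.
PubkeyAuthentication no
PasswordAuthentication no
KbdInteractiveAuthentication no

# Clients whose verified reverse DNS falls under a trusted domain may
# authenticate with keys.  Patterns are comma-separated; a leading "!"
# negates one, as in ssh_config(5) PATTERNS.
Match Host *.trusted-isp.example,*.home.example
    PubkeyAuthentication yes
```

Check the result with `sshd -T -C host=client.trusted-isp.example,addr=198.51.100.7` (and again with an unmatched host) before restarting sshd; the hostname given to -C is taken as already resolved, so it tests the Match logic, not the DNS lookup.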
