On Wed, 03 Apr 2024 14:10:37 +0100, "Jonathan Dowland" <j...@debian.org> wrote:
>On Tue Apr 2, 2024 at 12:30 PM BST, Marc Haber wrote:
>> Please don't drop the mechanism that saved my¹ unstable installations
>> from being vulnerable to the current xz-based attack. Just having to
>> dump an ALL: ALL into /etc/hosts.deny is vastly easier than having to
>> maintain a packet filter.
>
>For you and fellow greybeards, perhaps: I'd be surprised if many people
>younger than us have even heard of tcp wrappers. I don't think the
>muscle memory of a diminishing set of users is a strong argument,
>especially given it's a preference rather than a requirement, and
>alternatives do exist.
It is possible to have that alternative not present without being noticed
(for example, a firewall build script failing, but sshd start not
failing), while a security measure built into the very daemon is way
harder to be accidentally disabled while keeping the daemon running.

I have spent weeks if not months of my life building firewalls that fail
to the safe side (have it "all closed" if something fails during build),
lost them all when we got migrated to nft due to its inadequate tooling,
while hosts.deny and hosts.allow is done in seconds even if you don't
have orchestration.

If there are arguments for keeping tcp-wrappers-compatible security in
sshd, it is NOT muscle memory, it is a technically founded and solid
preference.

Greetings
Marc
-- 
----------------------------------------------------------------------------
Marc Haber         | " Questions are the         | Mailadresse im Header
Rhein-Neckar, DE   |  Beginning of Wisdom "      | 
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 6224 1600402
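As an added illustration of the mechanism under discussion (this is not part of Marc's mail nor code from tcp_wrappers or OpenSSH), the following is a simplified Python model of the hosts_access(5) decision order: hosts.allow is consulted first and a match grants access, then hosts.deny and a match refuses, and a request matching neither file is granted. The two config texts are constructed for the example; the address-only client matching (no hostname lookups, no IPv6 bracket syntax, no shell-command field) is an assumption of this model, not the full tcpd grammar.

```python
import ipaddress

# Constructed example files, not taken from any real host.
# Only the management network may reach sshd; everything else is refused.
HOSTS_ALLOW = """
sshd: 192.0.2.0/24 EXCEPT 192.0.2.13   # one jump host is excluded again
"""

HOSTS_DENY = """
ALL: ALL    # the fail-closed line this thread is about
"""


def _parse(text):
    """Return [(daemon_patterns, client_patterns)], dropping comments,
    blank lines and any optional third (shell command) field."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def _match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _match_client(pattern, addr):
    """Subset of hosts_access(5) client patterns: ALL, exact address,
    trailing-dot prefix (192.0.2.), CIDR and net/netmask forms."""
    ip = ipaddress.ip_address(addr)
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # ipaddress accepts both 192.0.2.0/24 and 192.0.2.0/255.255.255.0
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern


def _list_match(patterns, value, matcher):
    """Evaluate a pattern list, honouring the 'EXCEPT' operator:
    'A B EXCEPT C' matches if A or B matches and C does not."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return (_list_match(patterns[:i], value, matcher)
                and not _list_match(patterns[i + 1:], value, matcher))
    return any(matcher(p, value) for p in patterns)


def hosts_access(daemon, client_addr, allow_text=HOSTS_ALLOW,
                 deny_text=HOSTS_DENY):
    """True if access is granted. First match in hosts.allow grants;
    otherwise first match in hosts.deny refuses; otherwise grant."""
    for rules, verdict in ((_parse(allow_text), True),
                           (_parse(deny_text), False)):
        for daemons, clients in rules:
            if (_list_match(daemons, daemon, _match_daemon)
                    and _list_match(clients, client_addr, _match_client)):
                return verdict
    return True


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.13", "198.51.100.7"):
        print(addr, "->", "grant" if hosts_access("sshd", addr) else "refuse")
    # With hosts.deny absent or empty, the same outside address is granted:
    # there is nothing left to refuse it, which is what ALL: ALL prevents.
    print("198.51.100.7 without hosts.deny ->",
          "grant" if hosts_access("sshd", "198.51.100.7", deny_text="")
          else "refuse")
```

The last call shows why the single ALL: ALL line matters: remove the deny file and the model falls open, since an unmatched request is granted by default. The real tcpd additionally matches hostnames, the LOCAL and KNOWN/UNKNOWN keywords and bracketed IPv6 literals, none of which this model implements.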