On Tue, Apr 02, 2024 at 01:30:43PM +0200, Marc Haber wrote:
> On Tue, 2 Apr 2024 01:30:10 +0100, Colin Watson <cjwat...@debian.org>
> wrote:
> >We carry a patch to restore support for TCP wrappers, which was dropped
> >in OpenSSH 6.7 (October 2014); see
> >https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-April/032497.html
> >and thread.  That wasn't long before the Debian 8 (jessie) freeze, and
> >so I patched it back in "temporarily", but then I dropped the ball on
> >organizing a proper transition. 
> 
> Please don't drop the mechanism that saved my¹ unstable installations
> from being vulnerable to the current xz-based attack. Just having to
> dump an ALL: ALL into /etc/hosts.deny is vastly easier than having to
> maintain a packet filter.
> 
> Greetings
> Marc
> 
> ¹ and probably thousands others

In the good old days we relied on any network facing service to be
linked to tcp wrappers so a single line would secure your system against
the network with all the possible intruders. This is how I worked for
decades.

These times have long gone and tcp wrapper as a security mechanism has
lost its reliability, this is why people started moving away from tcp
wrapper (which I think is a shame).

I personally moved to nftables which is nearly as simple once you get
your muscle memory set. If ssh is your only candidate of network service
you could also use match statements in /etc/ssh/sshd_config.d/.

So - I am okay with removing the libwrap dependency (not happy).

Flo
-- 
Florian Lohoff                                                     f...@zz.de
  Any sufficiently advanced technology is indistinguishable from magic.
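To give the "nearly as simple" claim above some substance, here is a constructed nftables ruleset that does for sshd what Marc's `ALL: ALL` in /etc/hosts.deny does, only at the packet level. It is an added example, not configuration from the thread or from Debian's openssh packaging; the table name `sshguard`, the set names and the 192.0.2.0/24 and 2001:db8::/32 prefixes (documentation ranges standing in for a site's management network) are all assumptions to be replaced locally.

```nftables
#!/usr/sbin/nft -f
# Constructed example (not from the thread): allow sshd only from trusted
# networks. 192.0.2.0/24 and 2001:db8::/32 are documentation prefixes;
# substitute your management network(s). Load with "nft -f <file>";
# Debian's nftables.service reads /etc/nftables.conf at boot.

# This wipes every table, so this file is the whole firewall. Drop the
# line (and reload with care) if other tables must survive.
flush ruleset

table inet sshguard {
    # Named sets keep the trusted networks editable without touching rules.
    set trusted_v4 {
        type ipv4_addr
        flags interval
        elements = { 127.0.0.0/8, 192.0.2.0/24 }
    }
    set trusted_v6 {
        type ipv6_addr
        flags interval
        elements = { ::1/128, 2001:db8::/32 }
    }

    chain input {
        # Default accept: only sshd is being restricted here, mirroring the
        # one-line hosts.deny approach rather than a full default-drop policy.
        type filter hook input priority filter; policy accept;

        # Packets of already-accepted connections pass; only new ones are screened.
        ct state established,related accept

        # New ssh connections from the trusted sets are fine.
        ip saddr @trusted_v4 tcp dport 22 accept
        ip6 saddr @trusted_v6 tcp dport 22 accept

        # Everything else aimed at sshd is logged, counted and dropped before
        # sshd ever reads a byte of it.
        tcp dport 22 log prefix "ssh-denied: " counter drop
    }
}
```

The sshd_config.d alternative mentioned above (a `Match Address` block for untrusted sources that sets `DenyUsers *`, or tightens `AuthenticationMethods`) needs no firewall at all, but sshd has already accepted the TCP connection and completed key exchange by the time a per-user deny is applied, so it does not shield sshd's pre-authentication code from the network the way the packet filter does. Keeping the allow-list in sets also means that adding a network is a single `nft add element inet sshguard trusted_v4 { 198.51.100.0/24 }` rather than a ruleset edit.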
