On Tue, Apr 2, 2024, at 07:04, Marco d'Itri wrote:
> On Apr 02, Colin Watson <cjwat...@debian.org> wrote:
>
>> At the time, denyhosts was popular, but it was removed from Debian
>> several years ago. I remember that, when I dealt with that on my own
>> systems, fail2ban seemed like the obvious replacement, and my impression
>> is that it's pretty widely used nowadays; it's very pluggable but it
>> normally works by adding firewall rules. Are there any similar popular
>> systems left that rely on editing /etc/hosts.deny?
>
> Yes, people. I object to removing TCP wrappers support since the patch
> is tiny and it supports use cases like DNS-based ACLs which cannot be
> supported by L3 firewalls.
If libwrap is bringing in complex libs, maybe we could reduce the attack surface on libwrap itself? It would be nice to have a variant that only links to the libc and that's it... And that benefits everything that links to TCP wrappers...

I also like to have the (old-school) standard extra layer of protection that libwrap can provide. I'd like to find a way to keep it useful for sshd.

--
Henrique de Moraes Holschuh <h...@debian.org>
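To make concrete what Marco's "DNS-based ACLs which cannot be supported by L3 firewalls" refers to, here is an added example that is not from this thread, from libwrap, or from Debian's sshd patch: a toy Python model of the hosts_access(5) decision (search /etc/hosts.allow, then /etc/hosts.deny, default allow) with a stubbed resolver. The hosts.allow/hosts.deny contents, the DNS tables and all addresses are constructed for the example; IPv6 literals, the `@host` daemon form and the rule options field are deliberately not modelled. The part an address-keyed firewall rule has no equivalent for is the hostname suffix pattern (`.example.com`) and the `PARANOID` check, which only works because tcpd reverse-resolves the peer and then confirms the name resolves back to the connecting address.

```python
"""Toy model of TCP Wrappers hosts_access(5) matching (example code, not libwrap)."""
import ipaddress
import re

# Constructed DNS tables standing in for the resolver (assumption for the example).
REVERSE_DNS = {
    "192.0.2.10": "bastion.example.com",
    "192.0.2.11": "legacy.example.com",
    "192.0.2.12": "spoof.example.com",   # reverse record claims example.com ...
    "198.51.100.5": "host.attacker.test",
}
FORWARD_DNS = {
    "bastion.example.com": {"192.0.2.10"},
    "legacy.example.com": {"192.0.2.11"},
    "spoof.example.com": {"203.0.113.9"},  # ... but the name resolves elsewhere
    "host.attacker.test": {"198.51.100.5"},
}

# Constructed policy: admins from their own domain (minus one retired host) and
# the management LAN may reach sshd; spoofed reverse DNS and everyone else is denied.
HOSTS_ALLOW = """
sshd: .example.com EXCEPT legacy.example.com
sshd: 10.0.0.            # address prefix, no resolver needed
"""
HOSTS_DENY = """
sshd: PARANOID           # reverse/forward DNS mismatch
sshd: ALL
"""


def lookup(addr):
    """What tcpd does before matching: reverse-resolve the peer, then require the
    name to resolve back to the peer's address. A mismatch marks it PARANOID and
    the real hostname is discarded, so hostname patterns can no longer match it."""
    name = REVERSE_DNS.get(addr)
    if name is None:
        return {"addr": addr, "name": "unknown", "paranoid": False}
    if addr not in FORWARD_DNS.get(name, set()):
        return {"addr": addr, "name": "paranoid", "paranoid": True}
    return {"addr": addr, "name": name.lower(), "paranoid": False}


def match_client(pat, client):
    """One client pattern from hosts_access(5): wildcards, .suffix, prefix., net/mask, exact."""
    p, up = pat.strip(), pat.strip().upper()
    name, addr = client["name"], client["addr"]
    if up == "ALL":
        return True
    if up == "PARANOID":
        return client["paranoid"]
    if up == "UNKNOWN":
        return name == "unknown"
    if up == "KNOWN":
        return name not in ("unknown", "paranoid")
    if up == "LOCAL":
        return "." not in name and name not in ("unknown", "paranoid")
    if p.startswith("."):                       # hostname suffix, needs the resolver
        return name.endswith(p.lower())
    if "/" in p:                                # net/mask, dotted-quad or prefix length
        net, mask = p.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if p.endswith("."):                         # address prefix
        return addr.startswith(p)
    return name == p.lower() or addr == p       # exact host name or address


def match_list(lst, item_matches):
    """Comma/blank-separated list with right-associative EXCEPT, per the man page."""
    parts = re.split(r"\s+EXCEPT\s+", lst.strip(), maxsplit=1, flags=re.I)
    if len(parts) == 2:
        return match_list(parts[0], item_matches) and not match_list(parts[1], item_matches)
    return any(item_matches(tok) for tok in re.split(r"[,\s]+", parts[0]) if tok)


def _table_matches(text, daemon, client):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemon_ok = match_list(fields[0], lambda d: d.upper() == "ALL" or d.lower() == daemon.lower())
        if daemon_ok and match_list(fields[1], lambda c: match_client(c, client)):
            return True
    return False


def hosts_access(allow_text, deny_text, daemon, addr):
    """Return "allow" or "deny": first match in hosts.allow wins, then hosts.deny, else allow."""
    client = lookup(addr)
    if _table_matches(allow_text, daemon, client):
        return "allow"
    if _table_matches(deny_text, daemon, client):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for peer in ("192.0.2.10", "192.0.2.11", "192.0.2.12", "198.51.100.5", "10.0.0.7"):
        print(peer, lookup(peer)["name"], hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", peer))
```

The interesting case is 192.0.2.12: its PTR record says `spoof.example.com`, so a naive reverse-lookup ACL would admit it, but the forward lookup does not return 192.0.2.12, so tcpd treats it as PARANOID and the `.example.com` line never matches. That check, like the suffix match itself, is exactly what a rule written against L3 addresses cannot express.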