Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
> And, would you care strongly if it went away (or would you just migrate to
> something else)?

I would care strongly as I use it at home to limit inbound ssh to just the IP
addresses of my work machine. Setting up IPtables is more complicated, which
can be read as easier to get it wrong.

The question becomes: why get rid of it? It is small, works well and works the
same across many flavors of UNIX. I have not looked recently, but I would guess
that the source code does not change very often.

Just my 2 cents.

Bob - Phoenix, AZ

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, 2014-03-20 at 15:48 -0400, Matthew Miller wrote:
> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?

A very late reply - yes, we use it in conjunction with iptables (on CentOS 5/6
and Fedora). Tcp_wrappers allows filtering based on DNS name, which (as far as
I am aware) iptables does not. It is very easy to configure, and takes
immediate effect (no restarting of processes required).

> And, would you care strongly if it went away (or would you just migrate to
> something else)?

Since we use it I would obviously rather it did not go away :-) If we had to
we would probably build our own from source, but initially may well just look
to see if iptables could do all of what we wanted.

> What do you think? Do you rely on hosts.allow/hosts.deny as a primary
> security mechanism? As defense-in-depth? Do you have policies which
> mandate it?

No policies as such, but we include its installation as part of our standard
server build process. It is part of the security used on our servers, and, as
others have mentioned, multiple layers is the way to go rather than relying on
just one tool.

John.

--
John Horne                  Tel: +44 (0)1752 587287
Plymouth University, UK     Fax: +44 (0)1752 587001
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On 04/20/2014 06:48 PM, John Horne wrote:
> On Thu, 2014-03-20 at 15:48 -0400, Matthew Miller wrote:
>> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
>
> A very late reply - yes, we use it in conjunction with iptables (on CentOS
> 5/6 and Fedora). Tcp_wrappers allows filtering based on DNS name, which
> (as far as I am aware) iptables does not. It is very easy to configure,
> and takes immediate effect (no restarting of processes required).
>
>> And, would you care strongly if it went away (or would you just migrate
>> to something else)?
>
> Since we use it I would obviously rather it did not go away :-) If we had
> to we would probably build our own from source, but initially may well
> just look to see if iptables could do all of what we wanted.

The problem here wouldn't be so much building it from source. You'd have to
rebuild everything that would make use of it as well. For example sshd is
linked against it.

[jperrin@monster localbuild]$ ldd /usr/sbin/sshd | grep wrap
	libwrap.so.0 => /lib64/libwrap.so.0

>> What do you think? Do you rely on hosts.allow/hosts.deny as a primary
>> security mechanism? As defense-in-depth? Do you have policies which
>> mandate it?
>
> No policies as such, but we include its installation as part of our
> standard server build process. It is part of the security used on our
> servers, and, as others have mentioned, multiple layers is the way to go
> rather than relying on just one tool.
>
> John.

--
Jim Perrin
The CentOS Project | http://www.centos.org
twitter: @BitIntegrity | GPG Key: FA09AD77
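Jim's one-off `ldd /usr/sbin/sshd | grep wrap` generalised into an inventory, as an added example that is not from the thread: it lists which installed daemons are linked against libwrap, i.e. which services actually consult hosts.allow/hosts.deny on a host (and which would need rebuilding if the library went away). The parsing step reads `ldd` output from stdin so it can be checked against captured text without running `ldd`; the directory names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): which binaries on this host link libwrap?
# Those are the only services whose access is governed by hosts.allow/hosts.deny.

# Read `ldd` output on stdin; exit 0 if libwrap is among the resolved shared
# objects. Kept separate from the directory walk so it can be tested on text.
ldd_output_uses_libwrap() {
    grep -q '^[[:space:]]*libwrap\.so'
}

# Print every executable under the given directories that depends on libwrap.
# Assumes GNU ldd; statically linked or non-ELF files print nothing from ldd
# and are skipped. An empty or missing directory simply yields no output.
list_libwrap_users() {
    for dir in "$@"; do
        for bin in "$dir"/*; do
            [ -f "$bin" ] && [ -x "$bin" ] || continue
            if ldd "$bin" 2>/dev/null | ldd_output_uses_libwrap; then
                printf '%s\n' "$bin"
            fi
        done
    done
}

# Usage on a CentOS 6 host (directories are an assumption, adjust as needed):
#   list_libwrap_users /usr/sbin /sbin
```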
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Sun, 2014-04-20 at 19:27 -0500, Jim Perrin wrote:
> The problem here wouldn't be so much building it from source. You'd have to
> rebuild everything that would make use of it as well. For example sshd is
> linked against it.

Why? If the guy wants to use TCP Wrappers with one other specific application
/ bit of system software (= IP Tables) and wishes to build it from source, why
should he have to worry about SSHD compatibility if he does not want to use
TCP Wrappers with SSHD?

Best regards,

--
Paul.
England, EU. Our systems are exclusively Centos. No Micro$oft Windoze here.
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On 2014-04-21, Always Learning cen...@u62.u22.net wrote:
> On Sun, 2014-04-20 at 19:27 -0500, Jim Perrin wrote:
>> The problem here wouldn't be so much building it from source. You'd have
>> to rebuild everything that would make use of it as well. For example sshd
>> is linked against it.
>
> Why? If the guy wants to use TCP Wrappers with one other specific
> application / bit of system software (= IP Tables) and wishes to build it
> from source, why should he have to worry about SSHD compatibility if he
> does not want to use TCP Wrappers with SSHD?

That's not how I read Jim's response. I read it as, if you wished to use
tcpwrappers with sshd, you'd have to rebuild sshd. If you only have one app
you need to rebuild that's not so bad, but if you have a half dozen it could
be annoying.

--keith

--
kkel...@wombat.san-francisco.ca.us
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
As others have mentioned in this thread, yes, I use it as part of a defence in
depth strategy, and it's a suitable tool for what it is intended to do. I would
not be happy with it going away, especially if doing so broke various tools or
introduced a dependency on a non-base RPM.

Devin
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014 at 4:05 PM, Matthew Miller mat...@mattdm.org wrote:
> On Thu, Mar 20, 2014 at 12:55:56PM -0700, Keith Keller wrote:
>>> What do you think? Do you rely on hosts.allow/hosts.deny as a primary
>>> security mechanism? As defense-in-depth? Do you have policies which
>>> mandate it?
>>
>> I currently use it in conjunction with denyhosts, but have been
>> considering moving to something like sshguard with iptables instead. If
>> hosts.deny support disappeared then I would simply go that route when
>> necessary.
>>
>> May I ask what the reason is for considering dropping tcp wrappers
>> support?
>
> I think the main reasons are: upstream library isn't actually maintained
> since June 2001. The API is somewhat ugly and crufty. Possibly also "one
> more place to check", making systems administration harder.
>
> --
> Matthew Miller mat...@mattdm.org http://mattdm.org/

The reasoning here seems to ignore one of the main tenets of open source --
people contribute with the purpose of scratching their own itch. If there is
such a time when tcp wrappers stops working due to bug or other changes, it's
going to break a LOT of stuff. At that point, many people will have a huge itch
to scratch, and there will be a spontaneous coalescence of support and code
from the people who need it.

Why does there need to be a dedicated maintainer for something to be
included/useful? That seems like a bureaucratic requirement that doesn't take
into account the nature of open source. The project (tcp wrappers) exists as
its own entity and will have a maintainer at the time when it needs one. The
only improvement that could be made is figuring out where a canonical code
repository should exist for it.

Where is this discussion taking place in the Fedora community?

❧ Brian Mathis

P.S. Is this somehow related to your Next proposal and trying to make Fedora
exciting?
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Mon, Mar 24, 2014 at 11:15:04AM -0400, Brian Mathis wrote:
> P.S. Is this somehow related to your Next proposal and trying to make
> Fedora exciting?

Is it working? Got a pretty good thread going here :)

But in seriousness, no. However, me asking here _is_ related to one of the
things I've mentioned as a factor feeding into Fedora.next -- more direct
communication lines to downstream distributions.

--
Matthew Miller mat...@mattdm.org http://mattdm.org/
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Sat, 2014-03-22 at 18:24 +1300, Cliff Pratt wrote:
> On Sat, Mar 22, 2014 at 2:05 PM, Always Learning cen...@u62.u22.net wrote:
>> Nothing is easier and simpler than
>>
>> [any-section]
>> parameter1=value1
>> parameter2=value2
>
> That text format is simple. Too simple. If you have multiple similar
> sub-sections you have to use some ad-hoc construction. For example if you
> require sub entries with eg a default sub-section and a per-user
> sub-section then the simple example doesn't work, or at least it is
> rendered a lot less readable. It doesn't nest.

Whoops, your M$ heritage is showing.

On Linux per-user values are usually stored in individual configuration files
located in their users' ~ (/home/) directories - not in a single, fragile and
all-embracing nightmare called The Windoze Registry.

Linux is much more logical and user-friendly. Hence the existence of simple
configuration files capable of containing copious configuration hints and
explanations - something omitted from the XML monstrosity. :-)

Centos is like a hot sunny day - a true joy to experience.

--
Paul.
England, EU. Our systems are exclusively Centos. No Micro$oft Windoze here.
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On 03/21/2014 08:37 AM, James B. Byrne wrote:
> Possibly because the machines are running programs written by humans that
> need to understand what they think they have told the machine to do in
> order to determine why it is not doing what they want it to?

At the risk of running further off-topic:

I hate this old machine
I wish that they would sell it
It never does what I want
But only what I tell it.
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Sun, Mar 23, 2014 at 2:02 AM, Always Learning cen...@u62.u22.net wrote:
> On Sat, 2014-03-22 at 18:24 +1300, Cliff Pratt wrote:
>> On Sat, Mar 22, 2014 at 2:05 PM, Always Learning cen...@u62.u22.net wrote:
>>> Nothing is easier and simpler than
>>>
>>> [any-section]
>>> parameter1=value1
>>> parameter2=value2
>>
>> That text format is simple. Too simple. If you have multiple similar
>> sub-sections you have to use some ad-hoc construction. For example if you
>> require sub entries with eg a default sub-section and a per-user
>> sub-section then the simple example doesn't work, or at least it is
>> rendered a lot less readable. It doesn't nest.
>
> Whoops, your M$ heritage is showing.

Hmm, I don't deny that I moved to Linux from the Dark Side...

> On Linux per-user values are usually stored in individual configuration
> files located in their users' ~ (/home/) directories - not in a single,
> fragile and all-embracing nightmare called The Windoze Registry.

The Windoze Registry eh? Well, I don't have CentOS/RHEL to try this on here,
but when I type gconf-editor at the command line, I get something much like
Windows Registry Editor.

WRT user configurations, I only used users as an example. Your configuration
file format is not useful in an application that requires a nested
configuration.

> Linux is much more logical and user-friendly. Hence the existence of
> simple configuration files capable of containing copious configuration
> hints and explanations - something omitted from the XML monstrosity. :-)

Yeah right. Each and every configuration has its own format of configuration
file (eg sudoers) which you have to learn. XML is a monstrosity, I agree. But
it's a useful across-the-board monstrosity.

> Centos is like a hot sunny day - a true joy to experience.

And we are still waay off topic!

Cheers,
Cliff
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
> -----Original Message-----
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Matthew Miller
> Sent: 20 March 2014 20:49
> To: centos@centos.org
> Subject: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
>
> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would
> you care strongly if it went away (or would you just migrate to something
> else)?

I do use them both, together with some iptables rules. As for caring if they
disappear, well, maybe not too much, as most everything can be set in iptables
as well. It will take an effort to redo our standard iptables rule list though,
in order to cover up for the missing hosts.deny and hosts.allow files.

--
//Sorin
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014 at 3:48 PM, Matthew Miller mat...@mattdm.org wrote:
> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would
> you care strongly if it went away (or would you just migrate to something
> else)?
>
> I bring this up because we are discussing dropping it from Fedora. This
> would be far enough in the future that it wouldn't impact RHEL 7, and
> therefore won't affect anyone here for Quite Some Time*, but here in the
> new world order of CentOS, I thought it might be useful to check with some
> actual downstream users.
>
> What do you think? Do you rely on hosts.allow/hosts.deny as a primary
> security mechanism? As defense-in-depth? Do you have policies which
> mandate it?
>
> Your feedback appreciated. Thanks!
>
> * and the standard caveats that Fedora doesn't necessarily determine the
> path for RHEL apply, of course.
>
> --
> Matthew Miller mat...@mattdm.org http://mattdm.org/

We still use tcpwrappers extensively behind our firewalls to control many
things. We still have a mixed CentOS 5/6 and older Solaris environment, so it
would be a big hassle to switch to something else.

Of course, if it left Fedora today, it would still be in CentOS for years to
come, and even then we could probably build our own pretty easily, but we'd
rather not have to!

--
Matt Phelps
System Administrator, Computation Facility
Harvard - Smithsonian Center for Astrophysics
mphe...@cfa.harvard.edu, http://www.cfa.harvard.edu
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, March 20, 2014 17:34, Always Learning wrote:
> Nothing remains static. Software evolves into usually superior products.
> Sentimentally longing for the past hampers the introduction of new and
> better replacements.

Yes. For example, look how MicroSoft has improved Windows since XPsp3. ;-^)

--
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte Lyne Limited            http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, March 20, 2014 18:52, Les Mikesell wrote:
> xml isn't intended for humans - it is supposed to be parsed and verified
> by machines. The bigger question is why the machines aren't managing the
> config files themselves yet?

Possibly because the machines are running programs written by humans that need
to understand what they think they have told the machine to do in order to
determine why it is not doing what they want it to?

--
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte Lyne Limited            http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Fri, Mar 21, 2014 at 08:33:19AM -0400, James B. Byrne wrote:
> On Thu, March 20, 2014 17:34, Always Learning wrote:
>> Nothing remains static. Software evolves into usually superior products.
>> Sentimentally longing for the past hampers the introduction of new and
>> better replacements.
>
> Yes. For example, look how MicroSoft has improved Windows since XPsp3. ;-^)

This whole conversation is meaningless. Our opinions on what Fedora does or
doesn't do or what Puttering does or doesn't wreck next are irrelevant.

John
--
Most people hate the idea of evolution because they realize that if it were
working properly, they'd be dead. -- Anonymous
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Fri, Mar 21, 2014 at 8:33 AM, James B. Byrne byrn...@harte-lyne.ca wrote:
> On Thu, March 20, 2014 17:34, Always Learning wrote:
>> Nothing remains static. Software evolves into usually superior products.
>> Sentimentally longing for the past hampers the introduction of new and
>> better replacements.
>
> Yes. For example, look how MicroSoft has improved Windows since XPsp3. ;-^)

I wouldn't know. I don't use it. I've been programming professionally since
1975 and I've managed to never use Windows.
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Fri, Mar 21, 2014 at 7:37 AM, James B. Byrne byrn...@harte-lyne.ca wrote:
> On Thu, March 20, 2014 18:52, Les Mikesell wrote:
>> xml isn't intended for humans - it is supposed to be parsed and verified
>> by machines. The bigger question is why the machines aren't managing the
>> config files themselves yet?
>
> Possibly because the machines are running programs written by humans that
> need to understand what they think they have told the machine to do in
> order to determine why it is not doing what they want it to?

Yes, but that reason is generally that someone changed the language syntax
underneath it instead of settling on simple working APIs. What has actually
stayed stable and backwards compatible over the years other than bourne shell
syntax and perl (almost)? Everything else has made you repeat your work every
few years instead of letting you build on it and advance.

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
Larry Martell wrote:
> On Fri, Mar 21, 2014 at 8:33 AM, James B. Byrne byrn...@harte-lyne.ca wrote:
>> On Thu, March 20, 2014 17:34, Always Learning wrote:
>>> Nothing remains static. Software evolves into usually superior
>>> products. Sentimentally longing for the past hampers the introduction
>>> of new and better replacements.
>>
>> Yes. For example, look how MicroSoft has improved Windows since XPsp3. ;-^)
>
> I wouldn't know. I don't use it. I've been programming professionally
> since 1975 and I've managed to never use Windows.

1980, and I've had to. But I worked long and hard to get into *Nix, and with
one 1.25 year excursion otherwise, have managed to stay here.

So I *do* object to my toolset being cut down or mangled when it's
unnecessary. tcp.wrappers, no big deal. Non-plain-text configuration files, or
crap that invokes crap that invokes crap to do what was formerly done by one
program that read one simple configuration file, not so much.

mark
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On 03/20/2014 04:13 PM, Matthew Miller wrote:
> On Thu, Mar 20, 2014 at 04:00:49PM -0400, John Jasen wrote:
>> Various government entities may use it extensively. I don't recall if
>> tcp_wrappers is in the USGCB baselines for RHEL, but I do believe it's in
>> several CIS benchmarks.
>
> Good question. I checked with both that and the DoD National Checklist
> Program, and neither mention it. Also, unless I missed something else, the
> USGCB covers RHEL 5, so there won't be any impact there. Are the CIS
> benchmarks something you could point me to?

https://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL5_Benchmark_v1.1.pdf

Also note, agencies or groups required to implement CIS or better who maintain
a mixed environment may also use tcp_wrappers on all their platforms, as from a
cursory glance, every UNIX benchmark lists it.

I would recommend against dropping tcp wrappers.

--
-- John Jasen (jja...@realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On 03/20/2014 06:23 PM, Les Mikesell wrote:
> Not sure there's a one-to-one mapping or even a conceptual overlap in what
> tcpwrappers and iptables do. Applications can be configured to use
> different ports than someone setting up iptables might expect - and how
> would you handle portmapper?

As another case, read some of the extended use cases for vsftpd. They require
tcpd to pass an environmental variable telling vsftpd which configuration file
to use.

--
-- John Jasen (jja...@realityfailure.org)
-- No one will sorrow for me when I die, because those who would
-- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Fri, Mar 21, 2014 at 09:29:01AM -0400, John Jasen wrote:
> https://benchmarks.cisecurity.org/tools2/linux/CIS_RHEL5_Benchmark_v1.1.pdf
>
> Also note, agencies or groups required to implement CIS or better who
> maintain a mixed environment may also use tcp_wrappers on all their
> platforms, as from a cursory glance, every UNIX benchmark lists it.
>
> I would recommend against dropping tcp wrappers.

Thanks, that is helpful. Cross-platform compatibility is a strong argument. I
think this points towards the updated "libwrap2" idea, although that does
require someone who actually wants to do it.

--
Matthew Miller mat...@mattdm.org http://mattdm.org/
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014 at 11:13 PM, Keith Keller kkel...@wombat.san-francisco.ca.us wrote:
> The technical problem is that there's no maintainer. Are you volunteering
> (and capable)?

Then, for crying out loud... :) this discussion should have been started with
a different subject line: "Looking for a new tcp wrappers maintainer". That is
much more constructive than calling the bulldozer early.

FC

--
During times of Universal Deceit, telling the truth becomes a revolutionary act
- George Orwell
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On 20.03.2014 at 22:22, Matthew Miller mat...@mattdm.org wrote:
> On Thu, Mar 20, 2014 at 06:14:56PM -0300, Fernando Cassia wrote:
>> Please don't remove it. Why this sudden idea in software circles that
>> stuff that works properly needs to be removed for no reason whatsoever
>> other than "it's old and we think nobody uses it". How do you know?
>
> Well, that's why I'm asking.
>
>> IF IT AIN'T BROKEN, DON'T FIX IT. You might have heard of it.
>
> Yes, I have heard of that. But, are you actually using it? Do you need to?

We do, and we also compile tcp wrappers support into services if the distro
hasn't done it (e.g. mysql). It's just used in a multiple-layer protection /
security model.

> There are real downsides to carrying unmaintained code forward. Someone
> put forth the possibility of developing and maintaining a modern library
> implementing the same config files but with an updated codebase and better
> API, but no one has actually volunteered to do that work. If you'd like to
> be that person, awesome.
>
>> Fail2ban is one piece of software which interfaces with tcp wrappers.
>> v0.9.0 just out http://www.fail2ban.org/wiki/index.php/Main_Page
>
> Yes, and I know for sure people use that -- I do, for example. But I use
> it to manipulate IP tables, which is more secure and less fragile than the

Why is iptables more secure? It's just on another level and the attack vector
persists. And by the way, you do not really want to run a firewall on the
_same_ system; think about that.

> hosts.deny action (it's always a bit scary when configuration files are
> edited by a program!). Because it is actively maintained upstream, there's
> even support for new things like firewalld.

Well, I would say it's more scary when humans are editing configuration files
:-)

One thing that I like on tcp_wrappers is the use of domain names. Even
possible with iptables, but not a good idea as with tcp_wrappers.

--
LF
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Fri, Mar 21, 2014 at 8:58 AM, Fernando Cassia fcas...@gmail.com wrote:
>> The technical problem is that there's no maintainer. Are you
>> volunteering (and capable)?
>
> Then, for crying out loud... :) this discussion should have been started
> with a different subject line: "Looking for a new tcp wrappers
> maintainer". That is much more constructive than calling the bulldozer
> early.

Even more to the point, why is this a fedora/RHEL or even linux-specific
issue? I'd expect it to matter to OpenBSD. Do they maintain their copy?

--
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Fri, 21 Mar 2014, Leon Fauster wrote:
> It's just used in a multiple-layer protection / security model.

Bingo! Same here. And it works well!

> Well, I would say it's more scary when humans are editing configuration
> files :-)

I can speak for nearly 20 years of experience on this, including blowing it
myself and locking myself remotely out of my own system once. For what it is
supposed to do...it does extremely well.

Gilbert

***
Gilbert Sebenste (My opinions only!)
***
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On 03/20/2014 12:48 PM, Matthew Miller wrote:
> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would
> you care strongly if it went away (or would you just migrate to something
> else)?
>
> I bring this up because we are discussing dropping it from Fedora. This
> would be far enough in the future that it wouldn't impact RHEL 7, and
> therefore won't affect anyone here for Quite Some Time*, but here in the
> new world order of CentOS, I thought it might be useful to check with some
> actual downstream users.
>
> What do you think? Do you rely on hosts.allow/hosts.deny as a primary
> security mechanism? As defense-in-depth? Do you have policies which
> mandate it?
>
> Your feedback appreciated. Thanks!
>
> * and the standard caveats that Fedora doesn't necessarily determine the
> path for RHEL apply, of course.

I use it in conjunction with other utilities... They modify the hosts.deny in
response to log parsing. Please keep in mind, security in layers.
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Fri, Mar 21, 2014, m.r...@5-cent.us wrote:
> Larry Martell wrote:
>> On Fri, Mar 21, 2014 at 8:33 AM, James B. Byrne byrn...@harte-lyne.ca wrote:
>>> ...
>>> Yes. For example, look how MicroSoft has improved Windows since
>>> XPsp3. ;-^)
>>
>> I wouldn't know. I don't use it. I've been programming professionally
>> since 1975 and I've managed to never use Windows.
>
> 1980, and I've had to. But I worked long and hard to get into *Nix, and
> with one 1.25 year excursion otherwise, have managed to stay here.

1966, and I have never used anything Microsoft willingly other than their
Natural keyboard and wireless mice :-).

> So I *do* object to my toolset being cut down or mangled when it's
> unnecessary. tcp.wrappers, no big deal. Non-plain-text configuration
> files, or crap that invokes crap that invokes crap to do what was formerly
> done by one program that read one simple configuration file, not so much.

Remember when SuSE's yast maintained a central configuration file, and would
overwrite manually changed Linux configuration files if one changed something
in the GUI? So many experienced admins complained that they finally went back
to honoring the manual changes.

Then there's the infamous Windows Registry

Bill
--
INTERNET:   b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186  Skype: jwccsllc (206) 855-5792

I consider trial by jury as the only anchor ever yet imagined by man, by which
a government can be held to the principles of its constitution.
    -- Thomas Jefferson in a letter to Thomas Paine, 1789.
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014, Keith Keller wrote:
> On 2014-03-21, Fernando Cassia fcas...@gmail.com wrote:
>> Interesting double negative. Implies that once the technical barriers are
>> removed, then it's OK to remove old features for change's sake. ;)
>
> If, as Matthew says, the codebase hasn't been maintained since 2001, then
> we should have concerns about unfound security issues, as well as concerns
> that, if others find security problems, nobody is responsible for fixing
> them. If tcpwrappers had a current maintainer this wouldn't be an issue.
>
> There's certainly at least one technical reason to prefer other options
> like iptables over tcpwrappers. I've had instances where an attacker made
> dozens of ssh probes per second; tcpwrappers was able to reject these, but
> sshd was so overwhelmed that it was unable to exchange host keys with
> legitimate clients. iptables would have blocked these attacks more
> effectively, letting sshd handle the legitimate client sessions properly.

My solution to this is to have swatch watching the tcp_wrappers ssh, imap, and
pop3 logs and blocking with iptables any IP address that has more than N (5 by
default) failed connection attempts in a minute or that is listed in our
blacklist DNSRBL. A postgresql database is used on each machine with a history
of IPs blocked which is used to automatically expire blocks and to add them if
a system is rebooted. We maintain a couple of DNSRBLs for whitelisting and
blacklisting IP addresses and net blocks that are largely fed by the reports
generated. The /etc/hosts.allow files on all the systems we monitor use these
DNSRBLs on critical services (e.g. sshd) to ALLOW/DENY access.

The net result of this has been that it's rare when a particular IP gets more
than a few failed attempts before being blocked the first time, and one or two
if it's in our blacklist DNSRBL whether it's on the first machine attacked or
any of the other machines we monitor.

FWIW, the majority of the attacks seem to be password guessing attempts using
IMAP, not ssh. The successful cracks on Linux machines I've seen were done via
weak user accounts on ISPs that were then accessed via php to the user's
writeable public html directory.

As somebody already pointed out, no one tool is sufficient to limit access.

Bill
--
INTERNET:   b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:          (206) 236-1676  Mercer Island, WA 98040-0820
Fax:            (206) 232-9186  Skype: jwccsllc (206) 855-5792

It takes no great insight or intelligence to see that the health of a
centralized economy built around dense concentrations of economic power and a
close business alliance with government can't tolerate any considerable degree
of intellectual schooling.
    -- John Taylor Gatto http://www.lewrockwell.com/gatto/gatto-uhae-8.html
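The "more than N failed attempts from one IP in a minute, then block with iptables" rule Bill describes, as an added example written for this page rather than his swatch configuration. It is a stand-alone script: the log lines are constructed, and it assumes the two message forms it matches (libwrap's `refused connect from` and sshd's `Failed password ... from`), bucketing by the syslog timestamp's clock minute. The iptables commands are printed for review, not executed, and the DNSRBL and database parts of his setup are not modelled.

```shell
#!/bin/sh
# Added example (not Bill Campbell's swatch setup): flag any source IP with
# more than N failed/refused attempts inside one clock minute, then emit the
# iptables rule that would block it. Log lines below are constructed.

# Read syslog lines on stdin; print each source IP (once) that exceeds $1
# (default 5) matching events in any single minute. Matches the libwrap
# "refused connect from" line and sshd's "Failed password ... from" line.
flag_burst_sources() {
    awk -v limit="${1:-5}" '
        /refused connect from|Failed password .* from/ {
            # Fields 1-3 are "Mon DD HH:MM:SS"; keep HH:MM for the bucket.
            minute = $1 " " $2 " " substr($3, 1, 5)
            # The source is the token after the last " from ".
            n = split($0, parts, / from /)
            ip = parts[n]
            sub(/[ (].*$/, "", ip)   # strip " (hostname)" or " port NNN ssh2"
            count[ip, minute]++
            if (count[ip, minute] > limit && !(ip in flagged)) {
                flagged[ip] = 1
                print ip
            }
        }'
}

# Turn flagged IPs (one per line on stdin) into iptables commands. They are
# printed rather than run so the block list can be reviewed first.
block_commands() {
    while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Constructed sample log: 203.0.113.5 is refused six times inside 10:15
# (flagged at N=5); 198.51.100.7 fails three times across two minutes
# (never more than two per minute, so not flagged at N=5 or N=2); the last
# line is a successful login and is ignored.
sample_log() {
    cat <<'EOF'
Mar 21 10:15:01 mail sshd[4101]: refused connect from 203.0.113.5 (203.0.113.5)
Mar 21 10:15:03 mail sshd[4102]: refused connect from 203.0.113.5 (203.0.113.5)
Mar 21 10:15:08 mail sshd[4103]: refused connect from 203.0.113.5 (203.0.113.5)
Mar 21 10:15:11 mail imapd[4110]: refused connect from 203.0.113.5 (203.0.113.5)
Mar 21 10:15:15 mail sshd[4112]: refused connect from 203.0.113.5 (203.0.113.5)
Mar 21 10:15:20 mail sshd[4115]: refused connect from 203.0.113.5 (203.0.113.5)
Mar 21 10:16:02 mail sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar 21 10:16:40 mail sshd[4121]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar 21 10:17:05 mail sshd[4122]: Failed password for root from 198.51.100.7 port 40141 ssh2
Mar 21 10:17:30 mail sshd[4123]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
EOF
}

# Usage: sample_log | flag_burst_sources 5 | block_commands
# (on a real host, feed /var/log/secure and /var/log/maillog instead)
```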
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Fri, Mar 21, 2014 at 7:33 AM, James B. Byrne byrn...@harte-lyne.ca wrote: Nothing remains static. Software evolves into usually superior products. Sentimentally longing for the past hampers the introduction of new and better replacements. Yes. For example look how MicroSoft has improved Windows since XPsp3.;-^)

Not sure when the capability was added, but the Windows Server versions' ability to convert a standard single NTFS volume to dynamic and then add a RAID mirror is really quite nice. And unlike the linux counterparts it works on the fly with full backwards compatibility. You don't have to load some fuse module to hook up some experimental filesystem with some new bizarre configuration syntax and figure out a different way to boot it. -- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
- Original Message - | Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would you care strongly if it went away (or would you just migrate to something else)?

Yes, we do use TCP Wrappers. We also use IPTables, edge gateway firewalls, VPNs and other tools. The reason that we use them is to support additional security. The case is being made to remove a tool that is considered to be legacy. While it is understood that legacy = old/unmaintained/crap, it does remove an additional layer of security that can be applied for a base system. So the question then is, what can be used as a suitable replacement? If so, what is that suitable replacement? If one doesn't exist, how long until we can get one? Security is about layering technology. IPTables doesn't solve all of the problems out there. People mentioned NFSv3 and moving to NFSv4 and while this may be suitable for some people it doesn't apply to others. To simply remove a tool because its code hasn't been modified in X number of days, months, years, decades is really in many cases what I like to call version envy. I'd love to hear about the old and unmaintainable code. It's open source code. If something's broken you can fix it right!?! That's the open source mantra! Either provide a set of reasons why it should be removed and the alternatives that cover all the use cases of TCP Wrappers or let the code, that obviously works, remain there undisturbed. It's an extra layer of security that administrators can use to secure their systems and it's dead simple to understand! -- James A. Peltier Manager, IT Services - Research Computing Group Simon Fraser University - Burnaby Campus Phone : 778-782-6573 Fax : 778-782-3045 E-Mail : jpelt...@sfu.ca Website : http://www.sfu.ca/itservices Around here, however, we don’t look backwards for very long. We KEEP MOVING FORWARD, opening up new doors and doing things because we’re curious and curiosity keeps leading us down new paths.
- Walt Disney
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Fri, Mar 21, 2014 at 3:54 PM, James A. Peltier jpelt...@sfu.ca wrote: I'd love to hear about the old and unmaintainable code. It's open source code. If something's broken you can fix it right!?! That's the open source mantra! Either provide a set of reasons why it should be removed and the alternatives that cover all the use cases of TCP Wrappers or let the code, that obviously works, remain there undisturbed. It's an extra layer of security that administrators can use to secure their systems and it's dead simple to understand!

+1 If it works, it works. Period. It doesn't matter if it was coded by an ancient civilization carved in stone, or that it hasn't been updated in centuries. Perhaps it hasn't been updated in centuries precisely because it works, so there's no need to update it! FC -- During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario - George Orwell
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Fri, 21 Mar 2014, Fernando Cassia wrote: On Fri, Mar 21, 2014 at 3:54 PM, James A. Peltier jpelt...@sfu.ca wrote: I'd love to hear about the old and unmaintainable code. It's open source code. If something's broken you can fix it right!?! That's the open source mantra! Either provide a set of reasons why it should be removed and the alternatives that cover all the use cases of TCP Wrappers or let the code, that obviously works, remain there undisturbed. It's an extra layer of security that administrators can use to secure their systems and it's dead simple to understand! +1

+1

If it works, it works. Period. It doesn't matter if it was coded by an ancient civilization carved in stone, or that it hasn't been updated in centuries. Perhaps it hasn't been updated in centuries precisely because it works, so there's no need to update it! FC

MP
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Fri, Mar 21, 2014 at 1:54 PM, James A. Peltier jpelt...@sfu.ca wrote: The case is being made to remove a tool that is considered to be legacy. While it is understood that legacy = old/unmaintained/crap,

No, legacy = the foundation everything else builds on. Change it at the risk of forcing everyone who uses your product to rebuild everything from scratch. In my opinion, a new version of something isn't better unless it is also completely backwards compatible. It's not a fashion show - things aren't better just because they are different. -- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Fri, Mar 21, 2014 at 9:44 AM, Les Mikesell lesmikes...@gmail.com wrote: Yes, but that reason is generally that someone changed the language syntax underneath it instead of settling on simple working APIs. What has actually stayed stable and backwards compatible over the years other than bourne shell syntax and perl (almost)? Everything else has made you repeat your work every few years instead of letting you build on it and advance.

+1 FC -- During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario - George Orwell
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Fri, 2014-03-21 at 08:33 -0400, James B. Byrne wrote: On Thu, March 20, 2014 17:34, Always Learning wrote: Nothing remains static. Software evolves into usually superior products. Sentimentally longing for the past hampers the introduction of new and better replacements. Yes. For example look how MicroSoft has improved Windows since XPsp3.;-^)

Thankfully and gratefully: Linux > Microsoft. :-) -- Paul. England, EU. Our systems are exclusively Centos. No Micro$oft Windoze here.
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Fri, Mar 21, 2014 at 10:36 AM, Always Learning cen...@u62.u22.net wrote: On Thu, 2014-03-20 at 17:18 -0400, m.r...@5-cent.us wrote: On the other hand, what justifiable reason was there for the massively increased complexity of grub2? And why do all configuration files suddenly *desperately* need to be xml? Because misguided fools believe XML is wundervol and they don't want simplicity of use.

The advantages of XML are that it is a common, mature standard, it is easily parseable by humans and computers. Cheers, Cliff
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, 2014-03-20 at 17:18 -0400, m.r...@5-cent.us wrote: On the other hand, what justifiable reason was there for the massively increased complexity of grub2? And why do all configuration files suddenly *desperately* need to be xml? On Fri, Mar 21, 2014 at 10:36 AM, Always Learning wrote: Because misguided fools believe XML is wundervol and they don't want simplicity of use. On Sat, 2014-03-22 at 13:54 +1300, Cliff Pratt wrote: The advantages of XML are that it is a common, mature standard, it is easily parseable by humans and computers.

Nothing is easier and simpler than [any-section] parameter1=value1 parameter2=value2 Compared to XML (= the WEB PAGE 'new idea'), plain text is common, well established and a significantly more mature standard. Plain text is easier to read with vastly improved clarity, compared to XML, and no line indentations or angular brackets required. I note your reference to XML being a common, mature standard omits any praise for XML and also omits calling it good :-) -- Paul. England, EU. Our systems are exclusively Centos. No Micro$oft Windoze here.
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
Date: Thu, 20 Mar 2014 18:14:56 -0300 On Thu, Mar 20, 2014 at 4:48 PM, Matthew Miller mat...@mattdm.org wrote: Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would you care strongly if it went away (or would you just migrate to something else)? Please don't remove it. Why this sudden idea in software circles that stuff that works properly needs to be removed for no reason whatsoever other than it's old and we think nobody uses it. How do you know? IF IT AIN'T BROKEN, DON'T FIX IT. You might have heard of it. Fail2ban is one piece of software which interfaces with tcp wrappers. v0.9.0 just out http://www.fail2ban.org/wiki/index.php/Main_Page FC

--- I will have to add my 2 cent request with FC. Please do not remove it Greg Ennis
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Sat, Mar 22, 2014 at 2:05 PM, Always Learning cen...@u62.u22.net wrote: On Thu, 2014-03-20 at 17:18 -0400, m.r...@5-cent.us wrote: On the other hand, what justifiable reason was there for the massively increased complexity of grub2? And why do all configuration files suddenly *desperately* need to be xml? On Fri, Mar 21, 2014 at 10:36 AM, Always Learning wrote: Because misguided fools believe XML is wundervol and they don't want simplicity of use. On Sat, 2014-03-22 at 13:54 +1300, Cliff Pratt wrote: The advantages of XML are that it is a common, mature standard, it is easily parseable by humans and computers. Nothing is easier and simpler than [any-section] parameter1=value1 parameter2=value2 Compare to XML (= the WEB PAGE 'new idea'), plain text is common, well established and a significantly more mature standard. Plain text is easier to read with vastly improve clarity, compared to XML, and no line indentations or angular brackets required. I note your reference to XML being common, mature standard omits any praise for XML and also omits calling it good :-)

That text format is simple. Too simple. If you have multiple similar sub-sections you have to use some ad-hoc construction. For example if you require sub entries with eg a default sub-section and a per-user sub-section then the simple example doesn't work, or at least it is rendered a lot less readable. It doesn't nest. YAML is quite good if you insist on a text type format, without the complexity of JSON. But back to XML. It is parseable using all sorts of libraries and on lots of platforms. We have a number of apps that use XML for configuration data. It is easy for the programmers to knock up a page to edit this and the app itself can easily parse the results. But I'm sorry, I must admit that there was an element of tongue in cheek in my reference to XML's advantages.
I've been reading and writing it for years, so I speak it fluently, at least in the possibly limited set of usages that we have. Cheers, Cliff
[CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would you care strongly if it went away (or would you just migrate to something else)? I bring this up because we are discussing dropping it from Fedora. This would be far enough in the future that it wouldn't impact RHEL 7, and therefore won't affect anyone here for Quite Some Time*, but here in the new world order of CentOS, I thought it might be useful to check with some actual downstream users. What do you think? Do you rely on hosts.allow/hosts.deny as a primary security mechanism? As defense-in-depth? Do you have policies which mandate it? Your feedback appreciated. Thanks! * and the standard caveats that Fedora doesn't necessarily determine the path for RHEL apply, of course. -- Matthew Miller mat...@mattdm.org http://mattdm.org/
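For readers weighing the question, here is what the two files actually decide, written out as a small reference evaluator of the hosts_access(5) rules: hosts.allow is consulted first, then hosts.deny, the first matching rule wins, and a connection that matches nothing is allowed (so an empty hosts.deny fails open). It handles ALL, LOCAL, domain suffixes, address prefixes, net/mask and net/prefix forms, the right-associative EXCEPT operator and the per-rule allow/deny option. This is an added example, not the tcp_wrappers source; the two sample files, the daemon names and the addresses are constructed, IPv6 bracket syntax and the daemon@host form are not implemented, and KNOWN/UNKNOWN/PARANOID are approximated from whether a reverse name is available.

```python
"""Reference evaluator for hosts.allow/hosts.deny semantics (hosts_access(5)).
Added illustration; not libwrap. Sample files below are constructed."""
import ipaddress

SAMPLE_HOSTS_ALLOW = """\
# work machine, office LAN and the corporate domain may reach ssh
sshd: 203.0.113.42, 192.0.2.0/255.255.255.0, .corp.example.net
dovecot: 10.0.0.0/8 EXCEPT 10.0.99.0/24
# single-file style: the trailing option decides, whichever file the rule sits in
vsftpd: ALL : deny
"""

SAMPLE_HOSTS_DENY = """\
ALL: ALL
"""


def _parse_rules(text):
    """Return [(daemon_list, client_list, [options])]; strips comments and
    joins backslash-continued lines as libwrap does."""
    rules, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line = (buf + line).split("#", 1)[0].strip()
        buf = ""
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((parts[0], parts[1], parts[2:]))
    return rules


def _list_items(s):
    """daemon/client lists are separated by commas and/or blanks."""
    return s.replace(",", " ").split()


def _match_token(token, ip, host):
    """One client pattern against the connecting address and reverse name (or None)."""
    if token == "ALL":
        return True
    if token == "LOCAL":                      # a name without a dot
        return host is not None and "." not in host
    if token in ("KNOWN", "UNKNOWN"):         # assumed: KNOWN == reverse name resolved
        return (host is not None) == (token == "KNOWN")
    if token == "PARANOID":                   # forward/reverse mismatch not modelled here
        return False
    if token.startswith("."):                 # domain suffix
        return host is not None and host.lower().endswith(token.lower())
    if token.endswith("."):                   # address prefix, e.g. "10.0."
        return ip.startswith(token)
    if "/" in token:                          # net/mask or net/prefixlen
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False
    return token == ip or (host is not None and token.lower() == host.lower())


def _match_list(pattern_list, match_one):
    """'A EXCEPT B' matches A but not B; nested EXCEPTs group to the right,
    so 'a EXCEPT b EXCEPT c' is a EXCEPT (b EXCEPT c), as in hosts_access(5)."""
    items = _list_items(pattern_list)
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return (_match_list(" ".join(items[:i]), match_one)
                and not _match_list(" ".join(items[i + 1:]), match_one))
    return any(match_one(t) for t in items)


def hosts_access(daemon, ip, host, allow_text, deny_text):
    """Return (verdict, reason) for one connection, in libwrap's order:
    hosts.allow, then hosts.deny, first match wins, no match means allow."""
    files = (("hosts.allow", allow_text, "allow"), ("hosts.deny", deny_text, "deny"))
    for fname, text, file_verdict in files:
        for daemons, clients, options in _parse_rules(text):
            if not _match_list(daemons, lambda t: t == "ALL" or t.split("@", 1)[0] == daemon):
                continue
            if not _match_list(clients, lambda t: _match_token(t, ip, host)):
                continue
            verdict = "deny" if "deny" in options else "allow" if "allow" in options else file_verdict
            return verdict, f"{fname}: {daemons}: {clients}"
    return "allow", "no matching rule (libwrap default is to allow)"


if __name__ == "__main__":
    for args in (("sshd", "203.0.113.42", None), ("sshd", "198.51.100.5", "evil.example.org"),
                 ("dovecot", "10.0.99.7", None), ("vsftpd", "10.1.2.3", None)):
        print(args, "->", hosts_access(*args, SAMPLE_HOSTS_ALLOW, SAMPLE_HOSTS_DENY))
```

Two things worth noticing when running it: the `ALL: ALL` in hosts.deny is what turns the allow list into a whitelist, and removing it (or an empty hosts.deny) lets every unmatched connection through, which is the failure mode to keep in mind when a tool rewrites these files; and any rule keyed on a domain suffix only matches when reverse DNS produced a name, so the attacker controlling their PTR record controls that match.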
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On 2014-03-20, Matthew Miller mat...@mattdm.org wrote: What do you think? Do you rely on hosts.allow/hosts.deny as a primary security mechanism? As defense-in-depth? Do you have policies which mandate it?

I currently use it in conjunction with denyhosts, but have been considering moving to something like sshguard with iptables instead. If hosts.deny support disappeared then I would simply go that route when necessary. May I ask what the reason is for considering dropping tcp wrappers support? --keith -- kkel...@wombat.san-francisco.ca.us
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
Various government entities may use it extensively. I don't recall if tcp_wrappers is in the USGCB baselines for RHEL, but I do believe it's in several CIS benchmarks.

On 03/20/2014 03:55 PM, Keith Keller wrote: On 2014-03-20, Matthew Miller mat...@mattdm.org wrote: What do you think? Do you rely on hosts.allow/hosts.deny as a primary security mechanism? As defense-in-depth? Do you have policies which mandate it? I currently use it in conjunction with denyhosts, but have been considering moving to something like sshguard with iptables instead. If hosts.deny support disappeared then I would simply go that route when necessary. May I ask what the reason is for considering dropping tcp wrappers support? --keith -- -- John Jasen (jja...@realityfailure.org) -- No one will sorrow for me when I die, because those who would -- are dead already. -- Lan Mandragoran, The Wheel of Time, New Spring
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014 at 12:55:56PM -0700, Keith Keller wrote: What do you think? Do you rely on hosts.allow/hosts.deny a primary security mechanism? As defense-in-depth? Do you have policies which mandate it? I currently use it in conjunction with denyhosts, but have been considering moving to something like sshguard with iptables instead. If hosts.deny support disappeared then I would simply go that route when necessary. May I ask what the reason is for considering dropping tcp wrappers support?

I think the main reasons are: upstream library isn't actually maintained since June 2001. The API is somewhat ugly and crufty. Possibly also one more place to check, making systems administration harder. -- Matthew Miller mat...@mattdm.org http://mattdm.org/
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014 at 04:00:49PM -0400, John Jasen wrote: Various government entities may use it extensively. I don't recall if tcp_wrappers is in the USGCB baselines for RHEL, but I do believe its in several CIS benchmarks.

Good question. I checked with both that and the DoD National Checklist Program, and neither mention it. Also, unless I missed something else, the USGCB covers RHEL 5, so there won't be any impact there. Are the CIS benchmarks something you could point me to? -- Matthew Miller mat...@mattdm.org http://mattdm.org/
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
Matthew Miller wrote: Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would you care strongly if it went away (or would you just migrate to something else)? I bring this up because we are discussing dropping it from Fedora. This would be far enough in the future that it wouldn't impact RHEL 7, and therefore won't affect anyone here for Quite Some Time*, but here in the new world order of CentOS, I thought it might be useful to check with some actual downstream users. What do you think? Do you rely on hosts.allow/hosts.deny as a primary security mechanism? As defense-in-depth? Do you have policies which mandate it?

Someone mentioned US gov't - we're a gov't agency (non-DoD), and I just had a quick conversation with my manager. I know I haven't used it in a *bunch* of years; his reaction was, what's the point, with firewalls, and tools like fail2ban. We're ok if it goes away. mark awk, on the other hand, you'll get away from me when you pry my cold, dead fingers off the keyboard
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014 at 05:02:06PM -0400, m.r...@5-cent.us wrote: mark awk, on the other hand, you'll get away from me when you pry my cold, dead

We're definitely keeping awk. :) -- Matthew Miller mat...@mattdm.org http://mattdm.org/
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014 at 4:48 PM, Matthew Miller mat...@mattdm.org wrote: Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would you care strongly if it went away (or would you just migrate to something else)?

Please don't remove it. Why this sudden idea in software circles that stuff that works properly needs to be removed for no reason whatsoever other than it's old and we think nobody uses it. How do you know? IF IT AIN'T BROKEN, DON'T FIX IT. You might have heard of it. Fail2ban is one piece of software which interfaces with tcp wrappers. v0.9.0 just out http://www.fail2ban.org/wiki/index.php/Main_Page FC -- During times of Universal Deceit, telling the truth becomes a revolutionary act Durante épocas de Engaño Universal, decir la verdad se convierte en un Acto Revolucionario - George Orwell
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
Fernando Cassia wrote: On Thu, Mar 20, 2014 at 4:48 PM, Matthew Miller mat...@mattdm.org wrote: Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would you care strongly if it went away (or would you just migrate to something else)? Please don't remove it. Why this sudden idea in software circles that stuff that works properly needs to be removed for no reason whatsoever other than it's old and we think nobody uses it. How do you know?. IF IT AIN'T BROKEN, DON'T FIX IT. You might have heard of it. Fail2ban is one piece of software which interfaces with tcp wrappers. v0.9.0 just out http://www.fail2ban.org/wiki/index.php/Main_Page

On the other hand, what justifiable reason was there for the massively increased complexity of grub2? And why do all configuration files suddenly *desperately* need to be xml? mark
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On 3/20/2014 2:18 PM, m.r...@5-cent.us wrote: On the other hand, what justifiable reason was there for the massively increased complexity of grub2? And why do all configuration files suddenly *desperately* need to be xml?

don't worry, in another year or 3, they'll all be JSON instead of XML. -- john r pierce 37N 122W somewhere on the middle of the left coast
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, 2014-03-20 at 18:14 -0300, Fernando Cassia wrote: On Thu, Mar 20, 2014 at 4:48 PM, Matthew Miller mat...@mattdm.org wrote: Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? Please don't remove it. Why this sudden idea in software circles that stuff that works properly needs to be removed for no reason whatsoever other than it's old and we think nobody uses it. How do you know?. IF IT AIN'T BROKEN, DON'T FIX IT. You might have heard of it. Fail2ban is one piece of software which interfaces with tcp wrappers. v0.9.0 just out http://www.fail2ban.org/wiki/index.php/Main_Page

Everyone appreciates the importance of keeping machines, and their contents, safe and secure. Does tcp wrappers (hosts.allow/hosts.deny) provide a currently useful facility - which is actually used in production systems - or has it been superseded by better security facilities? Nothing remains static. Software evolves into usually superior products. Sentimentally longing for the past hampers the introduction of new and better replacements. Losing tcp wrappers when Centos 8 is introduced gives everyone ample time to implement changes. -- Paul. England, EU. Our systems are exclusively Centos. No Micro$oft Windoze here.
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, 2014-03-20 at 17:18 -0400, m.r...@5-cent.us wrote: On the other hand, what justifiable reason was there for the massively increased complexity of grub2? And why do all configuration files suddenly *desperately* need to be xml?

Because misguided fools believe XML is wundervol and they don't want simplicity of use. -- Paul. England, EU. Our systems are exclusively Centos. No Micro$oft Windoze here.
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
Matthew Miller wrote: On Thu, Mar 20, 2014 at 06:14:56PM -0300, Fernando Cassia wrote: snip Fail2ban is one piece of software which interfaces with tcp wrappers. v0.9.0 just out http://www.fail2ban.org/wiki/index.php/Main_Page Yes, and know for sure people use that -- I do, for example. But I use it to manipulate IP tables, which is more secure and less fragile than the hosts.deny action (it's always a bit scary when configuration files are edited by a program!). Because it is actively maintained upstream, there's even support for new things like firewalld. snip

Yup - that's what we do here, use fail2ban to manipulate iptables. mark
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
John R Pierce wrote: On 3/20/2014 2:18 PM, m.r...@5-cent.us wrote: On the other hand, what justifiable reason was there for the massively increased complexity of grub2? And why do all configuration files suddenly *desperately* need to be xml? dont worry, in another year or 3, they'll all be JSON instead of XML.

Interesting related thought - just saw this today. Excerpt: What happened to the vision in open source? First, grand schemes have been replaced by little ones, thanks to the rise of crowdfunding. In supporting all the campaigns in play at any one time, perhaps the FOSS community has become jaded and short-sighted. Faced with thousands of dreams, seeing the importance of bigger dreams has perhaps become harder. In the crowd of dreams that need support, one no doubt seems much like the other. To make matters worse, most of the crowdfunding campaigns are highly personal ones. Help me finish my movie, my book is the general request. Help me make a living writing code for cool stuff. What you hear far less often is, Help me finish this project for the greater good. Don't get me wrong - I appreciate the rise of crowdfunding, and I am a frequent contributor to causes that catch my imagination. Unquestionably, the concept has encouraged thousands to try to live out their dreams, and the creative return has been rich. All the same, I can see how, amid so many worthy causes, larger scale ones look less important than they are, and how causes that go beyond the personal might be hard to see as anything special. After the first half dozen causes or so, many people lose the ability to distinguish one from the other, much less rate their importance. --- end excerpt --- http://www.datamation.com/open-source/what-happened-to-the-vision-in-open-source-1.html mark
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014 at 06:14:56PM -0300, Fernando Cassia wrote: Please don't remove it. Why this sudden idea in software circles that stuff that works properly needs to be removed for no reason whatsoever other than it's old and we think nobody uses it. How do you know?

Well, that's why I'm asking.

IF IT AIN'T BROKEN, DON'T FIX IT. You might have heard of it.

Yes, I have heard of that. But, are you actually using it? Do you need to? There are real downsides to carrying unmaintained code forward. Someone put forth the possibility of developing and maintaining a modern library implementing the same config files but with an updated codebase and better API, but no one has actually volunteered to do that work. If you'd like to be that person, awesome.

Fail2ban is one piece of software which interfaces with tcp wrappers. v0.9.0 just out http://www.fail2ban.org/wiki/index.php/Main_Page

Yes, and know for sure people use that -- I do, for example. But I use it to manipulate IP tables, which is more secure and less fragile than the hosts.deny action (it's always a bit scary when configuration files are edited by a program!). Because it is actively maintained upstream, there's even support for new things like firewalld. On the other hand, people using unmaintained solutions like DenyHosts would have to migrate. -- Matthew Miller mat...@mattdm.org http://mattdm.org/
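The "scary when configuration files are edited by a program" point above (raised by Matthew and quoted by mark earlier in the thread) is concrete: libwrap re-reads hosts.allow and hosts.deny on every connection, and a truncated or half-written hosts.deny matches nothing, which means allow. The following is an added example, not fail2ban's hosts.deny action, of how a ban tool has to write the file to avoid that: take a lock on a sidecar file so two banning processes cannot interleave, write a complete new copy to a temporary file in the same directory, fsync it, and rename it over the original so any reader sees either the old or the new complete file. The marker comment, the paths and the `ALL:` daemon list are assumptions.

```python
"""Atomic, idempotent add/remove of per-IP lines in hosts.deny (added
example, not fail2ban's action). Marker comment and paths are assumptions."""
import fcntl
import os
import tempfile
from contextlib import contextmanager

BAN_MARK = "# banned-by-example"   # assumed marker: only our own lines are ever removed


@contextmanager
def _locked(path):
    """Serialise writers with flock on a sidecar lock file (a lock on the
    target itself would be lost when a new file is renamed over it) and
    yield the current contents, or "" if the file does not exist yet."""
    with open(path + ".lock", "w") as lockf:
        fcntl.flock(lockf, fcntl.LOCK_EX)
        try:
            try:
                with open(path) as f:
                    current = f.read()
            except FileNotFoundError:
                current = ""
            yield current
        finally:
            fcntl.flock(lockf, fcntl.LOCK_UN)


def _rewrite_atomically(path, new_text):
    """Write a complete replacement to a temp file in the same directory,
    fsync, copy the mode bits, then rename over the original. libwrap
    re-reads the file per connection, so it never sees a partial write."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(prefix=".hosts.deny.", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(new_text)
            f.flush()
            os.fsync(f.fileno())
        if os.path.exists(path):
            os.chmod(tmp, os.stat(path).st_mode & 0o7777)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def ban_line(ip, daemon="ALL"):
    return f"{daemon}: {ip} {BAN_MARK}"


def add_ban(path, ip, daemon="ALL"):
    """Append a deny line unless it is already present; True if the file changed."""
    line = ban_line(ip, daemon)
    with _locked(path) as current:
        if line in current.splitlines():
            return False
        text = current if (not current or current.endswith("\n")) else current + "\n"
        _rewrite_atomically(path, text + line + "\n")
        return True


def remove_ban(path, ip, daemon="ALL"):
    """Drop exactly our line for this IP; other rules are left untouched."""
    line = ban_line(ip, daemon)
    with _locked(path) as current:
        lines = current.splitlines()
        kept = [l for l in lines if l != line]
        if len(kept) == len(lines):
            return False
        _rewrite_atomically(path, "\n".join(kept) + ("\n" if kept else ""))
        return True


def banned_ips(path):
    """Clients currently banned by this tool (lines carrying our marker)."""
    try:
        with open(path) as f:
            lines = f.read().splitlines()
    except FileNotFoundError:
        return []
    return [l[: -len(BAN_MARK)].split(":", 1)[1].strip() for l in lines if l.endswith(BAN_MARK)]


if __name__ == "__main__":
    target = os.path.join(tempfile.mkdtemp(), "hosts.deny")   # not /etc, for the demo
    with open(target, "w") as f:
        f.write("ALL: 198.51.100.0/24\n")
    add_ban(target, "203.0.113.7")
    print(banned_ips(target), open(target).read(), sep="\n")
    remove_ban(target, "203.0.113.7")
```

Even done this way, the file approach stays weaker than an iptables insert for the reason given earlier in the thread: the deny is evaluated only after the connection has been accepted and the daemon has spent work on it, and a rule for a daemon name that does not match the service (or a service not linked against libwrap at all) silently does nothing.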
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014, Fernando Cassia wrote: On Thu, Mar 20, 2014 at 4:48 PM, Matthew Miller mat...@mattdm.org wrote: Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would you care strongly if it went away (or would you just migrate to something else)? Please don't remove it. Why this sudden idea in software circles that stuff that works properly needs to be removed for no reason whatsoever other than it's old and we think nobody uses it. How do you know?. IF IT AIN'T BROKEN, DON'T FIX IT. You might have heard of it.

This has been a problem with various open source projects for decades, not so much removing something, but more often changing options and behaviours that break existing uses. It wouldn't matter to me if it were dropped from CentOS or the upstream as we build our own, hacked to allow use of RBLs. Bill -- INTERNET: b...@celestial.com Bill Campbell; Celestial Software LLC URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way Voice: (206) 236-1676 Mercer Island, WA 98040-0820 Fax:(206) 232-9186 Skype: jwccsllc (206) 855-5792 I ask, sir, what is the militia? It is the whole people. To disarm the people is the best and most effectual way to enslave them.-- George Mason
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014 at 4:47 PM, m.r...@5-cent.us wrote: Excerpt: What happened to the vision in open source?

The idea that there ever was a unified vision for open source seems like a utopian rewrite of history. At least outside of the BSD project... Even the commercial side of unix was wildly fragmented into different flavors and open source fragmented itself with licenses that prohibit best-of-breed components from being combined. And nobody likes to debug someone else's mistakes. -- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014 at 4:39 PM, m.r...@5-cent.us wrote: Matthew Miller wrote: On Thu, Mar 20, 2014 at 06:14:56PM -0300, Fernando Cassia wrote: snip Fail2ban is one piece of software which interfaces with tcp wrappers. v0.9.0 just out http://www.fail2ban.org/wiki/index.php/Main_Page Yes, and know for sure people use that -- I do, for example. But I use it to manipulate IP tables, which is more secure and less fragile than the hosts.deny action (it's always a bit scary when configuration files are edited by a program!). Because it is actively maintained upstream, there's even support for new things like firewalld. snip Yup - that's what we do here, use fail2ban to manipulate iptables.

Not sure there's a one-to-one mapping or even a conceptual overlap in what tcpwrappers and iptables do. Applications can be configured to use different ports than someone setting up iptables might expect - and how would you handle portmapper? -- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014 at 4:18 PM, m.r...@5-cent.us wrote: And why do all configuration files suddenly *desperately* need to be xml?

xml isn't intended for humans - it is supposed to be parsed and verified by machines. The bigger question is why the machines aren't managing the config files themselves yet? -- Les Mikesell lesmikes...@gmail.com
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014 at 05:23:24PM -0500, Les Mikesell wrote: Yup - that's what we do here, use fail2ban to manipulate iptables. Not sure there's a one-to-one mapping or even a conceptual overlap in what tcpwrappers and iptables do. Applications can be configured to use different ports than someone setting up iptables might expect - and how would you handle portmapper?

Reasonable question. :) Ideally, you'd handle portmapper by using NFSv4 so it's not required. Or recommend using rpcbind and fixed port numbers. (See for example https://www.centos.org/docs/5/html/5.2/Deployment_Guide/s2-sysconfig-nfs.html) But I think the proposal would leave the library there for legacy programs which really want to use it, just not link core components to it anymore. -- Matthew Miller mat...@mattdm.org http://mattdm.org/
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Mar 20, 2014, at 3:48 PM, Matthew Miller mat...@mattdm.org wrote:
> Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore? And, would you care strongly if it went away (or would you just migrate to something else)?
>
> I bring this up because we are discussing dropping it from Fedora. This would be far enough in the future that it wouldn't impact RHEL 7, and therefore won't affect anyone here for Quite Some Time*, but here in the new world order of CentOS, I thought it might be useful to check with some actual downstream users.
>
> What do you think? Do you rely on hosts.allow/hosts.deny as a primary security mechanism? As defense-in-depth? Do you have policies which mandate it?
>
> Your feedback appreciated. Thanks!
>
> * and the standard caveats that Fedora doesn't necessarily determine the path for RHEL apply, of course.
>
> --
> Matthew Miller
> mat...@mattdm.org
> http://mattdm.org/

I know a .gov which exclusively uses tcp wrappers instead of iptables.
1) tcp wrappers is consistent across Unix'ses (Solaris/AIX/Linux)
2) if it ain't broke / resistance to change / etc
3) political / layer 8 issues. Iptables is a firewall and firewalls are handled by the security group not the sysadmin group.

I know a .edu which uses tcp wrappers instead of iptables in a containers environment. With 250+ containers on a 40GB hardware node, iptables used too much RAM since it's resident 100% of the time. Tried using a fail2ban equivalent inserting iptables rules and after some number of rules iptables wouldn't take any more. Tcp wrappers scaled much much higher using less RAM.

Political reasons shouldn't prevent removing tcp wrappers, but some technical reasons still exist.

Steven Tardy
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On Thu, Mar 20, 2014 at 8:36 PM, Steven Tardy sjt5a...@gmail.com wrote:
> Political reasons shouldn't prevent removing tcp wrappers, but some technical reasons still exist.

Interesting double negative. Implies that once the technical barriers are removed, then it's OK to remove old features for change's sake. ;)

Aren't political reasons the reason they are thinking of removing 'em? Certainly I see no technical problem with tcp wrappers.

The Unix tradition was to build upon existing tools. As of late, the Linux approach seems to be: hey, this is old, I could add a few medals to my professional resume and escalate a few positions up the corporate ladder if I reinvent the wheel and redo this old working code in a totally different way that breaks backwards compatibility and some third party code, so let's do it, let's 'move things forward'. Those that oppose it are slowing the progress of the distro. Well DUH :-/

Pardon me if I don't cheer such moves.

FC
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
On 2014-03-21, Fernando Cassia fcas...@gmail.com wrote:
> Interesting double negative. Implies that once the technical barriers are removed, then it's OK to remove old features for change's sake. ;)

If, as Matthew says, the codebase hasn't been maintained since 2001, then we should have concerns about unfound security issues, as well as concerns that, if others find security problems, nobody is responsible for fixing them. If tcpwrappers had a current maintainer this wouldn't be an issue.

There's certainly at least one technical reason to prefer other options like iptables over tcpwrappers. I've had instances where an attacker made dozens of ssh probes per second; tcpwrappers was able to reject these, but sshd was so overwhelmed that it was unable to exchange host keys with legitimate clients. iptables would have blocked these attacks more effectively, letting sshd handle the legitimate client sessions properly.

Certainly others have posted legitimate reasons to prefer tcpwrappers over iptables in this thread, too. Your sole position seems to be "it's old so it should be kept", which is just as illegitimate a position as "it's old so it should be discarded". If you have valid technical arguments justifying keeping tcpwrappers you should make them, as others have.

> Aren't political reasons the reason they are thinking of removing 'em?

Matthew cited an old and unwieldy API, its status as being unmaintained, and its existence as an extra place to check for sysadmins (I'm dubious about this last). None of these strike me as being political.

> Certainly I see no technical problem with tcp wrappers.

The technical problem is that there's no maintainer. Are you volunteering (and capable)?

--
kkel...@wombat.san-francisco.ca.us
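The two layers compared in this thread (tcp wrappers checked by sshd after the connection is accepted, iptables dropping in the kernel before sshd sees it), written out for one sshd policy as an added example that is not code from any poster. The trusted address 203.0.113.5 and the 3-per-60s limit are constructed values.

```shell
#!/bin/sh
# Added example, not from the thread: one sshd policy written both ways.
# Layer 1 (tcp wrappers) is evaluated by sshd itself, after accept(), so a
# probe flood still costs sshd a fork per connection.  Layer 2 (iptables)
# drops in the kernel, so the flood never reaches the daemon.
# The trusted address 203.0.113.5 is a constructed example value.

# tcp wrappers form: one line each for /etc/hosts.allow and /etc/hosts.deny.
# hosts.allow is consulted first, so the deny-all only catches other sources.
tcpwrap_rules() {
    trusted=$1
    printf '/etc/hosts.allow: sshd: %s\n' "$trusted"
    printf '/etc/hosts.deny:  sshd: ALL\n'
}

# iptables form of the same policy: accept the trusted source, drop the rest.
iptables_rules() {
    trusted=$1
    echo "iptables -A INPUT -p tcp --dport 22 -s $trusted -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 22 -j DROP"
}

# For a host that must accept ssh from anywhere, the 'recent' match limits
# each source to 3 new connections per 60 s; the 4th is dropped before sshd
# ever sees it.  These rules replace the blanket DROP above.
throttle_rules() {
    echo "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH --rsource"
    echo "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j DROP"
    echo "iptables -A INPUT -p tcp --dport 22 -j ACCEPT"
}

# Print the rules; run each iptables line as root to apply it.
tcpwrap_rules 203.0.113.5
iptables_rules 203.0.113.5
throttle_rules
```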
Re: [CentOS] Does anyone use tcp wrappers (hosts.allow/hosts.deny) anymore?
> What do you think? Do you rely on hosts.allow/hosts.deny as a primary security mechanism? As defense-in-depth? Do you have policies which mandate it?
>
> Your feedback appreciated. Thanks!
>
> * and the standard caveats that Fedora doesn't necessarily determine the path for RHEL apply, of course.

I'll try to keep my response as free from whining and gnashing of teeth as that seems to be well covered by many others.

Where I work uses it now. I've been at places that, while I can't recall there being a specific mandate for tcp wrappers, had really stupid 'must have' requirements (like root's home has to be mode 700, which while fine, good, great even on standard linux systems is less than helpful on standard older releases of solaris where root has / as a home dir), so I can imagine they could have that.

I like the notion of keeping it around, and having someone take over the maint work would be great, but I can understand why it might be good to retire, and I'm pretty sure I'd adapt (possibly moving to the route of building my own from source if I -really- decided I had to have it, although life is much easier when the libs are blown into the daemons directly).

--
Even the Magic 8 ball has an opinion on email clients: Outlook not so good.