On Fri, 2017-08-18 at 13:15 -0500, Jason L Tibbitts III wrote:
> For the record, denyhosts currently relies upon the tcp_wrappers
> functionality in openssh to function. While it's possible to make it
> manipulate the firewall as well, the whole situation is kind of a
> mess.
> (Does it talk to firewalld? What if you're not running firewalld?)

Unfortunately this is not as straightforward as it could be. Checking how Archlinux does it now, they probably go without denyhosts. There is also a tool, sshguard [1], which does pretty much the same as fail2ban using a configurable backend (firewalld, iptables, ...).

Denyhosts also got its last update 10 years ago [2] and we already have pretty much 2 alternatives that can do the same using firewalls, so it might also be time to go for denyhosts. Or not, but clearly document that OpenSSH will not be using hosts.deny anymore.

> Sadly I know how terrible tcp_wrappers is and so I know it needs to
> go away. It's just unfortunate that there's no replacement for it
> besides firewalling, and dealing with the firewall is unfortunately
> so complicated.
>
> So that's three of my packages that use tcp_wrappers in some way
> (denyhosts, apcupsd and cyrus-imapd) though I suspect two of those
> just need the build dependencies dropped.

It would be great if you could review the dependencies to see if it is used and drop the bogus dependencies.

[1] https://wiki.archlinux.org/index.php/sshguard
[2] https://sourceforge.net/projects/denyhosts/files/

Thanks,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.