TCPWrappers?
Steven Alligood
steve at bluehost.com
Mon Mar 31 11:53:14 MDT 2008
Kimball Larsen wrote:
> Secondly, I realize that tcpwrappers affect more than just sshd - I
> immediately noticed, for example, that when I added this rule: ALL:
> ALL to hosts.deny, that I could no longer connect to mysql on the same
> server. Adding mysqld to the list of permitted hosts did the trick
> (ie: sshd,mysqld: comma,separated,list,of,hosts) in hosts.allow.
I personally suggest using iptables rather than tcp wrappers for your IP
based security.
Basically, iptables works on the ip layer in the kernel, where tcp
wrappers works in the specific application (on the application layer of
the OSI model). Better to block as low on the OSI as you can to prevent
application bugs from being exploited.
IPtables also uses a lot less cpu and processing to stop a packet. And
iptables will block in such a way that anyone scanning will think the
port is not open, where wrappers will still answer, even to the point of
allowing an octopus attack, or even a minor DDoS, to disable your box.
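As an added example (not part of the original thread, and not the author's own code): the script below models the tcp_wrappers decision order that produced the surprise in the quoted message, hosts.allow first, then hosts.deny, otherwise allow, over constructed sample files, and then prints the iptables rules that enforce the same allowlist at the IP layer as the reply recommends. The addresses, the "192.0.2." prefix (equivalent to 192.0.2.0/24), the temp directory and the daemon names are hypothetical; the pattern matcher covers only ALL, exact names and trailing-dot prefixes, a subset of the real hosts_access(5) syntax.

```shell
#!/bin/sh
# Added example, not code from the original thread. It models the tcp_wrappers
# decision (hosts.allow first, then hosts.deny, else allow) over constructed
# sample files, then prints the iptables rules that enforce the same allowlist
# in the kernel. Hosts, addresses and the temp directory are hypothetical.

WORK=$(mktemp -d)

# Constructed hosts.deny: the catch-all rule from the thread.
printf 'ALL: ALL\n' > "$WORK/hosts.deny"

# Constructed hosts.allow: sshd only, as first written in the thread.
printf 'sshd: 192.0.2.\n' > "$WORK/hosts.allow"

# match_list LIST VALUE: does VALUE match any pattern in a comma-separated
# tcp_wrappers list? Handles ALL, an exact name/address, and a trailing-dot
# network prefix such as "192.0.2." (a subset of the real hosts_access syntax).
match_list() {
    value=$2
    old_ifs=$IFS; IFS=','
    for pat in $1; do
        IFS=$old_ifs
        pat=$(printf '%s' "$pat" | tr -d ' \t')
        case "$pat" in
            '')  ;;
            ALL) return 0 ;;
            *.)  case "$value" in "$pat"*) return 0 ;; esac ;;
            *)   [ "$pat" = "$value" ] && return 0 ;;
        esac
    done
    IFS=$old_ifs
    return 1
}

# file_matches FILE DAEMON CLIENT: does any "daemons: clients" line in FILE
# match the pair? Comments and blank lines are skipped; the optional third
# (shell command) field of hosts_access is ignored here.
file_matches() {
    file=$1; daemon=$2; client=$3
    [ -f "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons=${line%%:*}
        rest=${line#*:}
        clients=${rest%%:*}
        if match_list "$daemons" "$daemon" && match_list "$clients" "$client"; then
            return 0
        fi
    done < "$file"
    return 1
}

# wrappers_decision DAEMON CLIENT: the order in which tcp_wrappers consults the files.
wrappers_decision() {
    if file_matches "$WORK/hosts.allow" "$1" "$2"; then echo allow
    elif file_matches "$WORK/hosts.deny" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# iptables_rules NET PORT...: the same allowlist at the IP layer. The DROP rule
# means the kernel discards the packet before sshd or mysqld ever sees it, so a
# scanner gets no answer at all. The commands are printed, not run.
iptables_rules() {
    net=$1; shift
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $net -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

echo "sshd   from 192.0.2.10: $(wrappers_decision sshd 192.0.2.10)"       # allow
echo "mysqld from 192.0.2.10: $(wrappers_decision mysqld 192.0.2.10)"     # deny: ALL: ALL wins

# The fix from the thread: list every wrapped daemon in hosts.allow.
printf 'sshd,mysqld: 192.0.2.\n' > "$WORK/hosts.allow"
echo "mysqld from 192.0.2.10: $(wrappers_decision mysqld 192.0.2.10)"     # allow
echo "mysqld from 198.51.100.7: $(wrappers_decision mysqld 198.51.100.7)" # deny

echo "--- equivalent iptables rules (ssh 22, mysql 3306) ---"
iptables_rules 192.0.2.0/24 22 3306
```

Two points the model makes visible: a bare `ALL: ALL` in hosts.deny reaches every daemon that consults the wrapper library (mysqld included), so each one has to be named in hosts.allow; and the iptables version answers the reply's argument directly, because a DROP rule produces no response at all, whereas a wrapped daemon has already accepted the connection before it decides to refuse it. Note that tcp_wrappers only governs daemons linked against libwrap or started through tcpd, which is one more reason the kernel-level filter is the more uniform control.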