[nycbug-talk] Re: OpenSSH and hosts.allow/hosts.deny
a nice bug
nycbug
Sat Nov 6 21:59:39 EST 2004
G. Rosamond:
> A few weeks ago, Chris asked if you could explicitly block or allow by
> ip for OpenSSH.
> I answered blindly "yes," even though SSH is not governed by inetd.conf
> and therefore is not ruled by /etc/hosts.allow or /etc/hosts.deny. But
> I knew it could be, but did not remember.
<snip>
> Anyway, no one else had followed up with a more comprehensive answer to
I have yet to use an sshd on FreeBSD or Linux that was not built by
default with libwrap.
But, why allow a TCP connection in the first place from an unwanted
party? Access is done better at the local packet filter or the
upstream firewall, thereby managing network access from a single
point, at roughly network speed, without involving a disk read on the
box itself.
Harold
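As an added example (not from this thread), a small Python model of the tcp_wrappers decision an sshd linked with libwrap makes for each incoming connection: hosts.allow is consulted first, then hosts.deny, and a client matching neither file is let in. The two sample files are constructed for the example; the EXCEPT operator and the extended allow/deny option syntax are left out.

```python
import ipaddress

# Constructed sample files (not from the thread): permit one LAN prefix and
# one /16 to sshd, refuse every other client to sshd only.
HOSTS_ALLOW = """
# /etc/hosts.allow (constructed sample)
sshd : 192.168.1. , 10.0.0.0/255.255.0.0
"""
HOSTS_DENY = """
# /etc/hosts.deny (constructed sample)
sshd : ALL
"""


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = [f.strip() for f in line.split(":")] if line else []
        if len(fields) < 2:
            continue  # blank, comment, or malformed line
        daemons = [d.strip() for d in fields[0].split(",") if d.strip()]
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr):
    """Match one numeric client pattern the way tcpd does."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask, as 10.0.0.0/255.255.0.0 or 10.0.0.0/16
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # leading-octets prefix such as 192.168.1.
        return addr.startswith(pattern)
    return addr == pattern


def rule_hit(rules, daemon, addr):
    return any(("ALL" in daemons or daemon in daemons)
               and any(client_matches(c, addr) for c in clients)
               for daemons, clients in rules)


def access_allowed(daemon, addr, hosts_allow=HOSTS_ALLOW, hosts_deny=HOSTS_DENY):
    """tcpd order: a hosts.allow hit wins, then a hosts.deny hit refuses,
    and a client matching neither file is permitted."""
    if rule_hit(parse_rules(hosts_allow), daemon, addr):
        return True
    if rule_hit(parse_rules(hosts_deny), daemon, addr):
        return False
    return True


if __name__ == "__main__":
    for who in ("192.168.1.7", "10.0.5.9", "203.0.113.4"):
        print(who, "->", "allow" if access_allowed("sshd", who) else "deny")
```

Note that with both files empty every client is permitted, which is why the check is only a second line behind the packet filter rather than a replacement for it.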