tcpwrappers & SSH

Paul Schmehl pauls at
Wed Oct 25 14:59:47 UTC 2006

--On Wednesday, October 25, 2006 12:08:26 +0400 Рихад Гаджиев 
<rihad at> wrote:

> A comment in /etc/hosts.allow states that:
> Wrapping sshd(8) is not normally a good idea
> Why? Is it because such restrictions should naturally be made using a
> firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have
> been built with libwrap support in the first place. Or?

Because maintaining the access list can be quite ponderous if you have a 
lot of users.

I maintain a hobby website that only has two shell accounts.  I use 
hosts.allow for ssh because it gets rid of the brute-force crap.  But even 
for two users, the list of hosts/networks that are allowed is 10 or 15. 
Imagine what it would be if you have a hundred users...or a thousand.

Paul Schmehl (pauls at
Senior Information Security Analyst
The University of Texas at Dallas
