tcpwrappers & SSH

Eric Schuele e.schuele at
Wed Oct 25 18:58:40 UTC 2006

On 10/25/06 09:56, Paul Schmehl wrote:
> --On Wednesday, October 25, 2006 12:08:26 +0400 ????? ??????? 
> <rihad at> wrote:
>> A comment in /etc/hosts.allow states that:
>> Wrapping sshd(8) is not normally a good idea
>> Why? Is it because such restrictions should naturally be made using a
>> firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have
>> been built with libwrap support in the first place. Or?
> Because maintaining the access list can be quite ponderous if you have a 
> lot of users.
> I maintain a hobby website that only has two shell accounts.  I use 
> hosts.allow for ssh because it gets rid of the brute-force crap.  But 
> even for two users, the list of hosts/networks that are allowed is 10 or 
> 15. Imagine what it would be if you have a hundred users...or a thousand.

Viewed from a slightly different angle...

If you are responsible for maintaining machine xyz, and you have used 
tcpwrappers... chances are you'll eventually need access to that machine 
from a location you did not previously expect.  Maybe your sitting in 
the airport and get a call that the machine is malfunctioning.  Maybe 
you are on call at a social gathering.  In any case, you'll need access 
and if it is using tcpwrappers, you may not gain access.

IMHO, other than the problem with needing "emergency" access, I think 
tcpwrappers is a good thing.  I use then on my laptop for example.  As 
Paul mentions, it gets rid of the constant hammering you would normally 
be subject to, and I can still access it from the office or home.

> Paul Schmehl (pauls at
> Senior Information Security Analyst
> The University of Texas at Dallas


More information about the freebsd-questions mailing list