Re: tcpwrappers & SSH

From: Paul Schmehl <pauls@utdallas.edu>
Date: 25 Oct 2006 14:59:47
Subject: Re: tcpwrappers & SSH
Message-ID: 25EF2257D42835E7C800F7AB@utd59514.utdallas.edu

--On Wednesday, October 25, 2006 12:08:26 +0400 <rihad@mail.ru> wrote:

> A comment in /etc/hosts.allow states that:
> Wrapping sshd(8) is not normally a good idea
>
> Why? Is it because such restrictions should naturally be made using a
> firewall/PAM/sshd itself/whatever? I think GENERIC sshd wouldn't have
> been built with libwrap support in the first place. Or?
>
Because maintaining the access list can be quite ponderous if you have a
lot of users.

I maintain a hobby website that only has two shell accounts. I use
hosts.allow for ssh because it gets rid of the brute-force crap. But even
for two users, the list of hosts/networks that are allowed is 10 or 15.
Imagine what it would be if you have a hundred users...or a thousand.

Paul Schmehl (pauls@utdallas.edu)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/


