Does Anyone Use Tcp Wrappers (hosts.allow/hosts.deny) Anymore?


A very late reply – yes we use it in conjunction with iptables (on CentOS 5/6 and Fedora). Tcp_wrappers allows filtering based on DNS name, which (as far as I am aware) iptables does not. It is very easy to configure, and takes immediate effect (no restarting of processes required).

Since we use it I would obviously rather it did not go away :-) If we had to we would probably build our own from source, but initially may well just look to see if iptables could do all of what we wanted.

No policies as such, but we include its installation as part of our standard server build process. It is part of the security used on our servers, and, as others have mentioned, multiple layers is the way to go rather than relying on just one tool.

John.

4 thoughts on - Does Anyone Use Tcp Wrappers (hosts.allow/hosts.deny) Anymore?

  • The problem here wouldn’t be so much building it from source. You’d have to rebuild everything that would make use of it as well. For example sshd is linked against it. ->

    [jperrin@monster localbuild]$ ldd /usr/sbin/sshd | grep wrap
    libwrap.so.0 => /lib64/libwrap.so.0

  • Why?

    If the guy wants to use TCP Wrappers with one other specific application / bit of system software (= IP Tables) and wishes to build it from source, why should he have to worry about SSHD compatibility if he does not want to use TCP Wrappers with SSHD?

    Best regards,

  • That’s not how I read Jim’s response. I read it as, if you wished to use tcpwrappers with sshd, you’d have to rebuild sshd. If you only have one app you need to rebuild that’s not so bad, but if you have a half dozen it could be annoying.

    –keith

  • I would care strongly as I use it at home to limit inbound SSH to just the IP addresses of my work machine. Setting up IPtables is more complicated, which can be read as “easier to get it wrong”.

    The question becomes, “Why get rid of it?” It is small, works well, and works the same across many flavors of UNIX. I have not looked recently, but I would guess that the source code does not change very often.

    Just my 2cents.

    Bob – Phoenix, AZ
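
Added example (not part of the original thread or its comments): hosts.allow rules only take effect for a daemon that is linked against libwrap, as in the ldd check quoted above, or that is started through tcpd. The shell functions below list the daemon names in a rules file and repeat that ldd check for each one; the function names, the /usr/sbin fallback and the one-rule-per-line parsing are assumptions of this example.

```shell
#!/bin/sh
# Added example: which daemons named in a hosts.allow/hosts.deny file are
# actually linked against libwrap? Function names are this example's own.

# Succeeds if the ldd output read from stdin lists libwrap as a dependency.
links_libwrap() {
    grep -q 'libwrap\.so'
}

# Print the daemon names (the field before the first ':') used in a rules file.
# Assumes one rule per line (no backslash continuations) and plain daemon
# lists; skips comments and the ALL wildcard, which names no single daemon.
daemons_in_rules() {
    sed -e 's/#.*//' "$1" |
    awk -F: 'NF > 1 {
        n = split($1, d, /[ ,\t]+/)
        for (i = 1; i <= n; i++)
            if (d[i] != "" && d[i] != "ALL") print d[i]
    }' | sort -u
}

# For each daemon in the rules file, locate its binary and repeat the
# "ldd ... | grep wrap" check from the thread.
audit_rules() {
    for d in $(daemons_in_rules "$1"); do
        bin=$(command -v "$d" 2>/dev/null) || bin=
        # Assumed fallback: daemons usually live in /usr/sbin, often not on PATH.
        if [ -z "$bin" ] && [ -x "/usr/sbin/$d" ]; then
            bin="/usr/sbin/$d"
        fi
        if [ -z "$bin" ]; then
            echo "$d: binary not found"
        elif ldd "$bin" 2>/dev/null | links_libwrap; then
            echo "$d: linked against libwrap ($bin)"
        else
            echo "$d: not linked against libwrap ($bin)"
        fi
    done
}
```

After sourcing the file, run `audit_rules /etc/hosts.allow`; a daemon reported as not linked can still be covered if it is started through tcpd.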