On 2/14/20 6:37 PM, Ben Woods wrote: > On Sat, 15 Feb 2020 at 4:27 am, Joey Kelly <joey_at_joeykelly.net> wrote: > >> On Friday, February 14, 2020 01:18:44 PM Ed Maste wrote: >>> Upstream OpenSSH-portable removed libwrap support in version 6.7, >>> released in October 2014. We've maintained a patch in our tree to >>> restore it, but it causes friction on each OpenSSH update and may >>> introduce security vulnerabilities not present upstream. It's (past) >>> time to remove it. >> >> So color me ignorant, but how does this affect things like DenyHosts? Or >> is >> there an in-application way to block dictionary attacks? I can't go back >> to >> having my servers pounded on day and night (and yes, I listed on an >> alternative port). > > > DenyHosts can be configured to use PF firewall tables directly, rather than > using TCP wrappers: > https://github.com/denyhosts/denyhosts/blob/master/denyhosts.conf#L261 > Requiring the addition of a firewall where there was none before is a significant and potentially error-prone change. I am not about to add this degree of complexity to every machine which only has a single port exposed via NAT. To maintain equivalent functionality, the port version (security/openssh-portable) has the requisite patch as an option or, perhaps better, the base SSHD can be run from INETD and, consequently, TCP-wrapped as it was before, imbReceived on Fri Feb 14 2020 - 22:59:09 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:23 UTC