On 07/16/2011 09:51 PM, Peggy Wilkins wrote:
On Sat, Jul 16, 2011 at 1:42 PM, Thomas S Hatch <thatch45@gmail.com> wrote:
In the end, I tell people that using tcp_wrappers is unnecessary and unwise, iptables is VERY powerful, and once you understand how rules are constructed and parsed it is an easy and manageable solution. I have nothing to say against iptables and other full firewall solutions. However, for my part running a number of desktops for other people at work with only sshd as a service, tcp wrappers plus denyhosts (plus disabling password authentication for good measure) already does exactly what I want. Performance doesn't enter into this issue for us, we have so many spare CPU cycles it's comical.
Thanks to the Arch devs for taking this out, this was the right move and I will argue that it has made Arch more secure by not supporting outdated security constructs. I view it as taking away my freedom to choose to run what I want in
Everyone doesn't have the same circumstances and needs. I just would like this option to continue because I'm using it now and I find it useful and it meets my immediate needs. I also don't need my time at work diverted into a sudden project to write firewall rules that work for every desktop. You're better off blocking unwanted attempts at ssh with iptables or use sshguard. Or you could try http://smarden.org/ipsvd/ the simplest possible way. This is a major change. A large part of the reason I chose Arch is because it is straightforward to configure, hence doesn't require a lot of my time (which is properly spent running servers, not desktops) -- an easy way to get Linux on the desktop for our site which is otherwise all Windows desktops. I already know the limitations of my choice (and I use full firewalls in other situations).
Surely there is a good compromise possible... There
-- Jelle van der Waa