Educause Security Discussion mailing list archives

Re: IPtables versus Tcp_wrapper


From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 3 Mar 2010 16:51:40 -0500

On 3 March 2010 16:37, Josh Richard <jrichar4 () d umn edu> wrote:

> iptables drops packets at the kernel level. tcp_wrappers is less ideal
> as you expose the service to higher levels of the OS.  Most individuals
> on this list would recommend iptables over tcp_wrappers.

Or, as Adam suggested, use both.

I would use as many layers as is reasonable, with sufficient
documentation that someone trying to troubleshoot on the machine could
follow the setup.

For example, if I know a machine only needs to be accessed via ssh by
certain users coming from certain IP addresses, I'll configure pf (I
use BSD over Linux when at all possible) to only allow ssh from those
IP addresses (or ranges). Then I'll configure SSH to only allow
certain user@host combinations. If a user attempts to log in from a
machine that isn't allowed then they don't even see SSH. If they're
attempting to access it from an allowed machine but with a different
username than the one expected, I get an email from OSSEC saying
"Danger, Will Robinson!"

kmw

-- 
Kevin Wilcox
Network Infrastructure and Control Systems
Appalachian State University
Email: wilcoxkm () appstate edu
Office: 828.262.6259
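
The layered setup described in the message above, as an added example that is not part of the original post: a pf.conf fragment that only passes ssh from listed addresses, and the matching sshd_config restriction. The interface name, the addresses (documentation ranges) and the usernames are assumptions.

```conf
# ---- /etc/pf.conf (fragment, constructed example) ----
# Assumption: em0 is the externally facing interface.
ext_if = "em0"

# Hosts and ranges allowed to reach sshd. Document why each entry is
# here so someone troubleshooting on the machine can follow the setup.
table <ssh_admins> const { 192.0.2.10, 198.51.100.0/24 }

set skip on lo

# Default deny, silently dropped and logged: a host that is not in
# <ssh_admins> gets no reply at all on port 22.
block drop in log on $ext_if all
pass out on $ext_if all

# Layer 1: packet filter, ssh only from the listed sources.
pass in on $ext_if inet proto tcp from <ssh_admins> to ($ext_if) port 22

# ---- /etc/ssh/sshd_config (fragment, constructed example) ----
# Layer 2: only these user@host combinations may log in, even when the
# connection comes from an address the packet filter lets through.
# Hypothetical users: alice from one workstation, bob from one subnet.
AllowUsers alice@192.0.2.10 bob@198.51.100.*

# A login attempt from an allowed address with any other username is
# refused and logged by sshd, for example:
#   User carol from 192.0.2.10 not allowed because not listed in AllowUsers
# That log line is what a log monitor such as OSSEC can alert on.
```

Check both files before reloading: `pfctl -nf /etc/pf.conf` parses the ruleset without loading it, and `sshd -t` validates sshd_config.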
