Educause Security Discussion mailing list archives
Re: IPtables versus Tcp_wrapper
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 3 Mar 2010 16:51:40 -0500
On 3 March 2010 16:37, Josh Richard <jrichar4 () d umn edu> wrote:
> iptables drops packets at the kernel level. tcp_wrappers is less ideal as you expose the service to higher levels of the OS. Most individuals on this list would recommend iptables over tcp_wrappers.
Or, as Adam suggested, use both. I would use as many layers as is reasonable, with sufficient documentation that someone trying to troubleshoot on the machine could follow the setup.

For example, if I know a machine only needs to be accessed via ssh by certain users coming from certain IP addresses, I'll configure pf (I use BSD over Linux when at all possible) to only allow ssh from those IP addresses (or ranges). Then I'll configure SSH to only allow certain user@host combinations. If a user attempts to log in from a machine that isn't allowed then they don't even see SSH. If they're attempting to access it from an allowed machine but with a different username than the one expected, I get an email from OSSEC saying "Danger, Will Robinson!"

kmw

--
Kevin Wilcox
Network Infrastructure and Control Systems
Appalachian State University
Email: wilcoxkm () appstate edu
Office: 828.262.6259
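The layered policy described in the message above, modelled as a small Python script added here for illustration (it is not code from the thread or from pf, OpenSSH or OSSEC). The address lists PF_ALLOWED_SOURCES and ALLOW_USERS are constructed, and the user@host matching is a simplified stand-in for OpenSSH's own AllowUsers matching (exact address, glob wildcard or CIDR host part).

```python
"""Model of a layered SSH access policy: packet filter, then sshd AllowUsers.

Layer 1: the packet filter (pf) admits SSH only from listed source addresses.
Layer 2: sshd's AllowUsers admits only listed user@host combinations.
Alert:   an attempt that passes layer 1 but fails layer 2 is the case the
         message says should trigger an OSSEC e-mail.
"""
import fnmatch
import ipaddress

# Constructed policy for the example; not taken from the original post.
PF_ALLOWED_SOURCES = ["203.0.113.0/24", "198.51.100.7"]
ALLOW_USERS = ["alice@203.0.113.10", "bob@203.0.113.*", "ops@198.51.100.7"]


def pf_permits(src_ip: str) -> bool:
    """Layer 1: does the packet filter let the SSH connection through at all?"""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in PF_ALLOWED_SOURCES)


def host_matches(pattern: str, src_ip: str) -> bool:
    """Match the host half of user@host: CIDR prefix, glob pattern or exact address.
    This is an assumption-level simplification of OpenSSH's matching rules."""
    if "/" in pattern:
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(pattern, strict=False)
    return fnmatch.fnmatchcase(src_ip, pattern)


def sshd_permits(user: str, src_ip: str) -> bool:
    """Layer 2: does the AllowUsers list admit this user from this source address?"""
    for entry in ALLOW_USERS:
        u, _, h = entry.partition("@")
        if fnmatch.fnmatchcase(user, u) and (h == "" or host_matches(h, src_ip)):
            return True
    return False


def evaluate(user: str, src_ip: str) -> str:
    """Classify an attempt the way the defender would see it."""
    if not pf_permits(src_ip):
        return "dropped"   # never reaches sshd; the source does not even see the banner
    if not sshd_permits(user, src_ip):
        return "alert"     # allowed host but unexpected username: the OSSEC e-mail case
    return "allowed"


if __name__ == "__main__":
    for user, ip in [("alice", "203.0.113.10"), ("mallory", "192.0.2.9"), ("mallory", "203.0.113.10")]:
        print(f"{user} from {ip}: {evaluate(user, ip)}")
```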
Current thread:
- IPtables versus Tcp_wrapper Griese, Steven A. (Mar 03)
- <Possible follow-ups>
- Re: IPtables versus Tcp_wrapper Adam Garside (Mar 03)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 03)
- Re: IPtables versus Tcp_wrapper Kevin Wilcox (Mar 03)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 03)
- Re: IPtables versus Tcp_wrapper Adam Garside (Mar 03)
- Re: IPtables versus Tcp_wrapper Kevin Wilcox (Mar 04)
- Re: IPtables versus Tcp_wrapper Valdis Kletnieks (Mar 04)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 04)
- Re: IPtables versus Tcp_wrapper Valdis Kletnieks (Mar 04)
- Re: IPtables versus Tcp_wrapper Josh Richard (Mar 04)