quoth the Peter Volkov:

> Hello.
>
> Can anybody explain the differences, pro/con between the mentioned two
> approaches in the subject?
>
> I thought that the fewer programs I have on my server the more secure it is.
> But the gentoo security guide and some people on this list suggest usage of
> hosts.allow, hosts.deny files, which only work if I have tcpd installed,
> thus another service which weakens the server's security. But normally each
> server has iptables installed. So every sysadmin can obtain hosts.allow,
> hosts.deny functionality with a simple iptables rule like the following:
>
> iptables -A INPUT -s bad_host -j DROP
>
> This is the base functionality of iptables. No PoM is necessary for such
> kind of things.
>
> More. I think some portable bash script that will parse host.* files and
> create iptables rules is very simple to write!
>
> So why do many people and security guides still suggest the use of tcpd
> over simple iptables rules?
>
> Thank you for your time,
> Peter.

This is a good question, and one for which I am anticipating many responses
more informative and comprehensive than mine...all I can do is offer opinion.

As I see it, iptables is best used to guard the network gateway, and live
internet servers, i.e. http, ftp, smtp, named etc...and tcpwrappers is best
suited for internal LAN security, where you may want to easily control access
to _many_ services host by host, i.e. NFS, samba, rsync, ssh, pop, imap etc...

I suppose the listing of services is arbitrary, depending on your
circumstances. For me it comes down to iptables for servers directly
accessible from the internet, and tcpwrappers for internal stuff.

-d
--
darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
"...the number of UNIX installations has grown to 10, with more expected..."
- Dennis Ritchie and Ken Thompson, June 1972
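Peter proposes a script that turns hosts.* entries into iptables rules, and the reply notes that tcpwrappers is about per-service, host-by-host control. The added POSIX sh example below (written for this thread, not code from either poster or from Gentoo) does that translation and makes the limits visible: address and prefix patterns map cleanly, but name-based patterns (.domain, KNOWN, PARANOID) have no iptables equivalent because tcpd evaluates them with a reverse lookup at connect time. The daemon-to-port table is an assumption; it is kept small on purpose.

```shell
# Translate hosts.deny-style lines (daemon_list : client_list [: option]) read on
# stdin into iptables commands on stdout. Rules are printed, not applied, so
# they can be reviewed before being piped into sh.
# Assumption (not from the thread): a small built-in daemon-to-port table.

daemon_port() {
    case "$1" in
        sshd) echo 22 ;;
        smtp|sendmail) echo 25 ;;
        ipop3d|popa3d) echo 110 ;;
        *) return 1 ;;             # unknown daemon: caller skips the rule
    esac
}

# Map a tcp_wrappers client pattern to an iptables -s argument; print nothing
# for name-based patterns, which only tcpd can evaluate (reverse DNS at connect time).
client_to_source() {
    case "$1" in
        ALL) echo "0.0.0.0/0" ;;
        *[!0-9./]*) echo "" ;;     # .domain, hostname, KNOWN, PARANOID, LOCAL
        */*) echo "$1" ;;          # addr/prefix or addr/dotted-mask, usable as is
        *.)                        # trailing-dot prefix: 10.0. means 10.0.0.0/16
            n=$(printf '%s' "$1" | tr -cd '.' | wc -c); n=$((n + 0))
            pad=$1; i=$n
            while [ "$i" -lt 4 ]; do pad="${pad}0."; i=$((i + 1)); done
            echo "${pad%.}/$((n * 8))" ;;
        *) echo "$1" ;;
    esac
}

hosts_deny_to_iptables() {
    while IFS= read -r line; do
        line=${line%%#*}                                   # strip comments
        case "$line" in *[![:space:]]*) ;; *) continue ;; esac
        daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
        rest=${line#*:}
        clients=$(printf '%s' "${rest%%:*}" | tr ',' ' ')  # drop option field
        for d in $daemons; do
            port=""
            if [ "$d" != ALL ] && ! port=$(daemon_port "$d"); then
                echo "# $d: no port mapping, skipped"; continue
            fi
            for c in $clients; do
                src=$(client_to_source "$c")
                [ -n "$src" ] || { echo "# $c: name-based pattern, needs tcpd"; continue; }
                echo "iptables -A INPUT${port:+ -p tcp --dport $port} -s $src -j DROP"
            done
        done
    done
}
```

Run it as `hosts_deny_to_iptables < /etc/hosts.deny` and read the commented-out lines: each one is an entry that the firewall cannot express and that would silently stop being enforced if tcpd were removed.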