1 Summary

TCP wrappers is a simple tool to block incoming connections at the application level. This was very useful 20 years ago, when there were no firewalls in Linux. This is not the case today, and connection filtering should be done at the network level or completely within the application's scope if it makes sense. After recent discussions I believe it is time to go for this package, if not completely, then at least as a dependency of modern daemons in the system by default.

2 Detailed Description

The last version of tcp_wrappers was released 20 years ago (although IPv6 support was added later). At that time it was a very powerful tool to "block all traffic", but these days we can do the same thing using firewalls/iptables/nftables for all traffic at the network level, or use similar filtering at the application level.

One of the motivating factors for this change was the removal of TCP wrappers support from systemd and OpenSSH in 2014, based on the thread on the fedora devel list [1]. Another thread, started during 2017 [2], explains the reasons why we should do that and offers other constructive ideas.

Another factor which has driven the deprecation of this package is the lack of any upstream community around it. Although the threats to network communications continually increase, the threat coverage of this package has remained the same over the last two decades, which suggests that new threats are now being handled by different components.

3 Upgrade Impact

Updating from older versions might expose existing services that were previously "protected" by tcp_wrappers (for example sshd). The removal needs to be explicitly mentioned in the migration guide/release notes so that users are able to configure a different layer of security (firewalld, application configuration) if this was the only one they used.

4 Alternatives

After removing the libwrap dependency from openssh, it will stop using the rules defined in /etc/hosts.deny. The functionality can be "added back" if needed to any socket-activated service. For example, for sshd:

  • Disable sshd.service:

    systemctl disable sshd

  • Copy the shipped sshd@.service to /etc:

    cp {/usr/lib,/etc}/systemd/system/sshd@.service

  • Modify the ExecStart line in the copy under /etc/ from

    ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY

    to

    ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY

  • Reload systemd:

    systemctl daemon-reload

  • Enable and start sshd.socket:

    systemctl enable sshd.socket
    systemctl start sshd.socket

  • Verify that you can connect to the new service (at the time of writing this does not work, because it is blocked by SELinux; see bug #1482554 [3]).
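The ExecStart rewrite from the steps above, as an added shell example that is not part of the Fedora change page or this post. It assumes the copied unit path is passed as the first argument and that tcpd is installed at /usr/sbin/tcpd; it refuses to touch a unit that is already wrapped or that lacks the stock line.

```shell
#!/bin/sh
# Added example (not from the Fedora change page): apply the ExecStart rewrite
# to a copied sshd@.service, refusing to modify a unit that is already wrapped
# or that does not contain the stock Fedora line.
# Assumptions: unit file path is $1, tcpd is installed at /usr/sbin/tcpd.

STOCK='ExecStart=-/usr/sbin/sshd '
WRAPPED='ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd '

# Filter: rewrite the stock ExecStart line read from stdin into the tcpd form.
# systemd's "@" prefix passes the second token (/usr/sbin/sshd) as argv[0] of
# tcpd; tcpd takes the real daemon path from argv[0], so hosts.allow/hosts.deny
# rules for the daemon name "sshd" keep applying to every accepted connection.
wrap_execstart() {
    sed -e "s|^$STOCK|$WRAPPED|"
}

# Rewrite one unit file in place. Returns 0 if the file ends up wrapped
# (including when it already was), 1 if the expected stock line is missing.
wrap_unit() {
    unit="$1"
    if grep -q "^$WRAPPED" "$unit"; then
        echo "already wrapped: $unit" >&2
        return 0
    fi
    if ! grep -q "^$STOCK" "$unit"; then
        echo "no stock sshd ExecStart line in $unit, leaving it untouched" >&2
        return 1
    fi
    [ -x /usr/sbin/tcpd ] || echo "warning: /usr/sbin/tcpd not found" >&2
    tmp="$unit.tmp.$$"
    wrap_execstart < "$unit" > "$tmp" && mv "$tmp" "$unit"
}

# Stand-alone use: ./wrap-sshd-unit.sh /etc/systemd/system/sshd@.service
# then run "systemctl daemon-reload" and enable sshd.socket as described above.
if [ $# -eq 1 ]; then
    wrap_unit "$1"
fi
```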

A similar approach can be used for other services to drop the tcp_wrappers dependency.

References:

  • https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers
  • https://serverfault.com/questions/869431/openssh-removed-support-for-tcp-wrappers-now-what-no-hosts-allow-for-ssh-acce
  • https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/UOAUI4TC6PQVHRJ2ONQ2N3IKHR4577VH/ (how to restore the original functionality after the deprecation)
