Why was tcp-wrappers deprecated by Red Hat, CentOS and Fedora?
1 Summary
TCP wrappers is a simple tool to block incoming connections at the application level. This was very useful 20 years ago, when there were no firewalls in Linux. This is not the case today, and connection filtering should be done at the network level, or completely within the application's own scope where that makes sense. After recent discussions I believe it is time to drop this package, if not completely, then at least as a default dependency of modern daemons in the system.
2 Detailed description
The last version of tcp_wrappers was released 20 years ago (although IPv6 support was added later). At that time it was a very powerful tool to "block all traffic", but these days we can do the same thing using firewalls (iptables/nftables) for all traffic at the network level, or use similar filtering at the application level.
One of the motivating factors for this change was the removal of TCP wrappers support from systemd and OpenSSH in 2014, based on a thread on the fedora devel list [1]. Another thread, started in 2017 [2], tries to explain the reasons why we should do this, together with other constructive ideas.
Another factor driving the deprecation of this package is the lack of any upstream community around it. Although threats to network communications continually increase, the threat coverage of this package has remained the same over the last two decades, leading one to infer that new threats are now being handled by different components.
3 Upgrade impact
Updating from older versions might expose existing services previously "protected" by tcp_wrappers (for example sshd). The removal needs to be explicitly mentioned in the migration guide/release notes so that users are able to configure a different layer of security (firewalld, application configuration) if this was the only one they used.
4 Alternatives
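One check an administrator would want before such an upgrade is a list of the daemons that still have rules in hosts.allow / hosts.deny, since each of them needs a replacement rule in firewalld or in the service's own configuration. The script below is an added example, not part of the Fedora proposal; the hosts.deny content it parses is constructed for the demo, and the daemon names in it are samples.

```shell
#!/bin/sh
# Added example (not part of the Fedora proposal): audit which daemons still
# have rules in hosts.allow / hosts.deny, so the admin knows what must be
# re-created in firewalld or in the application's own configuration once
# libwrap is gone. The sample rules below are constructed for the demo.

# Print the daemon names referenced in a tcp_wrappers access file, one per
# line, sorted and de-duplicated. Handles '#' comments, blank lines,
# backslash line continuations and comma-separated daemon lists such as
# "sshd, vsftpd : 10.0.0.0/8".
wrapped_daemons() {
    awk '
        { sub(/#.*/, "") }                           # strip comments
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next } # join continued lines
        { line = buf $0; buf = "" }
        line ~ /^[[:space:]]*$/ { next }             # skip blank lines
        {
            split(line, f, ":")                      # daemon_list : client_list
            n = split(f[1], d, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", d[i])
                if (d[i] != "") print d[i]
            }
        }' "$1" | LC_ALL=C sort -u
}

# Exit status 0 if daemon $2 (e.g. sshd) has a rule in file $1, else 1.
# A rule for "ALL" counts as a match because it covers every wrapped daemon.
daemon_is_wrapped() {
    wrapped_daemons "$1" | grep -qxF -e "$2" -e ALL
}

# Write a constructed hosts.deny to path $1 (sample data for the demo only).
write_sample_hosts_deny() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's policy
sshd: ALL EXCEPT 192.168.1.0/24
vsftpd, in.telnetd : ALL   # legacy services
in.tftpd: 10.0.0.0/8 \
          172.16.0.0/12
EOF
}

# Demo: list the daemons and report whether sshd still depends on these rules.
sample=$(mktemp)
write_sample_hosts_deny "$sample"
echo "Daemons with tcp_wrappers rules in $sample:"
wrapped_daemons "$sample"
if daemon_is_wrapped "$sample" sshd; then
    echo "sshd still relies on tcp_wrappers rules: migrate them before upgrading"
fi
rm -f "$sample"
```

Run it against the real /etc/hosts.allow and /etc/hosts.deny by calling `wrapped_daemons` on each file; every name it prints is a service whose access rules silently stop applying once the daemon no longer links libwrap.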
After removing the libwrap dependency from OpenSSH, it will stop using the rules defined in /etc/hosts.deny. The functionality can be "added back", if needed, to any socket-activated service. For example, for sshd:
- Disable `sshd.service`:
  systemctl disable sshd
- Copy the shipped `sshd@.service` to /etc:
  cp {/usr/lib,/etc}/systemd/system/sshd@.service
- Modify the `ExecStart` line in the copy under /etc/ from
  ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
  to
  ExecStart=@-/usr/sbin/tcpd /usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
- Reload systemctl:
  systemctl daemon-reload
- Enable and start `sshd.socket`:
  systemctl enable sshd.socket
  systemctl start sshd.socket
- Verify that you can connect to the new service (not working now, because it is blocked by SELinux; see bug #1482554 [3]).
A similar approach can be used for other services to drop the tcp_wrappers dependency.
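The ExecStart edit above is the step that is easy to get wrong by hand, so here is an added example (not from the Fedora proposal, OpenSSH or systemd) that performs it with sed on a copy of the unit and then verifies the result. It assumes tcpd is installed at /usr/sbin/tcpd, as in the line shown above, and that the daemon path contains no sed metacharacters; the unit file text is constructed for the demo and contains only the lines that matter.

```shell
#!/bin/sh
# Added example (not part of the Fedora proposal or of OpenSSH/systemd):
# rewrite a copied sshd@.service so that tcpd wraps the daemon, then verify
# the result. Assumes tcpd lives at /usr/sbin/tcpd and that the daemon path
# has no sed metacharacters. The unit text used in the demo is constructed.

# Rewrite the ExecStart line of unit $1 into $2 so that $3 (the daemon path)
# is run through tcpd. The "@" prefix makes systemd pass the second token
# ($3) as argv[0], which is how tcpd learns which daemon to exec after the
# hosts.allow/hosts.deny check. The result always carries "@-" so a non-zero
# exit status is ignored, matching the line in the proposal.
wrap_unit_with_tcpd() {
    src=$1 dst=$2 daemon=$3
    sed "s#^ExecStart=-\{0,1\}$daemon#ExecStart=@-/usr/sbin/tcpd $daemon#" \
        "$src" > "$dst"
}

# Exit 0 if unit $1 already starts its daemon through tcpd, 1 otherwise.
# Running wrap_unit_with_tcpd twice is safe: a wrapped line no longer matches.
unit_is_wrapped() {
    grep -q '^ExecStart=@-/usr/sbin/tcpd ' "$1"
}

# Write a minimal sshd@.service to $1 (constructed; only ExecStart matters).
write_sample_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=OpenSSH per-connection server daemon (constructed sample)

[Service]
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=-/usr/sbin/sshd -i $OPTIONS $CRYPTO_POLICY
StandardInput=socket
EOF
}

# Demo on temporary files; on a real system the paths would be
# /usr/lib/systemd/system/sshd@.service and /etc/systemd/system/sshd@.service.
orig=$(mktemp) wrapped=$(mktemp)
write_sample_unit "$orig"
wrap_unit_with_tcpd "$orig" "$wrapped" /usr/sbin/sshd
if unit_is_wrapped "$wrapped"; then
    echo "ExecStart now wrapped by tcpd:"
    grep '^ExecStart=' "$wrapped"
fi
rm -f "$orig" "$wrapped"
```

On a real host the same two functions apply to any other socket-activated per-connection unit: pass its own daemon path as the third argument, then run `systemctl daemon-reload` and enable the matching `.socket` unit as described in the steps above.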
References:
https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers
https://serverfault.com/questions/869431/openssh-removed-support-for-tcp-wrappers-now-what-no-hosts-allow-for-ssh-acce
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/UOAUI4TC6PQVHRJ2ONQ2N3IKHR4577VH/ (how to restore the original functionality after the deprecation)