LinuxQuestions.org
Denyhosts vs Fail2ban aka tcp_wrappers vs iptables

Posted 07-22-2010 at 04:58 AM by unSpawn

Denyhosts is at times recommended over fail2ban, the common misconception being that the two applications are equivalent. They are not, in more than one way, but focusing on the filtering method alone: denyhosts uses tcp_wrappers by default, whereas fail2ban uses iptables by default.

Using tcp_wrappers means a packet has to be delivered all the way to the service. The serving application is responsible for reading /etc/hosts.{deny,allow} and deciding for itself whether a connection is allowed. Requiring a network connection to be set up exposes the application to, for instance, malformed packets, and it requires disk I/O because new /etc/hosts.deny entries have to be written. Also, tcp_wrappers does not work at all if an application was not compiled with libwrap (check with 'ldd /path/to/application|grep libwrap').

In contrast, the active part of the Netfilter framework resides entirely in (kernel) memory. Blocking an IP address in the firewall still costs CPU cycles, but none in a userland application, and if logging is disabled no disk I/O is needed. More importantly, the service is not exposed at all, since no packet is delivered to it.

That's not to say tcp_wrappers is without use. In a layered security approach, an /etc/hosts.deny entry of "ALL: ALL" combined with carefully opened holes in /etc/hosts.allow (and with the access restrictions that applications such as xinetd services or web servers can be configured with) helps prevent the firewall from becoming a single point of failure.
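To make the hosts.{allow,deny} evaluation order and the "deny all, then open holes" layering concrete, here is an added example (mine, not from the original post or from the tcp_wrappers project). It models the core of libwrap's hosts_access() decision: the allow file is consulted first, then the deny file, and a client matching neither is permitted. The sample /etc/hosts.allow and /etc/hosts.deny contents are constructed, and the matcher is deliberately simplified: it understands ALL, exact addresses, trailing-dot network prefixes and address/netmask or CIDR patterns, but not hostnames, EXCEPT clauses, KNOWN/UNKNOWN/PARANOID or shell commands.

```python
import ipaddress

# Constructed sample files modelling the layered setup described above:
# deny everything by default, then open specific holes in hosts.allow.
HOSTS_ALLOW = """\
# constructed example, not a real host's configuration
sshd: 192.168.1.0/255.255.255.0, 10.0.0.5
vsftpd: 10.0.
ALL: 127.0.0.1
"""
HOSTS_DENY = """\
ALL: ALL
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        daemon_list = [d.strip() for d in daemons.split(",") if d.strip()]
        client_list = [c.strip() for c in clients.split(",") if c.strip()]
        rules.append((daemon_list, client_list))
    return rules


def client_matches(pattern, ip):
    """Simplified client pattern match (ALL, net/mask, CIDR, prefix, exact)."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        # both 'n.n.n.n/m.m.m.m' and 'n.n.n.n/len' are accepted by ip_network
        return addr in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        # tcpd treats a string ending in '.' as a network prefix
        return ip.startswith(pattern)
    return ip == pattern


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def list_matches(rules, daemon, ip):
    """True if any rule matches both the daemon and the client address."""
    return any(
        any(daemon_matches(d, daemon) for d in daemons)
        and any(client_matches(c, ip) for c in clients)
        for daemons, clients in rules
    )


def hosts_access(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd decision order: hosts.allow first, then hosts.deny, else permit."""
    if list_matches(parse_rules(allow_text), daemon, ip):
        return True
    if list_matches(parse_rules(deny_text), daemon, ip):
        return False
    return True   # the implicit default when neither file matches


if __name__ == "__main__":
    checks = [("sshd", "192.168.1.42"), ("sshd", "10.0.0.6"),
              ("vsftpd", "10.0.3.9"), ("smtpd", "203.0.113.7")]
    for daemon, ip in checks:
        verdict = "allow" if hosts_access(daemon, ip) else "deny"
        print(f"{daemon:7s} from {ip:15s} -> {verdict}")
    # Same requests with an empty hosts.deny: everything falls through to permit,
    # which is exactly why the "ALL: ALL" deny line matters.
    print("smtpd without ALL: ALL ->",
          "allow" if hosts_access("smtpd", "203.0.113.7", deny_text="") else "deny")
```

The last two lines of the script show the failure mode the layering guards against: remove the "ALL: ALL" entry and hosts.allow stops being a whitelist, because an unmatched client is permitted by default. The evaluation also illustrates the post's point about exposure: every one of these decisions is taken by the userland daemon after the TCP connection already exists, whereas an iptables rule would have dropped the packet before any of this code ran.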

Comments

  1. Damien Miller posted a heads up: tcpwrappers support going away in April 2014 on the openssh-unix-dev mailing list.
    Posted 10-08-2014 at 05:58 PM by unSpawn