Denyhosts vs Fail2ban aka tcp_wrappers vs iptables

Posted 07-22-2010 at 04:58 AM by unSpawn

From time to time DenyHosts is recommended over Fail2ban, on the common misconception that the two applications are equivalent. They're not, in more than one way, but focusing on the method of filtering: DenyHosts uses tcp_wrappers by default, whereas Fail2ban uses iptables by default.

Using tcp_wrappers means a packet has to be delivered to the service first. The serving application is then responsible for reading /etc/hosts.{deny,allow} and deciding for itself whether the connection is allowed. Requiring a network connection to be set up exposes the application to, for instance, malformed packets, and writing new /etc/hosts.deny entries costs disk I/O. Also, tcp_wrappers does nothing for an application that was not built with libwrap (check with 'ldd /path/to/application | grep libwrap').

In contrast, the active part of the Netfilter framework lives entirely in the kernel. Sure, blocking an IP address in the firewall costs CPU cycles, but not in a userland application, and if logging is disabled no disk I/O is needed. More importantly, the service is not exposed at all, because no packet is delivered to it.

That's not to say tcp_wrappers is without use. In a layered security approach, an "ALL: ALL" entry in /etc/hosts.deny with holes carefully opened in /etc/hosts.allow (plus the access restrictions that applications such as Xinetd services or web servers can be configured with) helps prevent the firewall from becoming a single point of failure.
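As an added example that is not part of the original post: a small POSIX sh model of the hosts.allow / hosts.deny evaluation order a libwrap-linked daemon goes through, using constructed sample files in a temporary directory rather than the real /etc files. It implements only ALL, exact addresses and dotted prefixes such as "192.168.1." (the real tcp_wrappers syntax is much richer), and wraps the ldd check from the post into a function. The names tcpw_decision, file_matches, client_matches and has_libwrap are chosen here and are not from any project.

```shell
#!/bin/sh
# Added example: simplified tcp_wrappers evaluation (allow file first, then
# deny file, otherwise allow). Supports ALL, exact addresses and dotted
# prefixes only; no netmasks, hostnames, EXCEPT lists or shell options.

# Constructed sample files standing in for /etc/hosts.allow and /etc/hosts.deny.
TCPW_DIR=$(mktemp -d)
trap 'rm -rf "$TCPW_DIR"' EXIT
cat > "$TCPW_DIR/hosts.allow" <<'EOF'
# holes punched for specific services and clients
sshd: 192.168.1.
sshd: 10.0.0.5
vsftpd: 10.0.0.
EOF
cat > "$TCPW_DIR/hosts.deny" <<'EOF'
# layered default: deny everything not explicitly allowed above
ALL: ALL
EOF

# client_matches PATTERN CLIENT -> 0 if PATTERN covers CLIENT
client_matches() {
    pat=$1; client=$2
    if [ "$pat" = ALL ]; then return 0; fi
    case "$pat" in
        *.) # a pattern ending in a dot is a network prefix
            case "$client" in "$pat"*) return 0 ;; esac
            return 1 ;;
    esac
    [ "$pat" = "$client" ]      # anything else is an exact match
}

# file_matches FILE SERVICE CLIENT -> 0 if any "daemons: clients" line matches
file_matches() {
    file=$1; service=$2; client=$3
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
        daemons=${line%%:*}
        clients=${line#*:}
        svc_ok=1
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            if [ "$d" = ALL ] || [ "$d" = "$service" ]; then svc_ok=0; fi
        done
        [ $svc_ok -eq 0 ] || continue
        for c in $(printf '%s' "$clients" | tr ',' ' '); do
            if client_matches "$c" "$client"; then return 0; fi
        done
    done < "$file"
    return 1
}

# tcpw_decision SERVICE CLIENT -> prints "allow" or "deny" in tcp_wrappers order
tcpw_decision() {
    if file_matches "$TCPW_DIR/hosts.allow" "$1" "$2"; then echo allow
    elif file_matches "$TCPW_DIR/hosts.deny" "$1" "$2"; then echo deny
    else echo allow   # no entry in either file: access is granted
    fi
}

# has_libwrap PATH -> 0 if the binary is linked against libwrap (the ldd check
# from the post); a daemon without it never reads hosts.{allow,deny}.
has_libwrap() {
    ldd "$1" 2>/dev/null | grep -q libwrap
}

# Walk a few constructed probes through the decision.
for probe in "sshd 10.0.0.5" "sshd 192.168.1.77" "sshd 10.0.0.50" \
             "sshd 203.0.113.9" "vsftpd 10.0.0.9" "imapd 10.0.0.5"; do
    set -- $probe
    printf '%-8s %-16s %s\n' "$1" "$2" "$(tcpw_decision "$1" "$2")"
done
```

The probes show the layered setup from the post: the "ALL: ALL" entry in hosts.deny only bites when no hole in hosts.allow matched first, and 10.0.0.50 is denied because its sshd entry is an exact address rather than a prefix. What the model cannot show is exactly the post's point about exposure: by the time these files are consulted the daemon has already accepted the connection, whereas a Netfilter drop happens before any packet reaches it.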
Comment 1

// Damien Miller posted a heads up: tcpwrappers support going away in April 2014 on the openssh-unix-dev mailing list.
Posted 10-08-2014 at 05:58 PM by unSpawn