>=net-misc/openssh-6.7p1 dropped sys-apps/tcp-wrappers support (bug #531156), which makes app-admin/denyhosts effectively useless.
After quickly looking into that I think we have the following options:
- patch net-misc/openssh (denied in bug #531156)
- run sshd through xinetd
- some config files missing, could be added through denyhosts ebuild
- replace app-admin/denyhosts by net-analyzer/fail2ban
- adding a guide to the wiki
- ask to replace net-misc/openssh by a different ssh client (e.g. net-misc/dropbear)
Whatever we do, we should put out a news item timely to ensure users running app-admin/denyhosts know that they are effectively unprotected!
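A way to check whether a host is in the state described above, added here as an example and not part of the original thread: it reports whether sshd is linked against libwrap and whether hosts.deny rules naming sshd or ALL are therefore being ignored. The function names, verdict strings and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: do hosts.deny entries written by denyhosts still protect sshd?

# Succeeds if the given `ldd` output shows a binary linked against libwrap.
sshd_links_libwrap() {
    printf '%s\n' "$1" | grep -q 'libwrap\.so'
}

# Prints how many active hosts.deny rules in file $1 name sshd or ALL.
count_sshd_deny_rules() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk -F: '
        /^[ \t]*#/ || NF < 2 { next }          # skip comments and non-rules
        {
            n = split($1, daemon, /[ \t,]+/)   # rule is daemon_list : client_list
            for (i = 1; i <= n; i++)
                if (daemon[i] == "sshd" || daemon[i] == "ALL") { hits++; break }
        }
        END { print hits + 0 }' "$1"
}

# Prints a verdict for ldd output $1 and hosts.deny path $2.
assess_sshd_wrappers() {
    rules=$(count_sshd_deny_rules "$2")
    if sshd_links_libwrap "$1"; then
        echo "enforced rules=$rules"      # sshd consults hosts.deny
    elif [ "$rules" -gt 0 ]; then
        echo "ignored rules=$rules"       # rules exist but sshd never reads them
    else
        echo "no-libwrap rules=0"
    fi
}

# Constructed sample data (not taken from a real host).
sample_deny=$(mktemp)
cat > "$sample_deny" <<'EOF'
# DenyHosts: constructed entries
sshd: 192.0.2.10
sshd: 198.51.100.7
ALL: 203.0.113.5
in.ftpd: 192.0.2.99
EOF
ldd_new='libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0
libc.so.6 => /lib64/libc.so.6'
ldd_old="$ldd_new
libwrap.so.0 => /lib64/libwrap.so.0"
assess_sshd_wrappers "$ldd_old" "$sample_deny"
assess_sshd_wrappers "$ldd_new" "$sample_deny"
rm -f "$sample_deny"
```

On a real host, pass the output of `ldd "$(command -v sshd)"` and the path of the hosts.deny file that denyhosts writes to.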
It was not widely announced, but there is a maintained denyhosts fork called denyhost [1] which is able to work without tcp-wrappers. Maybe upgrading is a less intrusive path forward since it will retain the familiar and well-working model.
[1] http://denyhost.sourceforge.net/
(In reply to Holger Hoffstätte from comment #1)
> denyhosts fork called denyhost [1]
And just seconds after posting this I see that it again has grown a trailing "s" and is now maintained "for real" at https://github.com/denyhosts/denyhosts
(In reply to Holger Hoffstätte from comment #1)
> It was not widely announced, but there is a maintained denyhosts fork called
> denyhost [1] which is able to work without tcp-wrappers. Maybe upgrading is
> a less intrusive path forward since it will retain the familiar and
> well-working model.
>
> [1] http://denyhost.sourceforge.net/
Good call! +*denyhosts-2.9 (03 Feb 2015) + + 03 Feb 2015; Christoph Junghans <ottxor@gentoo.org> +denyhosts-2.9.ebuild: + version bump +
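Review bot: the ChangeLog entry for denyhosts-2.9.ebuild says only "version bump" and carries no reference to this bug or to the reason for the bump discussed in the thread (openssh dropping tcp-wrappers and the fork that works without them). Suggest extending the message with the bug reference and that reason, so that someone reading the ChangeLog can tell this bump is the one that matters for hosts still running an older denyhosts against >=net-misc/openssh-6.7p1.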