Subject: Re: Time-windows for /etc/hosts.allow ?
To: Louis Glassy <email@example.com>
From: Bill Sommerfeld <firstname.lastname@example.org>
Date: 12/13/1999 08:40:51

> So.. question 1. Do you think there is any practical security benefit
> to be had from time-windowing the access to a host?

Would I use this? Almost certainly not. Would it increase the
security of systems I run for my own use? No..

However, this feature seems to show up in requirements lists for
security systems far more than I would expect, and presumably, the
people asking for it feel more secure when the time-windowed access is
in place, so, in a roundabout way, "yes, there may be". :-) This may
only be a "marketing checklist" feature; I'm not sure how often it's
ever used in practice.

Note that we already have this sort of thing in place for games
control (see dm(8) and dm.conf(5)), so it's not like very much code
would need to be written to support this.

A couple other complications to consider:
- time zones
- day-of-week based rules.

> question 2. If there is, is it better to do this with cron,
> or by changing libwrap to read new (optional)
> timespecs from the hosts.allow file?

Using cron for this strikes me as too fragile -- consider the case when
the system is down during one of the time-window "edges" -- you'll
find yourself running with the wrong policy until the next edge..
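
Added example, not part of the original message and not NetBSD or libwrap code: a C sketch that evaluates a time window against the clock at connection time, so a host that was down across an "edge" still applies the right policy on its first connection, and that covers the day-of-week and time-zone complications listed above. The `time_window` struct, its fields and the sample rules are hypothetical, and the rule's zone is assumed to be a fixed UTC offset with no DST handling.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical rule layout; not libwrap's or dm.conf's actual syntax. */
struct time_window {
    unsigned days;       /* bit 0 = Sunday ... bit 6 = Saturday: days the window opens */
    int start_min;       /* minutes after local midnight, inclusive */
    int end_min;         /* exclusive; end_min < start_min means it runs past midnight */
    int utc_offset_min;  /* fixed offset of the rule's zone from UTC (assumption: no DST) */
};

/* Evaluate the rule against the clock at connection time (now = UTC epoch seconds). */
bool window_allows(const struct time_window *w, time_t now)
{
    long long local = (long long)now + (long long)w->utc_offset_min * 60;
    long long day = local / 86400, sec = local % 86400;
    if (sec < 0) { sec += 86400; day--; }          /* floor for pre-1970 values */
    int minute = (int)(sec / 60);
    int dow = (int)(((day % 7) + 7 + 4) % 7);      /* 1970-01-01 was a Thursday */
    int prev = (dow + 6) % 7;

    if (w->start_min <= w->end_min)                /* ordinary same-day window */
        return (w->days & (1u << dow)) && minute >= w->start_min && minute < w->end_min;
    if (minute >= w->start_min)                    /* evening part: opened today */
        return (w->days & (1u << dow)) != 0;
    if (minute < w->end_min)                       /* morning part: opened yesterday */
        return (w->days & (1u << prev)) != 0;
    return false;
}

/* Constructed sample rules. */
static const struct time_window office_east  = { 0x3E, 9 * 60, 17 * 60, -300 }; /* Mon-Fri 09-17, UTC-5 */
static const struct time_window office_tokyo = { 0x3E, 9 * 60, 17 * 60,  540 }; /* Mon-Fri 09-17, UTC+9 */
static const struct time_window friday_night = { 1u << 5, 22 * 60, 6 * 60, 0 };  /* Fri 22:00 to Sat 06:00 UTC */

int main(void)
{
    time_t mon_0030_utc = 945045000;               /* 1999-12-13 00:30 UTC, a Monday */
    printf("east=%d tokyo=%d\n", window_allows(&office_east, mon_0030_utc),
           window_allows(&office_tokyo, mon_0030_utc));
    printf("sat 03:00 in friday_night=%d\n", window_allows(&friday_night, 945486000));
    return 0;
}
```

The same instant is Sunday evening under the UTC-5 rule and Monday morning under the UTC+9 rule, which is why the zone has to be part of the rule rather than implied by the host.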