On Fri Nov 8, 2019 at 10:55 PM Gene Heskett wrote:
> unforch, reinstalling apache2 is not a workable situation because it was
> built for the repos w/o libwrappers support. Dumb and forces me to run
> iptables to block the bots that are DDOSing my site.

Blocking malicious connections with iptables is a *better* solution than with libwrappers. With libwrappers, your application (apache2) is still having to do some connection management, even though you're going to reject the connection. It's still at risk of exploitation if there's a bad actor and a known vulnerability. iptables does its job before apache2 even sees the connection, and is far, far more flexible. At this point libwrappers is more of a historical curiosity than an actively used and developed tool for filtering.