Paul Johnson wrote:
But now I don't understand what role xinetd is/was performing side by side with the tcpwrap protection inside ssh's build.
None. xinetd isn't related to tcp_wrappers. xinetd doesn't provide tcp_wrappers, and doesn't even use tcp_wrappers. xinetd has its own access control mechanisms.
The advice you got for hosts.allow/hosts.deny is still relevant for any daemons that you run which use tcp_wrappers. However, pretty much the only way to determine whether or not they do is to use "grep" to search for "hosts.allow" in the server's binary. Oddly, sshd doesn't match, even though it supports tcp_wrappers. I don't have an explanation for that...