tcp_wrappers is enabled, but there's no way of changing the /etc/hosts.{allow,deny} files except manually, which does not survive upgrade.
Suggest a per-service configuration as such:
set service ssh client-allow [ IPv4 network ]
set service ssh client-allow [ IPv6 network ]
which would change the files:
/etc/hosts.allow
sshd: [ IPv4 network ],[ IPv6 network ]
/etc/hosts.deny
sshd: ALL
This same method could be used for https, console-server, etc. - anything which uses libwrap.
Naturally, tcp_wrappers doesn't replace normal security procedures, like 'disable-password-authentication', but it keeps the log files from being flooded by brute-force attacks, and helps prevent compromises by mistakes in other methods.
This change could easily be added to any existing version.
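The mapping proposed above, sketched as an added example (not code from the original request or from the project). It assumes the client-allow values arrive as CIDR strings keyed by service name; the DAEMONS table and the function names are hypothetical. IPv4 networks are written in net/mask form and IPv6 networks in the bracketed [net]/prefixlen form that hosts_access(5) describes.

```python
import ipaddress

# Hypothetical map from config service name to the daemon name libwrap
# matches on; only ssh -> sshd appears in the request above.
DAEMONS = {"ssh": "sshd"}


def wrap_pattern(network):
    """Turn one CIDR string into a hosts_access(5) client pattern."""
    # strict=True rejects typos such as 192.0.2.1/24 (host bits set)
    # instead of silently widening or shifting the allowed range.
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        # Dotted net/mask form, the classic hosts_access syntax.
        return "{}/{}".format(net.network_address, net.netmask)
    # IPv6 addresses contain colons, which hosts.allow also uses as a
    # field separator, so the address part is bracketed.
    return "[{}]/{}".format(net.network_address, net.prefixlen)


def render(client_allow):
    """Return (hosts.allow text, hosts.deny text) for the given config.

    client_allow maps a service name to its list of allowed networks.
    A service with no client-allow entries gets no line in either file,
    so it stays reachable exactly as it is today.
    """
    allow, deny = [], []
    for service in sorted(client_allow):
        networks = client_allow[service]
        if not networks:
            continue
        daemon = DAEMONS[service]  # KeyError for services not mapped yet
        patterns = ",".join(wrap_pattern(n) for n in networks)
        allow.append("{}: {}\n".format(daemon, patterns))
        deny.append("{}: ALL\n".format(daemon))
    return "".join(allow), "".join(deny)


if __name__ == "__main__":
    # Constructed sample input using documentation address ranges.
    sample = {"ssh": ["192.0.2.0/24", "2001:db8::/32"]}
    hosts_allow, hosts_deny = render(sample)
    print("/etc/hosts.allow\n" + hosts_allow)
    print("/etc/hosts.deny\n" + hosts_deny)
```

Because both files are regenerated from the configuration, the entries would be rebuilt after an upgrade rather than lost with manual edits.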