LinuxQuestions.org


lexton 03-31-2004 07:58 PM

deny.hosts does not work in blocking anything
 
Hi All,

I'm running fedora redhat and I'm trying to test my hosts.deny file.

I've opened up a connection on port 143 with this netcat command:

nc -p 143 -l

This creates a pseudo server that I then try to connect to from a remote host.

Now I have set hosts.deny to --> ALL : ALL

and hosts.allow to --> ALL: LOCAL

However, every time I try to connect to port 143 it lets me log in when it should be denying me access?

I thought Fedora would have support for hosts.deny even on a basic install? What is wrong here?

ugge 04-06-2004 02:37 AM

The hosts.allow and hosts.deny files are part of the tcpwrappers system.
To be able to use this kind of control, the server needs to be compiled with tcpwrapper support.
Some servers are ready to run with tcpwrappers, while others need to be recompiled, or you can just replace the command line that runs the server, usually in /etc/xinetd.conf or /etc/xinetd.d/.
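The decision ugge describes happens inside libwrap, and only programs linked against it (or started through tcpd) ever make it. The following is an added example, not code from this thread or from the tcp_wrappers package: a small model of the hosts.allow / hosts.deny evaluation, with the thread's own rules as constructed input, plus a `decide` step showing why a plain `nc -l` listener is never affected. The client names, addresses and the extra sshd rule are constructed.

```python
"""Model of the tcp_wrappers (tcpd/libwrap) access decision.

Added example for this thread, not code from the thread or from the
tcp_wrappers package. Only a program linked against libwrap (or started
through /usr/sbin/tcpd by inetd/xinetd) ever reads hosts.allow and
hosts.deny; that is why "ALL : ALL" in hosts.deny had no effect on the
poster's netcat listener. Rule files and client values are constructed.

Decision order, as documented in hosts_access(5):
  1. first matching line in hosts.allow -> access granted
  2. otherwise first matching line in hosts.deny -> access denied
  3. otherwise -> access granted
Only part of the pattern language is modelled: ALL, LOCAL, exact host or
address, leading-dot domain suffix, trailing-dot network prefix, and EXCEPT.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Client:
    host: str  # reverse-resolved name (in this model: the address again if unresolvable)
    addr: str  # dotted-quad IPv4 address


def _match_token(pattern: str, client: Client) -> bool:
    """Match one client pattern token against the client's name or address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        # LOCAL matches any host whose name contains no dot
        return "." not in client.host
    for value in (client.host, client.addr):
        if pattern.startswith(".") and value.endswith(pattern):
            return True   # domain suffix, e.g. .example.com
        if pattern.endswith(".") and value.startswith(pattern):
            return True   # network prefix, e.g. 192.168.1.
        if pattern == value:
            return True
    return False


def _match_clients(spec: str, client: Client) -> bool:
    """Evaluate a client list, honouring 'list EXCEPT list' (nested to the right)."""
    head, _, tail = spec.strip().partition(" EXCEPT ")
    if not any(_match_token(tok, client) for tok in head.split()):
        return False
    # the head matched; an EXCEPT clause can take the match away again
    return not (tail and _match_clients(tail, client))


def _match_daemons(spec: str, daemon: str) -> bool:
    return any(tok == "ALL" or tok == daemon for tok in spec.split())


def _file_matches(text: str, daemon: str, client: Client) -> bool:
    """True if any 'daemon_list : client_list[ : shell_command]' line matches."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split(":")
        if len(fields) < 2:
            continue  # blank, comment, or malformed line
        if _match_daemons(fields[0], daemon) and _match_clients(fields[1], client):
            return True
    return False


def hosts_access(allow_text: str, deny_text: str, daemon: str, client: Client) -> bool:
    """The libwrap decision: allow wins, then deny, then default allow."""
    if _file_matches(allow_text, daemon, client):
        return True
    if _file_matches(deny_text, daemon, client):
        return False
    return True


def decide(links_libwrap: bool, allow_text: str, deny_text: str,
           daemon: str, client: Client) -> str:
    """What the poster observed: an unwrapped listener never asks libwrap at all."""
    if not links_libwrap:
        return "allowed (hosts.allow/hosts.deny never consulted)"
    return "allowed" if hosts_access(allow_text, deny_text, daemon, client) else "denied"


# Constructed rule files: the thread's setup plus one network rule using EXCEPT.
ALLOW = "ALL: LOCAL\nsshd: 192.168.1. EXCEPT 192.168.1.66\n"
DENY = "ALL : ALL\n"

if __name__ == "__main__":
    lan_box = Client("workstation", "10.0.0.7")            # short name -> LOCAL
    internet = Client("evil.example.net", "203.0.113.9")
    print(decide(True, ALLOW, DENY, "in.telnetd", lan_box))   # allowed
    print(decide(True, ALLOW, DENY, "in.telnetd", internet))  # denied
    print(decide(True, ALLOW, DENY, "sshd", Client("192.168.1.66", "192.168.1.66")))  # denied
    print(decide(False, ALLOW, DENY, "nc", internet))         # never consulted
```

The practical check on a real system is whether the daemon links libwrap at all (`ldd /path/to/daemon | grep libwrap`) or is launched through tcpd; if neither holds, no hosts.deny rule will ever be evaluated for it.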

dominant 04-06-2004 04:15 AM

What about sendmail?

ugge 04-06-2004 07:00 AM

Scissored out from http://www.cert.org/security-improve...s/i041.07.html
Quote:

Not all servers can be protected by tcpd, due to the specific details of the network protocols and the different services:

* tcpd is designed to be started with each new connection in order to log the connections. Servers such as sendmail that have a high overhead are typically started once to reduce startup overhead; therefore they are not easily managed by tcpd which only logs the first connection.
* tcpd can only protect servers that use TCP (transmission control protocol) and UDP (user datagram protocol).
* Some servers use both TCP and RPC (remote procedure call) protocols. These cannot be protected by tcp wrapper. These servers specify the protocols as rpc/tcp in the third field of inetd.conf (4).
* Only servers that operate on one connection at a time can be protected. (Note that there may be multiple instances of such server processes at any given time, but each instance is only activated for exactly one connection and terminates upon completion. This is different from having one instance handle multiple incoming connections.) Other servers stay active after finishing the initiating connection waiting for other connection requests. Such servers can be recognized by the flag "wait" in the fourth field of inetd.conf.
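The CERT list above gives three mechanical criteria that can be read straight off an inetd.conf line: the protocol field (tcp/udp versus rpc/…), the wait/nowait flag, and whether the server field is already tcpd. The following added example, not code from the thread, from CERT or from the tcp_wrappers package, audits a constructed inetd.conf against those criteria; field order follows inetd.conf(5), and the sample entries are constructed.

```python
"""Audit inetd.conf entries against the tcpd limits quoted from CERT.

Added example, not from the thread, from CERT, or from tcp_wrappers.
Field order per inetd.conf(5): service socket_type protocol flags user
server_path args. The sample file below is constructed.
"""

RPC = "not wrappable: RPC service (rpc/tcp or rpc/udp)"
WAIT = "not wrappable: 'wait' server keeps serving after the first connection"
OTHER = "not wrappable: protocol is neither tcp nor udp"
WRAPPED = "wrapped: already started through tcpd"
CANDIDATE = "wrappable: replace the server field with /usr/sbin/tcpd"


def classify_inetd_line(line: str):
    """Return (service, verdict), or None for blank, comment or short lines."""
    line = line.split("#", 1)[0].strip()
    fields = line.split()
    if len(fields) < 6:
        return None
    service, _sock_type, proto, flags, _user, server = fields[:6]
    if proto.startswith("rpc/"):
        return service, RPC
    if proto.rstrip("46") not in ("tcp", "udp"):   # accept tcp6/udp6 spellings
        return service, OTHER
    if flags.split(".")[0] == "wait":              # flags may carry a ".max" rate suffix
        return service, WAIT
    if server.endswith("/tcpd") or server == "tcpd":
        return service, WRAPPED
    return service, CANDIDATE


def audit_inetd(text: str) -> dict:
    """Map each service name in an inetd.conf text to its verdict."""
    results = {}
    for line in text.splitlines():
        entry = classify_inetd_line(line)
        if entry:
            results[entry[0]] = entry[1]
    return results


SAMPLE_INETD_CONF = """\
# constructed sample, not a real system's file
ftp        stream  tcp      nowait  root    /usr/sbin/tcpd        in.ftpd
telnet     stream  tcp      nowait  root    /usr/sbin/tcpd        in.telnetd
finger     stream  tcp      nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
tftp       dgram   udp      wait    root    /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
rstatd/1-3 dgram   rpc/udp  wait    root    /usr/sbin/rpc.rstatd  rpc.rstatd
"""

if __name__ == "__main__":
    for service, verdict in audit_inetd(SAMPLE_INETD_CONF).items():
        print(f"{service:12} {verdict}")
```

Standalone daemons such as sendmail never appear in inetd.conf at all, which is the first bullet's point: they are not started per connection, so tcpd never sees them unless the daemon itself links libwrap.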

320mb 04-06-2004 08:45 AM

Quote:

Now I have set hosts.deny to --> ALL : ALL
try this:
DENY:ALL(ALL)

