LinuxQuestions.org
Old 05-24-2006, 05:54 AM   #1
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Rep: Reputation: 282
question about hosts.allow/hosts.deny


I'm currently trying to secure a LAMP server (Slackware 10.1) and have plenty of questions. The first one (this thread) is that I'm trying to understand hosts.deny and hosts.allow. With the setup shown below I can still remotely connect to the mysql server application (port 3306). So the question is: why is this still possible? Where and how do the files influence the system?

So I'm looking for an explanation, not a solution.

Code:
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# Version:      @(#)/etc/hosts.deny     1.00    05/28/93
#
# Author:       Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org
#
#

ALL: ALL
# End of hosts.deny.
Code:
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided by
#               the '/usr/sbin/tcpd' server.
#
# Version:      @(#)/etc/hosts.allow    1.00    05/28/93
#
# Author:       Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org
#
#

ALL: 127.0.0.1
#telnet replaced by ssh (2006-05-23 by WimS)
#in.telnetd: 172.31.212.19
proftpd: 172.31.212.19
sshd: 172.31.212.19
https: 172.31.212.19
# End of hosts.allow.
PS My initial thoughts were that it had to do with inetd, but when I started using sshd (which is not started through inetd), this does not make sense. Can it have to do with portnumbers (below 1024)?

Last edited by Wim Sturkenboom; 05-24-2006 at 06:26 AM. Reason: added PS
 
Old 05-24-2006, 06:33 AM   #2
debulu
Member
 
Registered: May 2006
Location: India
Distribution: Redhat
Posts: 49

Rep: Reputation: 15
Can you elaborate a little on how you are connecting to the MySQL server? Have you installed a mysql client on the remote machine and are trying to connect from there?
 
Old 05-24-2006, 06:46 AM   #3
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Original Poster
Rep: Reputation: 282
I've used SQLyog as well as 'telnet btd-techweb01 3306' from a Win2K machine. Both show that I can connect to the server. It will be refused after connecting as MySQL itself is configured to refuse connections from the outside world, and the result of the telnet session is a reply from the mysql server:
Code:
F♦Host '172.31.212.19' is not allowed to connect to this MySQL server
 
Old 05-24-2006, 07:14 AM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
I believe mysql is probably built with its own tcwrappers interface. So the service isn't started as an xinetd service and access is configured according to the mysql instructions.
Look in the pdf manual at /usr/share/doc/packages/mysql/manual.pdf

You probably want to uninstall the telnetd service on the server in any case.

Last edited by jschiwal; 05-24-2006 at 09:15 AM.
 
Old 05-24-2006, 07:44 AM   #5
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Original Poster
Rep: Reputation: 282
OK, don't know exactly what tc(p?)wrapper is. But your reference to (x)inetd makes me think that this is not the explanation. Both mysql and sshd are not started from inetd. I had to add sshd to hosts.allow before the box allowed me secure access.

PS The telnet server will be disabled in inetd once the setup is complete.

Last edited by Wim Sturkenboom; 05-24-2006 at 07:53 AM.
 
Old 05-24-2006, 09:23 AM   #6
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
tc_wrappers is the library that xinetd uses to provide access restrictions based on hosts.allow and hosts.deny. If a program is built with tc_wrappers, then the program is able to have allow and deny restricted by the library based on its own configuration.

Samba uses tc_wrappers this way. Samba is a stand alone service. The allow/deny configuration is done in the samba.conf file. Authentication of passwords may be done by PAM on your server.

The /etc/hosts.allow and /etc/hosts.deny files are used by configuration. The affected services are the ones that are started by configuration. Stand-alone services are not. As you said, mysqld is a stand-alone service and not controlled by xinetd. Therefore you need to configure similar access restrictions by entries in the privilege table as per the MySQL instructions given in the manual. You can use the "mysqladmin" program to set up access, or use SQL commands.

Usually, sshd is not an xinetd controlled service and access is controlled by setting up /etc/sshd/ssh_config and /etc/sshd_config. Authentication may be provided by configuring /etc/pam/ssh.
You can do other things like restrict times of access or resource limits by editing PAM configuration files in /etc/security/.

Most of these files such as ssh_config and sshd_config have their own man pages.

----

The MySQL administrators manual I referred to on my last post has a section with a check list on what you need to do to secure the server. Be sure to study that section and follow its advice.

Last edited by jschiwal; 05-24-2006 at 09:38 AM.
 
Old 05-24-2006, 10:09 AM   #7
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Original Poster
Rep: Reputation: 282
Thanks. If I understand you correctly, mysqld does not use tc_wrappers and sshd does (as does (x)inetd).
That leaves the question of how to know which programs use tc_wrappers. Trial and error is not really a nice way.

Probably download the source code and check.

Last edited by Wim Sturkenboom; 05-24-2006 at 10:11 AM.
 
Old 05-24-2006, 01:32 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,709
Blog Entries: 54

Rep: Reputation: 2965
AFAIK it's tcp_wrappers, the library to compile against is "libwrap" so, ldd binary|grep libwrap
 
Old 05-24-2006, 04:24 PM   #9
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 655
Thank you unSpawn for the correction.
Wim Sturkenboom, I think you may have it backwards.
xinetd is used for services that don't use tcp_wrappers on their own.
Some other services use the tcp_wrappers library ( sometimes it's an option in the ./configure phase of installation )
and are started on their own in /etc/init.d/rc.#/. Access control for these services might be configured in their own respective configuration files rather than in /etc/hosts.allow and /etc/hosts.deny. It depends on how the service is written.

Some services are started in /etc/init.d/rc.# on your system, and don't use tcp_wrappers. Whether a tcp_wrappers-enabled program reads /etc/hosts.allow or /etc/hosts.deny is determined by whether that option was included when the program was built. It's possible a service was compiled without using tcp_wrappers.

Some servers rely on the firewall(s) setup, or the programs config files to control access and don't have any xinetd controlled services. I.E. they don't run xinetd at all.
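To make the two points of this thread concrete (the order in which libwrap consults hosts.allow and hosts.deny, and the fact that a daemon not built against libwrap never consults them at all), here is a small model of the hosts_access() decision run over the two files posted above. It is an added illustration, not code from tcp_wrappers or from any poster; it models only the ALL wildcard, exact addresses, trailing-dot prefixes and net/mask patterns, and the `linked_with_libwrap` flag stands in for the `ldd binary | grep libwrap` check.

```python
"""Model of tcp_wrappers' hosts_access() decision for the files posted in
this thread.  Added illustration, not tcp_wrappers source."""
import ipaddress

# The poster's two files, embedded here so the example runs offline.
HOSTS_ALLOW = """
ALL: 127.0.0.1
#in.telnetd: 172.31.212.19
proftpd: 172.31.212.19
sshd: 172.31.212.19
https: 172.31.212.19
"""
HOSTS_DENY = "ALL: ALL\n"

def parse_rules(text):
    """Yield (daemon_set, client_patterns) per rule; '#' comments and blank
    lines are skipped, an optional third ':' field (shell command) is ignored.
    IPv4 only: addresses containing ':' would need a smarter splitter."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        yield ({d.strip() for d in fields[0].split(",")},
               [c.strip() for c in fields[1].split(",")])

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "172.31." matches any 172.31.x.y
        return addr.startswith(pattern)
    if "/" in pattern:                   # net/mask, e.g. 172.31.0.0/255.255.0.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return addr == pattern

def matches(rules, daemon, addr):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, addr) for p in clients)
               for daemons, clients in rules)

def hosts_access(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: hosts.allow first, then hosts.deny, else permit."""
    if matches(parse_rules(allow), daemon, addr):
        return "granted (hosts.allow)"
    if matches(parse_rules(deny), daemon, addr):
        return "refused (hosts.deny)"
    return "granted (no match)"

def decide(daemon, addr, linked_with_libwrap):
    """A daemon built without libwrap (the poster's mysqld) never performs
    the lookup, so ALL: ALL in hosts.deny has no effect on it."""
    if not linked_with_libwrap:
        return "not consulted (daemon not built with libwrap)"
    return hosts_access(daemon, addr)
```

With the posted files, `decide("sshd", "172.31.212.19", True)` is granted by hosts.allow, the same client is refused for the commented-out in.telnetd entry, and mysqld without libwrap is simply never asked.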
 
Old 05-30-2006, 02:33 AM   #10
Wim Sturkenboom
Senior Member
 
Registered: Jan 2005
Location: Roodepoort, South Africa
Distribution: Slackware 10.1/10.2/12, Ubuntu 12.04, Crunchbang Statler
Posts: 3,786

Original Poster
Rep: Reputation: 282
Quote:
Originally Posted by jschiwal
Wim Sturkenboom, I think you may have it backwards.
Maybe my way of expressing was not right. I understand that (x)inetd implements the wrapper and that for that reason services started from there are 'sensitive to' hosts.allow.
In Slackware, both mysqld and sshd are started from /etc/rc.d (similar to your /etc/init.d/rc.#). sshd required an entry in hosts.allow while mysqld did not. And that was what I tried to understand.

I think that we can consider this thread as solved.

Thanks
 