LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-22-2007, 02:55 PM   #1
javier_ccs
Member
 
Registered: Apr 2005
Location: Milton Keynes
Distribution: ubuntu 12.10
Posts: 90

Rep: Reputation: 15
basic question about tcp wrappers


Hello,

I'm trying to set my machine to deny everything but SSH and FTP... so far, here's what I have:

hosts.deny
ALL: ALL@ALL, PARANOID

hosts.allow
sshd: 192.168.1.5
ftpd: 192.168.1.5

SSH works fine, FTP doesn't work. I changed it to:

vsftpd: 192.168.1.5

That didn't work either...

What am I doing wrong?
 
Old 03-22-2007, 03:17 PM   #2
pileofrogs
LQ Newbie
 
Registered: Mar 2007
Location: Seattle
Distribution: CentOS, Fedora, Ubuntu
Posts: 17

Rep: Reputation: 0
I think it wants the protocol name, not the program name. So, it would be

hosts.allow
sshd: 192.168.1.5
ftp: 192.168.1.5

If I'm right (which I might not be) I'm not sure why ssh would be working. Are you sure ssh connections are being blocked from other hosts? Maybe your sshd doesn't do hosts.allow/deny.

If I were in your shoes, I'd skip tcp wrappers and use iptables.
 
Old 03-22-2007, 03:29 PM   #3
javier_ccs
Member
 
Registered: Apr 2005
Location: Milton Keynes
Distribution: ubuntu 12.10
Posts: 90

Original Poster
Rep: Reputation: 15
I'm sure SSH is working...

but ftp: 192.168.1.5 doesn't either... if I remove the line from hosts.deny, FTP works perfectly....

I'm sure I'm missing the right option.
 
Old 03-22-2007, 03:48 PM   #4
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Are you positive that your vsftpd is linked to libwrap?
Code:
win32sux@candystore:~$ ldd /usr/sbin/vsftpd
        linux-gate.so.1 =>  (0xffffe000)
        libwrap.so.0 => /lib/libwrap.so.0 (0xb7f2b000)
        libnsl.so.1 => /lib/tls/i686/cmov/libnsl.so.1 (0xb7f16000)
        libpam.so.0 => /lib/libpam.so.0 (0xb7f0e000)
        libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7f0b000)
        libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7ef8000)
        libutil.so.1 => /lib/tls/i686/cmov/libutil.so.1 (0xb7ef4000)
        libcap.so.1 => /lib/libcap.so.1 (0xb7ef0000)
        libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7eb3000)
        libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7d84000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7c55000)
        /lib/ld-linux.so.2 (0xb7f40000)
        libz.so.1 => /usr/lib/libz.so.1 (0xb7c40000)
win32sux@candystore:~$
If not, it'll need to have the support built in...

Last edited by win32sux; 03-22-2007 at 03:52 PM.
 
Old 03-22-2007, 03:57 PM   #5
javier_ccs
Member
 
Registered: Apr 2005
Location: Milton Keynes
Distribution: ubuntu 12.10
Posts: 90

Original Poster
Rep: Reputation: 15
I have no vsftpd.

However:

machine:/etc # ldd /usr/bin/ftp
linux-gate.so.1 => (0xffffe000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb7eec000)
libc.so.6 => /lib/libc.so.6 (0xb7dbe000)
libdl.so.2 => /lib/libdl.so.2 (0xb7dba000)
/lib/ld-linux.so.2 (0xb7f5e000)
machine:/etc #
 
Old 03-22-2007, 04:28 PM   #6
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by javier_ccs
I have no vsftpd
I assumed you did, based on the fact that you tried to use "vsftpd" in the OP...

Quote:
machine:/etc # ldd /usr/bin/ftp
linux-gate.so.1 => (0xffffe000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb7eec000)
libc.so.6 => /lib/libc.so.6 (0xb7dbe000)
libdl.so.2 => /lib/libdl.so.2 (0xb7dba000)
/lib/ld-linux.so.2 (0xb7f5e000)
machine:/etc #
Well, no libwrap linked for your program there...

You might be able to check if it has built-in support with something like:
Code:
strings /usr/bin/ftp | grep "/etc/hosts"

Last edited by win32sux; 03-22-2007 at 04:29 PM.
 
Old 03-22-2007, 04:42 PM   #7
javier_ccs
Member
 
Registered: Apr 2005
Location: Milton Keynes
Distribution: ubuntu 12.10
Posts: 90

Original Poster
Rep: Reputation: 15
# strings /usr/bin/ftp | grep "/etc/hosts"
#

Nothing...

But sshd does have libwrap:

machine:~ # ldd /usr/sbin/sshd
libwrap.so.0 => /lib/libwrap.so.0 (0x0000002a9566d000)

How can I fix this?
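The two checks win32sux suggested in posts #4 and #6 (ldd for a libwrap dependency, strings for the access-file names) as one script. This is an added example, not code from the thread. It reads the ELF program headers and walks PT_DYNAMIC for DT_NEEDED entries itself instead of calling ldd, because ldd hands the file to the dynamic loader and can execute code from a binary you do not trust. Run it against the server binary that actually accepts the connection (sshd, vsftpd, in.ftpd, or whatever inetd starts for the ftp service), not against the /usr/bin/ftp client shown in post #5. The build_sample_elf helper fabricates a tiny ELF image so the parser can be exercised offline; it is constructed test data, not a real daemon.

```python
#!/usr/bin/env python3
"""Static check for TCP wrapper support in a daemon binary (added example).

Reads the ELF program headers and walks PT_DYNAMIC for DT_NEEDED entries,
which is what ldd reports, without running the dynamic loader on the file.
A daemon that neither needs libwrap nor carries the access-file names built
in never consults hosts.allow/hosts.deny, whatever those files say.
"""
import struct
import sys

PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10


def _vaddr_to_offset(loads, vaddr):
    """Translate a virtual address to a file offset via the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("address 0x%x is not backed by a PT_LOAD segment" % vaddr)


def needed_libraries_from_bytes(data):
    """Return the DT_NEEDED names of an ELF image, in link order."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    if is64:  # e_ident, type, machine, version, entry, phoff, shoff, flags, ehsize, phentsize, phnum, ...
        hdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
        phdr_fmt, dyn_fmt = end + "IIQQQQQQ", end + "qQ"   # p_type, p_flags, p_offset, p_vaddr, ...
    else:
        hdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data, 0)
        phdr_fmt, dyn_fmt = end + "IIIIIIII", end + "iI"   # p_type, p_offset, p_vaddr, ...
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    loads, dynamic = [], None
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_vaddr, p_filesz = (ph[0], ph[2], ph[3], ph[5]) if is64 else (ph[0], ph[1], ph[2], ph[4])
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    if dynamic is None:
        return []   # statically linked: nothing for the loader to resolve
    needed, strtab_vaddr, strsz = [], None, None
    for pos in range(dynamic[0], dynamic[0] + dynamic[1], struct.calcsize(dyn_fmt)):
        d_tag, d_val = struct.unpack_from(dyn_fmt, data, pos)
        if d_tag == DT_NULL:
            break
        if d_tag == DT_NEEDED:
            needed.append(d_val)          # offset into the dynamic string table
        elif d_tag == DT_STRTAB:
            strtab_vaddr = d_val
        elif d_tag == DT_STRSZ:
            strsz = d_val
    if strtab_vaddr is None:
        raise ValueError("PT_DYNAMIC has no DT_STRTAB")
    strtab = _vaddr_to_offset(loads, strtab_vaddr)
    strtab_end = strtab + strsz if strsz is not None else len(data)
    return [data[strtab + off:data.index(b"\0", strtab + off, strtab_end)].decode("ascii", "replace")
            for off in needed]


def wrap_support_from_bytes(data):
    """'libwrap' (dynamic, the ldd check), 'builtin' (the strings check) or 'none'."""
    if any(name.startswith("libwrap.so") for name in needed_libraries_from_bytes(data)):
        return "libwrap"
    if b"/etc/hosts.allow" in data:
        return "builtin"
    return "none"


def wrap_support(path):
    with open(path, "rb") as fh:
        return wrap_support_from_bytes(fh.read())


def build_sample_elf(needed):
    """Constructed test image: a minimal x86-64 ET_DYN whose PT_DYNAMIC lists
    *needed*. It is not runnable code, just enough structure for the parser."""
    base, ehdr_size, phdr_size = 0x400000, 64, 56
    strtab, offsets = b"\0", []
    for name in needed:
        offsets.append(len(strtab))
        strtab += name.encode() + b"\0"
    strtab_off = ehdr_size + 2 * phdr_size
    dyn_off = (strtab_off + len(strtab) + 7) & ~7
    dyn = b"".join(struct.pack("<qQ", DT_NEEDED, off) for off in offsets)
    dyn += struct.pack("<qQ", DT_STRTAB, base + strtab_off) + struct.pack("<qQ", DT_STRSZ, len(strtab))
    dyn += struct.pack("<qQ", DT_NULL, 0)
    total = dyn_off + len(dyn)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)       # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, base, ehdr_size, 0, 0,
                       ehdr_size, phdr_size, 2, 0, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    dynph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off, len(dyn), len(dyn), 8)
    image = ehdr + load + dynph + strtab
    return image + b"\0" * (dyn_off - len(image)) + dyn


if __name__ == "__main__":
    for path in sys.argv[1:] or [sys.executable]:
        with open(path, "rb") as fh:
            data = fh.read()
        print("%s: %s, needs %s" % (path, wrap_support_from_bytes(data), needed_libraries_from_bytes(data)))
```

Usage: `python3 wrapcheck.py /usr/sbin/sshd /usr/sbin/in.ftpd`. A result of "none" for the server means the hosts.allow entry is never read for that service; the fix is a build with libwrap, or starting the service through tcpd from inetd so the wrapper runs before the server does.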
 
Old 03-22-2007, 05:19 PM   #8
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Quote:
Originally Posted by javier_ccs
I have no vsftpd.

However:

machine:/etc # ldd /usr/bin/ftp
linux-gate.so.1 => (0xffffe000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb7eec000)
libc.so.6 => /lib/libc.so.6 (0xb7dbe000)
libdl.so.2 => /lib/libdl.so.2 (0xb7dba000)
/lib/ld-linux.so.2 (0xb7f5e000)
machine:/etc #
You are looking at the client and not a server. A client doesn't accept connections.


Code:
       PARANOID
              Matches any host whose name does not match its address. When tcpd is built with -DPARANOID
              (default mode), it drops requests from such clients even before looking at the access control
              tables. Build without -DPARANOID when you want more control over such requests.
I'm not certain how the PARANOID entry works. It may be what is tripping you up. Where does the hostname come from for incoming connections? Is it making DNS lookups on each host entry in the line, which your line doesn't have? Is it using DNS to look up the hostname for the IP trying to make the connection?

If PARANOID fails then the hosts.allow might not even be checked. So your hosts.allow entries don't matter.

Programs that have tcp_wrappers support often have their own access control. I use the "AllowUsers" entry to exclude all other users. However, the patterns section of man 5 ssh_config is at a lower level (wildcards and number ranges), and I have never tried an entry of the form:
USERNAME@HOSTNAME. This would allow access for a local user coming from remote host HOSTNAME, if this pattern is accepted. So some more research or testing may be needed to check if this would work. The "AllowUsers" entry or entries denies all other users including system users, which is very important.

I think that an AllowUsers entry of the form User@Host combined with "UseDNS yes" will do the same thing as your paranoid entry.

Last edited by jschiwal; 03-22-2007 at 05:38 PM.
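An offline evaluator for the files from post #1, covering the ordering question raised in post #8. This is an added example, not code from the thread or from the tcp_wrappers package. What it models is documented in hosts_access(5): a (daemon, client) pair that matches hosts.allow is granted, otherwise a pair that matches hosts.deny is refused, otherwise it is granted; the daemon field is the server's process name (its argv[0]), not a protocol or port name, which is why a hosts.allow line has to name the process the ftp service actually runs as; in a client list `ALL@ALL` is a user@host pattern, so the deny line asks the client's identd for a user name before matching everything; and PARANOID matches a client whose reverse name does not resolve back to its address. The script performs no DNS or ident lookups: the caller passes in what those would have returned. `in.ftpd` as the FTP server's name is an assumption for the demonstration. Patterns of the form /file and server-endpoint patterns daemon@host are not handled.

```python
#!/usr/bin/env python3
"""Offline evaluator for hosts.allow / hosts.deny decisions (added example).

Applies the order libwrap uses: a matching line in hosts.allow grants access,
otherwise a matching line in hosts.deny refuses it, otherwise access is
granted. The caller supplies what libwrap would look up (reverse name, identd
user, whether the name failed to resolve back to the address), so no DNS or
ident traffic happens here. Unsupported: /file and daemon@host patterns.
"""
import ipaddress
import re


def _tokens(field):
    return [t for t in re.split(r"[\s,]+", field.strip()) if t]  # comma and/or blank separated


def parse_rules(text):
    """Turn access-file text into (daemon_patterns, client_patterns) pairs."""
    rules, pending = [], ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):          # a backslash continues the line
            pending += raw.rstrip()[:-1]
            continue
        line, pending = (pending + raw).strip(), ""
        if not line or line.startswith("#"):
            continue
        fields = re.split(r":(?![^\[]*\])", line)  # split on ':' outside [IPv6] brackets
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((_tokens(fields[0]), _tokens(fields[1])))  # fields[2:] would be shell commands
    return rules


class Client:
    """What libwrap knows about the peer; None means the lookup gave nothing."""
    def __init__(self, address, name=None, user=None, name_mismatch=False):
        self.address = ipaddress.ip_address(address)
        self.name, self.user = name, user
        self.name_mismatch = name_mismatch   # reverse name does not resolve back to the address


def _match_host(pattern, c):
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return c.name_mismatch
    if pattern == "KNOWN":
        return c.name is not None and not c.name_mismatch
    if pattern == "UNKNOWN":
        return c.name is None
    if pattern == "LOCAL":
        return c.name is not None and "." not in c.name
    if pattern.startswith("/"):
        raise ValueError("file patterns are not supported here: %s" % pattern)
    bare = pattern.replace("[", "").replace("]", "")
    if "/" in bare:                  # n.n.n.n/m.m.m.m or [net]/prefixlen
        return c.address in ipaddress.ip_network(bare, strict=False)
    if pattern.startswith("."):      # host-name suffix
        return c.name is not None and c.name.lower().endswith(pattern.lower())
    if pattern.endswith("."):        # address prefix
        return str(c.address).startswith(pattern)
    if c.name is not None and c.name.lower() == pattern.lower():
        return True
    try:
        return c.address == ipaddress.ip_address(bare)
    except ValueError:
        return False


def _match_client(pattern, c):
    if "@" not in pattern:
        return _match_host(pattern, c)
    user_pat, host_pat = pattern.split("@", 1)   # user@host: answered by the client's identd
    user_ok = {"ALL": True, "KNOWN": c.user is not None, "UNKNOWN": c.user is None}.get(user_pat, user_pat == c.user)
    return user_ok and _match_host(host_pat, c)


def _match_daemon(pattern, daemon):
    if "@" in pattern:
        raise ValueError("server-endpoint patterns are not supported here: %s" % pattern)
    return pattern in ("ALL", daemon)


def _match_list(patterns, matcher):
    """'a EXCEPT b EXCEPT c' parses as a EXCEPT (b EXCEPT c)."""
    upper = [p.upper() for p in patterns]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return _match_list(patterns[:i], matcher) and not _match_list(patterns[i + 1:], matcher)
    return any(matcher(p) for p in patterns)


def hosts_access(allow_text, deny_text, daemon, client):
    """Return (verdict, reason); daemon is the server's process name (argv[0] basename)."""
    for fname, text, verdict in (("hosts.allow", allow_text, "allow"), ("hosts.deny", deny_text, "deny")):
        for daemons, clients in parse_rules(text):
            if _match_list(daemons, lambda p: _match_daemon(p, daemon)) and \
                    _match_list(clients, lambda p: _match_client(p, client)):
                return verdict, "%s: %s : %s" % (fname, " ".join(daemons), " ".join(clients))
    return "allow", "no rule matched in either file"


# The files from post #1, plus a hosts.allow line naming an FTP server process
# called in.ftpd (an assumed name: use the process name actually started).
HOSTS_DENY = "ALL: ALL@ALL, PARANOID\n"
HOSTS_ALLOW_OP = "sshd: 192.168.1.5\nftpd: 192.168.1.5\n"
HOSTS_ALLOW_FIXED = HOSTS_ALLOW_OP + "in.ftpd: 192.168.1.5\n"

if __name__ == "__main__":
    lan = Client("192.168.1.5", name="laptop.example.lan")
    for allow in (HOSTS_ALLOW_OP, HOSTS_ALLOW_FIXED):
        for daemon in ("sshd", "in.ftpd"):
            print(daemon, hosts_access(allow, HOSTS_DENY, daemon, lan))
```

With the original files the sshd pair is granted by hosts.allow while the FTP server's pair falls through to the deny line; adding a hosts.allow entry for the process name the server really has makes both pass, and a host other than 192.168.1.5 is still refused. The real daemon also has to be wrapped for any of this to be consulted, which is the separate problem dealt with earlier in the thread.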
 
  

