Quote:
Originally Posted by javier_ccs
I have no vsftpd,
however
machine:/etc # ldd /usr/bin/ftp
linux-gate.so.1 => (0xffffe000)
libncurses.so.5 => /lib/libncurses.so.5 (0xb7eec000)
libc.so.6 => /lib/libc.so.6 (0xb7dbe000)
libdl.so.2 => /lib/libdl.so.2 (0xb7dba000)
/lib/ld-linux.so.2 (0xb7f5e000)
machine:/etc #
You are looking at the client and not a server. A client doesn't accept connections.
Code:
PARANOID
Matches any host whose name does not match its address. When tcpd is built with -DPARANOID
(default mode), it drops requests from such clients even before looking at the access control
tables. Build without -DPARANOID when you want more control over such requests.
I'm not certain how the PARANOID entry works. It may be what is tripping you up. Where does the hostname come from for incoming connections? Is it making DNS lookups on each host entry in the line, which your line doesn't have? Is it using DNS to look up the hostname for the IP trying to make the connection?
If PARANOID fails then the hosts.allow might not even be checked. So your hosts.allow entries don't matter.
Programs that have tcp_wrappers support often have their own access control. I use the "AllowUsers" entry to exclude all other users. However, the patterns section of man 5 ssh_config is at a lower level (wildcards and number ranges), and I have never tried an entry of the form:
USERNAME@HOSTNAME. This would allow access for a local user coming from remote host HOSTNAME, if this pattern is accepted. So some more research or testing may be needed to check if this would work. The "AllowUsers" entry or entries denies all other users including system users, which is very important.
I think that an AllowUsers entry of the form User@Host combined with "UseDNS yes" will do the same thing as your paranoid entry.
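The following is an added illustration, not code from the thread or from tcp_wrappers itself, of the ordering the reply describes: a tcpd built with -DPARANOID runs its name/address consistency test before it ever consults hosts.allow, so an allow rule that lists only IP addresses cannot rescue a client whose reverse DNS does not agree with its address. The DNS data (STUB_REVERSE, STUB_FORWARD, the 192.0.2.x addresses and example.net names) is constructed for the demo; the live_reverse/live_forward helpers are the optional real-resolver equivalents and are an assumption about how one would wire this to a live system.

```python
"""Model of tcpd's PARANOID test combined with a hosts.allow IP rule.

Added example with constructed DNS data; not the tcp_wrappers source.
"""
import ipaddress
import socket  # only used by the optional live resolvers below

# Constructed sample DNS: PTR (reverse) records and A (forward) records.
STUB_REVERSE = {
    "192.0.2.10": "good.example.net",      # forward record agrees
    "192.0.2.11": "spoofed.example.net",   # forward record points elsewhere
    "192.0.2.12": None,                    # no PTR record at all
}
STUB_FORWARD = {
    "good.example.net": ["192.0.2.10"],
    "spoofed.example.net": ["198.51.100.5"],
}


def paranoid_check(ip, reverse_lookup, forward_lookup):
    """True when name and address agree, as tcpd's PARANOID test requires.

    The PTR name for the client must resolve forward to a set of addresses
    that contains the connecting IP. A missing PTR or a mismatch fails.
    """
    name = reverse_lookup(ip)
    if not name:
        return False
    return ip in forward_lookup(name)


def matches_hosts_allow(ip, patterns):
    """Match a client IP against hosts.allow client-list patterns.

    Supports ALL, an exact address, the trailing-dot prefix form
    ("192.0.2.") and the net/mask form ("192.0.2.0/24").
    """
    addr = ipaddress.ip_address(ip)
    for pat in patterns:
        if pat == "ALL":
            return True
        if "/" in pat:
            if addr in ipaddress.ip_network(pat, strict=False):
                return True
        elif pat.endswith("."):
            if ip.startswith(pat):       # tcpd compares the prefix as text
                return True
        elif pat == ip:
            return True
    return False


def tcpd_decision(ip, allow_patterns, paranoid=True,
                  reverse_lookup=STUB_REVERSE.get,
                  forward_lookup=lambda n: STUB_FORWARD.get(n, [])):
    """Decide a connection the way a -DPARANOID tcpd orders its checks.

    PARANOID runs first; only a client that passes it reaches hosts.allow.
    """
    if paranoid and not paranoid_check(ip, reverse_lookup, forward_lookup):
        return "drop (PARANOID)"
    if matches_hosts_allow(ip, allow_patterns):
        return "allow"
    return "deny"


def live_reverse(ip):
    """Assumed live equivalent of STUB_REVERSE.get using the system resolver."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_forward(name):
    """Assumed live equivalent of the STUB_FORWARD lookup."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


if __name__ == "__main__":
    rules = ["192.0.2."]   # an allow rule that names only addresses
    for client in STUB_REVERSE:
        print(client, "->", tcpd_decision(client, rules),
              "| without PARANOID:", tcpd_decision(client, rules, paranoid=False))
```

Run as-is it prints one line per constructed client; the two clients with missing or mismatched reverse DNS are dropped even though the "192.0.2." rule would otherwise admit them, while the same call with paranoid=False admits all three. To observe a real host, pass reverse_lookup=live_reverse and forward_lookup=live_forward to tcpd_decision.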