I'm currently trying to secure a LAMP server (Slackware 10.1) and have plenty of questions. First one (this thread) is that I'm trying to understand hosts.deny and hosts.allow . With the setup shown below I can still remotely connect to the mysql server application (port 3306). So question is why this is still possible? Where and how do the files influence the system?

So I'm looking for an explanation, not a solution.

PS My initial thoughts were that it had to do with inetd, but when I started using sshd (which is not started through inetd), this does not make sense. Can it have to do with portnumbers (below 1024)?

Can You be a little elaborate how you are connecting to the Mysql server.Have you installed mysql client in the remote machine and trying to connect

I've used SQLyog as well as 'telnet btd-techweb01 3306' from a Win2K machine. Both show that I can connect to the server. It will be refused after connecting as MySQL itself is configured to refuse connections from the outside world, and the result of the telnet session is a reply from the mysql server:

I believe the mysql is probably built with it's own tcwrappers interface. So the service isn't started as an xinetd service and access is configured according to mysql instructions.
Look in the pdf manual at /usr/share/doc/packages/mysql/manual.pdf

You probably want to uninstall the telnetd service on the server in any case.

OK, don't know exactly what tc(p?)wrapper is. But your reference to (x)inetd makes me think that this is not the explanation. Both mysql and sshd are not started from inetd. I had to add sshd to hosts.allow before the box allowed me secure access.

PS The telnet server will be disabled in inetd once the setup is complete.

tc_wrappers is the library that xinetd uses to provide access restrictions based on hosts.allow and hosts.deny. If a program is built with tc_wrappers, then the program is able to have allow and deny restricted by the library based on its own configuration.

Samba uses tc_wrappers this way. Samba is a stand alone service. The allow/deny configuration is done in the samba.conf file. Authentication of passwords may be done by PAM on your server.

The /etc/hosts.allow and /etc/hosts.deny files are used by configuration. The effected services are the ones that are started by configuration. Stand alone services are not. As you said, muscled is a stand-alone service and not controlled by xinetd. Therefore you need to configure similar access restricts by entries in the privilege table as per MySQL instructions given in the manual. You can use the "mysqladmin" program to set up access, or use SQL commands.

Usually, sshd is not an xinetd controlled service and access is controlled by setting up /etc/sshd/ssh_config and /etc/sshd_config. Authentication may be provided by configuring /etc/pam/ssh.
You can do other things like restrict times of access or resource limits by editing PAM configuration files in /etc/security/.

Most of these files such as ssh_config and sshd_config have their own man pages.

----

The MySQL administrators manual I referred to on my last post has a section with a check list on what you need to do to secure the server. Be sure to study that section and follow its advice.

Thanks. If I understand you correctly, mysqld does not use tc_wrappers and sshd does (as does (x)inetd)).
Leaves the question how to know which programs use tc_wrappers? Trial and error is not really a nice way.

Probably download the source code and check

AFAIK it's tcp_wrappers, the library to compile against is "libwrap" so, ldd binary|grep libwrap

Thank you unSpawn for the correction.
Wim Sturkenboom, I think you may have it backwards.
xinetd is used for services that don't use tcp_wrappers on their own.
Some other services use the tcp_wrappers library ( sometimes it's an option in the ./configure phase of installation )
and are started on their own in /etc/init.d/rc.#/. Access control for these services might be configured in their own respective configuration files rather than in /etc/hosts.allow and /etc/hosts.deny. It depends on how the service is written.

Some services are started in /etc/init.d/rc.# on your system, and don't use tcp_wrappers. If a tcp_wrappers enabled program reads /etc/hosts.allow or /etc/hosts.deny is determined whether that option was included when the program was built. It's possible a service was compiled without using tcp_wrappers.

Some servers rely on the firewall(s) setup, or the programs config files to control access and don't have any xinetd controlled services. I.E. they don't run xinetd at all.

Maybe my way of expressing was not right. I understand that (x)inetd implements the wrapper and that for that reason services started from there are 'sensitive to' hosts.allow.
In Slackware, both mysqld and sshd are started from /etc/rc.d (similar to your /etc/init.d/rc.#). sshd required an entry in hosts.allow while mysqld did not. And that was what I tried to understand.

I think that we can consider this thread as solved.

Thanks