tcpwrappers
George Toft
plug-discuss@lists.plug.phoenix.az.us
Fri, 18 Oct 2002 20:53:56 -0400
# cat
hosts
127.0.0.1 localhost
# 10.0.1.10 donelle.georgetoft.com donelle
10.0.1.10 donelle donelle
# cat hosts.allow
# ALL: LOCAL, 127.0.0.1, 192.168.55.#, 10.0.1.
ALL: LOCAL, 192.168.55.#, 10.0.1.
# ldapsearch -x -D "cn=DeanWormer,o=delta" -w password -b
"ou=1960,o=delta" "sn=Toft223*"
ldap_bind: Can't contact LDAP server
Even if I change /etc/hosts to:
127.0.0.1 localhost
# 10.0.1.10 donelle.georgetoft.com donelle
10.0.1.10 donelle
it fails. Now, if I change /etc/hosts.allow to:
ALL: LOCAL, 127.0.0.1, 192.168.55.#, 10.0.1.
# ALL: LOCAL, 192.168.55.#, 10.0.1.
# ldapsearch -x -D "cn=DeanWormer,o=delta" -w password -b
"ou=1960,o=delta" "sn=Toft223*" | grep -c "dn:"
111
Regardless of the contents of hosts, I need 127.0.0.1 explicitly spelled
out in hosts.allow.
As to your other comment, I start hosts.allow and hosts.deny out the
same way, and open up as necessary.
George
Mike Starke wrote:
>
> I bet if you had an entry in /etc/hosts such as:
>
> 127.0.0.1 localhost
> 10.0.1.10 your_pc_name
>
> The wildcard 'LOCAL' would work? Perhaps the wildcards couldn't give
> a darn about localhost? Perhaps they need something other than
> 127.0.0.1?
>
> I am amazed this topic hasn't come up earlier than this. One of the first
> things I do when installing any *nix box is to set hosts.allow & hosts.deny
> hosts.deny always has ALL:ALL listed in it, nothing else.
>
> my 2cents
>
> v/r
> -Mike
>
> On Fri, Oct 18, 2002 at 07:15:04PM -0400, George Toft wrote:
> Yet, with this entry, I still had to add 127.0.0.1 to /etc/hosts.allow.
>
> Hmm...
>
> George
>
>
>
> Mike Starke wrote:
> >
> > Looks good to me.
> >
> > On Fri, Oct 18, 2002 at 01:03:45AM -0400, George Toft wrote:
> > What do you think?
> >
> > 127.0.0.1 localhost
> > 10.0.1.10 donelle.georgetoft.com donelle
> >
> > George
> >
> >
> > Mike Starke wrote:
> > >
> > > I am assuming you mean the /etc/hosts.allow file that you had
> > > to add an entry? If so, here is what I have learned:
> > >
> > > 1. If slapd has been compiled against libwrap, then it will be under
> > > tcpwrapper control and does not have to run under inetd.
> > >
> > > ldd `which slapd`|grep libwrap
> > > libwrap.so.0 => /lib/libwrap.so.0 (0x4016f000)
> > >
> > > I assume this explains why some services from some distros
> > > react differantly.
> > >
> > > 2. As the hosts_access man page reports:
> > > LOCAL Matches any host whose name does not contain a dot
> > > character.
> > >
> > > Therefore, I would check your /etc/hosts file. I haven't tested this theory,
> > > but I wonder if you had an entry(s) such as
> > >
> > > 127.0.0.1 localhost localhost.mydomain.com
> > > 192.168.1.1 myhost myhost.mydomain.com
> > > 192.168.1.2 anotherhost
> > >
> > > Perhaps, the 'dots' in the first two entries exclude you from
> > > using the LOCAL wildcard, whereas the third entry would work
> > > as expected?
> > >
> > > HTH
> > >
> > > v/r
> > > -Mike
> > >
> > > On Tue, Oct 15, 2002 at 10:35:20PM -0400, George Toft wrote:
> > > You bring up a good point. LDAP is not under inetd control, but I had
> > > to add 127.0.0.1 (LOCAL wasn't good enough) to connect to my local LDAP
> > > server.
> > >
> > > What's the explanation for this?
> > >
> > > George
> > >
> > >
> > > Mike Starke wrote:
> > > >
> > > > No need to eat crow......I think this was the point I
> > > > was trying to make. Some services are (undr wrapper control),
> > > > some are not, some used to be and no longer are, and then
> > > > some behave just as I expect, those that are only run
> > > > under inetd. It is the inconsistencies from service to
> > > > service, and from year to year (your case) that I find
> > > > confusing. I think you mentioned chasing down an issue
> > > > with SNMP and I with ldap; seems to me one should just
> > > > 'know' what's under wrapper control and what is not.
> > > >
> > > > v/r
> > > > Mike
> > > >
> > > > On Tue, Oct 15, 2002 at 12:18:04AM -0400, George Toft wrote:
> > > > Crow chomp chomp
> > > >
> > > > I do not understand . . .
> > > >
> > > > I have tested your theory and your are right (as of 2002). I know for a
> > > > fact that in 2000, what I described worked as described. I have seen it
> > > > in action - I tossed IP's into /etc/hosts.deny because they were abusing
> > > > our machines an as soon as I did so, the abuse stopped. We did not have
> > > > Apache under inetd control.
> > > >
> > > > I stand corrected.
> > > >
> > > > George
> > > >
> > > >
> > > > Digital Wokan wrote:
> > > > >
> > > > > Apache is only under the control of /etc/hosts.allow|deny when you set it up
> > > > > to start as an inetd service instead of in standalone mode. For a low use or
> > > > > testing site, this may be okay, but it is a large bottleneck to high-usage
> > > > > sites, where a firewall-based blocking solution would make more sense to use
> > > > > against abusers.
> > > > >
> > > > > On Thursday 10 October 2002 20:40, George Toft wrote:
> > > > > > What makes you think Apache is not? Whe I was at the .com in LA, we had
> > > > > > a script that analyzed Apache log files, and dropped the abuser's IP
> > > > > > netowrk into /etc/host.deny for 48 hours. That locked him (and a chunk
> > > > > > of his ISP) out so he couldn't redial and continue the attack.
> > > > > >
> > > > > > I know for a fact that SNMP is under tpc wrapper control - that was one
> > > > > > of the biggest bitches to solve.
> > > > > >
> > > > > > SSH is also controlled by TCP wrappers - I use it as redundancy in case
> > > > > > I make stupid typos and open SSH to my $EXTIF instead of my $INTIF. I
> > > > > > did this, and I discovered it through looking at my logs.
> > > > > >
> > > > > > What I discovered two weeks ago about OpenLDAP was that LOCAL is not the
> > > > > > same as 127.0.0.1. To every other service I have used in the last 6
> > > > > > years it was, but noooo - not OpenLDAP.
> > > > > >
> > > > > > Anyway, it's called TCP wrappers, not inet wrappers, because it affects
> > > > > > all TCP services. My hosts.allow file looks like this:
> > > > > > ALL: LOCAL, 127.0.0.1, 192.168.55.
> > > > > > which supports my LDAP, MySQL, Apache and DNS servers. The 192.196.55
> > > > > > LAN is another interface that needs DNS and HTTP services.
> > > > > >
> > > > > > George
> > > > > >
> > > > > > Mike Starke wrote:
> > > > > > > Years ago, I seem to recall that the only services
> > > > > > > under control of hosts.allow & hosts.deny were those
> > > > > > > under inetd (/etc/inetd.conf).
> > > > > > >
> > > > > > > I just spent the past hour trying to figure out why I couldn't
> > > > > > > connect to my new ldap server from a remote site; come to find
> > > > > > > out all I needed was a simple entry in /etc/hosts.allow Being that
> > > > > > > slapd runs as a deamon, I stared at my slapd.conf file and couldn't
> > > > > > > find any reason why a connection was denied.
> > > > > > >
> > > > > > > Simple question: How does one know when a service is under
> > > > > > > tcpwrappers? Apache & Bind are not, what should have made
> > > > > > > me think slapd was?
> > > > > > >
> > > > > > > v/r
> > > > > > > Mike
> > > > > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > > > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > > > > > > To subscribe, unsubscribe, or to change you mail settings:
> > > > > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > > > >
> > > > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > > > > > To subscribe, unsubscribe, or to change you mail settings:
> > > > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > > >
> > > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > > > > To subscribe, unsubscribe, or to change you mail settings:
> > > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > > > To subscribe, unsubscribe, or to change you mail settings:
> > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > > > To subscribe, unsubscribe, or to change you mail settings:
> > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > > To subscribe, unsubscribe, or to change you mail settings:
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > > To subscribe, unsubscribe, or to change you mail settings:
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
> > --
> > __ __ ___ __ __ __ ___ ___
> > | | | | | \ | | | | | | \ \ / /
> > -o) | | | | | \| | | | | | \ \/ / (o-
> > /\\ | |__ | | | |\ | | |_| | / /\ \ //\
> > _\_v |_____||__| |__| \___| \_______| /__/ \__\ v_/_
> >
> > Don't Fear The Penguins
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change you mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change you mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss