tcpwrappers

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MMike Starke at <-
M\Mike Starke at ->
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: George Toft
Date:  
Subject: tcpwrappers
You bring up a good point. LDAP is not under inetd control, but I had
to add 127.0.0.1 (LOCAL wasn't good enough) to connect to my local LDAP
server.

What's the explanation for this?

George


Mike Starke wrote:
>
> No need to eat crow......I think this was the point I
> was trying to make. Some services are (undr wrapper control),
> some are not, some used to be and no longer are, and then
> some behave just as I expect, those that are only run
> under inetd. It is the inconsistencies from service to
> service, and from year to year (your case) that I find
> confusing. I think you mentioned chasing down an issue
> with SNMP and I with ldap; seems to me one should just
> 'know' what's under wrapper control and what is not.
>
> v/r
> Mike
>
> On Tue, Oct 15, 2002 at 12:18:04AM -0400, George Toft wrote:
> Crow chomp chomp
>
> I do not understand . . .
>
> I have tested your theory and your are right (as of 2002). I know for a
> fact that in 2000, what I described worked as described. I have seen it
> in action - I tossed IP's into /etc/hosts.deny because they were abusing
> our machines an as soon as I did so, the abuse stopped. We did not have
> Apache under inetd control.
>
> I stand corrected.
>
> George
>
>
> Digital Wokan wrote:
> >
> > Apache is only under the control of /etc/hosts.allow|deny when you set it up
> > to start as an inetd service instead of in standalone mode. For a low use or
> > testing site, this may be okay, but it is a large bottleneck to high-usage
> > sites, where a firewall-based blocking solution would make more sense to use
> > against abusers.
> >
> > On Thursday 10 October 2002 20:40, George Toft wrote:
> > > What makes you think Apache is not? Whe I was at the .com in LA, we had
> > > a script that analyzed Apache log files, and dropped the abuser's IP
> > > netowrk into /etc/host.deny for 48 hours. That locked him (and a chunk
> > > of his ISP) out so he couldn't redial and continue the attack.
> > >
> > > I know for a fact that SNMP is under tpc wrapper control - that was one
> > > of the biggest bitches to solve.
> > >
> > > SSH is also controlled by TCP wrappers - I use it as redundancy in case
> > > I make stupid typos and open SSH to my $EXTIF instead of my $INTIF. I
> > > did this, and I discovered it through looking at my logs.
> > >
> > > What I discovered two weeks ago about OpenLDAP was that LOCAL is not the
> > > same as 127.0.0.1. To every other service I have used in the last 6
> > > years it was, but noooo - not OpenLDAP.
> > >
>  > > Anyway, it's called TCP wrappers, not inet wrappers, because it affects
>  > > all TCP services.  My hosts.allow file looks like this:
>  > >       ALL: LOCAL, 127.0.0.1, 192.168.55.
>  > > which supports my LDAP, MySQL, Apache and DNS servers.  The 192.196.55
>  > > LAN is another interface that needs DNS and HTTP services.

> > >
> > > George
> > >
> > > Mike Starke wrote:
> > > > Years ago, I seem to recall that the only services
> > > > under control of hosts.allow & hosts.deny were those
> > > > under inetd (/etc/inetd.conf).
> > > >
> > > > I just spent the past hour trying to figure out why I couldn't
> > > > connect to my new ldap server from a remote site; come to find
> > > > out all I needed was a simple entry in /etc/hosts.allow Being that
> > > > slapd runs as a deamon, I stared at my slapd.conf file and couldn't
> > > > find any reason why a connection was denied.
> > > >
> > > > Simple question: How does one know when a service is under
> > > > tcpwrappers? Apache & Bind are not, what should have made
> > > > me think slapd was?
> > > >
> > > > v/r
> > > > Mike
> > > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > > PLUG-discuss mailing list -
> > > > To subscribe, unsubscribe, or to change you mail settings:
> > > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > >
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > PLUG-discuss mailing list -
> > > To subscribe, unsubscribe, or to change you mail settings:
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
> > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > PLUG-discuss mailing list -
> > To subscribe, unsubscribe, or to change you mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

This message was posted to the following mailing lists:
Plug Discuss
Mailing List Info | Nearby Messages		<-Fwd: Newsletter from O'Reilly UG Program, October 15(no subject)->
Some Mailing List Archive administrated by UnconfiguredLurker (version 2.3)