<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40"> <head> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"> <meta name=Generator content="Microsoft Word 11 (filtered medium)"> <o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="Street"/> <o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="address"/> <o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="City"/>  <style>  </style> </head> <body lang=EN-US link=blue vlink=blue> <div class=Section1> Agreed, I use tcp wrappers for ssh and other apps that are supported in conjunction with iptables for added protection. One can never be to careful J or is that paranoia….<o:p></o:p> <o:p> </o:p> <div> <div class=MsoNormal align=center style='text-align:center'> <hr size=2 width="100%" align=center tabindex=-1> </div> From: rhn-users-bounces@redhat.com [mailto:rhn-users-bounces@redhat.com] On Behalf Of x6d696168 . Sent: Tuesday, March 28, 2006 4:14 PM To: Red Hat Network Users List Subject: Re: [rhn-users] I need help with hosts.deny - doesn't work asIexpected<o:p></o:p> </div> <o:p> </o:p> yes, you generally need to include the daemons name, but when i said link, i ment when compiling the program needs to have been compiled with support for tcpwrappers, which means it gets linked to libwrap.a =). Just sticking "mydaemon: ALL: ip" will not work if the application does not support tcpwrappers. I don't recommend tcpwrappers because of this issue, and instead recommend iptables as it will allways work. -miah<o:p></o:p> <div> On 3/28/06, Tom Foucha <<a href="mailto:tom.foucha@neoaccel.com">tom.foucha@neoaccel.com</a>> wrote:<o:p></o:p> <div> <div> To make the TCP Wrappers active you must as –miah stated link it to the deamon. Example allow:<o:p></o:p> <o:p></o:p> <application/daemon> : <ip address> : allow<o:p></o:p> <o:p></o:p> vsftpd : x.x.x.x : allow<o:p></o:p> <o:p></o:p> You could also put a deny all at the end of the hosts.allow list instead of using the hosts.deny file since the hosts.allow file is applied before hosts.deny<o:p></o:p> <o:p></o:p> vsftpd : ALL : deny<o:p></o:p> <o:p></o:p> <o:p></o:p> --good luck<o:p></o:p> <o:p></o:p> <o:p></o:p> <o:p></o:p> <div> <div class=MsoNormal align=center style='text-align:center'> <hr size=2 width="100%" align=center> </div> From: <a href="mailto:rhn-users-bounces@redhat.com" target="_blank">rhn-users-bounces@redhat.com</a> [mailto:<a href="mailto:rhn-users-bounces@redhat.com" target="_blank">rhn-users-bounces@redhat.com</a>] On Behalf Of x6d696168 . Sent: Tuesday, March 28, 2006 4:02 PM<o:p></o:p> </div> <div> To: Red Hat Network Users List Subject: Re: [rhn-users] I need help with hosts.deny - doesn't work asIexpected<o:p></o:p> </div> </div> <div> <o:p></o:p> No, thats wrong. TCP Wrappers only protects programs that are linked against libwrap. Xinetd provides a similar filtering functionality, but it doesn't require tcpwrappers, but it only protects applications running via xinetd. IPtables is the best way to go, since its kernel based and can handle anything you throw at it, and doesn't require tcpwrappers, or xinetd since it sits above them. -miah<o:p></o:p> <div> On 3/28/06, Kvetch <<a href="mailto:kvetch@gmail.com" target="_blank">kvetch@gmail.com</a>> wrote:<o:p></o:p> <div> try testing using an IP you have access to. You can log attempts by doing something like this in your wrappers ALL: <a href="http://219.106.229.178" target="_blank">219.106.229.178</a> : spawn /bin/echo `/bin/date` access denied>>/var/log/messages : deny I haven't done this in a while so you might want to do a google on logging tcp wrappers If this doesn't give you what you want you might try using iptables, since wrappers only protects against services under xinetd. Nick Baronian <o:p></o:p> <div> On 3/28/06, Bill Watson <<a href="mailto:bill@magicdigits.com" target="_blank"> bill@magicdigits.com</a>> wrote: <o:p></o:p> <div> <div> I did a:<o:p></o:p> </div> <div> service vsftpd stop<o:p></o:p> </div> <div> service vsftpd start<o:p></o:p> </div> <div> <o:p></o:p> </div> <div> and the non-stop hacking on vsftpd stopped. Could be one of 2 things, either this solved my problem permanently, or stopping the service for a few seconds caused his automatic hack program to hang. Dunno which for now, nor know how to tell which did it. Is stuff nuked by hosts.deny logged somewhere?<o:p></o:p> </div> <div> <o:p></o:p> </div> <div> Thanks for you help!<o:p></o:p> </div> <div> Bill<o:p></o:p> </div> <blockquote style='margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'> <div> -----Original Message----- From: <a href="mailto:rhn-users-bounces@redhat.com" target="_blank">rhn-users-bounces@redhat.com</a> [mailto:<a href="mailto:rhn-users-bounces@redhat.com" target="_blank"> rhn-users-bounces@redhat.com</a>] On Behalf Of Kvetch<o:p></o:p> </div> <div> Sent: Tuesday, March 28, 2006 11:26 AM To: Red Hat Network Users List Subject: Re: [rhn-users] I need help with hosts.deny - doesn't work asIexpected<o:p></o:p> </div> </blockquote> </div> <div> tcp wrappers are automatic and no service needs restarting. Try restarting vsftd then try again. If you have nothing in your hosts.allow and in your hosts.deny you have ALL: <a href="http://219.106.229.178/" target="_blank">219.106.229.178</a> ALL: <a href="http://72.129.200.46/" target="_blank">72.129.200.46</a> ALL: 200.38. ALL: 64.182. It should block them. Can you retest? Nick Baronian<o:p></o:p> <div> On 3/28/06, Bill Watson <<a href="mailto:bill@magicdigits.com" target="_blank">bill@magicdigits.com</a>> wrote: <o:p></o:p> <div> <div> Yes I do have tcp_wrappers=YES in vsftpd.conf<o:p></o:p> </div> </div> <div> <div> <o:p></o:p> </div> <div> Bill<o:p></o:p> </div> </div> <div> <blockquote style='margin-top:5.0pt;margin-right:0in;margin-bottom:5.0pt'> -----Original Message----- From: <a href="mailto:rhn-users-bounces@redhat.com" target="_blank">rhn-users-bounces@redhat.com</a> [mailto:<a href="mailto:rhn-users-bounces@redhat.com" target="_blank"> rhn-users-bounces@redhat.com</a>] On Behalf Of Kvetch Sent: Tuesday, March 28, 2006 10:56 AM To: Red Hat Network Users List Subject: Re: [rhn-users] I need help with hosts.deny - doesn't work as Iexpected<o:p></o:p> Do you have tcp_wrappers=YES in your vsftpd.conf? Nick Baronian<o:p></o:p> <div> On 3/28/06, Bill Watson <<a href="mailto:bill@magicdigits.com" target="_blank">bill@magicdigits.com </a>> wrote: <o:p></o:p> I have /etc/hosts.allow that has no entries. I have /etc/hosts.deny that has: ALL: <a href="http://219.106.229.178" target="_blank">219.106.229.178</a> ALL: <a href="http://72.129.200.46" target="_blank">72.129.200.46</a> ALL: 200.38. ALL: 64.182. >From my readings, I should not be getting any messages from 200.38.x.x, yet my /var/log/messages shows: Mar 28 10:50:36 helmethouse vsftpd(pam_unix)[23790]: check pass; user unknown Mar 28 10:50:36 helmethouse vsftpd(pam_unix)[23790]: authentication failure; log name= uid=0 euid=0 tty= ruser= rhost=<a href="http://200.38.16.6" target="_blank">200.38.16.6</a> Mar 28 10:50:40 helmethouse vsftpd(pam_unix)[23790]: check pass; user unknown Mar 28 10:50:40 helmethouse vsftpd(pam_unix)[23790]: authentication failure; log name= uid=0 euid=0 tty= ruser= rhost=<a href="http://200.38.16.6" target="_blank">200.38.16.6</a> And keeps going with a new entry every few seconds. Is /etc/hosts.deny properly set up? Is /etc/hosts.deny immediately active or must some service be restarted to make it go? Does vsftpd bypass /etc/hosts.deny? Thanks! Bill Watson <a href="mailto:bill@magicdigits.com" target="_blank">bill@magicdigits.com</a> _______________________________________________ rhn-users mailing list <a href="mailto:rhn-users@redhat.com" target="_blank">rhn-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/rhn-users" target="_blank">https://www.redhat.com/mailman/listinfo/rhn-users</a><o:p></o:p> </div> <o:p></o:p> </blockquote> </div> _______________________________________________ rhn-users mailing list <a href="mailto:rhn-users@redhat.com" target="_blank">rhn-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/rhn-users" target="_blank">https://www.redhat.com/mailman/listinfo/rhn-users</a><o:p></o:p> </div> <o:p></o:p> </div> _______________________________________________ rhn-users mailing list <a href="mailto:rhn-users@redhat.com" target="_blank">rhn-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/rhn-users" target="_blank">https://www.redhat.com/mailman/listinfo/rhn-users</a><o:p></o:p> </div> <o:p></o:p> </div> _______________________________________________ rhn-users mailing list <a href="mailto:rhn-users@redhat.com" target="_blank">rhn-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/rhn-users" target="_blank">https://www.redhat.com/mailman/listinfo/rhn-users</a><o:p></o:p> </div> <o:p></o:p> </div> This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. <o:p></o:p> NeoAccel, Inc., <st1:address w:st="on"><st1:Street w:st="on">2055 Gateway Place #240</st1:Street>, <st1:City w:st="on">San Jose</st1:City></st1:address>, CA. 95110 (408) 436-1000<o:p></o:p> </div> _______________________________________________ rhn-users mailing list <a href="mailto:rhn-users@redhat.com">rhn-users@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/rhn-users" target="_blank">https://www.redhat.com/mailman/listinfo/rhn-users</a><o:p></o:p> </div> <o:p> </o:p> </div> </body>  This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required please request a hard-copy version. NeoAccel, Inc., 2055 Gateway Place #240, San Jose, CA. 95110 (408) 436-1000</html>