[rhn-users] I need help with hosts.deny - doesn't work as I expected

Tom Foucha tom.foucha at neoaccel.com
Tue Mar 28 22:34:38 UTC 2006


Agreed, I use tcp wrappers for ssh and other apps that are supported in
conjunction with iptables for added protection. One can never be too
careful :-) or is that paranoia....

 

________________________________

From: rhn-users-bounces at redhat.com [mailto:rhn-users-bounces at redhat.com]
On Behalf Of x6d696168 .
Sent: Tuesday, March 28, 2006 4:14 PM
To: Red Hat Network Users List
Subject: Re: [rhn-users] I need help with hosts.deny - doesn't work as I expected

 

yes, you generally need to include the daemon's name, but when I said
link, I meant when compiling the program needs to have been compiled with
support for tcpwrappers, which means it gets linked to libwrap.a =).
Just sticking "mydaemon: ALL: ip" will not work if the application does
not support tcpwrappers.  I don't recommend tcpwrappers because of this
issue, and instead recommend iptables as it will always work.

-miah

On 3/28/06, Tom Foucha <tom.foucha at neoaccel.com> wrote:

To make the TCP Wrappers active you must, as -miah stated, link it to the
daemon. Example allow:

 

<application/daemon> : <ip address> : allow

 

vsftpd : x.x.x.x : allow

 

You could also put a deny all at the end of the hosts.allow list instead
of using the hosts.deny file since the hosts.allow file is applied
before hosts.deny

 

vsftpd : ALL : deny

 

 

--good luck

 

 

 

________________________________

From: rhn-users-bounces at redhat.com [mailto:rhn-users-bounces at redhat.com]
On Behalf Of x6d696168 .
Sent: Tuesday, March 28, 2006 4:02 PM


To: Red Hat Network Users List
Subject: Re: [rhn-users] I need help with hosts.deny - doesn't work as I expected

 

No, that's wrong.

TCP Wrappers only protects programs that are linked against libwrap.
Xinetd provides a similar filtering functionality, but it doesn't
require tcpwrappers, but it only protects applications running via
xinetd.  IPtables is the best way to go, since it's kernel based and can
handle anything you throw at it, and doesn't require tcpwrappers, or
xinetd since it sits above them.

-miah

On 3/28/06, Kvetch <kvetch at gmail.com> wrote:

try testing using an IP you have access to.
You can log attempts by doing something like this in your wrappers
ALL:  219.106.229.178 : spawn /bin/echo `/bin/date` access denied>>/var/log/messages : deny

I haven't done this in a while so you might want to do a google on
logging tcp wrappers
If this doesn't give you what you want you might try using iptables,
since wrappers only protects against services under xinetd. 

Nick Baronian



On 3/28/06, Bill Watson <bill at magicdigits.com> wrote:

I did a:

service vsftpd stop

service vsftpd start

 

and the non-stop hacking on vsftpd stopped. Could be one of 2 things,
either this solved my problem permanently, or stopping the service for a
few seconds caused his automatic hack program to hang. Dunno which for
now, nor know how to tell which did it. Is stuff nuked by hosts.deny
logged somewhere?

 

Thanks for your help!

Bill

	-----Original Message-----
	From: rhn-users-bounces at redhat.com [mailto:rhn-users-bounces at redhat.com] On Behalf Of Kvetch
	Sent: Tuesday, March 28, 2006 11:26 AM
	To: Red Hat Network Users List
	Subject: Re: [rhn-users] I need help with hosts.deny - doesn't work as I expected

tcp wrappers are automatic and no service needs restarting.  Try
restarting vsftpd then try again.
If you have nothing in your hosts.allow and in your hosts.deny you have

ALL:  219.106.229.178
ALL:  72.129.200.46
ALL:  200.38.
ALL:  64.182.

It should block them.
Can you retest?
Nick Baronian

On 3/28/06, Bill Watson <bill at magicdigits.com> wrote: 

Yes I do have tcp_wrappers=YES in vsftpd.conf

 

Bill

	-----Original Message-----
	From: rhn-users-bounces at redhat.com [mailto:rhn-users-bounces at redhat.com] On Behalf Of Kvetch
	Sent: Tuesday, March 28, 2006 10:56 AM
	To: Red Hat Network Users List
	Subject: Re: [rhn-users] I need help with hosts.deny - doesn't work as I expected

	Do you have 
	tcp_wrappers=YES
	in your vsftpd.conf?
	
	Nick Baronian

	On 3/28/06, Bill Watson <bill at magicdigits.com> wrote:

	I have /etc/hosts.allow that has no entries. I have /etc/hosts.deny that
	has:
	
	ALL: 219.106.229.178
	ALL: 72.129.200.46
	ALL: 200.38.
	ALL: 64.182.
	
	From my readings, I should not be getting any messages from 200.38.x.x, yet
	my /var/log/messages shows:
	Mar 28 10:50:36 helmethouse vsftpd(pam_unix)[23790]: check pass; user unknown
	Mar 28 10:50:36 helmethouse vsftpd(pam_unix)[23790]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=200.38.16.6
	Mar 28 10:50:40 helmethouse vsftpd(pam_unix)[23790]: check pass; user unknown
	Mar 28 10:50:40 helmethouse vsftpd(pam_unix)[23790]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=200.38.16.6
	
	And keeps going with a new entry every few seconds.
	
	Is /etc/hosts.deny properly set up?
	Is /etc/hosts.deny immediately active or must some service be
restarted to 
	make it go?
	Does vsftpd bypass /etc/hosts.deny?
	
	Thanks!
	Bill Watson
	bill at magicdigits.com
	
	
	_______________________________________________ 
	rhn-users mailing list 
	rhn-users at redhat.com
	https://www.redhat.com/mailman/listinfo/rhn-users
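
The lookup order discussed in this thread (hosts.allow first, then hosts.deny, and no check at all for a daemon that is not using libwrap), as an added example that is not part of the original messages. It is a simplified model, not libwrap itself; the rule text is taken from the thread, and 192.0.2.10 is a constructed stand-in for "x.x.x.x".

```python
# Simplified model of the TCP Wrappers access check (added example, not libwrap).
# Handles daemon lists, ALL, exact IPv4 addresses, "a.b." prefixes and a trailing
# allow/deny option; hostnames, netmasks, EXCEPT and spawn are out of scope.

BILL_DENY = "ALL: 219.106.229.178\nALL: 72.129.200.46\nALL: 200.38.\nALL: 64.182.\n"
# 192.0.2.10 is a constructed stand-in for the "x.x.x.x" in the thread.
TOM_ALLOW = "vsftpd : 192.0.2.10 : allow\nvsftpd : ALL : deny\n"

def parse_rules(text):
    """Return (daemons, clients, option) tuples for each rule line."""
    rules = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2 or not fields[0]:
            continue  # blank, comment-only or malformed line
        option = fields[-1].lower() if len(fields) > 2 else None
        rules.append((fields[0].replace(",", " ").split(),
                      fields[1].replace(",", " ").split(), option))
    return rules

def client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "200.38." matches every 200.38.x.x
        return ip.startswith(pattern)
    return pattern == ip

def first_match(rules, daemon, ip):
    """Return the option of the first matching rule, "" if it has none, else None."""
    for daemons, clients, option in rules:
        if ("ALL" in daemons or daemon in daemons) and \
                any(client_matches(c, ip) for c in clients):
            return option or ""
    return None

def decide(daemon, ip, allow_text, deny_text, uses_libwrap=True):
    if not uses_libwrap:
        return "allow"                 # the files are never consulted
    hit = first_match(parse_rules(allow_text), daemon, ip)
    if hit is not None:                # hosts.allow is searched first
        return "deny" if hit == "deny" else "allow"
    hit = first_match(parse_rules(deny_text), daemon, ip)
    if hit is not None:
        return "allow" if hit == "allow" else "deny"
    return "allow"                     # no match in either file grants access

if __name__ == "__main__":
    print(decide("vsftpd", "200.38.16.6", "", BILL_DENY))
    print(decide("vsftpd", "200.38.16.6", "", BILL_DENY, uses_libwrap=False))
```

On a real host, running `ldd` on the daemon binary shows whether libwrap is linked in, and `tcpdmatch` from the tcp_wrappers package evaluates the actual hosts.allow and hosts.deny files for a given daemon and client.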