Changes to hosts.allow do not affect inetd daemons sometimes

Matthew Seaman m.seaman at infracaninophile.co.uk
Mon Jun 2 05:29:10 PDT 2003


On Mon, Jun 02, 2003 at 01:11:55PM +0200, Alexander wrote:

> I really know what tcp wrappers is. I just can't exactly get your point.
> I'm telling you that I shut the ftpd totally, I've left just one line in
> /etc/hosts.allow: ALL : ALL : deny
> 
> and when I simply telnet-ed my.host.com 21 it opened a connection.

Ah.  If TCP wrappers is working correctly, you should see the
connection open and then close either almost immediately or as soon as
you try and pass any traffic.  A port scanner, like nmap(1) will show
the port as open.  You certainly shouldn't see any FTP banners or
other FTP traffic if you telnet to the port though, and you should see
a log message from TCP wrappers showing that it denied access.  If you
want to run an ftp service hidden completely from certain remote
sites, then ipfw(8) or ipf(8) is your friend.

What does 'tcpdmatch' say if you test it with various daemon names and
client addresses?

> I also have auth, pop3, smtp (qmail actually)
> 
> I've shut qmail down totally. The pop3 wasn't in use, so that leaves
> auth. According to you, if the auth service is active while I change
> /etc/hosts.allow, there might be a problem with auth only ... but what
> about the others?! Does this affect them too? As I said, I even tried to
> kill inetd. Nothing helped

If you kill inetd entirely, then all of the ports managed by inetd
should be closed, as 'netstat -a' should show.

There are 5 different example lines for the 'auth' service in
/etc/inetd.conf, 4 of which are internal inetd services using
'nowait'.  Just use one or more of those, rather than the external
identd.

'auth' is meant to be a security thing, but honestly it's pretty much
useless --- correctly paranoid system administrators will worry that
it reveals entirely too much about the internal setup of their systems
and either shut it off or configure it to lie by default.  Personally
I tend to set up my firewalls to just reset connections to port 113
(nb. not drop, as that will lead to annoying delays) and not run any
auth service at all:

    % grep 113 /etc/happy-idiot-talk.ipfw 
    add 1300 reset tcp from any to 81.2.69.216/29{218,219} 113 setup in recv de0

> Again, it's not happening just to a single wrapped daemon, it's happening
> to all in /etc/inetd.conf

What flags are you supplying when you start up inetd? The default is:

    inetd_flags="-wW"

which turns on the TCP wrappers for internal (W) and external (w)
services via inetd.  If you've modified the inetd_flags setting in
/etc/rc.conf, you should make sure you include those two letters.  If
you're still flummoxed, try running inetd with the '-d' (debug) flag
and test making some connections.

	Cheers,

	Matthew
	
-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
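The behaviour described in the reply above (a wrapped daemon accepts the TCP connection and only then closes it, so a scanner sees the port as open but no banner is ever sent, and a refusal is logged) can be reproduced on loopback without inetd or tcpd. The following is an added example, not code from the original post or from the tcp_wrappers project: it implements a deliberately simplified reader for "daemon : client : allow|deny" rules (first match wins, no match means access is granted, as with tcp_wrappers), an access_allowed() check that plays the role tcpdmatch plays, and a probe() that starts a fake wrapped ftpd on 127.0.0.1 and reports what a client sees. The rule sets, the banner text and the log line format are constructed for the demo.

```python
import socket
import threading

# Constructed rule sets for the demo (not the poster's actual files).
DENY_ALL = "ALL : ALL : deny\n"
ALLOW_LOOPBACK = "ftpd : 127.0.0.1 : allow\nALL : ALL : deny\n"
BANNER = b"220 demo FTP server ready\r\n"   # hypothetical banner


def parse_rules(text):
    """Parse 'daemons : clients [: allow|deny]' lines (simplified hosts.allow grammar)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("bad rule: %r" % raw)
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        action = fields[2].lower() if len(fields) > 2 else "allow"
        rules.append((daemons, clients, action))
    return rules


def client_matches(pattern, addr):
    """ALL, a dotted prefix such as '192.168.', or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern == addr


def access_allowed(rules, daemon, addr):
    """First matching rule wins; no match grants access (the tcp_wrappers default)."""
    for daemons, clients, action in rules:
        if ("ALL" in daemons or daemon in daemons) and any(
            client_matches(p, addr) for p in clients
        ):
            return action == "allow"
    return True


def _wrapped_daemon(rules, daemon, srv, log):
    # The kernel has completed the TCP handshake before accept() returns, which is
    # why a port scanner reports the port as open whatever hosts.allow says.
    conn, peer = srv.accept()
    try:
        if access_allowed(rules, daemon, peer[0]):
            conn.sendall(BANNER)            # real service would run here
        else:
            # Constructed log line standing in for the syslog entry tcpd writes.
            log.append("%s[demo]: refused connect from %s" % (daemon, peer[0]))
    finally:
        conn.close()                        # denied client sees an immediate close


def probe(rules_text, daemon="ftpd"):
    """Start a wrapped service on loopback, connect to it, return what the client saw."""
    rules = parse_rules(rules_text)
    log = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    t = threading.Thread(target=_wrapped_daemon, args=(rules, daemon, srv, log))
    t.start()
    cli = socket.create_connection(("127.0.0.1", port), timeout=5)  # succeeds either way
    chunks = []
    try:
        while True:
            data = cli.recv(1024)
            if not data:                    # EOF: the daemon closed on us
                break
            chunks.append(data)
    finally:
        cli.close()
    t.join()
    srv.close()
    return {"connected": True, "banner": b"".join(chunks), "log": log}


if __name__ == "__main__":
    for name, rules in (("deny-all", DENY_ALL), ("allow-loopback", ALLOW_LOOPBACK)):
        r = probe(rules)
        print(name, "connected:", r["connected"], "banner:", r["banner"], "log:", r["log"])
```

With the "ALL : ALL : deny" rule the connect() still succeeds and the client simply reads EOF, which is exactly what telnetting to port 21 on a correctly wrapped host looks like; only a packet filter such as ipfw(8) or ipf(8) can make the port appear closed. access_allowed() can also be called directly with a daemon name and client address to check a rule set the way tcpdmatch does.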