interesting tidbit about denyhosts and tcp-wrappers

Paul Vixie paul at
Tue Mar 31 04:40:26 UTC 2015

see here. there is a mismatch between what denyhosts thinks is the
format of /etc/hosts.deniedssh, and the actual format used by
tcp-wrappers. every token (word) on every line of this file is a host
address or host name, according to tcp-wrappers. whereas denyhosts
believes that it is in the same format as /etc/hosts.allow. so, if the
file contains lines like these:

> # DenyHosts: Thu Jan 29 02:26:08 2015 | ALL: : deny
> ALL: : deny

then what tcp-wrappers will actually match as a host name is any of the
following tokens:

> [#]
> [DenyHosts:]
> [Thu]
> [Jan]
> [29]
> [02:26:08]
> [2015]
> [|]
> [ALL:]
> []
> [:]
> [deny]
> [ALL:]
> []
> [:]
> [deny]

in these days of fully qualified host names and IP addresses, this is
probably not a security problem, but it is certainly a performance
problem. what this file should contain is just host names and ip
addresses -- no comments, and certainly not "rules".

       o      A string that begins with a `/' character is treated as a file
              name. A host name or address is matched if it matches any host
              name or address pattern listed in the named file. The file format
              is zero or more lines with zero or more host name or address
              patterns separated by whitespace. A file name pattern can be
              used anywhere a host name or address pattern can be used.

--- /usr/src/contrib/tcp_wrappers/hosts_access.c::

/* hostfile_match - look up host patterns from file */

static int hostfile_match(path, host)
char   *path;
struct hosts_info *host;
{
    char    tok[BUFSIZ];
    int     match = NO;
    FILE   *fp;

    if ((fp = fopen(path, "r")) != 0) {
        /* every whitespace-separated word is tried as a host pattern */
        while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
             /* void */ ;
        fclose(fp);
    } else if (errno != ENOENT) {
        tcpd_warn("open %s: %m", path);
    }
    return (match);
}

Paul Vixie
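As an added example (not code from the post or from tcp_wrappers), the following C checker reads a constructed hosts.deniedssh image with the same fscanf("%s") loop that hostfile_match() uses above, and counts the tokens that could never name a client host. The host-likeness test is a heuristic assumed here, and both sample files are constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Heuristic assumed here, not part of tcp-wrappers: a token can only ever
 * match a client if it looks like a host name or IPv4 address (letters,
 * digits, '.', '-') or an IPv6 address (hex digits and ':'). */
static int looks_like_host(const char *tok)
{
    int hostish = 1, hexish = 1, hexdigits = 0;
    if (*tok == '\0') return 0;
    for (; *tok; tok++) {
        unsigned char c = (unsigned char)*tok;
        if (isxdigit(c)) hexdigits++;
        else if (c != ':') hexish = 0;
        if (!isalnum(c) && c != '.' && c != '-') hostish = 0;
    }
    return hostish || (hexish && hexdigits > 0);
}

/* Read an in-memory file image (fmemopen, POSIX) with the same fscanf("%s")
 * loop hostfile_match() uses (bounded here, unlike the original), so every
 * whitespace-separated word, comment text and "ALL: : deny" rule included,
 * becomes a host pattern. Returns the number of tokens that are not
 * host-like; if ntok is non-NULL it receives the total token count. */
static int count_junk_tokens(const char *contents, int *ntok)
{
    char tok[256];
    int n = 0, junk = 0;
    FILE *fp = fmemopen((void *)contents, strlen(contents), "r");
    if (fp == NULL) return -1;
    while (fscanf(fp, "%255s", tok) == 1) {
        n++;
        junk += !looks_like_host(tok);
    }
    fclose(fp);
    if (ntok) *ntok = n;
    return junk;
}

/* Total number of tokens tcp-wrappers would see in the file image. */
static int count_tokens(const char *contents)
{
    int n = 0;
    count_junk_tokens(contents, &n);
    return n;
}

/* Constructed samples: the two lines quoted in the post, and a file in the
 * plain whitespace-separated host list format tcp-wrappers expects. */
static const char denyhosts_style[] =
    "# DenyHosts: Thu Jan 29 02:26:08 2015 | ALL: : deny\n"
    "ALL: : deny\n";
static const char wrapper_style[] = "192.0.2.10 badhost.example.net\n";
```

Note that tokens such as "deny", "Thu" or "2015" pass the heuristic, so tcp-wrappers would try them as host names on every connection; only the obviously malformed ones ("#", "ALL:", ":", "|") are counted as junk.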

More information about the freebsd-questions mailing list