interesting tidbit about denyhosts and tcp-wrappers
Paul Vixie
paul at redbarn.org
Tue Mar 31 04:40:26 UTC 2015
see here. there is a mismatch between what denyhosts thinks is the
format of /etc/hosts.deniedssh, and the actual format used by
tcp-wrappers. every token (word) on every line of this file is a host
address or host name, according to tcp-wrappers. whereas denyhosts
believes that it is in the same format as /etc/hosts.allow. so, if the
file contains lines like these:
> # DenyHosts: Thu Jan 29 02:26:08 2015 | ALL: mail.gt.com.vn : deny
> ALL: mail.gt.com.vn : deny
then what tcp-wrappers will actually match as a host name is any of the
following tokens:
> [#]
> [DenyHosts:]
> [Thu]
> [Jan]
> [29]
> [02:26:08]
> [2015]
> [|]
> [ALL:]
> [mail.gt.com.vn]
> [:]
> [deny]
> [ALL:]
> [mail.gt.com.vn]
> [:]
> [deny]
in these days of fully qualified host names and IP addresses, this is
probably not a security problem, but it is certainly a performance
problem. what this file should contain is just host names and ip
addresses -- no comments, and certainly not "rules".
vixie
re:
--- HOSTS_ACCESS(5)::

     o A string that begins with a `/' character is treated as a file
       name. A host name or address is matched if it matches any host
       name or address pattern listed in the named file. The file for-
       mat is zero or more lines with zero or more host name or address
       patterns separated by whitespace. A file name pattern can be
       used anywhere a host name or address pattern can be used.
--- /usr/src/contrib/tcp_wrappers/hosts_access.c::

    /* hostfile_match - look up host patterns from file */

    static int hostfile_match(path, host)
    char   *path;
    struct hosts_info *host;
    {
        char    tok[BUFSIZ];
        int     match = NO;
        FILE   *fp;

        if ((fp = fopen(path, "r")) != 0) {
            /* fscanf("%s") reads whitespace-separated words: every word is tried as a host pattern */
            while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
                 /* void */ ;
            fclose(fp);
        } else if (errno != ENOENT) {
            tcpd_warn("open %s: %m", path);
        }
        return (match);
    }
--
Paul Vixie
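The following Python script is an added illustration of the mismatch described above; it is not part of the post, nor of the tcp_wrappers or DenyHosts sources. It reproduces the tokenisation that hostfile_match() performs (fscanf "%s", i.e. split on whitespace) on the two sample lines quoted in the post, pulls out the host names DenyHosts actually meant to block, counts the stray tokens tcp-wrappers will compare against every connecting client, and emits the file in the plain host-per-line format HOSTS_ACCESS(5) describes. The regular expression for the "ALL: host : deny" line is an assumption that covers only the two line forms shown in the post.

```python
"""Check a tcp-wrappers host-list file (e.g. /etc/hosts.deniedssh) for
tokens that are not host patterns.

Added illustration, not part of the post or of the tcp_wrappers /
DenyHosts sources.
"""
import re

# Constructed sample: the two lines quoted in the post.
SAMPLE = (
    "# DenyHosts: Thu Jan 29 02:26:08 2015 | ALL: mail.gt.com.vn : deny\n"
    "ALL: mail.gt.com.vn : deny\n"
)

# Assumed pattern for the lines DenyHosts writes in hosts.allow syntax,
# "ALL: <host> : deny", optionally preceded by "# DenyHosts: <time> | ".
RULE_RE = re.compile(r"ALL:\s*(\S+)\s*:\s*deny\s*$")


def tcpwrappers_tokens(text):
    """Tokens tcp-wrappers will try as host patterns.

    hostfile_match() reads the file with fscanf(fp, "%s", tok), which
    returns whitespace-separated words and knows nothing about comment
    markers or rule syntax, so every word in the file counts.
    """
    return text.split()


def intended_hosts(text):
    """Hosts DenyHosts meant to block: the host field of each rule line."""
    hosts = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m and m.group(1) not in hosts:
            hosts.append(m.group(1))
    return hosts


def stray_tokens(text):
    """Tokens compared against every client that are not intended hosts.

    These are pure overhead on each connection and, should one of them
    ever equal a real client name, an unintended match.
    """
    wanted = set(intended_hosts(text))
    return [t for t in tcpwrappers_tokens(text) if t not in wanted]


def rewrite_plain(text):
    """The file in HOSTS_ACCESS(5) form: host names and addresses only."""
    return "".join(host + "\n" for host in intended_hosts(text))


if __name__ == "__main__":
    for tok in tcpwrappers_tokens(SAMPLE):
        print("[%s]" % tok)
    print("stray tokens:", len(stray_tokens(SAMPLE)))
    print(rewrite_plain(SAMPLE), end="")
```

Run against a real file with `rewrite_plain(open("/etc/hosts.deniedssh").read())` to obtain the replacement contents; `stray_tokens()` on the same text shows how many needless comparisons each connection currently pays for.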