[Tfug] hosts.allow
Jim Secan
jim at nwra.com
Mon Jul 7 14:35:32 MST 2008
Thanks. I misread the part about PARANOID being part of the built-in check
(assuming the default compilation). I read the description to mean that
the PARANOID wildcard only works if -DPARANOID was used in the compliation,
but that you still needed to invoke it in your hosts file.
Jim
At 02:26 PM 07/07/2008 -0700, you wrote:
>According to the hosts_access man page, tcpwrappers are built with
>PARANOID compiled in by default. This means a mismatched host/IP is
>dropped before it even runs through the access checks. So PARANOID
>only works if you compiled tcpwrappers explicitly excluding the
>-DPARANOID option.
>
>PARANOID does a DNS lookup for the client IP address to get a hostname.
>It then looks up the hostname it got from DNS. The IP returned for the
>hostname must match the original client IP.
>
>To block hosts that match the PARANOID wildcard, put ALL:PARANOID in
>your /etc/hosts.deny instead of hosts.allow. The main catch is that
>allows are matched before denies. So you might need to append EXCEPT
>PARANOID to get things that would normally match an allow to fall into
>deny processing depending on how you set your hosts.allow clause.
>
>
>The man page does a pretty good job at explaining how matches are done:
>
>"ACCESS CONTROL FILES
>The access control software consults two files. The search stops at the
>first match:
>
> · Access will be granted when a (daemon,client) pair matches an entry
>in the /etc/hosts.allow file.
>
> · Otherwise, access will be denied when a (daemon,client) pair matches
>an entry in the /etc/hosts.deny file.
>
> · Otherwise, access will be granted.
>
>A non-existing access control file is treated as if it were an empty
>file. Thus, access control can be turned off by providing no access
>control files."
>
>
>Brian
>
>Quoting Jim Secan <jim at nwra.com>:
>> How does PARANOID work in a hosts.allow file? I read the FM as PARANOID
>> matches whenever a reverse look-up on an incoming request shows a mismatch
>> between the avowed hostname and the one returned from the look-up. If this
>> is correct, then if you want to drop anything that has this mismatch you
>> would put
>>
>> ALL : PARANOID : deny
>>
>> in your hosts.allow file. Guidance I had from elsewhere was that you
>> use just
>>
>> ALL : PARANOID
>>
>> which seems to me that this would allow any visitor who didn't match
>> his/her reverse look-up. Which is correct usage for the hosts.allow file?
>>
>> TIA
>> Jim
>> *---------------------*-------------------------------*
>> | Jim Secan | Northwest Research Assoc, Inc |
>> | (jim at nwra.com) | 2455 E. Speedway, Suite 204 |
>> | (520) 319-7773 | Tucson, Arizona 85719 |
>> *---------------------*-------------------------------*
>>
>> _______________________________________________
>> Tucson Free Unix Group - tfug at tfug.org
>> Subscription Options:
>> http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>
>
>
>
>The opinions or statements expressed herein are my own and should not be
>taken as a position, opinion, or endorsement of the University of
>Arizona.
>
>
>
>_______________________________________________
>Tucson Free Unix Group - tfug at tfug.org
>Subscription Options:
>http://www.tfug.org/mailman/listinfo/tfug_tfug.org
>
*---------------------*-------------------------------*
| Jim Secan | Northwest Research Assoc, Inc |
| (jim at nwra.com) | 2455 E. Speedway, Suite 204 |
| (520) 319-7773 | Tucson, Arizona 85719 |
*---------------------*-------------------------------*
More information about the tfug
mailing list