powie (n00b)
Joined: 14 May 2004 Posts: 6 Location: Denver, CO
Posted: Mon Jun 21, 2004 10:20 pm Post subject: hosts.deny broken???
Okay, please bear with me: even though I've used Linux for many years now, I never had to build one from scratch like I have with Gentoo (which is what I wanted). So by running Red Hat for many years, it simply just worked for me, but I really didn't learn much... Anyway, on with the show...
I am trying to block access to a VNC server via xinetd using the hosts.deny file. Here's what I have in there:
Code: /etc/hosts.deny
vnc-800x600x8 : ALL

Code: /etc/services
vnc-800x600x8 5951/tcp
I know the xinetd daemon is spawning VNC fine because it keeps letting me connect. To allow some protection I forced IP blocking by adding "only_from = x.x.x.x" to the /etc/xinetd.d/xvncserver file:
Code:
service vnc-800x600x8
{
    protocol    = tcp
    socket_type = stream
    wait        = no
    user        = nobody
    only_from   = x.x.x.x
    server      = /usr/bin/Xvnc
    server_args = -inetd -query localhost -once -geometry 800x600 -depth 8
}
Of course, x.x.x.x = the IP I want allowed. I added it there and it works perfectly. No hosts but that IP can connect.
As far as I've read so far, portmap and xinetd must be running, which of course they are. What am I missing? I'm also running a 2.6.6 kernel; is there a kernel option I forgot to compile in? Must there be a hosts.allow file too? (I haven't created one yet; I was first just trying to get xinetd to block everything before I worked on who it allowed.)
Thanks for your time!
switchblade1983 (n00b)
Joined: 21 Jun 2004 Posts: 12
Posted: Mon Jun 21, 2004 11:48 pm
You got anything allowing it in hosts.allow?
Not entirely sure which way hosts.deny and hosts.allow get checked...
powie (n00b)
Joined: 14 May 2004 Posts: 6 Location: Denver, CO
Posted: Tue Jun 22, 2004 12:06 am
switchblade1983 wrote:
    You got anything allowing it in hosts.allow?
    Not entirely sure which way hosts.deny and hosts.allow get checked...

Well, according to "man hosts.allow": 1st is allow, 2nd deny, 3rd (neither file, lol) allows all...
I was assuming that if the hosts.allow file didn't exist, it would still be okay. I'm taking a break from that problem, as I have a workaround.
switchblade1983 (n00b)
Joined: 21 Jun 2004 Posts: 12
Posted: Tue Jun 22, 2004 12:56 am
What is your workaround?
powie (n00b)
Joined: 14 May 2004 Posts: 6 Location: Denver, CO
Posted: Tue Jun 22, 2004 1:05 am
switchblade1983 wrote:
    What is your workaround?

I added "only_from = x.x.x.x" to the actual /etc/xinetd.d/xvncserver file, putting in my IP, of course.
Code:
service vnc-800x600x8
{
    protocol    = tcp
    socket_type = stream
    wait        = no
    user        = nobody
    only_from   = x.x.x.x
    server      = /usr/bin/Xvnc
    server_args = -inetd -query localhost -once -geometry 800x600 -depth 8
}
banzoo (n00b)
Joined: 21 Apr 2004 Posts: 20
Posted: Mon Jul 12, 2004 2:26 pm
I have the same problem: /etc/hosts.allow doesn't work. There is a line portmap : ALL which should deny connections from everywhere, but it doesn't work. Also I have hosts.allow with the line
portmap : x.x.x.x (x.x.x.x = one IP)
But when I do telnet ip.where.portmap.works 111 it connects.
tntgentoo (n00b)
Joined: 01 Apr 2004 Posts: 31
Posted: Thu Jul 29, 2004 1:10 pm Post subject: Same here...
I just installed 2004.2 for AMD64 and I think the tcpwrapper functionality is broken.
The hosts.allow file does not allow access; the hosts.deny with "ALL: ALL" is killing all my connections.
So, it seems that any attempt to use the standard TCP wrappers security functions is broken.
This is a major issue for our organization, especially since we are trying to move from Red Hat to Gentoo.
We can work around this with iptables. What's the preferred method for securing a Gentoo box?
The thread talked a lot about going around to each daemon and setting security for each one, but this is impractical, and in sshd it seems to be a very clunky approach when compared to the TCP wrappers approach. Secondly, daemon-level security is not very secure, in fact, because malicious people can still interact with the daemon. With TCP wrappers or with iptables, only the authorized users can get to the daemon to even attempt login.
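Added example (not code from any post in this thread): a small Python simulator of the hosts_access(5) evaluation rules that powie quotes (hosts.allow is searched first, then hosts.deny, and a pair that matches neither is allowed), run against constructed copies of the files from powie's, banzoo's and tntgentoo's posts. It assumes an xinetd built with tcp_wrappers support, which looks a connection up under the basename of the service's `server` attribute (here `Xvnc`) unless the service sets the `libwrap` attribute, as xinetd.conf(5) documents; that is the detail the simulator exercises for powie's `vnc-800x600x8 : ALL` line. The documentation addresses 192.0.2.x, 198.51.100.x and 203.0.113.x stand in for the thread's x.x.x.x, and the sshd/portmap hosts.allow lines are invented for the tntgentoo and banzoo cases. Only IPv4 address patterns are matched; hostname, LOCAL, KNOWN and PARANOID patterns would need DNS and are not modelled.

```python
"""Simulate the tcp_wrappers hosts_access(5) decision for one daemon/client pair.

Order modelled from hosts_access(5): (1) allow if a (daemon, client) pair matches
/etc/hosts.allow; (2) otherwise deny if a pair matches /etc/hosts.deny;
(3) otherwise allow.  A missing file is the same as an empty one.
The daemon name compared is the server process name (argv[0] basename), so an
xinetd service id such as "vnc-800x600x8" never matches: a libwrap-enabled
xinetd uses the basename of its 'server' attribute unless 'libwrap' is set.
IPv4 only; hostname, LOCAL, KNOWN and PARANOID client patterns are not resolved.
"""
import ipaddress
import os


def parse_access_file(text):
    """Return [(daemon_patterns, client_patterns), ...] from hosts.allow/deny text.
    Comments and blank lines are skipped, a trailing backslash joins lines, and an
    optional third ': shell_command' field is ignored."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = (pending + line).strip()
        pending = ""
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def _match_list(patterns, matches):
    """'a b EXCEPT c d' matches when the left list matches and the right list does
    not; EXCEPT nests to the right as in hosts_access(5)."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return _match_list(patterns[:i], matches) and not _match_list(patterns[i + 1:], matches)
    return any(matches(p) for p in patterns)


def client_matches(pattern, client_ip):
    """Client patterns: ALL, exact address, 'n.n.n.' leading-octet prefix,
    'net/m.m.m.m' netmask form and (an extension here) 'net/prefixlen'."""
    ip = ipaddress.IPv4Address(client_ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.IPv4Network((net, mask), strict=False)
    if pattern.endswith("."):
        return str(ip).startswith(pattern)
    try:
        return ip == ipaddress.IPv4Address(pattern)
    except ipaddress.AddressValueError:
        return False  # hostname or domain pattern: would need reverse DNS


def hosts_access(daemon, client_ip, allow_text="", deny_text=""):
    """Return ('allow'|'deny', reason); each file stops at its first matching rule."""
    def first_match(rules):
        for daemons, clients in rules:
            if (_match_list(daemons, lambda p: p in ("ALL", daemon))
                    and _match_list(clients, lambda p: client_matches(p, client_ip))):
                return "%s : %s" % (" ".join(daemons), " ".join(clients))
        return None
    hit = first_match(parse_access_file(allow_text))
    if hit:
        return "allow", "hosts.allow matched '%s'" % hit
    hit = first_match(parse_access_file(deny_text))
    if hit:
        return "deny", "hosts.deny matched '%s'" % hit
    return "allow", "no match in either file: default is to allow"


def xinetd_wrapper_name(service):
    """Name a libwrap-enabled xinetd looks up: the 'libwrap' attribute if set,
    otherwise the basename of 'server' (xinetd.conf(5))."""
    return service.get("libwrap") or os.path.basename(service["server"])


# Constructed inputs mirroring the thread; RFC 5737 addresses stand in for x.x.x.x.
VNC_SERVICE = {"server": "/usr/bin/Xvnc", "only_from": "192.0.2.10"}  # no 'libwrap' attribute


def powie_case(client="198.51.100.7"):
    """hosts.deny keyed by the xinetd service id versus by the daemon's name."""
    daemon = xinetd_wrapper_name(VNC_SERVICE)
    as_posted = hosts_access(daemon, client, deny_text="vnc-800x600x8 : ALL\n")
    keyed_by_daemon = hosts_access(daemon, client, deny_text="Xvnc : ALL\n")
    return daemon, as_posted[0], keyed_by_daemon[0]


def default_deny_case(daemon, client, with_allow=True):
    """tntgentoo's 'ALL : ALL' hosts.deny, with and without an invented hosts.allow."""
    allow = ("sshd : 192.168.1. 203.0.113.0/255.255.255.0 EXCEPT 203.0.113.99\n"
             "portmap : 192.168.1.20\n") if with_allow else ""
    return hosts_access(daemon, client, allow, "ALL : ALL\n")[0]


if __name__ == "__main__":
    print("xinetd looks up %r: deny by service id -> %s, deny by daemon name -> %s" % powie_case())
    for args in (("sshd", "192.168.1.5"), ("sshd", "203.0.113.99"), ("sshd", "10.0.0.1"),
                 ("portmap", "192.168.1.20"), ("sshd", "192.168.1.5", False)):
        print(args, "->", default_deny_case(*args))
```

Run it directly to print the decisions. Against real files, the tcp_wrappers package's own `tcpdmatch daemon client` gives the authoritative answer and `tcpdchk` reports syntax problems; the simulation only shows what the files mean. A daemon that is neither linked against libwrap (`ldd` on the binary shows no libwrap.so) nor started through tcpd never reads either file, whatever they say, and that, not the rule syntax, is the first thing to check when hosts.deny appears to be ignored; on Gentoo, xinetd's tcp_wrappers support comes from its tcpd USE flag.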