
Re: [Sheflug] TCP wrappers




> exim initially bounced incoming mail (I hope none to this list) because of
> these lines in hosts.allow:
> (I tacked on the exim line on the end, rather than above)
> 
> # Set a default deny stance with back finger "booby trap" (Venema's term)
> # Allow finger to prevent deadly finger wars, whereby another booby trapped
> # box answers our finger with its own, spawning another from us, ad infinitum
> 
> in.fingerd: ALL : ALLOW
> 
> ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h | /bin/mail root) & : DENY
> 
> What exactly does this do? It seems to me like it may not be that
> sensible.
> 

It's using the extended syntax for hosts.allow (see hosts_options(5)), and 
very nice they are too, as you can do away with hosts.deny and add lots of 
fancy stuff (like connection banners).

hosts.allow is processed line-by-line and incoming connections are 
matched against each rule until one is found.

What happens above...the first rule: "in.fingerd: ALL: ALLOW" basically 
allows finger through from all hosts. If you don't want anyone to get a 
finger daemon in, make sure you either (a) firewall port 79, (b) remove 
fingerd from inetd.conf or (c) change the rule to read "in.fingerd: ALL: 
DENY". A combination of (a), (b) or (c) is also good. :)

The second rule, and one I use in all my hosts.allow - or a variation 
thereof, is a catch-all. If a connection comes in and doesn't match any 
other rule, it will reach this last one.

It's saying connections to ALL services from ALL hosts are DENY'd. But 
when a connection comes in, it runs a trap-door program, safe_finger, 
that attempts to get a user-list from the remote host and mail it to 
root. These days, it's not an effective method as most sites block 
finger, but in ye olde days you could get the user list and email it to 
the admin of the server saying "one of these users is trying to get into 
my box".

The reason for the separate finger rule above: consider what would happen 
if <x> connected and was denied access...your machine sends a finger 
back...if your finger is denied and they have a similar trap-door, 
they'll try and finger you back. If you didn't have the finger rule, the 
trap door would catch it, send a finger back, and so on. You can set DENY 
on the finger rule instead of ALLOW - that'll ensure no loop starts and 
it also prevents anyone fingering your box.

The rule I use is:

ALL:ALL:rfc931 10: banners /etc/access/denied: spawn (/etc/access/bin/deny_log %a %h %u %d &): DENY

This tries to do a user-lookup with rfc931 with a 10-second time-out. It 
also sends a banner back to the connecting host (if a banner for the 
service exists), and it spawns a script called 'deny_log', which is a 
little shell script I wrote to log inetd connection attempts.

Put any entries you want in hosts.allow /before/ the ALL: ALL: DENY rule 
else your rule will never be reached.

If you want an example of a working hosts.allow (ie, the one sitting on 
my box) let me know. It's got a few nice things: use of PARANOID, setting 
environment variables, rfc in every rule etc...

Chris...



-- 
Chris Johnson            \  "If not for me then, do it for yourself. If not
sixie@nccnet.co.uk        \  for then do it for the world." -- Stevie Nicks
www.nccnet.co.uk/~sixie/   ~---------------------------------------+
Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000   \______
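The following is an added example, not Chris's own hosts.allow or his deny_log script. It pulls the points of the post together in runnable form: a hosts.allow written in the hosts_options(5) extended syntax with the finger rule set to DENY (so the catch-all can never start a finger war), a small awk check that no rule has been put after the ALL : ALL catch-all (where it could never be reached), and a minimal deny_log in the spirit of the one described, taking the same %a %h %u %d arguments. The paths /etc/access/denied and /etc/access/bin/deny_log, the example networks and hostnames, and the sample connection values are assumptions made for the example; the config is written to a temporary file rather than /etc/hosts.allow.

```shell
#!/bin/sh
# Added example, not code from the original post. It shows (1) a hosts.allow
# in the hosts_options(5) extended syntax with the finger rule set to DENY,
# (2) a sanity check that nothing follows the ALL : ALL catch-all, and
# (3) a minimal deny_log in the spirit of the script mentioned in the post.
# The paths /etc/access/denied and /etc/access/bin/deny_log are assumptions.

write_hosts_allow() {          # $1 = output file
    cat > "$1" <<'EOF'
# First match wins, so specific rules go first and the catch-all goes last.
# finger: DENY so the catch-all never answers a trap-door finger with one of
# its own (the "finger war" loop); this also stops anyone fingering the box.
in.fingerd : ALL : DENY

# Permitted services, BEFORE the catch-all.
sshd : 192.168.1.0/255.255.255.0 : ALLOW
in.telnetd : LOCAL, .example.org EXCEPT bad.example.org : ALLOW

# Catch-all: ident (rfc931) lookup with a 10-second timeout, send
# /etc/access/denied/<daemon> as a banner if it exists, log, then deny.
ALL : ALL : rfc931 10 : banners /etc/access/denied : spawn (/etc/access/bin/deny_log %a %h %u %d &) : DENY
EOF
}

# Print every rule that sits after the first "ALL : ALL" line. Such rules
# are unreachable because the catch-all has already matched.
unreachable_rules() {          # $1 = hosts.allow to inspect
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            d = $1; c = $2
            sub(/^[ \t]*/, "", d); sub(/[ \t]*$/, "", d)
            sub(/^[ \t]*/, "", c); sub(/[ \t]*$/, "", c)
            if (seen) { print NR ": " $0; next }
            if (d == "ALL" && c == "ALL") seen = 1
        }' "$1"
}

# deny_log ADDR HOST USER DAEMON: one fixed-format line per refused
# connection. tcp_wrappers already replaces shell metacharacters in
# %-expansions with "_", but every argument is still quoted here.
deny_log() {
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s DENY daemon=%s addr=%s host=%s user=%s\n' \
        "$ts" "$4" "$1" "$2" "$3"
}

# Demonstration on a temporary file rather than /etc/hosts.allow.
tmp=$(mktemp)
write_hosts_allow "$tmp"
echo "--- unreachable rules in the good file (expect none):"
unreachable_rules "$tmp"
printf 'sshd : ALL : ALLOW\n' >> "$tmp"      # the mistake: a rule below the catch-all
echo "--- after appending a rule below the catch-all:"
unreachable_rules "$tmp"
deny_log 203.0.113.9 203.0.113.9 unknown in.telnetd   # constructed sample values
rm -f "$tmp"
```

In real use deny_log would append its line to a log file (or hand it to logger(1)) instead of printing it, and the script itself should be owned by root and not writable by anyone else, since tcp_wrappers runs it with the daemon's privileges.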


---------------------------------------------------------------------
Sheffield Linux User's Group - http://www.sheflug.co.uk
To unsubscribe from this list send mail to
- <sheflug-request [at] vuw.ac.nz> - with the word 
 "unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.