PICList Thread
'[OT:] Linux Host Deny Help'
2004\02\12@113125 by Josh Koffman

Ok, I'm desperate. I've tried everything I know how to try, and it's not
working. And I can't figure out why.

I am running Debian with a 2.2.19 kernel. I know 2.6 is out, but I don't
want to upgrade right now. There is going to be a major overhaul coming
in a month or so, and I don't want to waste time upgrading this machine
right now.

Here is what I am trying to do. I am attempting to block access to my
linux box from all addresses starting with 141.117.*.* except the few
within that range that I specify. So, my first thought was hosts.allow
and hosts.deny. I added the address above (with netmask) to hosts.deny,
(ALL:141.117.0.0/255.255.0.0), and the address I want to be able to
access the box (ALL:141.117.*.*) to hosts.allow. Then I started testing.
The address I want to work worked fine. However, I am having issues with
the blocked addresses. They won't connect to some services (ie the POP
server) which is perfect, but they still connect to others, such as
SMTP. I've even tried explicitly denying the IP of the machine I'm
testing with, and I can still send mail through SMTP perfectly. I tried
adding (ALL smtp: 141.117.0.0/255.255.0.0) or (ALL exim:
141.117.0.0/255.255.0.0) but neither seems to work.

I just don't understand how I can explicitly deny access, and it works
for some things but SMTP works great.

HELP!

Thank you

Josh
--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
       -Douglas Adams

--
http://www.piclist.com hint: The list server can filter out subtopics
(like ads or off topics) for you. See http://www.piclist.com/#topics

2004\02\12@120809 by Byron A Jeff

On Thu, Feb 12, 2004 at 11:33:10AM -0500, Josh Koffman wrote:

Way off topic.

> Ok, I'm desperate. I've tried everything I know how to try, and it's not
> working. And I can't figure out why.

I can help.

>
> I am running Debian with a 2.2.19 kernel. I know 2.6 is out, but I don't
> want to upgrade right now. There is going to be a major overhaul coming
> in a month or so, and I don't want to waste time upgrading this machine
> right now.

OK.

>
> Here is what I am trying to do. I am attempting to block access to my
> linux box from all addresses starting with 141.117.*.* except the few
> within that range that I specify.

Typical.

> So, my first thought was hosts.allow
> and hosts.deny. I added the address above (with netmask) to hosts.deny,
> (ALL:141.117.0.0/255.255.0.0), and the address I want to be able to
> access the box (ALL:141.117.*.*) to hosts.allow.

OK. Here's the question you need to ask yourself before we move on: How
are hosts.allow and hosts.deny utilized? Answer coming up.


> Then I started testing.
> The address I want to work worked fine. However, I am having issues with
> the blocked addresses. They won't connect to some services (ie the POP
> server) which is perfect, but they still connect to others, such as
> SMTP. I've even tried explicitly denying the IP of the machine I'm
> testing with, and I can still send mail through SMTP perfectly. I tried
> adding (ALL smtp: 141.117.0.0/255.255.0.0) or ALL exim:
> 141.117.0.0/255.255.0.0) but neither seem to work.

Right. And the reason is the answer to my question above: hosts.allow and
hosts.deny are used by the tcpd program. tcpd is invoked by inetd and is
configured via the /etc/inetd.conf file. For example on one of my machines
here is the POP3 entry in /etc/inetd.conf:

pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/popa3d

Note that tcpd is invoked, which checks the hosts.allow/hosts.deny and either
allows access by invoking popa3d or denies it.

But it only works if tcpd is invoked.

So now here's the second question: What happens when you have a service that
doesn't use inetd, and therefore doesn't invoke tcpd?

Well, you've seen your answer from the behavior above. sendmail runs all the
time, owns port 25, and is not invoked by inetd. So the hosts.allow and
hosts.deny files are never checked.

>
> I just don't understand how I can explicitly deny access, and it works
> for some things but SMTP works great.

See above. Now how to solve the problem. You need another tool that operates
at the kernel level: packet filtering. And the tools for doing this have
evolved over the years. 2.2 kernels used IPChains, 2.4 kernels use IPTables,
and I'm not sure how in the heck 2.6 kernels do it yet.

Take a read of this HOWTO, then take another crack at it:

http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html

>
> HELP!
Hope this helps,

>
> Thank you

You are welcome.

BAJ

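The tcpd/inetd relationship Byron describes, as an added example that is not part of the original thread and not code from tcp_wrappers itself: a small Python model of how tcpd consults hosts.allow first and hosts.deny second, plus a parse of an inetd.conf to show that the verdict only ever applies to services inetd hands to /usr/sbin/tcpd. The sample files, the admitted host 141.117.5.10 and the finger entry are constructed for the illustration; the client-pattern subset and the EXCEPT operator follow hosts_access(5).

```python
"""Model of how tcpd (tcp_wrappers) consults hosts.allow and hosts.deny.

Added illustration, not code from the PICList thread or from tcp_wrappers.
The sample files below are constructed to mirror the thread: deny all of
141.117.0.0/16 except one host, and show that the decision is only reached
for services that inetd starts through /usr/sbin/tcpd.
"""
import ipaddress

# Constructed sample files; the admitted host 141.117.5.10 is an assumption.
HOSTS_ALLOW = """
# hosts.allow: the first matching line grants access
ALL: 141.117.5.10
"""

HOSTS_DENY = """
# hosts.deny: consulted only if nothing in hosts.allow matched
ALL: 141.117.0.0/255.255.0.0
"""

INETD_CONF = """
# constructed /etc/inetd.conf: pop3 is wrapped by tcpd, finger is not,
# and smtp has no entry at all because the MTA runs as a standalone daemon
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/popa3d
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
"""


def parse_access_file(text):
    """Return [(daemon_patterns, client_patterns)] from a hosts.allow/deny file."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules


def client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns: ALL, a.b.c.d, net/mask, 'a.b.'"""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 141.117.0.0/255.255.0.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # leading-octets prefix, e.g. 141.117.
        return ip.startswith(pattern)
    return ip == pattern


def entry_matches(rule, daemon, ip):
    """True if the entry's daemon list and client list both match."""
    daemons, clients = rule
    if not (daemon in daemons or "ALL" in daemons):
        return False
    if "EXCEPT" in clients:  # "list1 EXCEPT list2": members of list1 not in list2
        idx = clients.index("EXCEPT")
        wanted, excluded = clients[:idx], clients[idx + 1:]
        return (any(client_matches(p, ip) for p in wanted)
                and not any(client_matches(p, ip) for p in excluded))
    return any(client_matches(p, ip) for p in clients)


def tcpd_decision(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Granted if hosts.allow matches, denied if hosts.deny matches, else granted."""
    if any(entry_matches(r, daemon, ip) for r in parse_access_file(allow_text)):
        return "allow"
    if any(entry_matches(r, daemon, ip) for r in parse_access_file(deny_text)):
        return "deny"
    return "allow"


def wrapped_services(inetd_text):
    """Map service name -> daemon name tcpd will check, or None if not wrapped."""
    result = {}
    for line in inetd_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        server, args = fields[5], fields[6:]
        # tcpd looks up hosts.allow/deny under the basename of the daemon it execs
        result[fields[0]] = args[0].rsplit("/", 1)[-1] if server.endswith("/tcpd") else None
    return result


def effective_decision(service, ip, inetd_text=INETD_CONF):
    """What the client actually experiences: tcpd's verdict only covers wrapped services."""
    daemon = wrapped_services(inetd_text).get(service)
    if daemon is None:
        return "allow (never passed through tcpd)"
    return tcpd_decision(daemon, ip)


if __name__ == "__main__":
    for svc in ("pop3", "finger", "smtp"):
        for ip in ("141.117.5.10", "141.117.9.9", "10.0.0.3"):
            print(f"{svc:6} from {ip:14} -> {effective_decision(svc, ip)}")
```

Running it prints the gap Josh hit: pop3 from 141.117.9.9 is denied, while finger and smtp from the same address are accepted because their connections never pass through tcpd, so the files are never read for them.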

2004\02\12@123341 by Sergio Masci

Byron A Jeff wrote:

> On Thu, Feb 12, 2004 at 11:33:10AM -0500, Josh Koffman wrote:
> >
> > I just don't understand how I can explicitly deny access, and it works
> > for some things but SMTP works great.

Everything Byron said plus:
sendmail uses a file called "access.db". This is created from a text file called
"access" which you edit to ACCEPT or REJECT specific addresses and domains.

Regards
Sergio Masci

http://www.xcprod.com/titan/XCSB - optimising structured PIC BASIC compiler


2004\02\12@132152 by Josh Koffman

AHA! I had a feeling something like this was happening...I just didn't
know that hosts.allow and hosts.deny were only used by inetd. So, I took
your advice and looked into ipchains. Sure enough, it'll do what I need,
and true to form with my luck, it's not compiled into my kernel.

I'm now looking into finding a precompiled kernel with it in (2.2.x),
and while there are a bunch on the debian site, I can't figure out
whether they have ipchains compiled in. I'm really trying to avoid having
to recompile my kernel; it will take a long time on this machine, and I
don't have another machine handy that can do it. Plus I haven't
recompiled a kernel for years and I don't want to risk screwing up this
machine. As always, this needs to be fixed asap.

So, does anyone know of a precompiled 2.2 kernel with ipchains in for
Debian? I think the kernel-image-2.2.20 (no suffix) might have it, but
I'm not sure. Alternatively, is there a way to get inetd to call exim
(my SMTP daemon)? That way I could handle everything using hosts.allow
and hosts.deny in the short term, and recompile my kernel and use
ipchains in a little while without worrying.

Thanks,

Josh
--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
       -Douglas Adams



2004\02\12@165146 by Byron A Jeff

On Thu, Feb 12, 2004 at 01:24:26PM -0500, Josh Koffman wrote:
> AHA! I had a feeling something like this was happening...I just didn't
> know that hosts.allow and hosts.deny were only used by inetd. So, I took
> your advice and looked into ipchains. Sure enough, it'll do what I need,
> and true to form with my luck, it's not compiled into my kernel.

It doesn't have to be IIRC. You can use a module. I don't think I have any
2.2 kernel machines available anymore, so I can't be certain though.

>
> I'm now looking into finding a precompiled kernel with it in (2.2.x),
> and while there are a bunch on the debian site, I can't figure out
> whether they have ipchains compiled in.

You may have a tough time finding a site with the right kernel.

> I'm really trying to avoid having
> to recompile my kernel, it will take a long time on this machine, and I
> don't have another machine handy that can do it. Plus I haven't
> recompiled a kernel for years and I don't want to risk screwing up this
> machine. As always, this needs to be fixed asap.

Check your modules directory /lib/modules/2.2.20/net/ipv4. The modules you
need may be there.

>
> So, does anyone know of a precompiled 2.2 kernel with ipchains in for
> Debian? I think the kernel-image-2.2.20 (no suffix) might have it, but
> I'm not sure. Alternatively, is there a way to get inetd to call exim
> (my SMTP daemon)? That way I could handle everything using hosts.allow
> and hosts.deny in the short term, and recompile my kernel and use
> ipchains in a little while without worrying.

Google, yung grasshoppa, Google. Pop "exim inetd tcpd" into Google Groups and
you get immediate benefits.

BAJ


2004\02\13@033541 by Hulatt, Jon

Compiling a new kernel isn't hard and IMHO it's a much better idea than
using someone else's precompiled kernel. It's not even risky, provided you
make your bootloader (probably lilo) still default to your old (known good)
kernel. It should take you 15 mins to configure it (use "make menuconfig" -
you'll need ncurses installed). make bzImage, make modules, make
modules_install, then copy the ./arch/i386/boot/bzImage to your boot slice,
and you're done.

2004\02\14@100124 by Josh Koffman
Ok, just an update. First of all, thank you all for your advice. As this
is just a temporary thing, I have solved it for now by getting exim to
be called by inetd. Works fine, and now listens to hosts.deny. Another
cool (IMO) solution suggested to me offlist was to set up a route table
on my machine that rerouted packets to the address I wished to block to
127.0.0.1. The outside machines could try to connect to my machine, but
since all the packets returning from my machine would never reach them,
they'd think my machine was gone.

Anyway, thanks all!

Josh
--
A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.
       -Douglas Adams

--
http://www.piclist.com#nomail Going offline? Don't AutoReply us!
email listserv@mitvma.mit.edu with SET PICList DIGEST in the body
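Josh settled on the inetd workaround for the short term; the kernel-level route Byron pointed to (ipchains on a 2.2 kernel) would cover every listening socket at once, standalone SMTP daemon included. As an added example that is not from the thread or from ipchains itself, here is a first-match simulation of an `input` chain: constructed rules that admit two 141.117.x.x hosts and deny the rest of the /16, plus a check for rules that an earlier, broader rule shadows. Only `-P`, `-A input`, `-s`, `-p` and `-j` are modelled, and the two admitted hosts are assumptions.

```python
"""First-match simulation of an ipchains 'input' chain (2.2 kernels).

Added illustration, not code from the PICList thread or from ipchains.
Only -P (policy), -A input, -s, -p and -j are modelled; port matching and
'!' negation are left out.  The rules are constructed to mirror the thread:
admit a couple of 141.117.x.x hosts, deny the rest of the /16, and let the
chain policy accept everyone else.  Unlike tcpd, a packet filter applies to
every socket on the host, so a standalone SMTP daemon is covered too.
"""
import ipaddress
import shlex

# Constructed rule set; the two admitted hosts are assumptions.
RULES = """
ipchains -P input ACCEPT
ipchains -A input -s 141.117.5.10 -j ACCEPT
ipchains -A input -s 141.117.5.11 -j ACCEPT
ipchains -A input -s 141.117.0.0/16 -j DENY
"""

# Same intent, wrong order: the /16 DENY is reached before the host exception.
RULES_MISORDERED = """
ipchains -P input ACCEPT
ipchains -A input -s 141.117.0.0/16 -j DENY
ipchains -A input -s 141.117.5.10 -j ACCEPT
"""


def parse_rules(text):
    """Return (policy, [rule]) where each rule has a source network, protocol and target."""
    policy = "ACCEPT"
    chain = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        argv = shlex.split(line)
        if argv[1] == "-P":                    # ipchains -P input <target>
            policy = argv[3]
            continue
        rule = {"src": ipaddress.ip_network("0.0.0.0/0"), "proto": None, "target": None}
        opts = iter(argv[3:])                  # everything after "ipchains -A input"
        for flag in opts:
            value = next(opts)
            if flag == "-s":                   # bare address means a /32
                rule["src"] = ipaddress.ip_network(value, strict=False)
            elif flag == "-p":
                rule["proto"] = value
            elif flag == "-j":
                rule["target"] = value
        chain.append(rule)
    return policy, chain


def verdict(text, src, proto="tcp"):
    """(target, rule number) for a packet; rule number 0 means the chain policy applied."""
    policy, chain = parse_rules(text)
    addr = ipaddress.ip_address(src)
    for number, rule in enumerate(chain, 1):
        if addr not in rule["src"]:
            continue
        if rule["proto"] not in (None, proto):
            continue
        return rule["target"], number          # first match wins; later rules are never seen
    return policy, 0


def shadowed(text):
    """1-based numbers of rules that can never match because an earlier rule covers them."""
    _, chain = parse_rules(text)
    dead = []
    for index, rule in enumerate(chain):
        for earlier in chain[:index]:
            if rule["src"].subnet_of(earlier["src"]) and earlier["proto"] in (None, rule["proto"]):
                dead.append(index + 1)
                break
    return dead


if __name__ == "__main__":
    for name, rules in (("ordered", RULES), ("misordered", RULES_MISORDERED)):
        print(name, "shadowed rules:", shadowed(rules))
        for ip in ("141.117.5.10", "141.117.9.9", "10.0.0.3"):
            print(f"  {ip:14} -> {verdict(rules, ip)}")
```

The shadow check is the part worth keeping around: with the exceptions listed after the subnet deny, the admitted host is dropped by rule 1 and its ACCEPT rule is dead, which is exactly the mistake a quick `ipchains -L` listing does not make obvious.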