Post by thread:[OT:] Linux Host Deny Help

Ok, I'm desperate. I've tried everything I know how to try, and it's not working. And I can't figure out why. I am running Debian with a 2.2.19 kernel. I know 2.6 is out, but I don't want to upgrade right now. There is going to be a major overhaul coming in a month or so, and I don't want to waste time upgrading this machine right now. Here is what I am trying to do. I am attempting to block access to my linux box from all addresses starting with 141.117.*.* except the few within that range that I specify. So, my first thought was hosts.allow and hosts.deny. I added the address above (with netmask) to hosts.deny, (ALL:141.117.0.0/255.255.0.0), and the address I want to be able to access the box (ALL:141.117.*.*) to hosts.allow. Then I started testing. The address I want to work worked fine. However, I am having issues with the blocked addresses. They won't connect to some services (ie the POP server) which is perfect, but they still connect to others, such as SMTP. I've even tried explicitly denying the IP of the machine I'm testing with, and I can still send mail through SMTP perfectly. I tried adding (ALL smtp: 141.117.0.0/255.255.0.0) or ALL exim: 141.117.0.0/255.255.0.0) but neither seem to work. I just don't understand how I can explicitly deny access, and it works for some things but SMTP works great. HELP! Thank you Josh -- A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. -Douglas Adams -- http://www.piclist.com hint: The list server can filter out subtopics (like ads or off topics) for you. See http://www.piclist.com/#topics

On Thu, Feb 12, 2004 at 11:33:10AM -0500, Josh Koffman wrote: Way off topic. > Ok, I'm desperate. I've tried everything I know how to try, and it's not > working. And I can't figure out why. I can help. > > I am running Debian with a 2.2.19 kernel. I know 2.6 is out, but I don't > want to upgrade right now. There is going to be a major overhaul coming > in a month or so, and I don't want to waste time upgrading this machine > right now. OK. > > Here is what I am trying to do. I am attempting to block access to my > linux box from all addresses starting with 141.117.*.* except the few > within that range that I specify. Typical. > So, my first thought was hosts.allow > and hosts.deny. I added the address above (with netmask) to hosts.deny, > (ALL:141.117.0.0/255.255.0.0), and the address I want to be able to > access the box (ALL:141.117.*.*) to hosts.allow. OK. Here's the question you need to ask yourself before we move on: How is host.allow and host.deny utilized? Answer coming up. > Then I started testing. > The address I want to work worked fine. However, I am having issues with > the blocked addresses. They won't connect to some services (ie the POP > server) which is perfect, but they still connect to others, such as > SMTP. I've even tried explicitly denying the IP of the machine I'm > testing with, and I can still send mail through SMTP perfectly. I tried > adding (ALL smtp: 141.117.0.0/255.255.0.0) or ALL exim: > 141.117.0.0/255.255.0.0) but neither seem to work. Right. And the reason is that answer to my question above: hosts.allow and hosts.deny are used by the tcpd program. tcpd is invoked by inetd and is configured via the /etc/inetd.conf file. For example on one of my machines here is the POP3 entry in /etc/inetd.conf: pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popa3d Note that tcpd is invoked, which checks the hosts.allow/hosts.deny and either allows access by invoking popa3d or denies it. But it only works if tcpd is invoked. So now here the second question: What happens when you have a service that doesn't use inetd, and therefore doesn't invoke tcpd? Well you've seen your answer from the behavior above. sendmail runs all the time, owns port 25, and is not invoked by inetd. So the hosts.allow and hosts.deny files are never checked. > > I just don't understand how I can explicitly deny access, and it works > for some things but SMTP works great. See above. Now how to solve the problem. You need another tool that operates at the kernel level: packet filtering. And the tools for doing this have evolved over the years. 2.2 kernels used IPChains, 2.4 kernels use IPTables, and I'm not sure how in the heck 2.6 kernels do it yet. Take a read of this HOWTO, then take another crack at it: http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html > > HELP! Hope this helps, > > Thank you You are welcome. BAJ -- http://www.piclist.com hint: The list server can filter out subtopics (like ads or off topics) for you. See http://www.piclist.com/#topics

Byron A Jeff wrote: > On Thu, Feb 12, 2004 at 11:33:10AM -0500, Josh Koffman wrote: > > > > I just don't understand how I can explicitly deny access, and it works > > for some things but SMTP works great. Everything Byron said plus: sendmail uses a file called "access.db". This is created from a text file called "access" which you edit to ACCEPT or REJECT specific addresses and domains. Regards Sergio Masci http://www.xcprod.com/titan/XCSB - optimising structured PIC BASIC compiler -- http://www.piclist.com hint: The list server can filter out subtopics (like ads or off topics) for you. See http://www.piclist.com/#topics

AHA! I had a feeling something like this was happening...I just didn't know that hosts.allow and hosts.deny were only used by inetd. So, I took your advice and looked into ipchains. Sure enough, it'll do what I need, and true to form with my luck, it's not compiled into my kernel. I'm now looking into finding a precompiled kernel with it in (2.2.x), and while there are a bunch on the debian site, I can't figure out wether they have ipchains compiled in. I'm really trying to avoid having to recompile my kernel, it will take a long time on this machine, and I don't have another machine handy that can do it. Plus I haven't recompiled a kernel for years and I don't want to risk screwing up this machine. As always, this needs to be fixed asap. So, does anyone know of a precompiled 2.2 kernel with ipchains in for Debian? I think the kernel-image-2.2.20 (no suffix) might have it, but I'm not sure. Alternatively, is there a way to get inetd to call exim (my SMTP daemon)? That way I could handle everything using hosts.allow and hosts.deny in the short term, and recompile my kernel and use ipchains in a little while without worrying. Thanks, Josh -- A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. -Douglas Adams Byron A Jeff wrote: {Quote hidden}> Right. And the reason is that answer to my question above: hosts.allow and > hosts.deny are used by the tcpd program. tcpd is invoked by inetd and is > configured via the /etc/inetd.conf file. For example on one of my machines > here is the POP3 entry in /etc/inetd.conf: > > pop3 stream tcp nowait root /usr/sbin/tcpd /usr/sbin/popa3d > > Note that tcpd is invoked, which checks the hosts.allow/hosts.deny and either > allows access by invoking popa3d or denies it. > > But it only works if tcpd is invoked. > > So now here the second question: What happens when you have a service that > doesn't use inetd, and therefore doesn't invoke tcpd? > > Well you've seen your answer from the behavior above. sendmail runs all the > time, owns port 25, and is not invoked by inetd. So the hosts.allow and > hosts.deny files are never checked. > > > > > I just don't understand how I can explicitly deny access, and it works > > for some things but SMTP works great. > > See above. Now how to solve the problem. You need another tool that operates > at the kernel level: packet filtering. And the tools for doing this have > evolved over the years. 2.2 kernels used IPChains, 2.4 kernels use IPTables, > and I'm not sure how in the heck 2.6 kernels do it yet. > > Take a read of this HOWTO, then take another crack at it: > > http://www.tldp.org/HOWTO/IPCHAINS-HOWTO.html -- http://www.piclist.com hint: The list server can filter out subtopics (like ads or off topics) for you. See http://www.piclist.com/#topics

On Thu, Feb 12, 2004 at 01:24:26PM -0500, Josh Koffman wrote: > AHA! I had a feeling something like this was happening...I just didn't > know that hosts.allow and hosts.deny were only used by inetd. So, I took > your advice and looked into ipchains. Sure enough, it'll do what I need, > and true to form with my luck, it's not compiled into my kernel. It doesn't have to be IIRC. You can use a module. I don't think I have any 2.2 kernel machines available anymore, so I can't be certain though. > > I'm now looking into finding a precompiled kernel with it in (2.2.x), > and while there are a bunch on the debian site, I can't figure out > wether they have ipchains compiled in. You may have a tough time finding a site with the right kernel. > I'm really trying to avoid having > to recompile my kernel, it will take a long time on this machine, and I > don't have another machine handy that can do it. Plus I haven't > recompiled a kernel for years and I don't want to risk screwing up this > machine. As always, this needs to be fixed asap. Check you modules directory /lib/modules/2.2.20/net/ipv4. The modules you need may be there. > > So, does anyone know of a precompiled 2.2 kernel with ipchains in for > Debian? I think the kernel-image-2.2.20 (no suffix) might have it, but > I'm not sure. Alternatively, is there a way to get inetd to call exim > (my SMTP daemon)? That way I could handle everything using hosts.allow > and hosts.deny in the short term, and recompile my kernel and use > ipchains in a little while without worrying. Google, yung grasshoppa, Google. Pop "exim inetd tcpd" into Google Groups and you get immediate benefits. BAJ -- http://www.piclist.com hint: The list server can filter out subtopics (like ads or off topics) for you. See http://www.piclist.com/#topics

Ok, just an update. First of all, thank you all for your advice. As this is just a temporary thing, I have solved it for now by getting exim to be called by inetd. Works fine, and now listens to hosts.deny. Another cool (IMO) solution suggested to me offlist was to set up a route table on my machine that rerouted packets to the address I wished to block to 127.0.0.1. The outside machines could try to connect to my machine, but since all the packets returning from my machine would never reach them, they'd think my machine was gone. Anyway, thanks all! Josh -- A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. -Douglas Adams -- http://www.piclist.com#nomail Going offline? Don't AutoReply us! email spam_OUTlistservTakeThisOuTmitvma.mit.edu with SET PICList DIGEST in the body

Ok, just an update. First of all, thank you all for your advice. As this is just a temporary thing, I have solved it for now by getting exim to be called by inetd. Works fine, and now listens to hosts.deny. Another cool (IMO) solution suggested to me offlist was to set up a route table on my machine that rerouted packets to the address I wished to block to 127.0.0.1. The outside machines could try to connect to my machine, but since all the packets returning from my machine would never reach them, they'd think my machine was gone. Anyway, thanks all! Josh -- A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools. -Douglas Adams -- http://www.piclist.com#nomail Going offline? Don't AutoReply us! email .....listservKILLspam@spam@mitvma.mit.edu with SET PICList DIGEST in the body