Re: Is this a tcpwrapper bug?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Tom Horsley wrote:
While trying to make my ssh connection maximally secure,
I decided to use the /etc/hosts.allow and /etc/hosts.deny
files, and was able to get them working without too much
trouble, so now the only external site that can connect to
my home system is the address of what is probably my work
system's firewall.

Here's the bug: The DNS setup for the IP address of the
firewall gives it two names, both (examples only)
users.example.com and corpvpn.example.com are in the
DNS database as the same IP.

If I try to use either name (or both names) in the hosts.allow
file, I always get rejected with a log message that claims
users.example.com != corpvpn.example.com.

If I use the IP address in hosts.allow, I still get the message
in the log, but I am allowed to connect.

Is the tcpwrapper code being too paranoid here? Shouldn't
it lookup all the names for the IP and accept any match
rather than (appapently) only looking up the 1st name?


I don't see that tcpwrappers does a lot for you in this case than you can also do with iptables.

Assuming your iptables policy is set to deny, than add something like this:
iptables -I INPUT --source there.example.com --dport 22 -j ACCEPT

The problem with such a rule is that if one end changes its address, or if you need to connect from different places, perhaps because of dynamic IP addresses or because you're travelling, it fails you.


I use these rules (from iptables-save) to allow me to connect from anywhere, while limiting the possibility of enumerating passwords: -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j LOG --log-prefix "SSH connexion " -A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 5/hour -j ACCEPT

I have other rules for other, more likely, places. I find I get very few attempts to enumerate accounts from the Australian addresses I allow.

--

Cheers
John

-- spambait
1aaaaaaa@xxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxx
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux