That's exactly the information I was looking for. I just checked and
sshd and mysql are compiled with libwrap on Ubuntu. I will test out the
hosts file on ssh and see how it works.
> On Mon, Aug 28, 2006 at 01:36:12PM +0100, Kevin Philp wrote:
>> So far I have installed Apache2, Mysql, SSH, Postfix, NIS, NFS and Squid and
>> the configuration is still empty. Am I missing something, this was originally
>> a default desktop installation? They were all installed with sudo aptitude
>> install XXXXX
>
> This area of access control is a bit complicated so bear with me and
> I'll try and impart my (relatively basic) understanding of it.
>
> First off, the files hosts.allow and hosts.deny are a part of the
> Tcp Wrappers package, not the Inetd package. They come into play when
> using inetd through the use of the tcpd program. So, if you wanted to
> apply access control to an rsync daemon, you would specify the program
> to call as "/usr/sbin/tcpd /sbin/rsyncd --daemon" in your inetd.conf.
>
> Now, the tcpd program is not the only way to get tcp-wrappers to carry
> out access control checks on incoming connections. The tcp-wrappers
> package also ships with a library called libwrap. A standalone server
> (such as SSH, MySQL, or Apache2), which is a server that doesn't use
> inetd, can still avail of the Tcp Wrappers access control by using the
> libwrap library. For instance, on my system (fedora), the sshd daemon
> was built to use Tcp Wrappers via the libwrap library. This allows me to
> write something like this in my hosts.deny file to deny access from a
> particular host on my network:
>
> sshd: 172.16.55.5
>
> Then when I try and connect from that machine I am denied access (mind
> you, if truth be told, I never actually use this stuff in practice).
>
> If you want to find out what other servers are compiled with support for
> Tcp Wrappers - and hence, that can have access controlled by hosts.allow
> and hosts.deny - I recommend that you check their library dependencies
> using the ldd tool. To test sshd for example do:
>
> $ ldd /usr/sbin/sshd
> linux-gate.so.1 => (0xffffe000)
> libwrap.so.0 => /lib/libwrap.so.0 (0xb7f20000)
> libpam.so.0 => /lib/libpam.so.0 (0xb7f18000)
> libdl.so.2 => /lib/libdl.so.2 (0xb7f14000)
>
> You're looking for libwrap obviously. There may be some other way to
> find out, but this is what I'd do.
>
> Incidentally, Inetd (and even Xinetd) have been found buggy and
> susceptible to various security exploits in the past. You will find that
> most servers (Apache, sshd, etc) are standalone servers, but every now
> and then you will come across servers that do use inetd (or xinetd),
> which is probably why it was installed on your machine. Examples of
> servers which use inetd on my machine are cupsd (print server), rsyncd,
> and many of the kerberos servers (klogin, etc). Personally, I wouldn't
> expose any such servers on an Internet facing machine without giving it
> a whole lot of thought, but I'm fairly risk averse.
>
> - badge
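As an added example (not from the thread), a small POSIX shell script that applies the ldd check from the quoted reply to a list of daemon binaries, so you can see at a glance which of them will honour hosts.allow and hosts.deny at all; the ldd output embedded in it for testing is constructed, and the binary paths are only the usual locations.

```shell
#!/bin/sh
# Added example: find daemons linked against libwrap (tcp_wrappers).
# Only a binary that links libwrap consults hosts.allow/hosts.deny on
# its own; anything else needs tcpd via inetd or a different control.

# ldd_has_libwrap: read ldd-style output on stdin, succeed if libwrap
# appears among the linked libraries.
ldd_has_libwrap() {
    grep -q 'libwrap\.so' 
}

# binary_has_libwrap: run ldd on one binary; 0 = wrapped, 1 = not,
# 2 = path is not an executable file.
binary_has_libwrap() {
    [ -x "$1" ] || return 2
    ldd "$1" 2>/dev/null | ldd_has_libwrap
}

# report_wrappers: one line per path describing whether the
# hosts.allow/hosts.deny rules can apply to it.
report_wrappers() {
    for bin in "$@"; do
        if [ ! -e "$bin" ]; then
            printf '%s: not installed\n' "$bin"
        elif binary_has_libwrap "$bin"; then
            printf '%s: links libwrap, hosts.allow/hosts.deny apply\n' "$bin"
        else
            printf '%s: no libwrap, hosts files are ignored by it\n' "$bin"
        fi
    done
}

# Constructed sample ldd output, modelled on the listing in the thread.
SAMPLE_LDD_WRAPPED='linux-gate.so.1 => (0xffffe000)
libwrap.so.0 => /lib/libwrap.so.0 (0xb7f20000)
libpam.so.0 => /lib/libpam.so.0 (0xb7f18000)'
SAMPLE_LDD_UNWRAPPED='linux-gate.so.1 => (0xffffe000)
libpam.so.0 => /lib/libpam.so.0 (0xb7f18000)'

# Typical daemon locations (assumed; adjust for your distribution).
# Run with explicit paths, e.g.: sh check_libwrap.sh /usr/sbin/sshd
if [ $# -gt 0 ]; then
    report_wrappers "$@"
fi
```

A daemon reported as "no libwrap" is not protected by a hosts.deny entry, so a rule like the thread's "sshd: 172.16.55.5" only has effect when the check succeeds for that binary.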