[Tfug] hosts.allow

Brian Murphy murphy+tfug at email.arizona.edu
Mon Jul 7 14:26:31 MST 2008 

According to the hosts_access man page, tcpwrappers are built with
PARANOID compiled in by default.  This means a mismatched host/IP is
dropped before it even runs through the access checks.  So PARANOID
only works if you compiled tcpwrappers explicitly excluding the
-DPARANOID option.

PARANOID does a DNS lookup for the client IP address to get a hostname.
It then looks up the hostname it got from DNS.  The IP returned for the
hostname must match the original client IP.

To block hosts that match the PARANOID wildcard, put ALL:PARANOID in
your /etc/hosts.deny instead of hosts.allow.  The main catch is that
allows are matched before denies.  So you might need to append EXCEPT
PARANOID to get things that would normally match an allow to fall into
deny processing depending on how you set your hosts.allow clause.


The man page does a pretty good job at explaining how matches are done:

"ACCESS CONTROL FILES
The access control software consults two files. The search stops at the
first match:

  · Access will be granted when a (daemon,client) pair matches an entry
in the /etc/hosts.allow file.

  · Otherwise, access will be denied when a (daemon,client) pair matches
an entry in the /etc/hosts.deny file.

  ·  Otherwise, access will be granted.

A  non-existing  access  control file is treated as if it were an empty
file. Thus, access control can be turned off by providing no access
control files."


Brian

Quoting Jim Secan <jim at nwra.com>:
> How does PARANOID work in a hosts.allow file?  I read the FM as PARANOID
> matches whenever a reverse look-up on an incoming request shows a mismatch
> between the avowed hostname and the one returned from the look-up.  If this
> is correct, then if you want to drop anything that has this mismatch you
> would put
>
> ALL : PARANOID : deny
>
> in your hosts.allow file.  Guidance I had from elsewhere was that you 
> use just
>
> ALL : PARANOID
>
> which seems to me that this would allow any visitor who didn't match
> his/her reverse look-up.  Which is correct usage for the hosts.allow file?
>
> TIA
> Jim
> *---------------------*-------------------------------*
> | Jim Secan           | Northwest Research Assoc, Inc |
> | (jim at nwra.com)      | 2455 E. Speedway, Suite 204   |
> | (520) 319-7773      | Tucson, Arizona 85719         |
> *---------------------*-------------------------------*
>
> _______________________________________________
> Tucson Free Unix Group - tfug at tfug.org
> Subscription Options:
> http://www.tfug.org/mailman/listinfo/tfug_tfug.org




The opinions or statements expressed herein are my own and should not be
taken as a position, opinion, or endorsement of the University of
Arizona.

More information about the tfug mailing list