[ILUG] Ubuntu and inet.d
Kevin Philp
kevin at cybercolloids.net
Mon Aug 28 18:19:27 IST 2006
That's exactly the information I was looking for. I just checked and
sshd and mysql are compiled with libwrap on Ubuntu. I will test out the
hosts file on ssh and see how it works.
Thanks
Kevin.
Badger wrote:
> On Mon, Aug 28, 2006 at 01:36:12PM +0100, Kevin Philp wrote:
>> So far I have installed Apache2, Mysql, SSH, Postfix, NIS, NFS and Squid and
>> the configuration is still empty. Am I missing something? This was originally
>> a default desktop installation. They were all installed with sudo aptitude
>> install XXXXX
>>
>> Kevin.
>>
>
> This area of access control is a bit complicated so bear with me and
> I'll try and depart my (relatively basic) understanding of it.
>
> First off, the files hosts.allow and hosts.deny are a part of the
> Tcp Wrappers package not the Inetd package. They come into play when
> using inetd through the use of the tcpd program. So, if you wanted to
> apply access control to an rsync daemon, you would specify the program
> to call as "/usr/sbin/tcpd /sbin/rsyncd --daemon" in your inetd.conf.
>
> Now, the tcpd program is not the only way to get tcp-wrappers to carry
> out access control checks on incoming connections. The tcp-wrappers
> package also ships with a library called libwrap. A standalone server
> (such as SSH, MySQL, or Apache2), which is a server that doesn't use
> inetd can still avail of the Tcp Wrappers access control by using the
> libwrap library. For instance, on my system (fedora), the sshd daemon
> was built to use Tcp Wrappers via the libwrap library. This allows me to
> write something like this in my hosts.deny file to deny access from a
> particular host on my network:
>
> sshd: 172.16.55.5
>
> Then when I try and connect from that machine I am denied access (mind
> you, if truth be told, I never actually use this stuff in practice).
>
> If you want to find out what other servers are compiled with support for
> Tcp Wrappers - and hence, that can have access controlled by hosts.allow
> and hosts.deny - I recommend that you check their library dependencies
> using the ldd tool. To test sshd for example do:
>
> $ ldd /usr/sbin/sshd
> linux-gate.so.1 => (0xffffe000)
> libwrap.so.0 => /lib/libwrap.so.0 (0xb7f20000)
> libpam.so.0 => /lib/libpam.so.0 (0xb7f18000)
> libdl.so.2 => /lib/libdl.so.2 (0xb7f14000)
> ....
>
> You're looking for libwrap obviously. There may be some other way to
> find out, but this is what I'd do.
>
> Incidentally, Inetd (and even Xinetd) have been found buggy and
> susceptible to various security exploits in the past. You will find that
> most servers (Apache, sshd, etc) are standalone servers, but every now
> and then you will come across servers that do use inetd (or xinetd)
> which is probably why it was installed on your machine. Examples of
> servers which use inetd on my machine are cupsd (print server), rsyncd,
> and many of the kerberos servers (klogin, etc). Personally, I wouldn't
> expose any such servers on an Internet facing machine without giving it
> a whole lot of thought, but I'm fairly risk averse.
>
> - badge
>
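As an added example (not code from either poster), the script below turns the two checks discussed in the thread into reusable shell functions: it scans a list of daemon binaries with ldd and reports which ones link libwrap (and therefore honour hosts.allow/hosts.deny), and it lists the rules in an hosts.allow/hosts.deny-style file that apply to a given daemon name, including `ALL` wildcards. The daemon paths and the sample rules file are assumptions constructed for the demo; adjust them to the paths on your own system.

```shell
#!/bin/sh
# Added example: find which daemons honour TCP Wrappers, and which rules
# in hosts.allow / hosts.deny apply to a daemon. Not from the thread.

# Succeed if ldd-style output read from stdin mentions libwrap.
ldd_output_links_libwrap() {
    grep -q 'libwrap\.so'
}

# 0 = binary at $1 links libwrap, 1 = it does not,
# 2 = file missing or ldd could not inspect it (static, not an ELF, ...).
binary_links_libwrap() {
    [ -f "$1" ] || return 2
    out=$(ldd "$1" 2>/dev/null) || return 2
    printf '%s\n' "$out" | ldd_output_links_libwrap
}

# One line per candidate path: "libwrap", "no-wrap" or "missing".
scan_daemons() {
    for bin in "$@"; do
        rc=0
        binary_links_libwrap "$bin" || rc=$?
        case $rc in
            0) printf 'libwrap %s\n' "$bin" ;;
            1) printf 'no-wrap %s\n' "$bin" ;;
            *) printf 'missing %s\n' "$bin" ;;
        esac
    done
}

# Print rules in file $2 whose daemon list (the part before the first ':')
# names daemon $1 or the ALL wildcard. Comments and blank lines are skipped.
# Note: the EXCEPT operator of hosts_access(5) is not interpreted here.
rules_for_daemon() {
    awk -v d="$1" '
        /^[[:space:]]*(#|$)/ { next }
        {
            split($0, parts, ":")
            n = split(parts[1], names, "[[:space:],]+")
            for (i = 1; i <= n; i++)
                if (names[i] == d || names[i] == "ALL") { print; break }
        }' "$2"
}

# Demo run. Paths are assumptions (typical Debian/Ubuntu locations).
scan_daemons /usr/sbin/sshd /usr/sbin/mysqld /usr/sbin/apache2

# Constructed hosts.deny-style content, written to a temp file for the demo.
demo_deny=$(mktemp)
printf '# constructed sample\nALL: ALL\nsshd, in.telnetd: 172.16.55.5\n' > "$demo_deny"
echo "rules affecting sshd:"
rules_for_daemon sshd "$demo_deny"
rm -f "$demo_deny"
```

Because `hosts_access(5)` consults hosts.allow first and then hosts.deny, a rule report for a daemon should be read against both files; the function takes the file as an argument so it can be run on each in turn.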