You are not logged in.

#1 2010-03-12 23:00:52

partner55083777
Member
Registered: 2010-02-02
Posts: 10

[SOLVED] how do hosts.allow and hosts.deny work?

I understand the basic concepts of hosts.allow and hosts.deny, but I am interested in how it works.  What actually blocks access to the services?  Do they do it themselves?  Or it is something in the kernel that does it?

For example, if I have this in my hosts.allow:

sshd:all
#mysqld: all

And this is my hosts.deny:

ALL: ALL: DENY


This will result in people being able to connect to sshd but not mysqld.  Are sshd and mysqld programmed to read these hosts.allow and hosts.deny files?  Or is there something stopping the connection before it even gets to the daemon?

The hosts.allow and hosts.deny man pages refer to tcpd, but it is not running on my system.  Also, hosts.allow and hosts.deny never show up in the output of `lsof`.  hosts.allow and hosts.deny belong to the tcp_wrappers package, but there is nothing else in the package that illuminates my question.

Last edited by partner55083777 (2010-03-15 12:35:51)

Offline

#2 2010-03-13 00:08:17

anonymous_user
Member
Registered: 2009-08-28
Posts: 3,059

Re: [SOLVED] how do hosts.allow and hosts.deny work?

The tarball includes a library named libwrap  that implements the actual functionality. Initially, only services that were spawned for each connection from a super-server  (such as inetd) got wrapped, utilizing the tcpd program. However most common network service daemons today can be linked against libwrap directly.

http://en.wikipedia.org/wiki/Tcpwrappers

Last edited by anonymous_user (2010-03-13 00:08:37)

Offline

#3 2010-03-14 05:15:06

thetrivialstuff
Member
Registered: 2006-05-10
Posts: 191

Re: [SOLVED] how do hosts.allow and hosts.deny work?

TCP wrappers syntax changed again, unannounced. The man page is now incorrect.

Try to find an up-to-date one somewhere on the 'net; if you're trying to call shell commands from hosts.allow, you now need the word 'spawn' in front of them. That seemed to fix the problem for me, anyway; there might be other differences.

~Felix.

Offline

#4 2010-03-15 12:33:33

partner55083777
Member
Registered: 2010-02-02
Posts: 10

Re: [SOLVED] how do hosts.allow and hosts.deny work?

Thanks guys.

However most common network service daemons today can be linked against libwrap directly.

Sure enough,

$ ldd /usr/sbin/sshd
    linux-vdso.so.1 =>  (0x00007123451ff000)
    libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00007fffbd6d000)
    libpam.so.0 => /lib/libpam.so.0 (0x00007f99765f1000)
    ....
$

Here is also a little bit more information about libwrap:
http://en.wikipedia.org/wiki/Libwrap

Last edited by partner55083777 (2010-03-15 20:03:11)

Offline

Board footer

Powered by FluxBB