On 30/01/2008, Phil Ashby phil.ashby@bt.com wrote:
On Wed, 2008-01-30 at 09:48 +0000, Jenny Hopkins wrote:
Hullo there,
I've got ("have taken over") a hosts.allow file as below:
    ftp: ALL
    cvspserver: ALL
    svn: ALL
    sshd: ALL
    telnet: ALL
    ALL: <domain-we-allow>.co.uk
    ALL: LOCAL
I don't understand why if the ALL keyword is called in the first half, aliases are then described in the second. Surely ALL means just that?
What I want is for the cvspserver to be ALL and the others to be restricted to LOCAL and <domain-we-allow>.co.uk. No matter what I try with wildcard *, UNKNOWN, etc, the hosts.allow will only allow anonymous cvs log in with adding ALL:ALL at the bottom, which I don't want to do obviously.
Sorry to not rtfm; I have done but it sort of went in one ear and out of the other leaving a puffy pink cloud in the middle.
According to the friendly manual, that file should permit any system access to ftp, cvspserver, svn, sshd & telnet while restricting every other service to LOCAL (no domain component when looked up in reverse DNS and/or the hosts file) and the specified domain.
Is there a matching hosts.deny file?
I think you need the following to achieve your aim:
    cvspserver: ALL
    ALL: LOCAL .<domain-we-allow>.co.uk
Note the leading '.' in the allowed domain, since that matters. The magic word 'ALL' is a wildcard that matches all services or hosts depending which side of the ':' it's on; it's certainly not an alias.
Phil,
Thank you. Looking further, I see this in the syslog when a connection to the cvspserver is attempted from any address other than those stated after "ALL:" -
    Jan 30 10:59:52 stoneboat xinetd[30584]: warning: /etc/hosts.allow, line 21: can't verify hostname: getaddrinfo(unknown.asdl.nitrex.net, AF_INET) failed
    Jan 30 10:59:52 stoneboat xinetd[30584]: libwrap refused connection to cvspserver (libwrap=cvs) from 213.165.225.128
This means I need to tell hosts.allow not to bother with reverse DNS lookups somehow, as some of them are broken?
I am 213.165.225.128, and if I add ALL:213.165.225.128 I can access, but otherwise not.
The hosts.deny says ALL: PARANOID
Thanks,
Jenny
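The rule order and wildcards Phil describes, together with the "ALL: PARANOID" entry Jenny reports in hosts.deny, worked through in a small Python model added here. This is not code from the thread and it is not libwrap; it implements the matching rules as documented in hosts_access(5) (hosts.allow first, then hosts.deny, otherwise permit; ALL, LOCAL, KNOWN, UNKNOWN, PARANOID, leading-dot domain, trailing-dot network prefix, EXCEPT). The domain name, hostnames and addresses are constructed placeholders, and the Client fields (name, verified) are an assumed way of representing what the reverse and forward lookups returned.

```python
# Added illustration: evaluator for hosts.allow / hosts.deny rules following the
# matching order and wildcards documented in hosts_access(5).  Not libwrap itself;
# all hostnames, addresses and the domain below are constructed sample values.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Client:
    address: str
    name: Optional[str] = None   # None: reverse lookup returned no name (UNKNOWN)
    verified: bool = True        # False: forward lookup did not confirm it (PARANOID)

    def usable_name(self) -> Optional[str]:
        # Name patterns only match a name that reverse and forward lookups agree on.
        return self.name if (self.name is not None and self.verified) else None


def host_matches(pattern: str, c: Client) -> bool:
    """One client pattern from hosts_access(5) against one client."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":            # name and address disagree
        return c.name is not None and not c.verified
    if pattern == "UNKNOWN":             # no name could be found at all
        return c.name is None
    if pattern == "KNOWN":
        return c.usable_name() is not None
    if pattern == "LOCAL":               # a name without a dot
        name = c.usable_name()
        return name is not None and "." not in name
    if pattern.startswith("."):          # domain suffix, e.g. ".example.co.uk"
        name = c.usable_name()
        return name is not None and name.endswith(pattern)
    if pattern.endswith("."):            # numeric network prefix, e.g. "213.165."
        return c.address.startswith(pattern)
    return pattern == c.address or pattern == c.usable_name()


def list_matches(pattern_list: str, match: Callable[[str], bool]) -> bool:
    """'a b EXCEPT c' matches if a or b matches and c does not; EXCEPT nests rightwards."""
    parts = pattern_list.replace(",", " ").split()
    if "EXCEPT" in parts:
        i = parts.index("EXCEPT")
        return (list_matches(" ".join(parts[:i]), match)
                and not list_matches(" ".join(parts[i + 1:]), match))
    return any(match(p) for p in parts)


def parse_table(text: str) -> List[Tuple[str, str]]:
    """daemon_list : client_list [: shell_command]  ->  (daemon_list, client_list)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")
        rules.append((fields[0].strip(), fields[1].strip()))
    return rules


def table_matches(rules: List[Tuple[str, str]], daemon: str, client: Client) -> bool:
    for daemons, clients in rules:
        if (list_matches(daemons, lambda d: d == "ALL" or d == daemon)
                and list_matches(clients, lambda p: host_matches(p, client))):
            return True
    return False


def access_allowed(allow_text: str, deny_text: str, daemon: str, client: Client) -> bool:
    """hosts.allow is searched first, then hosts.deny; no match in either means access."""
    if table_matches(parse_table(allow_text), daemon, client):
        return True
    if table_matches(parse_table(deny_text), daemon, client):
        return False
    return True


# Phil's suggested hosts.allow with a constructed placeholder domain:
HOSTS_ALLOW = """
cvspserver: ALL
ALL: LOCAL .example.co.uk
"""
DENY_PARANOID_ONLY = "ALL: PARANOID\n"            # what Jenny's hosts.deny contains
DENY_DEFAULT_DENY = "ALL: PARANOID\nALL: ALL\n"   # a default-deny variant


def demo() -> dict:
    local = Client("10.0.0.5", "buildbox")                                 # constructed
    in_domain = Client("192.0.2.10", "dev.example.co.uk")                  # constructed
    stranger = Client("198.51.100.7", "vps.other.example")                 # constructed
    mismatched = Client("203.0.113.9", "unknown.adsl.example", verified=False)
    return {
        "cvs, mismatched name": access_allowed(HOSTS_ALLOW, DENY_PARANOID_ONLY, "cvspserver", mismatched),
        "sshd, LOCAL": access_allowed(HOSTS_ALLOW, DENY_PARANOID_ONLY, "sshd", local),
        "sshd, in domain": access_allowed(HOSTS_ALLOW, DENY_PARANOID_ONLY, "sshd", in_domain),
        "sshd, mismatched name": access_allowed(HOSTS_ALLOW, DENY_PARANOID_ONLY, "sshd", mismatched),
        "sshd, stranger, deny PARANOID only": access_allowed(HOSTS_ALLOW, DENY_PARANOID_ONLY, "sshd", stranger),
        "sshd, stranger, deny ALL: ALL": access_allowed(HOSTS_ALLOW, DENY_DEFAULT_DENY, "sshd", stranger),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:40} {'allowed' if allowed else 'refused'}")
```

The case worth noticing is the "stranger": a remote host outside the allowed domain whose name does verify matches nothing in hosts.allow and nothing in a hosts.deny that only says "ALL: PARANOID", so the documented fall-through lets it reach sshd. A hosts.deny line "ALL: ALL" after "ALL: PARANOID" turns the pair into default-deny, which is what the hosts.allow whitelist is presumably meant to express. The model does not simulate a libwrap built with the compile-time PARANOID option, which refuses name/address mismatches on its own rather than through the tables.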