Hullo there,
I've got ("have taken over") a hosts.allow file as below:
ftp: ALL
cvspserver: ALL
svn: ALL
sshd: ALL
telnet: ALL
ALL: <domain-we-allow>.co.uk
ALL: LOCAL
I don't understand why if the ALL keyword is called in the first half, aliases are then described in the second. Surely ALL means just that?
What I want is for the cvspserver to be ALL and the others to be restricted to LOCAL and <domain-we-allow>.co.uk. No matter what I try with wildcard *, UNKNOWN, etc, the hosts.allow will only allow anonymous cvs log in with adding ALL:ALL at the bottom, which I don't want to do obviously.
Sorry to not rtfm; I have done but it sort of went in one ear and out of the other leaving a puffy pink cloud in the middle.
Thanks,
Jenny
On Wed, 2008-01-30 at 09:48 +0000, Jenny Hopkins wrote:
> Hullo there,
> I've got ("have taken over") a hosts.allow file as below:
> ftp: ALL
> cvspserver: ALL
> svn: ALL
> sshd: ALL
> telnet: ALL
> ALL: <domain-we-allow>.co.uk
> ALL: LOCAL
> I don't understand why if the ALL keyword is called in the first half, aliases are then described in the second. Surely ALL means just that?
> What I want is for the cvspserver to be ALL and the others to be restricted to LOCAL and <domain-we-allow>.co.uk. No matter what I try with wildcard *, UNKNOWN, etc, the hosts.allow will only allow anonymous cvs log in with adding ALL:ALL at the bottom, which I don't want to do obviously.
> Sorry to not rtfm; I have done but it sort of went in one ear and out of the other leaving a puffy pink cloud in the middle.
According to the friendly manual, that file should permit any system access to ftp, cvspserver, svn, sshd & telnet while restricting every other service to LOCAL (no domain component when looked up in reverse DNS and/or the hosts file) and the specified domain.
Is there a matching hosts.deny file?
I think you need the following to achieve your aim:
cvspserver: ALL
ALL: LOCAL .<domain-we-allow>.co.uk
Note the leading '.' in the allowed domain, since that matters. The magic word 'ALL' is a wildcard that matches all services or hosts depending which side of the ':' it's on; it's certainly not an alias.
HTH, Phil.
On 30/01/2008, Phil Ashby phil.ashby@bt.com wrote:
> On Wed, 2008-01-30 at 09:48 +0000, Jenny Hopkins wrote:
> > Hullo there,
> > I've got ("have taken over") a hosts.allow file as below:
> > ftp: ALL
> > cvspserver: ALL
> > svn: ALL
> > sshd: ALL
> > telnet: ALL
> > ALL: <domain-we-allow>.co.uk
> > ALL: LOCAL
> > I don't understand why if the ALL keyword is called in the first half, aliases are then described in the second. Surely ALL means just that?
> > What I want is for the cvspserver to be ALL and the others to be restricted to LOCAL and <domain-we-allow>.co.uk. No matter what I try with wildcard *, UNKNOWN, etc, the hosts.allow will only allow anonymous cvs log in with adding ALL:ALL at the bottom, which I don't want to do obviously.
> > Sorry to not rtfm; I have done but it sort of went in one ear and out of the other leaving a puffy pink cloud in the middle.
> According to the friendly manual, that file should permit any system access to ftp, cvspserver, svn, sshd & telnet while restricting every other service to LOCAL (no domain component when looked up in reverse DNS and/or the hosts file) and the specified domain.
> Is there a matching hosts.deny file?
> I think you need the following to achieve your aim:
> cvspserver: ALL
> ALL: LOCAL .<domain-we-allow>.co.uk
> Note the leading '.' in the allowed domain, since that matters. The magic word 'ALL' is a wildcard that matches all services or hosts depending which side of the ':' it's on; it's certainly not an alias.
Phil,
Thank you. Looking further, I see this in the syslog when a connection to the cvspserver is attempted from any other than addresses stated after "ALL:" -
Jan 30 10:59:52 stoneboat xinetd[30584]: warning: /etc/hosts.allow, line 21: can't verify hostname: getaddrinfo(unknown.asdl.nitrex.net, AF_INET) failed
Jan 30 10:59:52 stoneboat xinetd[30584]: libwrap refused connection to cvspserver (libwrap=cvs) from 213.165.225.128
This means I need to tell hosts.allow not to bother with reverse DNS lookups somehow, as some of them are broken?
I am 213.165.225.128, and if I add ALL:213.165.225.128 I can access, but otherwise not.
The hosts.deny says ALL: PARANOID
Thanks,
Jenny
On Wed, 2008-01-30 at 11:10 +0000, Jenny Hopkins wrote:
> Thank you. Looking further, I see this in the syslog when a connection to the cvspserver is attempted from any other than addresses stated after "ALL:" -
> Jan 30 10:59:52 stoneboat xinetd[30584]: warning: /etc/hosts.allow, line 21: can't verify hostname: getaddrinfo(unknown.asdl.nitrex.net, AF_INET) failed
> Jan 30 10:59:52 stoneboat xinetd[30584]: libwrap refused connection to cvspserver (libwrap=cvs) from 213.165.225.128
> This means I need to tell hosts.allow not to bother with reverse DNS lookups somehow, as some of them are broken?
> I am 213.165.225.128, and if I add ALL:213.165.225.128 I can access, but otherwise not.
> The hosts.deny says ALL: PARANOID
Well spotted Jenny.. could you limit access by IP address range instead of domain names (or are your clients on DHCP, so you have no guarantees of addresses)?
If you don't have reliable reverse DNS or fixed IPs, hosts.allow isn't going to work for you.
P
On 30/01/2008, Phil Ashby phil.ashby@bt.com wrote:
> Well spotted Jenny.. could you limit access by IP address range instead of domain names (or are your clients on DHCP, so you have no guarantees of addresses)?
The trouble is that everyone should have access to the cvs repository.
> If you don't have reliable reverse DNS or fixed IPs, hosts.allow isn't going to work for you.
Is it the ADSL provider that has the broken reverse DNS? Nitrex, in this case. It would explain why the cvspserver anonymous access used to work for anyone and now doesn't, as the provider changed last autumn.
Thanks, Phil,
Jenny
On 30/01/2008, Jenny Hopkins hopkins.jenny@gmail.com wrote:
> The trouble is that everyone should have access to the cvs repository.
> If you don't have reliable reverse DNS or fixed IPs, hosts.allow isn't going to work for you.
Putting ALL:* at the end of the file has fixed the problem, but I have a worry that all I've done is cancel out the hosts.deny file so anyone can access anything. Or can they just access the services that are listed in the hosts.allow file i.e. ftp, svn, sshd, telnet?
Jen, missing the point somewhere.
On Wed, 2008-01-30 at 12:11 +0000, Jenny Hopkins wrote:
> Putting ALL:* at the end of the file has fixed the problem, but I have a worry that all I've done is cancel out the hosts.deny file so anyone can access anything.
Yup - that's what you have done.
> Or can they just access the services that are listed in the hosts.allow file i.e. ftp, svn, sshd, telnet?
Nope - you have permitted anyone access to any service.
Phil.
On 30/01/2008, Phil Ashby phil.ashby@bt.com wrote:
> On Wed, 2008-01-30 at 12:11 +0000, Jenny Hopkins wrote:
> > Putting ALL:* at the end of the file has fixed the problem, but I have a worry that all I've done is cancel out the hosts.deny file so anyone can access anything.
> Yup - that's what you have done.
> > Or can they just access the services that are listed in the hosts.allow file i.e. ftp, svn, sshd, telnet?
> Nope - you have permitted anyone access to any service.
Best not do that then! Googling, it looks like I need to tell libwrap not to bother with reverse DNS lookups, with various arguments about whether or not this is a good thing.
Thanks for the help,
Jenny
On 30 Jan 2008, at 11:50 am, Phil Ashby wrote:
> Well spotted Jenny.. could you limit access by IP address range instead of domain names (or are your clients on DHCP, so you have no guarantees of addresses)?
Just as an aside..
You can be on DHCP and have fixed IP addresses, you know - that is what I do with most dhcp servers I run.
Cheers,
David
On 30/01/2008, Jenny Hopkins hopkins.jenny@gmail.com wrote:
> Hullo there,
> I've got ("have taken over") a hosts.allow file as below:
> ftp: ALL
> cvspserver: ALL
> svn: ALL
> sshd: ALL
> telnet: ALL
> ALL: <domain-we-allow>.co.uk
> ALL: LOCAL
As a follow-up to this, it turned out that the line cvspserver: ALL should have read cvs: ALL
Ha!
Thanks,
Jenny
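Added example (not code from this thread or from tcp_wrappers): a small Python model of how libwrap walks hosts.allow and then hosts.deny, covering the three points the thread settles: ALL is a wildcard and a domain needs its leading '.', a trailing ALL: * in hosts.allow short-circuits hosts.deny for every service, and a rule for cvspserver never matches a daemon that libwrap reports as cvs. The domain, addresses and host names are constructed; EXCEPT lists and netgroups are left out.

```python
"""Toy model of tcp_wrappers hosts_access(5) evaluation (constructed, not libwrap code)."""
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Client:
    ip: str
    rdns: Optional[str]      # reverse-DNS name, None when the PTR lookup failed
    forward_ok: bool = True  # does that name resolve back to ip? (libwrap's "paranoid" check)

def _known(c: Client) -> bool:
    return c.rdns is not None and c.forward_ok

def host_matches(pattern: str, c: Client) -> bool:
    """Subset of the client patterns documented in hosts_access(5)."""
    p = pattern.strip()
    if p in ("ALL", "*"):
        return True
    if p == "LOCAL":          # verified name that contains no dot
        return _known(c) and "." not in c.rdns
    if p == "UNKNOWN":        # no name at all
        return c.rdns is None
    if p == "PARANOID":       # name found, but it does not map back to the address
        return c.rdns is not None and not c.forward_ok
    if p.startswith("."):     # ".example.co.uk" matches verified hosts under that domain
        return _known(c) and c.rdns.endswith(p)
    if p.endswith("."):       # "203.0.113." matches an address prefix
        return c.ip.startswith(p)
    return p == c.ip or (_known(c) and p == c.rdns)

def rule_matches(rule: str, daemon: str, c: Client) -> bool:
    """One 'daemon_list : client_list' line (EXCEPT and @netgroups not modelled)."""
    daemons, clients = rule.split(":", 1)
    if not any(d.strip() in ("ALL", daemon) for d in daemons.split(",")):
        return False
    return any(host_matches(h, c) for h in clients.replace(",", " ").split())

def hosts_access(allow: List[str], deny: List[str], daemon: str, c: Client) -> bool:
    """First match in hosts.allow grants; then first match in hosts.deny refuses; else grant."""
    if any(rule_matches(r, daemon, c) for r in allow):
        return True
    return not any(rule_matches(r, daemon, c) for r in deny)

# Constructed rule sets and clients modelled on the thread (addresses and names invented).
ALLOW = ["cvspserver: ALL", "ALL: LOCAL .example.co.uk"]
DENY = ["ALL: PARANOID"]
BROKEN_RDNS = Client("203.0.113.5", "unknown.adsl.isp.example", forward_ok=False)
LAN_BOX = Client("192.0.2.10", "buildbox")
```

With these rules the broken-reverse-DNS client is refused for daemon "cvs" exactly as in the syslog line, is admitted once the rule reads "cvs: ALL", and is admitted to every service once "ALL: *" is appended.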