This is a discussion on "hosts.deny doesnt work for httpd requests" within the Linux Security forums, part of the System Security and Security Related category.
I tried to disable all requests coming to my server except for
sendmail using /etc/hosts.deny and /etc/hosts.allow

so
/etc/hosts.deny
has
ALL:ALL

and
/etc/hosts.allow
has
sendmail: ALL

but when I try to access the server webpage using browser it works

how very strange. shouldn't httpd server access be blocked ??

DukeNM wrote:
> I tried to disable all requests coming to my server except for
> sendmail using /etc/hosts.deny and /etc/hosts.allow
[...]
> but when I try to access the server webpage using browser it works
>
> how very strange. shouldn't httpd server access be blocked ??

Only if run through (x)inetd.

$ man 5 hosts.deny

DESCRIPTION
       This manual page describes a simple access control language that is
       based on client (host name/address, user name), and server (process
       name, host name/address) patterns. Examples are given at the end.
       The impatient reader is encouraged to skip to the EXAMPLES section
       for a quick introduction.

       The extended version of the access control language is described in
       the hosts_options(5) document. Note that this language supersedes
       the meaning of shell_command as documented below.

       In the following text, daemon is the the process name of a network
       daemon process, and client is the name and/or address of a host
       requesting service. Network daemon process names are specified in
       the inetd configuration file.

--
Met vriendelijke groet / Best regards,
Jan Reilink
Dutch Security Information Network, http://www.dsinet.org

tridentadm@netscape.net (DukeNM) writes:

]I tried to disable all requests coming to my server except for
]sendmail using /etc/hosts.deny and /etc/hosts.allow

]so
]/etc/hosts.deny
]has
]ALL:ALL

]and
]/etc/hosts.allow
]has
]sendmail: ALL

]but when I try to access the server webpage using browser it works

]how very strange. shouldn't httpd server access be blocked ??

No. Only programs launched through inet or xinet with tcpwrappers activated, or
programs who have tcpwrappers included use host.deny/allow.
But if you do not want web access why in the world are you running the http daemon.
That is the only way they can obtain access. If you do not want a service, DO
NOT run the associated daemon.

> No. Only programs launched through inet or xinet with tcpwrappers activated, or
> programs who have tcpwrappers included use host.deny/allow.
> But if you do not want web access why in the world are you running the http daemon.
> That is the only way they can obtain access. If you do not want a service, DO
> NOT run the associated daemon.

okie. I kinda figured it out a bit myself also.
hmm. so my next question would be
how do I know if my package is libwrap compiled or not
also considering that it may be a rpm redhat linux

In article <6b07a80.0308220412.155c8fa3@posting.google.com>,
DukeNM wrote:
> how do I know if my package is libwrap compiled or not
> also considering that it may be a rpm redhat linux

In addition to ldd as already suggested, you can consult the SRPM for
the package and see how it was compiled. Typically options will be
given to the "configure" script.

--
  /dev/rob0 - preferred_email=i$((28*28+28))@softhome.net
  or put "not-spam" or "/dev/rob0" in Subject header to reply

tridentadm@netscape.net (DukeNM) writes:

]> No. Only programs launched through inet or xinet with tcpwrappers activated, or
]> programs who have tcpwrappers included use host.deny/allow.
]> But if you do not want web access why in the world are you running the http daemon.
]> That is the only way they can obtain access. If you do not want a service, DO
]> NOT run the associated daemon.

]okie. I kinda figured it out a bit myself also.
]hmm. so my next question would be
]how do I know if my package is libwrap compiled or not
]also considering that it may be a rpm redhat linux

Almost none are. openssh is. I cannot think of any others.
If you start the program via xinetd or inetd, then those can be told to
use libwrap before handing control over to the daemon.

unruh@string.physics.ubc.ca (Bill Unruh) writes:

> ]how do I know if my package is libwrap compiled or not also considering
> ]that it may be a rpm redhat linux
>
> Almost none are. openssh is. I cannot think of any others.

Well you've omitted dgs, esound, nfs-utils (apparently) and portmap then,
and that's just what I've got installed here. Maybe lpd too, although that
traditionally used some hosts.lpd file instead, I thought.

> If you start the program via xinetd or inetd, then those can be told to
> use libwrap before handing control over to the daemon.

True. In the case of xinetd, tcp_wrappers are semi-optional anyway, as it
has its own `only_from' directive as well.

~Tim
--
So lead me to the river                  |piglet@stirfried.vegetable.org.uk
Blood runs thicker than the water        |http://spodzone.org.uk/

Bill Unruh wrote:
> tridentadm@netscape.net (DukeNM) writes:
>
> ]I tried to disable all requests coming to my server except for
> ]sendmail using /etc/hosts.deny and /etc/hosts.allow
>
> ]so
> ]/etc/hosts.deny
> ]has
> ]ALL:ALL
>
> ]and
> ]/etc/hosts.allow
> ]has
> ]sendmail: ALL
>
> ]but when I try to access the server webpage using browser it works
>
> ]how very strange. shouldn't httpd server access be blocked ??
>
> No. Only programs launched through inet or xinet with tcpwrappers
> activated, or programs who have tcpwrappers included use host.deny/allow.
> But if you do not want web access why in the world are you running the http
> daemon. That is the only way they can obtain access. If you do not want a
> service, DO NOT run the associated daemon.

sshd does.

A.

Andreas Mueller <nospam@home.de> writes:

]Bill Unruh wrote:
]> tridentadm@netscape.net (DukeNM) writes:
]>
]> ]I tried to disable all requests coming to my server except for
]> ]sendmail using /etc/hosts.deny and /etc/hosts.allow
]>
]> ]so
]> ]/etc/hosts.deny
]> ]has
]> ]ALL:ALL
]>
]> ]and
]> ]/etc/hosts.allow
]> ]has
]> ]sendmail: ALL
]>
]> ]but when I try to access the server webpage using browser it works
]>
]> ]how very strange. shouldn't httpd server access be blocked ??
]>
]> No. Only programs launched through inet or xinet with tcpwrappers
]> activated, or programs who have tcpwrappers included use host.deny/allow.
]> But if you do not want web access why in the world are you running the http
]> daemon. That is the only way they can obtain access. If you do not want a
]> service, DO NOT run the associated daemon.

]sshd does.

Yes. It has tcpwrappers compiled into sshd. I do not know of any others.
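
The ldd check mentioned in the thread, as an added example that is not part of any post: it classifies ldd output by whether libwrap is listed, which tells you whether a daemon reads hosts.allow and hosts.deny on its own. The sample ldd output, the function names and the paths in the usage comment are constructed for illustration; a daemon started from inetd or xinetd behind tcpd is wrapped regardless of what this reports.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports whether a daemon binary is
# dynamically linked against libwrap, i.e. whether it consults hosts.allow
# and hosts.deny by itself. Run ldd only on binaries you trust.

# Constructed sample ldd output (library paths and addresses are made up).
SAMPLE_WRAPPED='    libwrap.so.0 => /usr/lib/libwrap.so.0 (0x40023000)
    libc.so.6 => /lib/libc.so.6 (0x40100000)'
SAMPLE_PLAIN='    libm.so.6 => /lib/libm.so.6 (0x4002b000)
    libc.so.6 => /lib/libc.so.6 (0x40100000)'

# classify_ldd: read ldd output on stdin, print "wrapped" or "not-wrapped".
classify_ldd() {
    if grep -q 'libwrap\.so'; then
        echo wrapped
    else
        echo not-wrapped
    fi
}

# wrap_status BINARY: classify a real binary. Prints "unknown" when ldd cannot
# read it (missing file, static executable), because a static build may still
# have libwrap compiled in; check the SRPM configure options in that case.
wrap_status() {
    out=$(ldd "$1" 2>/dev/null) || { echo unknown; return 0; }
    printf '%s\n' "$out" | classify_ldd
}

# Usage (hypothetical paths): sh check_libwrap.sh /usr/sbin/sshd /usr/sbin/httpd
for bin in "$@"; do
    printf '%s: %s\n' "$bin" "$(wrap_status "$bin")"
done
```

A "not-wrapped" result for httpd is the situation in the original question: ALL:ALL in hosts.deny is never consulted, so the port has to be closed by stopping the daemon or by a packet filter.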