Re: [cobalt-users] [RaQ3i] hosts.deny
- Subject: Re: [cobalt-users] [RaQ3i] hosts.deny
- From: Theodore Jones <theoj@xxxxxxxxxxxxx>
- Date: Sun Oct 8 21:07:01 2000
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Brandon,
Thanks for the info.
Yah, security didn't seem to be at the top of their list when stirring
the "special sauce"...
I've already got PortSentry running for my regular inet services, just
didn't know it didn't cover httpd as well... Unfortunately I'm probably
not bold enough to recompile IPFWADM
into my kernel at this time either.
Has anyone else out there attempted this kernel recompile, and would
they like to report the results?
~ Theo
Brandon Wheaton wrote:
> On Sun, 8 Oct 2000, a remote ECHELON node intercepted, flagged and
> forwarded the following transmission from Theodore Jones:
> > when I add an IP to the "hosts.deny" file under /etc,
> > ALL: 209.74.20.34
> > then do a:
> > /etc/rc.d/init.d/inet reload
> > then watch my /home/log/httpd/error file (tail -f), I
> > don't seem to see that this IP/person is blocked from
> > making random guesses at my CGI files....
>
> Hi Theo.
>
> Hosts.deny is a component of TCP Wrappers. TCP Wrappers
> only protects services running under inet (for a list of
> inet services, look in /etc/inetd.conf) hence any entries
> you add to your hosts.deny and hosts.allow file will only
> block traffic for those services. (i.e. pop and telnet)
>
> If you want to block traffic to your entire box (short
> of utilizing an external firewall) you will need to
> utilize a kernel-level filter called IPFWADM. Use of
> IPFWADM requires Kernel recompilation, which will no
> doubt void your warranty. I can't imagine why Cobalt
> would leave this critical component out of its OS. But
> if you are a brave soul, here is the rundown. IPFWADM
> is the basic Linux firewall tool. (Kernel 2.102+ uses
> IPCHAINS) To utilize it to block an IP, all you have
> to do is /sbin/ipfwadm -I -i deny -S 209.74.20.34 -o
> With the -o option, all access attempts will be entered
> into /var/log/messages for your viewing pleasure. The
> "deny" makes it look to your attacker as if you have
> fallen off the Internet. You can also use the "reject"
> option, which gives attackers a "connection refused"
> message if that's what you prefer. Either way - the result
> is that you won't need to worry about them any longer.
> Until they get smart and attack you from another IP,
> that is ;^) That is where Portsentry comes into play
> - but that's another e-mail entirely.
>
> Have fun.
>
> Brandon Wheaton
> UNIX Systems Engineer
> ValiCert, Inc.
> 1215 Terra Bella Ave.
> Mountain View, CA 94043
> 650.567.5430
> ----
> Computers are useless; they can only provide answers.
> ~Pablo Picasso
>
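The reply quoted above says hosts.deny only affects services that inetd starts through TCP Wrappers. The script below is an added example, not part of the original thread: it checks an inetd.conf for whether a given service is actually launched via tcpd. The function names and the sample inetd.conf contents are constructed for illustration.

```shell
#!/bin/sh
# Classify a service by whether /etc/hosts.deny can affect it.
#   wrapped    - started by inetd through tcpd, so hosts.deny/hosts.allow apply
#   unwrapped  - started by inetd without tcpd (e.g. inetd "internal" services)
#   not-inetd  - no active inetd.conf entry (standalone daemon or disabled)
wrapper_coverage() {
    conf=$1
    svc=$2
    awk -v svc="$svc" '
        /^[ \t]*#/ || NF < 6 { next }        # skip comments and short lines
        $1 == svc {
            n = split($6, path, "/")          # field 6 is the server program
            if (path[n] == "tcpd") print "wrapped"; else print "unwrapped"
            found = 1
            exit
        }
        END { if (!found) print "not-inetd" }
    ' "$conf"
}

# Constructed sample inetd.conf (not taken from a real RaQ).
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# service  socket  proto  wait    user    server          args
ftp        stream  tcp    nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet     stream  tcp    nowait  root    /usr/sbin/tcpd  in.telnetd
pop-3      stream  tcp    nowait  root    /usr/sbin/tcpd  ipop3d
time       stream  tcp    nowait  root    internal
#finger    stream  tcp    nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
    echo "$f"
}

conf=$(make_sample_conf)
for s in telnet pop-3 time finger http; do
    printf '%-8s %s\n' "$s" "$(wrapper_coverage "$conf" "$s")"
done
rm -f "$conf"
```

A web server running as a standalone daemon has no inetd.conf entry, so it reports `not-inetd` and a hosts.deny rule never reaches it; pass `/etc/inetd.conf` as the first argument to check a real host.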