Is this a tcpwrapper bug?
John Summerfield
debian at herakles.homelinux.org
Mon Dec 17 23:05:04 UTC 2007
Tom Horsley wrote:
> While trying to make my ssh connection maximally secure,
> I decided to use the /etc/hosts.allow and /etc/hosts.deny
> files, and was able to get them working without too much
> trouble, so now the only external site that can connect to
> my home system is the address of what is probably my work
> system's firewall.
>
> Here's the bug: The DNS setup for the IP address of the
> firewall gives it two names, both (examples only)
> users.example.com and corpvpn.example.com are in the
> DNS database as the same IP.
>
> If I try to use either name (or both names) in the hosts.allow
> file, I always get rejected with a log message that claims
> users.example.com != corpvpn.example.com.
>
> If I use the IP address in hosts.allow, I still get the message
> in the log, but I am allowed to connect.
>
> Is the tcpwrapper code being too paranoid here? Shouldn't
> it lookup all the names for the IP and accept any match
> rather than (appapently) only looking up the 1st name?
I don't see that tcpwrappers does a lot for you in this case than you
can also do with iptables.
Assuming your iptables policy is set to deny, than add something like this:
iptables -I INPUT --source there.example.com --dport 22 -j ACCEPT
The problem with such a rule is that if one end changes its address, or
if you need to connect from different places, perhaps because of dynamic
IP addresses or because you're travelling, it fails you.
I use these rules (from iptables-save) to allow me to connect from
anywhere, while limiting the possibility of enumerating passwords:
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit
--limit 5/hour -j LOG --log-prefix "SSH connexion "
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m limit
--limit 5/hour -j ACCEPT
I have other rules for other, more likely, places. I find I get very few
attempts to enumerate accounts from the Australian addresses I allow.
--
Cheers
John
-- spambait
1aaaaaaa at coco.merseine.nu Z1aaaaaaa at coco.merseine.nu
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375
You cannot reply off-list:-)
More information about the users
mailing list