[svlug] /etc/hosts.deny tcpd problems

Dagmar d'Surreal dagmar at dsurreal.org
Sun Jun 24 21:53:02 PDT 2001

On Thu, 21 Jun 2001, Bill Jonas wrote:

> On Thu, Jun 21, 2001 at 06:15:36PM -0400, Galen J. Wilkerson wrote:
> > #/etc/hosts.deny
> > proftpd: ALL EXCEPT .garble.gen.ak.us
> > 
> > thoughts?
> In /etc/hosts.allow:
> proftpd: .garble.gen.ak.us
> In /etc/hosts.deny:
> proftpd: ALL
> I unsure if that's the exact syntax, but you get the idea.  It might be
> "ftp" or "FTP" instead of "proftpd".
> The way it works is that when an incoming connection is requested,
> tcpwrappers looks in /etc/hosts.allow, and if it's there, the connection
> is permitted.  If nothing matches in hosts.allow, the /etc/hosts.deny
> file is consulted; if there's a match, access is denied.  If neither
> matches, the the connection request is granted.
> Upon looking at hosts_access(5), it looks as though your construct would
> also work.  I believe you just need to change "proftpd" to "ftp".  If
> I'm not mistaken, it's the service name, not the daemon name.

That would be backwards if tcpd is being invoked.  If proftpd is running
standalone and is linked with libwrap (I have given up even TRYING to
maintain a non-compromiseable ftp daemon lately so I just don't know if it
does or not) then applications will usually be specifying their own name
for themselves, or their service name depending on how the program was
coded to invoke libwrap.  Tcpd only knows the filename of the binary being
invoked, and though the service name for port 21 is ftp, if the daemon
itself is named in.ftpd, then in.ftpd is the token that needs to be
invoked in the hosts_access files.

Since no one appears to have mentioned it, I'd just check the
/etc/inetd.conf (or xinetd.conf) to make certain tcpd is being called as
well, if it's not running standalone...  i.e., the line (for inetd
anyway) should read...

ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  wu.ftpd -l -i -a

...with wu.ftpd being the left-hand argument in hosts_access
files.  In this instance, inetd invokes /usr/sbin/tcpd with all the
arguments to the end of the line, and then after doing it's checking tcpd
will invoke the wu.ftpd binary in the daemon directory (typically
/usr/sbin but changeable at compile time to other things) with the rest of
the arguments passed on.

More information about the svlug mailing list