SUMMARY: block one IP with tcp wrappers

From: Christopher Barnard <cbarnar1_at_earthlink.net>
Date: Tue Sep 14 2010 - 22:08:56 EDT
I asked

> I use the "mostly closed" philosophy of tcp wrappers on my Sun Solaris
> servers.  My /etc/hosts.deny file is ALL:ALL and then I allow specific IP
> ranges and specific protocols with my /etc/hosts.allow file.  I have an
> interesting conundrum.  I want to block one specific IP from connecting (via
> ssh, in this case), but I still want to allow the rest of the subnet.  I do
> not have access to the problem child in question, so I can only make changes
> on the destination host.
>
> Right now in my /etc/hosts.allow file is the rule
> sshd: 144.74.: severity daemon.info
>
> I want to prohibit 144.74.75.76 from connecting, but still allow the rest of
> 144.74 to connect.  Can anyone think of a way to do this short of adding an
> "allow" entry for every IP in the hosts.allow file except for that one?


The answer:

EXCEPT is your friend.

In my /etc/hosts.allow I changed the rule to
sshd: 144.74. EXCEPT 144.74.75.76: severity daemon.info
and it works like a charm.

Several people have misconceptions about the tcpd access files.  For every
connection, the hosts.allow file is processed first and hosts.deny second.  As
soon as a match is made, it is followed and no more parsing of the files is
done.  So having sshd: 144.74. in the hosts.allow means that anything meeting
that definition would be allowed, regardless of the hosts.deny file contents.
The "EXCEPT" does exactly what it sounds like -- it ignores the rule to see if
there are subsequent matches... like the deny ALL:ALL in the hosts.deny file.

Several people also mentioned using ipfilter / iptables instead, since that is
installed with Solaris 10.  It is, and I use it (on my linux boxes too).  But
this particular problem was Solaris 9 and Solaris 8 where tcp wrappers had
already been built and deployed.  Since most of these servers are EOL, I
figured it is not worthwhile to port iptables to a server that will go away in
six months or so ...

Thanks to
	alanpae@ilkda.com
	Andrew Brennan <andrew.brennan@drexel.edu>
	Ric Anderson <ric@Opus1.COM>
	Stier, Matthew <Matthew.Stier@us.fujitsu.com>
	grove@zeta.org.au
	Casper.Dik@Sun.COM
	Francisco Puente <fpuente00@gmail.com>
	Chris Hoogendyk <hoogendyk@bio.umass.edu>
	Juraj Lutter <juraj@lutter.sk>
	Emmanuel Mejias <emmanuel.mejias@gmail.com>
	brian.l.jester@accenture.com
	JULIAN, JOHN C (ATTSI) <jj2195@att.com>
	Belford, Joseph A II CTR USAF ACC 82 CSS/SCOG <Joseph.Belford.Ctr@langley.af.mil>
	Chris C <mazzystr@gmail.com>
	Hackett, Peter <PHackett@talisman-energy.com>
	Batey, Everett II NAVSEA <everett.batey@navy.mil>
	D. Ratliff <ddratliff@yahoo.com>
	Karl Vogel <vogelke+unix@pobox.com>

Christopher L. Barnard
-------------------
comment your code as if the maintainer is a homicidal maniac who knows where
you live.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Tue Sep 14 22:10:09 2010

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:17 EST
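The evaluation order the message describes (hosts.allow first, hosts.deny second, first match wins, EXCEPT narrowing the client list so the deny file gets a chance to match) can be checked without a Solaris box. The script below is an added example, not code from the original post or from the tcp_wrappers distribution; it models the address-pattern rules of hosts_access(5) (ALL, trailing-dot prefix, leading-dot domain suffix, net/mask, exact match, and right-nesting EXCEPT) and leaves out hostname lookups, netgroups, KNOWN/LOCAL/PARANOID and option side effects. The configuration fragments are the ones quoted in the message; the extra client addresses 144.74.1.2 and 10.0.0.1 are constructed for the demonstration.

```python
"""Model of tcpd (TCP Wrappers) hosts_access(5) evaluation, including EXCEPT.

Added example, not part of the original post or of tcp_wrappers. Only the
address-pattern subset of the language is implemented; option parsing is
naive (a ':' inside an option such as a spawn command is not handled).
"""
import ipaddress
import re

# Constructed configuration fragments (rules quoted in the message).
HOSTS_DENY = "ALL: ALL\n"
ALLOW_BEFORE = "sshd: 144.74.: severity daemon.info\n"
ALLOW_AFTER = "sshd: 144.74. EXCEPT 144.74.75.76: severity daemon.info\n"


def match_token(pattern, value):
    """Match one hosts_access pattern against a daemon name or client address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "144.74." matches by address prefix
        return value.startswith(pattern)
    if pattern.startswith("."):          # ".example.com" matches by name suffix
        return value.endswith(pattern)
    if "/" in pattern:                   # "144.74.0.0/255.255.0.0" net/mask form
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:               # value is not an address
            return False
    return pattern == value              # exact daemon name or address


def match_list(spec, value):
    """Evaluate 'list_1 EXCEPT list_2'.

    As documented in hosts_access(5), EXCEPT nests to the right:
    'a EXCEPT b EXCEPT c' is read as 'a EXCEPT (b EXCEPT c)'.
    """
    tokens = [t for t in re.split(r"[\s,]+", spec.strip()) if t]
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        left, right = tokens[:i], tokens[i + 1:]
        return (any(match_token(t, value) for t in left)
                and not match_list(" ".join(right), value))
    return any(match_token(t, value) for t in tokens)


def parse_rules(text):
    """Split an access file into (daemon_list, client_list, options) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((fields[0], fields[1], fields[2:]))
    return rules


def first_match(rules, daemon, client):
    """Return the first rule whose daemon list and client list both match."""
    for rule in rules:
        daemons, clients, _options = rule
        if match_list(daemons, daemon) and match_list(clients, client):
            return rule
    return None


def hosts_access(allow_text, deny_text, daemon, client):
    """tcpd order: hosts.allow, then hosts.deny; first match wins; default allow."""
    rule = first_match(parse_rules(allow_text), daemon, client)
    if rule is not None:
        return "allow", rule
    rule = first_match(parse_rules(deny_text), daemon, client)
    if rule is not None:
        return "deny", rule
    return "allow", None


def decisions(allow_text, clients=("144.74.75.76", "144.74.1.2", "10.0.0.1")):
    """Decision for each (constructed) client address under the given hosts.allow."""
    return {c: hosts_access(allow_text, HOSTS_DENY, "sshd", c)[0] for c in clients}


if __name__ == "__main__":
    for label, allow in (("before", ALLOW_BEFORE), ("after", ALLOW_AFTER)):
        print(label, decisions(allow))
```

With the original rule the prefix match in hosts.allow fires for 144.74.75.76 and the ALL:ALL in hosts.deny is never consulted; with the EXCEPT rule the allow entry no longer matches that one address, so evaluation falls through to hosts.deny and the connection is refused while 144.74.1.2 is still admitted. On a real host the same question is answered by tcpdmatch(8) from the tcp_wrappers distribution, e.g. `tcpdmatch sshd 144.74.75.76`, which reads the installed access files and reports the matching rule.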