Very good questions ...

On Nov 19, 2007 9:11 PM, Mark <[EMAIL PROTECTED]> wrote:
> I think it would be cool to have a filter that loaded
> /etc/hosts.(deny|allow). The one question I do have; why would a MINA based
> application require such a filter if the OS should be handling this?

In order for the OS to handle this the application needs to be linked with
libwrap.so :(. This is the way automatic lookups into the blacklist (just
/etc/hosts.deny) are done and enforcement is handled automatically. So it's
probably non-trivial to leverage this most excellent facility to benefit Java
network servers.

> The other concern I have is what would the efficacy of the filter be in a
> non-unix environment?

It probably still has value. You don't necessarily have to load the rules from
a file named /etc/hosts.deny and /etc/hosts.allow. BTW the allow file has rules
which still impact the effective blacklist derived from these rules.

If you want the blacklist filter to persist rules across restarts you're going
to need some framework for it to report and store rules where the parts are
made pluggable. In this case if the MINA server is deployed on *NIX it may
default to attempt to use these standard files. If not you may define your own
format and have a way to load and store the rules from some file.

The benefit this has regardless of the OS is that it is a somewhat familiar and
accepted format and in *NIX land it's useful (more than just familiar). However
who knows how many problems the format has. I know you can do all sorts of
crazy things with this stuff.

Also when trying to make something like tcp_wrappers in MINA I don't think we
have the store/load concept. tcp_wrappers is just for read access to rules.

I guess this is more complex than it seems as usual. Nothing is as straight
forward as I would like it to be.

<OT>
Funny I got these desires sitting here watching a firewall I just set up before
putting the machine into DNS. Right after adding it the onslaught of port scans
began. I guess many of these goons look forward to new records showing up in
DNS and firing off automated scans. Luckily I had DenyHosts [0] set up. After a
few hours I had 25-50 new entries added to my hosts.deny file for sshd. Then
DenyHosts loaded 7K of entries into the file after pulling a bunch of culprits
from a central server. It's pretty sweet!!! This goes up and down as the threats
disappear globally.

I stepped back and prematurely felt safe. Then I realized not everything
(especially my Java servers) can do this. That's when I got worried and posted
my messages hehe. Heck I'd just feel safe if the blacklist filter could pull all
the IPs in the hosts.deny file and use them. If these guys are trying to rip
into sshd it's only a matter of time before they find other protocols that are
not so lucky.
</OT>

Alex

-----------
[0] -- http://denyhosts.sourceforge.net/

> On Nov 19, 2007 8:47 PM, Alex Karasulu <[EMAIL PROTECTED]> wrote:
> > See I'm just trying to think of ways in which better UNIX integration
> > can be optionally incorporated. Another thing I like is logging to
> > /var/log/secure which gets picked up by things like DenyHosts to
> > feedback into these primitive access lists.
> >
> > I was thinking about how to do this for ApacheDS but it seemed to me
> > like it might benefit more than just LDAP. It's something that might
> > benefit several protocols that run on *NIX systems.
> >
> > Perhaps this is unnecessary, don't know. Hence the request for feedback.
> >
> > Alex
> >
> > On Nov 19, 2007 8:44 PM, Alex Karasulu <[EMAIL PROTECTED]> wrote:
> > > Right that's what I thought.
> > >
> > > Does anyone think it would be worth adding some pluggable means to
> > > load the blacklisted IPs from files with the same format?
> > >
> > > Alex
> > >
> > > On Nov 19, 2007 8:39 PM, Mark <[EMAIL PROTECTED]> wrote:
> > > > I would say that the BlacklistFilter is much like /etc/hosts.deny. We do
> > > > not have a filter that mimics the functionality of /etc/hosts.allow
> > > >
> > > > On Nov 19, 2007 8:32 PM, Alex Karasulu <[EMAIL PROTECTED]> wrote:
> > > > > Hi guys,
> > > > >
> > > > > I know we have a blacklist filter but does anyone know if a
> > > > > tcp_wrappers-like filter has been written for MINA which uses
> > > > > /etc/hosts.allow and /etc/hosts.deny files or something similar?
> > > > >
> > > > > Thanks,
> > > > > Alex
> > > >
> > > > --
> > > > --------------------------------
> > > > The adjuration to be "normal" seems shockingly repellent to me; I see
> > > > neither hope nor comfort in sinking to that low level. I think it is
> > > > ignorance that makes people think of abnormality only with horror and
> > > > allows them to remain undismayed at the proximity of "normal" to average
> > > > and mediocre. For surely anyone who achieves anything is, essentially,
> > > > abnormal.
> > > > Dr. Karl Menninger
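As an added illustration of the rule evaluation this thread is circling around (example code, not anything from MINA or from the people on the list), the Python below parses hosts.allow/hosts.deny text in hosts_access(5) syntax and applies the tcp_wrappers decision order: a match in the allow file grants access, otherwise a match in the deny file refuses it, otherwise access is granted. The two rule files are constructed for the example. `blacklist_from_deny` shows how the literal addresses that DenyHosts appends to hosts.deny for `sshd` could be pulled out to seed an address-only blacklist filter; hostname patterns (`.example.com`, `LOCAL`, `KNOWN`) and bracketed IPv6 entries are deliberately left out, since they need DNS or a different field splitter.

```python
import ipaddress

# Constructed sample files in hosts_access(5) syntax (not taken from the thread).
HOSTS_ALLOW = """\
# the management /16 may always reach ldap and sshd, except the 10.0.99.x guests
ldap sshd : 10.0.0.0/255.255.0.0 EXCEPT 10.0.99.
ALL : 127.0.0.1
"""

HOSTS_DENY = """\
# DenyHosts-style entries: one offending client per line
sshd: 203.0.113.7
sshd: 198.51.100.0/24
# the LDAP port is closed to anyone not matched in hosts.allow
ldap : ALL
"""


def split_list(field):
    """Split a daemon or client list into (included, excepted) token lists.
    Tokens may be space- or comma-separated; EXCEPT starts the excluded part."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text):
    """Parse rule text into [(daemon_list, client_list)], each a split_list pair.
    Comments, blank lines and backslash continuations are handled; the optional
    third field (shell_command) is ignored."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((split_list(fields[0]), split_list(fields[1])))
    return rules


def daemon_matches(token, daemon):
    return token == "ALL" or token == daemon


def client_matches(token, ip):
    """Match one client pattern against an ipaddress address object."""
    if token == "ALL":
        return True
    if "/" in token:                       # net/mask or net/prefixlen
        try:
            return ip in ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False
    if token.endswith("."):                # address prefix such as "10.0.99."
        return str(ip).startswith(token)
    try:
        return ip == ipaddress.ip_address(token)
    except ValueError:
        return False                       # hostname patterns need DNS; unsupported


def list_matches(parts, match, value):
    included, excepted = parts
    return (any(match(t, value) for t in included)
            and not any(match(t, value) for t in excepted))


def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return (list_matches(daemons, daemon_matches, daemon)
            and list_matches(clients, client_matches, ip))


def access_allowed(daemon, client, allow_rules, deny_rules):
    """tcp_wrappers order: allow file first, then deny file, then default allow."""
    ip = ipaddress.ip_address(client)
    if any(rule_matches(r, daemon, ip) for r in allow_rules):
        return True
    if any(rule_matches(r, daemon, ip) for r in deny_rules):
        return False
    return True


def blacklist_from_deny(deny_rules, daemon):
    """Literal address/network patterns hosts.deny lists for one daemon, sorted;
    usable to seed a blacklist filter that only understands addresses."""
    found = set()
    for (daemons, _), (clients, _) in deny_rules:
        if not any(daemon_matches(t, daemon) for t in daemons):
            continue
        for t in clients:
            if t == "ALL" or t.endswith("."):
                continue
            try:
                ipaddress.ip_network(t, strict=False)
                found.add(t)
            except ValueError:
                pass
    return sorted(found)


if __name__ == "__main__":
    allow, deny = parse_rules(HOSTS_ALLOW), parse_rules(HOSTS_DENY)
    for d, c in [("sshd", "10.0.1.5"), ("sshd", "10.0.99.5"),
                 ("sshd", "203.0.113.7"), ("ldap", "192.0.2.9")]:
        print(d, c, "allow" if access_allowed(d, c, allow, deny) else "deny")
    print("sshd blacklist:", blacklist_from_deny(deny, "sshd"))
```

Note the `10.0.99.5` case: the EXCEPT clause knocks it out of the allow rule, but nothing in hosts.deny names it for `sshd`, so tcp_wrappers semantics still let it in. That default-allow is the reason a deny file alone, which is all a plain blacklist filter gives you, behaves differently from the allow/deny pair.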