On Wed, Jan 12, 2005 at 02:27:43PM -1000, Dwight Victor wrote:
> Are you sure about that Vince?

Almost certain, yes.

> The way I understand how tcp_wrappers works is that the wrapper
> is actually listening on the service port and when the attempt
> is successfully authenticated against the /etc/hosts.allow and
> /etc/hosts.deny files, the wrapper passes control to the actual
> service.

To get tcp-wrapper support for an application, you either add the checks directly to the application or run a process that has been compiled with libwrap to perform the host checks before handing off to the application.

> A quick google gives me this from Red Hat:
> http://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/ref-guide/ch-tcpwrappers.html

The link you posted lists sshd as a network service that is compiled with libwrap, which is what I assert.

> The tcpd manpage says this:
> NAME
>        tcpd - access control facility for internet services

You list tcpd, but that is only required when you run something without tcp-wrapper support. I believe most inetd and xinetd packages ship with libwrap compiled in, so there is no need for tcpd in this case either. I doubt you will find tcpd running on a default install of any current OS. And if you kill all your superservers (inetd|xinetd) you should still find sshd running.

I could be wrong about a denied host being able to buffer overflow sshd, but if sshd is the one providing the tcp-wrapper support, I think the possibility is very real. Therefore, I tend to only use tcp-wrappers when firewalling is not an option.

> If I'm wrong, then I'm wrong...but I don't think so.

Ditto. An interesting discussion, nonetheless!

-Vince
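The point of the exchange above is that the hosts.allow/hosts.deny check is just a library call made inside whichever process links libwrap (sshd itself, or inetd/xinetd, or tcpd as a separate wrapper). The following is an added example, not code from the thread or from tcp_wrappers: a small Python evaluator of the two rule files with tcpd's decision order (first matching hosts.allow rule grants, then first matching hosts.deny rule denies, otherwise access is granted). The entry point is named after libwrap's hosts_ctl(daemon, client_name, client_addr, client_user), which is the call an application makes to get the check; the rule files and addresses below are constructed for illustration and the matcher covers only the common pattern forms (ALL, LOCAL, net/mask, address prefix, domain suffix, EXCEPT).

```python
"""Minimal evaluator of /etc/hosts.allow and /etc/hosts.deny semantics.

Added illustration only; this is not tcp_wrappers' own code.  It mirrors
the decision order libwrap applies when an application calls hosts_ctl():
  1. first matching rule in hosts.allow  -> permit
  2. first matching rule in hosts.deny   -> refuse
  3. no match in either file             -> permit (default is allow)
"""
import ipaddress

# Constructed sample rule files (not copied from any real host).
HOSTS_ALLOW = """
# daemon_list : client_list
sshd : 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.66
sshd : .trusted.example
ALL  : 127.0.0.1
"""
HOSTS_DENY = """
sshd : ALL
"""


def split_list(field):
    """Split 'a b EXCEPT c d' into (included, excluded) token lists."""
    tokens = field.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return tokens[:i], tokens[i + 1:]
    return tokens, []


def parse_rules(text):
    """Return [(daemon_list, client_list), ...]; malformed lines are skipped
    (tcpd logs and ignores them rather than failing open or closed)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        rules.append((split_list(fields[0]), split_list(fields[1])))
    return rules


def match_client(pattern, host, addr):
    """Match one client pattern against a (hostname, address) pair."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # hostname without a dot
        return "." not in host
    if pattern.startswith("."):            # domain suffix, e.g. .example.com
        return host.endswith(pattern)
    if pattern.endswith("."):              # address prefix, e.g. 192.168.
        return addr.startswith(pattern)
    if "/" in pattern:                     # net/mask, dotted mask or CIDR
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern in (host, addr)          # exact host name or address


def match_client_list(lst, host, addr):
    included, excluded = lst
    return (any(match_client(p, host, addr) for p in included)
            and not any(match_client(p, host, addr) for p in excluded))


def match_daemon_list(lst, daemon):
    included, excluded = lst
    hit = lambda p: p == "ALL" or p == daemon
    return any(hit(p) for p in included) and not any(hit(p) for p in excluded)


def hosts_ctl(daemon, client_name, client_addr, client_user="unknown",
              allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return True if access is granted, False if refused.  client_user is
    accepted for signature parity with libwrap but not used here."""
    for daemons, clients in parse_rules(allow_text):
        if match_daemon_list(daemons, daemon) and match_client_list(clients, client_name, client_addr):
            return True
    for daemons, clients in parse_rules(deny_text):
        if match_daemon_list(daemons, daemon) and match_client_list(clients, client_name, client_addr):
            return False
    return True


if __name__ == "__main__":
    for args in [("sshd", "ws1.corp.example", "192.168.1.10"),
                 ("sshd", "ws66.corp.example", "192.168.1.66"),
                 ("sshd", "box.trusted.example", "10.0.0.5"),
                 ("sshd", "unknown", "203.0.113.7"),
                 ("ftpd", "unknown", "203.0.113.7")]:
        print(args, "->", "allow" if hosts_ctl(*args) else "deny")
```

Two things worth noticing when running it: the last case (ftpd from an outside address) is permitted because neither file mentions ftpd, which is the default-allow behaviour Vince's firewall preference is reacting to; and every rule is evaluated inside the calling process, so a daemon such as sshd that links libwrap has already accepted the TCP connection and parsed the client's name before the decision is made.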
