On Sun, Jun 08, 2003 at 10:48:39AM -0700, Todd A. Jacobs wrote:
> > Actually, Nessus only checks the host IP, not the hostname. [Search for
> > "hosts_ctl" in nessus-core/nessusd/nessusd.c.]
>
> I thought tcpwrappers supported hostnames. Are you saying that nessus
> reads hosts.allow/hosts.deny, but doesn't really use the tcpwrappers
> library to grant access?

While tcp_wrappers itself does support hostnames, the nessus daemon does
not make use of that support when checking access. Nessus uses
hosts_ctl() for checking access. That function takes four strings as
arguments:
- 1st is the name of the daemon
- 2nd is the hostname of the client
- 3rd is the IP address of the client
- 4th is the username on the client

The constant STRING_UNKNOWN can also be used if the argument should be
regarded as missing. Now take a look at the code I pointed you to
earlier and you'll see the following:

    if(!(hosts_ctl("nessusd", STRING_UNKNOWN, asciiaddr, STRING_UNKNOWN)))

See? Nessus doesn't pass anything in for the 2nd argument (for the
hostname) when checking access. Thus, you need to list IP addresses
rather than hostnames in /etc/hosts.allow to grant access.

The patch that Renaud posted earlier today gets around this limitation.
If managing host access by IP is a pain, by all means apply it and use
hostnames. Just make sure you don't disable D_PARANOID -- you wouldn't
want someone else to play DNS tricks with hostname resolution and get
access inappropriately.

George
--
[EMAIL PROTECTED]
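
Added example (not part of the message above, and not libwrap or Nessus source): a simplified C model of the hosts_access(5) client-pattern rules, showing why hostname entries in /etc/hosts.allow cannot match when the daemon passes STRING_UNKNOWN as the client name, while IP entries still do. The helper names, the sample address and the sample hostname are constructed for illustration.

```c
/* Added illustration: simplified model of hosts_access(5) client matching.
 * Not libwrap or Nessus source; netgroups, masks and wildcards other than
 * ALL are left out. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define STRING_UNKNOWN "unknown"   /* same literal libwrap's tcpd.h uses */

/* One token against one string: ALL, ".suffix", "prefix." or exact. */
static int token_match(const char *tok, const char *s)
{
    size_t tl = strlen(tok), sl = strlen(s);
    if (tl == 0) return 0;
    if (tok[0] == '.')                       /* ".example.com": name suffix */
        return sl > tl && strcasecmp(tok, s + (sl - tl)) == 0;
    if (strcasecmp(tok, "ALL") == 0)
        return 1;
    if (tok[tl - 1] == '.')                  /* "192.0.2.": address prefix */
        return strncasecmp(tok, s, tl) == 0;
    return strcasecmp(tok, s) == 0;          /* exact match */
}

/* A token made only of digits, dots and '/' can only be an address. */
static int looks_like_addr(const char *tok)
{
    return tok[strspn(tok, "0123456789./")] == '\0';
}

/* Client pattern check, given the name and address the daemon passed in. */
int client_allowed(const char *tok, const char *name, const char *addr)
{
    if (token_match(tok, addr)) return 1;
    return !looks_like_addr(tok) && token_match(tok, name);
}

int main(void)
{
    const char *addr = "192.0.2.10";              /* constructed sample */
    const char *real = "scanner.example.com";     /* constructed sample */
    const char *rules[] = { "scanner.example.com", ".example.com",
                            "192.0.2.10", "192.0.2." };
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        printf("%-20s name=unknown:%d  name=resolved:%d\n", rules[i],
               client_allowed(rules[i], STRING_UNKNOWN, addr),
               client_allowed(rules[i], real, addr));
    return 0;
}
```

The name=unknown column corresponds to the hosts_ctl() call quoted in the message; the name=resolved column corresponds to a daemon that passes the client's hostname as the second argument.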
