net-snmp 5.5 tcp wrappers broken
Has anyone else seen this behaviour?

/etc/hosts.allow:

    ALL : X : allow
    ALL : ALL : deny

Doing a simple system SNMP query from host X fails. Remove the deny all line and it starts working. Trussing the process shows snmpd calling libwrap and accessing hosts.allow fine, just no joy. The earlier version, net-snmp 5.3, which I upgraded from, works fine. Ports and src tree csup'd very recently.

ssh does have these issues with the same hosts.allow file.

The host's reverse and forward DNS match.

    FreeBSD xx 8.0-STABLE FreeBSD 8.0-STABLE #0: Wed Jun 9 10:52:17 BST 2010 x:/usr/obj/usr/src/sys/DTRACE amd64

    # ls /etc/host*
    /etc/host.conf /etc/hosts /etc/hosts.allow /etc/hosts.equiv /etc/hosts.lpd

    [root]# /usr/local/sbin/snmpd -v
    NET-SNMP version: 5.5
    Web: http://www.net-snmp.org/
    Email: net-snmp-cod...@lists.sourceforge.net

    [root]# ls -l /usr/local/sbin/snmpd
    -rwxr-xr-x 1 root wheel 28880 Jun 9 12:30 /usr/local/sbin/snmpd

    [root]# ldd /usr/local/sbin/snmpd
    /usr/local/sbin/snmpd:
        libnetsnmpagent.so.20 => /usr/local/lib/libnetsnmpagent.so.20 (0x80064c000)
        libnetsnmphelpers.so.20 => /usr/local/lib/libnetsnmphelpers.so.20 (0x800793000)
        libnetsnmpmibs.so.20 => /usr/local/lib/libnetsnmpmibs.so.20 (0x8008b7000)
        libwrap.so.6 => /usr/lib/libwrap.so.6 (0x800abe000)
        libperl.so => /usr/local/lib/perl5/5.8.9/mach/CORE/libperl.so (0x800bc6000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x800dec000)
        libutil.so.8 => /lib/libutil.so.8 (0x800f05000)
        libnetsnmp.so.20 => /usr/local/lib/libnetsnmp.so.20 (0x801015000)
        libm.so.5 => /lib/libm.so.5 (0x8011e3000)
        libkvm.so.5 => /lib/libkvm.so.5 (0x801302000)
        libdevstat.so.7 => /lib/libdevstat.so.7 (0x80140a000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x80150f000)
        libelf.so.1 => /usr/lib/libelf.so.1 (0x8017a7000)
        libc.so.7 => /lib/libc.so.7 (0x8018bf000)

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: net-snmp 5.5 tcp wrappers broken
On 06/09/10 17:12, krad wrote:

> Has anyone else seen this behaviour?

Yep.

> /etc/hosts.allow
>
>     ALL : X : allow
>     ALL : ALL : deny

    snmpd: ALL : allow

works. Googling around, it seems FreeBSD is not the only OS affected...

bye
av.
Bug in tcp wrappers?
I think I've found a bug in libwrap/tcpwrappers. Before filing an actual bug report I want to get some feedback here first.

A hosts.allow file with ~1000 IPs on a single line (I haven't experimented with other quantities yet) causes network daemons that use libwrap to stop accepting incoming network connections and use 100% CPU on an incoming connection.

This problem appeared because sshguard placed a large number of IPs in my hosts.allow file, triggering this bug.

I've left the affected daemons for a long period of time (once about 8 hours) and they don't seem to come back, so I think this is more than just it taking a while to loop through a 1000 item array of IPs.

The production system that was affected is FreeBSD 7.0-32bit.
Test system is FreeBSD 7.1-32bit.

Example hosts.allow file (IPs are randomly generated for purposes of example):

    sshd : 112.110.123.63 113.11.2.126 113.11.8.6 113.19.19.22 113.197.48.68 [snipped 990+ IPs] 116.48.108.244 116.48.11.19 : deny
    ALL : ALL : allow

top output of affected system. sshd WCPU slowly crawls up to 100% over about 30 seconds or so.

    crash# top
    last pid: 692; load averages: 0.08, 0.04, 0.04  up 0+00:12:13 15:42:30
    24 processes: 2 running, 22 sleeping
    CPU: 49.7% user, 0.0% nice, 0.2% system, 0.2% interrupt, 49.9% idle
    Mem: 9304K Active, 6004K Inact, 21M Wired, 32K Cache, 10M Buf, 947M Free
    Swap: 1995M Total, 1995M Free

    PID USERNAME THR PRI NICE  SIZE   RES STATE  C  TIME   WCPU COMMAND
    691 root       1 103    0 5760K 3660K CPU1   1  0:04 33.98% sshd
    672 root       1   4    0 8436K 3888K sbwait 1  0:00  0.00% sshd
    677 cstdenis   1  20    0 4460K 2288K pause  0  0:00  0.00% csh
    682 root       1  20    0 5484K 2632K pause  0  0:00  0.00% csh
    675 cstdenis   1  44    0 8436K 3896K select 0  0:00  0.00% sshd
    [snip]

A backtrace shows:

    crash# gdb /usr/sbin/sshd 691
    GNU gdb 6.1.1 [FreeBSD]
    Copyright 2004 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type show copying to see the conditions.
    There is absolutely no warranty for GDB. Type show warranty for details.
    This GDB was configured as i386-marcel-freebsd...
    Attaching to program: /usr/sbin/sshd, process 691
    Reading symbols from /usr/lib/libssh.so.4...done.
    Loaded symbols for /usr/lib/libssh.so.4
    Reading symbols from /lib/libutil.so.7...done.
    Loaded symbols for /lib/libutil.so.7
    Reading symbols from /lib/libz.so.4...done.
    Loaded symbols for /lib/libz.so.4
    Reading symbols from /usr/lib/libwrap.so.5...done.
    Loaded symbols for /usr/lib/libwrap.so.5
    [snip other symbols for brevity]
    Reading symbols from /libexec/ld-elf.so.1...done.
    Loaded symbols for /libexec/ld-elf.so.1
    0x28373225 in fgets (buf=0xbfbfe67b , n=1, fp=0x283b8040) at /usr/src/lib/libc/stdio/fgets.c:56
    56 {
    (gdb) bt
    #0 0x28373225 in fgets (buf=0xbfbfe67b , n=1, fp=0x283b8040) at /usr/src/lib/libc/stdio/fgets.c:56
    #1 0x281124ee in xgets (ptr=0xbfbfe67b , len=1, fp=0x283b8040) at /usr/src/lib/libwrap/../../contrib/tcp_wrappers/misc.c:38
    #2 0x28111410 in table_match (table=0x28112c5c /etc/hosts.allow, request=0xbfbfeb14) at /usr/src/lib/libwrap/../../contrib/tcp_wrappers/hosts_access.c:162
    #3 0x28111540 in hosts_access (request=0xbfbfeb14) at /usr/src/lib/libwrap/../../contrib/tcp_wrappers/hosts_access.c:132
    #4 0x08052b39 in main (ac=2, av=0xbfbfeecc) at /usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/sshd.c:1843
    (gdb) bt
    #0 0x28373225 in fgets (buf=0xbfbfe67b , n=1, fp=0x283b8040) at /usr/src/lib/libc/stdio/fgets.c:56
    #1 0x281124ee in xgets (ptr=0xbfbfe67b , len=1, fp=0x283b8040) at /usr/src/lib/libwrap/../../contrib/tcp_wrappers/misc.c:38
    #2 0x28111410 in table_match (table=0x28112c5c /etc/hosts.allow, request=0xbfbfeb14) at /usr/src/lib/libwrap/../../contrib/tcp_wrappers/hosts_access.c:162
    #3 0x28111540 in hosts_access (request=0xbfbfeb14) at /usr/src/lib/libwrap/../../contrib/tcp_wrappers/hosts_access.c:132
    #4 0x08052b39 in main (ac=2, av=0xbfbfeecc) at /usr/src/secure/usr.sbin/sshd/../../../crypto/openssh/sshd.c:1843
    (gdb) q
    The program is running. Quit anyway (and detach it)? (y or n) y
    Detaching from program: /usr/sbin/sshd, process 691

A few questions:

1. Is this a known issue of any sort? I've done some searching on it, but haven't found anything of interest.
2. Should this be reported to the FreeBSD bug tracker, or to libwrap (or both)? Basically, is FreeBSD's libwrap (more or less) in sync with the main one, or is it completely separate?

--
Chris St Denis
Programmer
SmarttNet (www.smartt.com)
Ph: 604-473-9700 Ext. 200
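A pre-deployment check for the situation reported above, as an added example that is not code from the post, from sshguard or from libwrap: it finds hosts.allow rules whose logical line is longer than a limit and rewrites each as several shorter rules with the same daemon list and options, which match the same clients because the first matching rule wins. `MAX_LEN`, the function names and the sample file are assumptions made for illustration; the limit is a conservative guess, not a value read from libwrap.

```python
import re

MAX_LEN = 1024  # assumed conservative limit, not a value read from libwrap

def logical_lines(text):
    """Yield (first_line_no, rule) with backslash-newline continuations joined."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        buf += raw[:-1] if raw.endswith("\\") else raw
        if raw.endswith("\\"):
            continue
        if buf.strip() and not buf.lstrip().startswith("#"):
            yield start, buf.strip()
        buf, start = "", 0
    if buf.strip() and not buf.lstrip().startswith("#"):
        yield start, buf.strip()                # file ended inside a continuation

def split_rule(rule, max_len=MAX_LEN):
    """Rewrite one rule as several shorter rules, same daemons and options."""
    depth, cuts = 0, []
    for i, ch in enumerate(rule):
        depth += (ch == "[") - (ch == "]")      # keep [IPv6] addresses whole
        if ch == ":" and depth == 0 and len(cuts) < 2:
            cuts.append(i)
    if not cuts:
        return [rule]                           # not a rule: manual review
    end = cuts[1] if len(cuts) > 1 else len(rule)
    head = rule[:cuts[0]].strip() + " : "
    tail = " " + rule[end:].strip() if end < len(rule) else ""
    clients = re.split(r"[,\s]+", rule[cuts[0] + 1:end].strip())
    if "EXCEPT" in clients:
        return [rule]                           # splitting would change meaning
    out, chunk = [], []
    for c in clients:
        if chunk and len(head + " ".join(chunk + [c]) + tail) > max_len:
            out.append(head + " ".join(chunk) + tail)
            chunk = []
        chunk.append(c)
    return out + [head + " ".join(chunk) + tail]

def lint(text, max_len=MAX_LEN):
    """Return [(line_no, length, replacement_rules)] for rules over max_len."""
    return [(no, len(rule), split_rule(rule, max_len))
            for no, rule in logical_lines(text) if len(rule) > max_len]

# Constructed sample: 1000 documentation-range addresses on one line.
IPS = " ".join(f"198.51.100.{i % 254 + 1}" for i in range(1000))
SAMPLE = f"# constructed\nsshd : {IPS} : deny\nALL : ALL : allow\n"

if __name__ == "__main__":
    for no, length, fixed in lint(SAMPLE):
        print(f"line {no}: {length} chars -> {len(fixed)} rules")
```

Rules that use the EXCEPT operator in the client list are returned unchanged, since splitting them would alter what they match.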
tcp wrappers
tcp wrappers does not seem to be compiled with the 'blacklist patch' which Wietse Venema provided some years back.

I am curious if/why the implementor(s) within FreeBSD chose to ignore that useful patch?

Would someone please point out to me how/where I could re-compile tcpd to include this patch? I am struggling trying to find the tcpd source on my system.

Thanks
Jim Pazarena
Re: tcp wrappers
Jim Pazarena wrote:

> tcp wrappers does not seem to be compiled with the 'blacklist patch' which Wietse Venema provided some years back.
>
> I am curious if/why the implementor(s) within FreeBSD chose to ignore that useful patch?
>
> Would someone please point out to me how/where I could re-compile tcpd to include this patch? I am struggling trying to find the tcpd source on my system.

Umm, I think we use /usr/src/contrib/tcp_wrappers, no idea about the lack of the 'blacklist patch' though. Should be a case of patching the source there, then

    cd /usr/src/libexec/tcpd
    make
    make install clean

Although presumably you need to recompile anything that uses libwrap, not just tcpd.

Vince

> Thanks
> Jim Pazarena
Re: tcp wrappers getaddrinfo
According to Lowell Gilbert [EMAIL PROTECTED]:

> Have you modified the rule at line 23 of /etc/hosts.allow? Normally, it's
>
>     ALL : ALL : allow
>
> which as far as I recall, never does any hostname lookups at all.

No, I never touched this line. This is why I'm asking for some help.

Thanks.

Antoine
Re: tcp wrappers getaddrinfo
Antoine Jacoutot [EMAIL PROTECTED] writes:

> I get a lot of those warning messages in my logs. Is there any way I could tell inetd / tcp wrappers to turn those off ?
>
>     inetd[93598]: warning: /etc/hosts.allow, line 23: can't verify hostname: getaddrinfo(.imaginet.fr, AF_INET) failed
>
> I know what it means, the only thing I don't know how to achieve is to turn this off :)

Have you modified the rule at line 23 of /etc/hosts.allow? Normally, it's

    ALL : ALL : allow

which as far as I recall, never does any hostname lookups at all.
tcp wrappers getaddrinfo
Hi :)

I get a lot of those warning messages in my logs. Is there any way I could tell inetd / tcp wrappers to turn those off ?

    inetd[93598]: warning: /etc/hosts.allow, line 23: can't verify hostname: getaddrinfo(.imaginet.fr, AF_INET) failed

I know what it means, the only thing I don't know how to achieve is to turn this off :)

Thanks in advance.

Antoine
tcp wrappers/twist
Dear all,

There used to be a way that one could use tcp wrappers and twist so that if, per se, you telnet'd to 127.0.0.1 telnetd would run, but if you telnet'd to 127.0.0.2 tcp_d would spawn another process.

I forget the syntax for this. Anyone know it?

Thanks

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
Re: tcp wrappers/twist
Quoting Jer [EMAIL PROTECTED]:

> there used to be a way that one could use tcp wrappers and twist so that if per say you telnet'd to 127.0.0.1 telnetd would run but if you telnet'd to 127.0.0.2 tcp_d would spawn another process

Have you looked here:

    man hosts_options

Look for twist.

And

    man 5 hosts_access

for the proper expansion escapes.

--daxbert