tech-security archive
libwrap blacklist feature
Hi,
The attached patch is a port of Wietse Venema's tcpd-blacklist-patch
(see [1]).
This allows specifying a file as a pattern; the file contains a list of
patterns, one per line. This is very useful when using an automatically
generated list and you don't want the daemon to modify your
/etc/hosts.allow or /etc/hosts.deny directly. FYI, FreeBSD has this
information.
Let me give an example: security/py-denyhosts is a Python script that
looks after your authlog and blocks IP addresses performing SSH scans,
using hosts_access(5). Currently, there is no other way on NetBSD than
letting it modify /etc/hosts.allow itself. With this patch, you can add
the following lines in hosts.allow:
% sshd : /var/db/hosts.evil : deny
% sshd : ALL : allow
And let Denyhosts manage /var/db/hosts.evil only.
For the record, here is the relevant configuration for Denyhosts on
NetBSD with this patch:
% SECURE_LOG = /var/log/authlog
% HOSTS_DENY = /var/db/hosts.evil
% # http://denyhosts.sourceforge.net/faq.html#2_7
% BLOCK_SERVICE =
% WORK_DIR = /var/db/denyhosts/data
Thank you for your work.
Regards,
[1] ftp://ftp.porcupine.org/pub/security/tcpd-blacklist-patch
--
Jeremie Le Hen
Index: hosts_access.5
===================================================================
RCS file: /cvsroot/src/lib/libwrap/hosts_access.5,v
retrieving revision 1.15
diff -u -p -r1.15 hosts_access.5
--- hosts_access.5 7 Sep 2003 16:22:22 -0000 1.15
+++ hosts_access.5 18 Dec 2008 15:21:37 -0000
@@ -117,6 +117,13 @@ An expression of the form `ipv6-addr/pre
masked IPv6 address match (with mask specified by numeric prefixlen),
just like masked IPv4 address match (see above).
Note that `prefixlen\' portion must always be specified.
+.IP \(bu
+A string that begins with a `/\' character is treated as a file
+name. A host name or address is matched if it matches any host name
+or address pattern listed in the named file. The file format is
+zero or more lines with zero or more host name or address patterns
+separated by whitespace. A file name pattern can be used anywhere
+a host name or address pattern can be used.
.SH WILDCARDS
The access control language supports explicit wildcards:
.IP ALL
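Review bot: the new paragraph should state what happens when the named file cannot be opened, because the matching code in this patch treats a missing file as matching nothing and only warns for other open errors; an administrator who writes `sshd : /var/db/hosts.evil : deny` needs to know that a missing or unreadable file silently disables the rule rather than failing closed. It should also say that the file is opened and read on every access check and that its contents carry the same authority as hosts.allow and hosts.deny, so it must be writable only by the account that the managing tool runs as. A sentence such as "A file that does not exist matches nothing; any other error opening it is logged and also matches nothing." would cover the first point.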
Index: hosts_access.c
===================================================================
RCS file: /cvsroot/src/lib/libwrap/hosts_access.c,v
retrieving revision 1.18
diff -u -p -r1.18 hosts_access.c
--- hosts_access.c 8 Jan 2006 17:20:28 -0000 1.18
+++ hosts_access.c 18 Dec 2008 15:21:37 -0000
@@ -90,6 +90,7 @@ static int list_match __P((char *, struc
static int server_match __P((char *, struct request_info *));
static int client_match __P((char *, struct request_info *));
static int host_match __P((char *, struct host_info *));
+static int hostfile_match __P((char *, struct host_info *));
static int rbl_match __P((char *, char *));
static int string_match __P((char *, char *));
static int masked_match __P((char *, char *, char *));
@@ -290,6 +291,8 @@ struct host_info *host;
tcpd_warn("netgroup support is disabled"); /* not tcpd_jump() */
return (NO);
#endif
+ } else if (tok[0] == '/') { /* /file hack */
+ return (hostfile_match(tok, host));
} else if (STR_EQ(tok, "KNOWN")) { /* check address and name */
char *name = eval_hostname(host);
return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
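Review bot: the comment `/* /file hack */` undersells a feature that the same patch documents in hosts_access.5; name what the branch does, e.g. `/* token names a file of patterns */`. Placing the `tok[0] == '/'` test before the KNOWN/UNKNOWN keyword checks is correct, since no keyword begins with a slash and a host name or address pattern never does either, so the branch cannot shadow an existing pattern form.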
@@ -306,6 +309,26 @@ struct host_info *host;
}
}
+/* hostfile_match - look up host patterns from file */
+
+static int hostfile_match(path, host)
+char *path;
+struct host_info *host;
+{
+ char tok[BUFSIZ];
+ int match = NO;
+ FILE *fp;
+
+ if ((fp = fopen(path, "r")) != 0) {
+ while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
+ /* void */ ;
+ fclose(fp);
+ } else if (errno != ENOENT) {
+ tcpd_warn("open %s: %m", path);
+ }
+ return (match);
+}
+
/* rbl_match() - match host by looking up in RBL domain */
static int rbl_match(rbl_domain, rbl_hostaddr)
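Review bot: `fscanf(fp, "%s", tok)` has no field width, so a single token longer than BUFSIZ-1 bytes in the pattern file overflows `tok`; because the file is meant to be written by an automated tool rather than by hand, bound the conversion to the buffer (a width of sizeof(tok)-1, or read lines with fgets() and split on whitespace) and discard overlong tokens with a tcpd_warn(). Second, host_match() is called on every token and recurses into hostfile_match() for any token beginning with '/', so a file that lists its own path, or two files that list each other, recurses without limit; either pass a depth counter and stop with a warning, or state in the manual page that file patterns are not honoured inside a file. Finally, `if ((fp = fopen(path, "r")) != 0)` would read more naturally as `!= NULL`, matching the pointer comparison style used elsewhere in this file.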
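The "file as a pattern" lookup described in the post, as an added stand-alone example; this is not the libwrap code or the attached patch, and TOK_MAX, MAX_FILE_DEPTH, the exact-address/ALL matcher and the /tmp file helpers are assumptions made for the example. It reads whitespace-separated patterns from a file the way the feature describes, but bounds each token to the buffer, skips overlong ones, and limits how deep a pattern that itself names a file may nest, so a file that lists its own path terminates with no match instead of recursing forever.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed limits for this example (not libwrap's): the longest pattern accepted
 * from a file, and how many levels of "/file inside /file" are followed. */
#define TOK_MAX        256
#define MAX_FILE_DEPTH 4
#define STR_(x) #x
#define STR(x) STR_(x)

static int pattern_match(const char *pat, const char *addr, int depth);

/* Read whitespace-separated patterns from 'path'; return 1 if any matches 'addr'.
 * A missing file quietly matches nothing, any other open error is reported. */
static int hostfile_match(const char *path, const char *addr, int depth)
{
    char tok[TOK_MAX + 1];
    int match = 0, c;
    FILE *fp;

    if (depth >= MAX_FILE_DEPTH) {
        fprintf(stderr, "warning: %s: file patterns nested too deeply, ignored\n", path);
        return 0;
    }
    if ((fp = fopen(path, "r")) == NULL) {
        if (errno != ENOENT)
            fprintf(stderr, "warning: open %s: %s\n", path, strerror(errno));
        return 0;
    }
    /* "%256s": the width is derived from TOK_MAX, so it cannot drift from the buffer. */
    while (fscanf(fp, "%" STR(TOK_MAX) "s", tok) == 1) {
        c = fgetc(fp);
        if (c != EOF && !isspace(c)) {
            /* Token did not end at whitespace, so it exceeded TOK_MAX: skip the rest. */
            fprintf(stderr, "warning: %s: pattern longer than %d bytes ignored\n", path, TOK_MAX);
            while (c != EOF && !isspace(c))
                c = fgetc(fp);
            continue;
        }
        if ((match = pattern_match(tok, addr, depth + 1)) != 0)
            break;
    }
    fclose(fp);
    return match;
}

/* Stand-in for libwrap's host_match(): a leading '/' names another pattern file,
 * "ALL" matches anything, otherwise the pattern must equal the address exactly. */
static int pattern_match(const char *pat, const char *addr, int depth)
{
    if (pat[0] == '/')
        return hostfile_match(pat, addr, depth);
    if (strcmp(pat, "ALL") == 0)
        return 1;
    return strcmp(pat, addr) == 0;
}

/* Write constructed contents to a fresh temp file (hypothetical helper); 1 on success. */
static int write_temp(char *path, size_t pathlen, const char *contents)
{
    int fd;
    FILE *fp;

    snprintf(path, pathlen, "/tmp/hostfile-example-XXXXXX");
    if ((fd = mkstemp(path)) < 0)
        return 0;
    if ((fp = fdopen(fd, "w")) == NULL) {
        close(fd);
        unlink(path);
        return 0;
    }
    fputs(contents, fp);
    fclose(fp);
    return 1;
}

/* Match 'addr' against a constructed pattern file holding 'contents'; -1 on I/O failure. */
int match_contents(const char *contents, const char *addr)
{
    char path[64];
    int r;

    if (!write_temp(path, sizeof path, contents))
        return -1;
    r = hostfile_match(path, addr, 0);
    unlink(path);
    return r;
}

/* 300 bytes of junk followed by 'addr': the junk is skipped, not written past 'tok'. */
int overlong_then_match(const char *addr)
{
    char buf[400];

    memset(buf, 'a', 300);
    snprintf(buf + 300, sizeof buf - 300, " %s\n", addr);
    return match_contents(buf, addr);
}

/* A file whose only pattern is its own path: must terminate and report no match. */
int self_referencing_match(const char *addr)
{
    char path[64], body[80];
    FILE *fp;
    int r;

    if (!write_temp(path, sizeof path, ""))
        return -1;
    snprintf(body, sizeof body, "%s\n", path);
    if ((fp = fopen(path, "w")) == NULL) {
        unlink(path);
        return -1;
    }
    fputs(body, fp);
    fclose(fp);
    r = hostfile_match(path, addr, 0);
    unlink(path);
    return r;
}
```

The depth limit and the bounded width are the two properties a daemon reading an externally managed list needs: the list is rewritten by another program, so a malformed or self-referencing line must degrade to "no match plus a warning" rather than to a crash or a hang in the access-control path.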