Is anyone going to continue with the tcpd thread or is it over? I think that there is a lot more to be covered.
----- Original Message -----
From: Philip S Tellis philip.tellis@iname.com
Subject: [ILUG-BOM] tcpd thread
> Is anyone going to continue with the tcpd thread or is it over? I think that there is a lot more to be covered.
I was about to ask the same question! Anyhow, Venema, the creator of tcpd, also developed a 'language' for specifying the access control rules which are specified in hosts.allow and hosts.deny. These provide a rudimentary sort of protection for your services. The normal strategy is to deny all connections, and explicitly allow only those you want to. For example, your hosts.deny would read like:

ALL: ALL

This means deny all services to requests from all addresses. Remember that hosts.allow is checked first, then hosts.deny. The first rule that matches is applied. Now all you need to do is specify what you want to allow.
Food for the next mail: can tcpd work for UDP? What about tcpd + xinetd? What kinds of servers can tcpd not protect?
regards, kishor
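As an added illustration of the hosts.allow / hosts.deny evaluation order Kishor describes (this is a simplified re-implementation written for this note, not Venema's tcpd or libwrap code; the two rule files are constructed samples, and only the common client patterns ALL, LOCAL, name suffix, address prefix and net/mask are handled):

```python
# Simplified model of the tcp_wrappers hosts_access(5) decision (added example,
# not tcpd's code): allow file first, then deny file; first match wins; no match = access.
import ipaddress

# Constructed sample rule files (not from the original post).
HOSTS_ALLOW = """
sshd: 192.168.1.                 # trailing dot = address prefix
in.ftpd, in.telnetd: LOCAL, .example.com
ALL: 10.0.0.0/255.255.0.0        # net/mask
"""
HOSTS_DENY = "ALL: ALL\n"   # everything not allowed above is refused

def _client_matches(pattern, client_ip, client_host):
    """One client pattern, using the wildcards of hosts_access(5)."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # any host name without a dot
        return "." not in client_host
    if pattern.startswith("."):       # host-name suffix
        return client_host.endswith(pattern)
    if pattern.endswith("."):         # address prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                # net/mask
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    return pattern in (client_ip, client_host)   # literal name or address

def _file_matches(text, daemon, client_ip, client_host):
    """True if some rule line in the file matches this daemon and client."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # strip comments
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        dlist = [d.strip() for d in daemons.split(",")]
        if ("ALL" in dlist or daemon in dlist) and any(
                _client_matches(c, client_ip, client_host)
                for c in clients.split(",")):
            return True
    return False

def hosts_access(daemon, client_ip, client_host, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if tcpd would go on to run the real server for this request."""
    if _file_matches(allow, daemon, client_ip, client_host):
        return True        # hosts.allow is checked first
    if _file_matches(deny, daemon, client_ip, client_host):
        return False       # then hosts.deny
    return True            # matched by neither file: access granted
```

With the sample files above, a request from 192.168.1.7 for sshd is admitted by the prefix rule, while the same host asking for in.fingerd falls through to ALL: ALL and is refused.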
On Thu, 23 Aug 2001, Kishor Bhagwat spewed into the ether: <snip>
> food for next mail : can tcpd work for UDP?
No.
> what about tcpd + xinetd?
xinetd has its own syntax like tcp wrappers, but it does not use libwrap.
> what kinds of servers can tcpd not protect?
Essentially, any server which is not called from tcpd will not be protectable. Hence, anything that runs standalone and forks children to handle requests (sendmail/apache, etc) cannot be protected by tcp wrappers.
Devdas Bhagat
Sometime Today, Devdas Bhagat assembled some asciibets to say:
> > what about tcpd + xinetd?
> xinetd has its own syntax like tcp wrappers, but it does not use libwrap.
Actually, you can compile xinetd with libwrap, and on redhat systems, it is by default. Xinetd also allows you to call tcpd with a program name.
> Essentially, any server which is not called from tcpd will not be protectable. Hence, anything that runs standalone and forks children to handle requests (sendmail/apache, etc) cannot be protected by tcp
sendmail can be compiled with libwrap, ssh too. On RH7.1, sendmail is compiled with libwrap.
Many other daemons are also compiled with libwrap.
Philip
On Sun, 26 Aug 2001, Philip S Tellis spewed into the ether: <snip>
> Actually, you can compile xinetd with libwrap, and on redhat systems, it is by default. Xinetd also allows you to call tcpd with a program name.
Not on RH 7.1, IIRC.
<snip>
> sendmail can be compiled with libwrap, ssh too. On RH7.1, sendmail is compiled with libwrap. Many other daemons are also compiled with libwrap.
Daemons compiled with libwrap can parse the hosts.[allow|deny] files, but the actual denial has to be done by those executables. The original concept of tcp-wrappers was to defend the program by stopping the remote machine from being able to start the vulnerable daemon itself. This means that the protection offered by tcpd is lost.
Devdas Bhagat
----- Original Message -----
From: Devdas Bhagat dodobh@nettaxi.com
Subject: Re: [ILUG-BOM] tcpd thread
> On Thu, 23 Aug 2001, Kishor Bhagwat spewed into the ether:
> <snip>
> > food for next mail : can tcpd work for UDP?
> No.
> > what kinds of servers can tcpd not protect?
> Essentially, any server which is not called from tcpd will not be protectable. Hence, anything that runs standalone and forks children to handle requests (sendmail/apache, etc) cannot be protected by tcp wrappers.
> Devdas Bhagat
tcpd can work for UDP also. There is no reason why not. A request comes in, tcpd validates it, and calls the appropriate executable. Also, why not mention smtp in the inetd configuration file for incoming requests, and call sendmail? (Though that won't achieve much, but just for academic interest!) I'm not sure of NFS though. Can tcpd keep track of sessions? Don't think so.
regards, kishor
Sometime Today, Kishor Bhagwat assembled some asciibets to say:
> tcpd can work for UDP also. There is no reason why not. A request comes in, tcpd validates it, and calls the appropriate executable.
udp has no source address, so although tcpd will work, there's no way it can do source ip based filtering.
> Also, why not mention smtp in the inetd configuration file for incoming requests, and call sendmail?(though that wont achieve much,
sendmail -bs in /etc/inetd.conf.
Philip
----- Original Message -----
From: Philip S Tellis philip.tellis@iname.com
Subject: Re: [ILUG-BOM] tcpd thread
> Sometime Today, Kishor Bhagwat assembled some asciibets to say:
> > tcpd can work for UDP also. There is no reason why not. A request comes in, tcpd validates it, and calls the appropriate executable.
> udp has no source address, so although tcpd will work, there's no way it can do source ip based filtering.
> Philip
IP addresses belong below the transport layer, where TCP and UDP belong. But, if I remember my basics correctly, both TCP and UDP use a pseudo-header for checksums, which has source and destination address information, so there is a mechanism for their 'availability' at the transport layer. So I think source IP filtering would work for both.
regards, kishor
Hi, in my file I have stored a pdf and an exec. file of 7 MB each in a Linux environment, and it is on a server. How can I send this file to my e-mail ID, or is there any other way to save time?
bye
Sometime Today, ketan shah assembled some asciibets to say:
> in my file i have stored pdf and exec. file of each 7 mb in linux environment and it is on server how can i send this file to my e-mail id or any other way to save time.
What? I don't understand. Please explain further. What server? What email address? How do you expect to save time? Email will increase your file size by 33%
Philip
I have joined a course which allows me to connect to their institution from home. They have a Unix server where I have stored exec. and pdf files which are 7 MB. Now I want to store the above files on my computer. How can I get these files onto my computer?
--- Philip S Tellis philip.tellis@iname.com wrote:
> Sometime Today, ketan shah assembled some asciibets to say:
> > in my file i have stored pdf and exec. file of each 7 mb in linux environment and it is on server how can i send this file to my e-mail id or any other way to save time.
> What? I don't understand. Please explain further. What server? What email address? How do you expect to save time? Email will increase your file size by 33%
> Philip
> --
> Type louder, please.
> Visit my webpage at http://www.ncst.ernet.in/~philip/ Read my writings at http://www.ncst.ernet.in/~philip/writings/
> MSN philiptellis Yahoo! philiptellis
Next Online LUG Meet on 31st Aug @ 4:30pm Linuxers mailing list
Linuxers@mm.ilug-bom.org.in
Sometime today, ketan shah wrote:
> i have joined a course which allows me to connect to their institution from home.they have unix server.where i have stored exec. and pdf files which is of 7 mb.now i want to store this above files into my computer.how can i get this files in my computer.
Ok, cool. Check with them if they allow FTP access. If they do, just do an FTP login and download the files to your home computer. If they don't, ask them to. Or tell them to put your files into their public HTML directories for some time.
One more option, you carry about 10 diskettes to your insti one day and split the files into exactly 1.44 megs (or a little less) and bring them home on the diskettes. At home, you'll have to join them together in order (on Windows, copy all files to one file with /b option (not sure, been long time)).
HTH.
Manish J.
Hi, what settings should be done for ftp?
--- Manish Jethani cruisecoder@yahoo.com wrote:
> Sometime today, ketan shah wrote:
> > i have joined a course which allows me to connect to their institution from home.they have unix server.where i have stored exec. and pdf files which is of 7 mb.now i want to store this above files into my computer.how can i get this files in my computer.
> Ok, cool. Check with them if they allow FTP access. If they do, just do an FTP login and download the files to your home computer. If they don't, ask them to. Or tell them to put your files into their public HTML directories for some time.
> One more option, you carry about 10 diskettes to your insti one day and split the files into exactly 1.44 megs (or a little less) and bring them home on the diskettes. At home, you'll have to join them together in order (on Windows, copy all files to one file with /b option (not sure, been long time)).
> HTH.
> Manish J.
Sometime yesterday, ketan shah wrote:
> what are the setting should be done for ftp
Run ftp from the command line (in Windows as in UNIX).
$ ftp ftp.my.insti
Connected to ftp.my.insti
Username: me
Password: ****
ftp > cd mydir
CD command successful.
ftp > binary
Using binary mode data transfer.
ftp > get myfile
Getting myfile
[some progress info]
Done!
ftp > bye
Connection closed.
$ ls myfile
myfile
$ echo 'Me happy, me gay!'
You can use CuteFTP or similar FTP client.
Manish J.
Sometime on Aug 26, ketan shah assembled some asciibets to say:
> institution from home.they have unix server.where i have stored exec. and pdf files which is of 7 mb.now i want to store this above files into my computer.how can i get this files in my computer.
How do you connect? Do you dial in or do you connect over the Internet?
If you connect over the Internet:
Do you use telnet? Do they allow ftp? If they do, then that's your best option. If they don't allow ftp, then do they allow rlogin/rsh? If they allow rsh, then you could try rcp.
If you dial-in:
Do you get an IP after dialling? If you do, then proceed as before. If not, then I assume that you have a terminal connection. What terminal emulator do you use? Can you zmodem/kermit the files through? (If you've ever used vsnl's student shell account, you'll know what this is (thank you vsnl).)
Philip
Sometime today, ketan shah wrote:
> in my file i have stored pdf and exec. file of each 7 mb in linux environment and it is on server how can i send this file to my e-mail id or any other way to save time.
I don't understand much of what you've written. I guess you have these 2 huge files on Linux that you want to transfer somewhere else (good guess?). The best way is to put them in your home directory and download them to some other location via FTP. Don't send these as attachments to your email ID.
Please consider rephrasing your question to make it clear.
Manish J.
ketan shah wrote:
> hi, in my file i have stored pdf and exec. file of each 7 mb in linux environment and it is on server how can i send this file to my e-mail id or any other way to save time.
Hi ketan
I have a solution. Open an account at www.tripod.com. They will give you 50 MB of free space for hosting your website. How you use the 50 MB space is up to you. Connect to their ftp server at ftp.tripod.com, use your uid and pwd to login from your workplace, upload your files, then connect from your home and download the files.
kapil
-------------------------------------------
Where there is a will there is a way!
At 03:06 PM 8/26/01 +0530, Philip wrote:
> udp has no source address, so although tcpd will work, there's no way it can do source ip based filtering.
How does one respond to the UDP message (if you want to) then? UDP does not do handshakes and connection establishment, but I think it has a source address. In fact, is there any packet without a source address?? Wouldn't it, then, be _very_ easy to just send n number of packets to some particular destination to flood it? I used to think that for DoS or DDoS they generally construct their own headers with _spoofed_ source IPs. But I also hear that newer routers can be configured not to forward (outgoing) packets if their source IPs do not belong to their subnet.
quasi
On Mon, 27 Aug 2001, Q u a s i wrote:
> At 03:06 PM 8/26/01 +0530, Philip wrote:
> > udp has no source address, so although tcpd will work, there's no way it can do source ip based filtering.
> How does one respond to the UDP message (if you want to) then? UDP does not do handshakes and connection establishment but I think it has source address. In fact, is there any packet without source
Ya, sorry, my bad. UDP does have a source address, because that's in the IP header. UDP however does not establish a connection, so there's just a single packet sent at a time.
> _spoofed_ source IP's. But I also hear that newer Routers can be configured not to forward (outgoing) packets if their source IP's do not belong to their subnet.
One can also do a reverse lookup on the host to find out if the IP was spoofed or not. It is possible to spoof this too, but much much harder than just spoofing IPs. Remember, IP spoofing requires a very large amount of guesswork. Spoofing a reverse look up as well increases hardness exponentially.
Philip
On Sun, 26 Aug 2001, Kishor Bhagwat spewed into the ether: <snip>
> Also, why not mention smtp in the inetd configuration file for incoming requests, and call sendmail?(though that wont achieve much, but just for academic interest!)
You can. Starting up a new instance of sendmail every time is a major load on the system and hits performance. For similar reasons, Apache is also not called from inetd. Sendmail can be compiled with libwrap, and understand hosts.allow and hosts.deny, but the protection offered by tcp-wrappers of preventing potentially hostile attackers from connecting to the server is not available in this case.
Devdas Bhagat