From: Paul Vixie
Date: Mon, 30 Mar 2015 21:40:22 -0700
To: freebsd-questions@freebsd.org
Subject: interesting tidbit about denyhosts and tcp-wrappers
Message-ID: <551A2536.1020504@redbarn.org>

see here. there is a mismatch between what denyhosts thinks is the format of /etc/hosts.deniedssh, and the actual format used by tcp-wrappers. every token (word) on every line of this file is a host address or host name, according to tcp-wrappers. whereas denyhosts believes that it is in the same format as /etc/hosts.allow.
so, if the file contains lines like these:

> # DenyHosts: Thu Jan 29 02:26:08 2015 | ALL: mail.gt.com.vn : deny
> ALL: mail.gt.com.vn : deny

then what tcp-wrappers will actually match as a host name is any of the following tokens:

> [#]
> [DenyHosts:]
> [Thu]
> [Jan]
> [29]
> [02:26:08]
> [2015]
> [|]
> [ALL:]
> [mail.gt.com.vn]
> [:]
> [deny]
> [ALL:]
> [mail.gt.com.vn]
> [:]
> [deny]

in these days of fully qualified host names and IP addresses, this is probably not a security problem, but it is certainly a performance problem. what this file should contain is just host names and ip addresses -- no comments, and certainly not "rules".

vixie

re:

---
HOSTS_ACCESS(5)::

     o  A string that begins with a `/' character is treated as a file name.
        A host name or address is matched if it matches any host name or
        address pattern listed in the named file. The file format is zero or
        more lines with zero or more host name or address patterns separated
        by whitespace. A file name pattern can be used anywhere a host name
        or address pattern can be used.

---
/usr/src/contrib/tcp_wrappers/hosts_access.c::

    #include <stdio.h>
    #include <errno.h>
    #include "tcpd.h"        /* tcp_wrappers' own declarations: host_match(), tcpd_warn(), NO */

    /* hostfile_match - look up host patterns from file */

    static int hostfile_match(path, host)
    char   *path;
    struct hosts_info *host;
    {
        char    tok[BUFSIZ];
        int     match = NO;
        FILE   *fp;

        if ((fp = fopen(path, "r")) != 0) {
            /* fscanf("%s") yields one whitespace-delimited token at a time;
             * every token, whatever it is, is tried as a host pattern until
             * one matches or the file is exhausted */
            while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
                 /* void */ ;
            fclose(fp);
        } else if (errno != ENOENT) {
            tcpd_warn("open %s: %m", path);
        }
        return (match);
    }

--
Paul Vixie
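The tokenization mismatch described in the post, worked through as an added example (not code from the post, from DenyHosts or from tcp_wrappers): the sample file content is constructed to mirror the two quoted lines, with mail.gt.com.vn taken from the post and 192.0.2.10 a constructed documentation address; the hostname regex, the "plain address or fully qualified name" rule and the function names are this example's own assumptions. It splits the file the way fscanf("%s") in hostfile_match() does, reports which tokens could ever match a client, and rewrites the file into the one-pattern-per-token form that HOSTS_ACCESS(5) describes.

```python
import ipaddress
import re

# Constructed sample of what a DenyHosts-style /etc/hosts.deniedssh looks like
# (modelled on the two lines quoted in the post; 192.0.2.10 is a constructed
# RFC 5737 documentation address, not a real offender).
DENYHOSTS_STYLE = """\
# DenyHosts: Thu Jan 29 02:26:08 2015 | ALL: mail.gt.com.vn : deny
ALL: mail.gt.com.vn : deny
# DenyHosts: Fri Jan 30 10:00:00 2015 | ALL: 192.0.2.10 : deny
ALL: 192.0.2.10 : deny
"""

# Assumed shape of a fully qualified host name: dotted labels of letters,
# digits and hyphens. Single-label names and tcp-wrappers' own prefix or
# netmask patterns are deliberately not accepted, following the post's
# advice to keep the file to plain host names and IP addresses.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def wrappers_tokens(text):
    """Split the file exactly as hostfile_match() does: fscanf("%s") returns
    every run of non-whitespace characters, regardless of line structure,
    and each token is handed to host_match() as a pattern."""
    return text.split()


def is_host_pattern(tok):
    """True if the token is something a client could actually match against:
    a literal IPv4/IPv6 address or a fully qualified host name."""
    try:
        ipaddress.ip_address(tok)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(tok))


def classify(text):
    """Return (usable, junk): tokens that can match a client, and the comment
    words, timestamps, 'ALL:', ':' and 'deny' that tcp-wrappers will test
    on every connection without ever matching anything."""
    toks = wrappers_tokens(text)
    usable = [t for t in toks if is_host_pattern(t)]
    junk = [t for t in toks if not is_host_pattern(t)]
    return usable, junk


def to_wrappers_format(text):
    """Rewrite the file as HOSTS_ACCESS(5) describes a file pattern: host
    names and addresses separated by whitespace, one per line here, with
    duplicates and everything else dropped."""
    kept = []
    for tok in wrappers_tokens(text):
        if is_host_pattern(tok) and tok not in kept:
            kept.append(tok)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    usable, junk = classify(DENYHOSTS_STYLE)
    print(f"{len(usable) + len(junk)} tokens tested per connection, "
          f"{len(usable)} usable, {len(junk)} junk")
    print("junk tokens:", sorted(set(junk)))
    print("cleaned file:")
    print(to_wrappers_format(DENYHOSTS_STYLE), end="")
```

Running it shows that of the 32 tokens tcp-wrappers would test for each incoming connection, only four are host patterns at all, and the cleaned file is two lines; the same check can be pointed at a real file by reading it into the text argument.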