[NTLUG:Discuss] Killing Bad People
Bug Hunter
bughuntr at one.ctelcom.net
Wed Feb 6 21:57:22 CST 2002
On Wed, 6 Feb 2002, m m wrote:
>
> >From: Bug Hunter <bughuntr at one.ctelcom.net>
> >
> > OOPS! I did not read your comment closely enough before sending the
> > last message. Some scenarios:
> >
> > 1.2.3.4 in hosts.allow, hosts.deny : ALLOWED (hosts.allow checked
> > first)
>
> This one confused me: if an IP is in both hosts.allow and hosts.deny, the
> result is ALLOWED?
>
Yes, because of the search order. hosts.allow is searched first. If
hosts.allow matches an allowed IP, the connection is allowed.
That is why you can have ALL : ALL in hosts.deny, which matches ALL IPs
for ALL services.
It makes a lot of sense when you realize it allows you to do a default
paranoid "deny all", with exceptions for "allowed" clients.
Doing it this way also allows the reverse concept: "allow all, deny
none", by putting the ALL : ALL in hosts.allow.
If you put the default ALL : ALL in hosts.deny and leave hosts.allow
blank, no one gets in.
Then, if you add ALL : 127.0.0.1 in hosts.allow, your local machine has
full access to all services, but no one else. Ditto for any other IP
address you set up.
Remember, hosts.allow is searched first, and the permissions there are
used. If those permissions are not found, look in hosts.deny and deny
based on those rules. If you don't find anything in hosts.deny that
denies it, then allow the service.
I once had a perp use a buffer overflow in bind 8.2 to execute the
command that deleted /etc/hosts.deny. Once the perp did that, the same
overflow was used to create the "rewt" account with superuser privileges.
The perp then telnetted into the box from some location on the internet,
because hosts.deny no longer denied the telnet.
Fortunately, the /etc/skel script had an exit in a .bashxxx script which
logged the perp out. I found the results of the escapade in /etc/passwd
and /var/log/messages the next day.
bug
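[Editor's note: the following is an added example, not part of Bug Hunter's post or of the tcp_wrappers code. It models the hosts_access(5) search order described above (hosts.allow first, then hosts.deny, then allow) and the "hosts.deny deleted" situation from the bind story, so you can see why an IP listed in both files is ALLOWED and why a missing hosts.deny fails open. The rule files are constructed inline; only the "daemon_list : client_list" form is handled, without EXCEPT or option fields.]

```python
"""TCP Wrappers-style access decision (added example, not the tcpd code).

Evaluation order, as in hosts_access(5):
  1. hosts.allow is searched first; a matching line grants access.
  2. Otherwise hosts.deny is searched; a matching line denies access.
  3. Otherwise access is granted.
A file that does not exist (passed as None) behaves like an empty file,
which is exactly why deleting /etc/hosts.deny opened up telnet.
Supported client patterns: ALL, an exact IPv4 address, a dotted prefix
ending in '.', and net/mask or CIDR. EXCEPT and option fields are not
modelled (assumption: keep the example to the plain daemon : client form).
"""
import ipaddress


def _parse_rules(text):
    """Turn file text into a list of (daemon_patterns, client_patterns)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue                           # malformed line, ignore it
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def _client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(ip)
    if pattern.endswith("."):                  # "192.168.1." matches 192.168.1.x
        return ip.startswith(pattern)
    if "/" in pattern:                         # "net/mask" or "net/prefixlen"
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def _daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _rules_match(rules, daemon, ip):
    return any(
        any(_daemon_matches(d, daemon) for d in daemons)
        and any(_client_matches(c, ip) for c in clients)
        for daemons, clients in rules
    )


def hosts_access(daemon, ip, hosts_allow, hosts_deny):
    """Return True if the connection is allowed, following the search order."""
    if hosts_allow is not None and _rules_match(_parse_rules(hosts_allow), daemon, ip):
        return True                            # hosts.allow wins, deny never consulted
    if hosts_deny is not None and _rules_match(_parse_rules(hosts_deny), daemon, ip):
        return False
    return True                                # nothing denied it: allow


# Constructed configurations for the scenarios in the post (not from a real host).
DENY_ALL = "ALL: ALL\n"
ALLOW_LOCAL = "ALL: 127.0.0.1\n"


def scenarios():
    """The cases discussed in the thread, keyed by description."""
    return {
        "1.2.3.4 in both files":        hosts_access("in.telnetd", "1.2.3.4", "ALL: 1.2.3.4\n", DENY_ALL),
        "blank allow, deny all":        hosts_access("in.telnetd", "1.2.3.4", "", DENY_ALL),
        "localhost with deny all":      hosts_access("in.telnetd", "127.0.0.1", ALLOW_LOCAL, DENY_ALL),
        "remote with localhost only":   hosts_access("in.telnetd", "1.2.3.4", ALLOW_LOCAL, DENY_ALL),
        "hosts.deny deleted":           hosts_access("in.telnetd", "1.2.3.4", ALLOW_LOCAL, None),
        "nothing in either file":       hosts_access("sshd", "10.0.0.5", "", ""),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name:28s} -> {'ALLOWED' if allowed else 'DENIED'}")
```

The last two scenarios are the ones worth remembering: with hosts.allow present but hosts.deny gone (or both files empty), every remote client is allowed, so a "deny all" policy that lives only in hosts.deny is one unlink(2) away from being no policy at all.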