X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: by onstor-exch02.onstor.net 
	id <01C83EAD.2769E454@onstor-exch02.onstor.net>; Fri, 14 Dec 2007 15:57:59 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C83EAD.2769E454"
Content-class: urn:content-classes:message
Subject: RE: restricting access to the sscccc daemon (port 443)
Date: Fri, 14 Dec 2007 15:57:58 -0800
Message-ID: <BB375AF679D4A34E9CA8DFA650E2B04E0714FF87@onstor-exch02.onstor.net>
In-Reply-To: <20071214153339.5659f246@ripper.onstor.net>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: restricting access to the sscccc daemon (port 443)
Thread-Index: Acg+qcIQ1tnKzx89QAWVUYHRsL9HJQAA0Nzg
References: <BB375AF679D4A34E9CA8DFA650E2B04E0714FF41@onstor-exch02.onstor.net> <20071214153339.5659f246@ripper.onstor.net>
From: "Charissa Willard" <charissa.willard@onstor.com>
To: "Andy Sharp" <andy.sharp@onstor.com>

This is a multi-part message in MIME format.

------_=_NextPart_001_01C83EAD.2769E454
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Thanks, you can check g8r11 to see if that library is included.

-----Original Message-----
From: Andy Sharp
Sent: Friday, December 14, 2007 3:34 PM
To: Charissa Willard
Cc: Tim Gardner
Subject: Re: restricting access to the sscccc daemon (port 443)

On Fri, 14 Dec 2007 15:26:17 -0800 "Charissa Willard"
<charissa.willard@onstor.com> wrote:

> Andy,
>
> I'm writing the functional spec for restricting access to specified IP
> addresses. Currently we require an admin to manually enter up to 32 IP
> addresses in the /onstor/etc/sscccc_hosts_deny file. Ed put this code
> in a patch to allow customers to limit access to sscccc for cases
> when port scanners are continuously pinging port 443 (SSL). This
> resulted in the WebUI being non-responsive. There is also the
> requirement to provide an allow file to limit access to just those IP
> addresses in that file. In addition, we must provide the capability
> to manage a filer using only the sc ports and not the vsvr
> interfaces.
>
> It seems like we should be able to use the standard /etc/host.allow
> and /etc/host.deny files to limit access to TCP services, assuming we
> support tcp wrappers. I believe the services correspond to those
> listed in the inetd.conf file, so we would have to add the sscccc
> daemon to this file. This also allows us to support any other service
> with allow and deny capabilities. What do you think about this
> approach?

On S-W I believe all you have to do is run sssssssccccccccc from tcpd.
So, if you would otherwise have sscccc in some config file, like
pmtab?, then you would put "tcpd ssscccc" instead and all the stuff
in hosts.{allow,deny} would apply.  But I don't know if that will work
for us right out of the gate as there may be issues with signals.
Testing would tell.

This is all that is done in inetd.conf, there is no special magic there.

There is also a libtcpwrappers that allows you to program in
tcp-wrapper functionality to your application.  I don't currently have
my hands on a BSD filer so I don't know if we include that library or
not.

------_=_NextPart_001_01C83EAD.2769E454--
