X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: by onstor-exch02.onstor.net 
	id <01C83EA8.BA24E71A@onstor-exch02.onstor.net>; Fri, 14 Dec 2007 15:26:17 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----_=_NextPart_001_01C83EA8.BA24E71A"
Content-class: urn:content-classes:message
Subject: restricting access to the sscccc daemon (port 443)
Date: Fri, 14 Dec 2007 15:26:17 -0800
Message-ID: <BB375AF679D4A34E9CA8DFA650E2B04E0714FF41@onstor-exch02.onstor.net>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: restricting access to the sscccc daemon (port 443)
Thread-Index: Acg+qLoBKxYppzxtQF2HhKZiPwKFtw==
From: "Charissa Willard" <charissa.willard@onstor.com>
To: "Andy Sharp" <andy.sharp@onstor.com>
Cc: "Tim Gardner" <tim.gardner@onstor.com>

This is a multi-part message in MIME format.

------_=_NextPart_001_01C83EA8.BA24E71A
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Andy,

I'm writing the functional spec for restricting access to specified IP
addresses. Currently we require an admin to manually enter up to 32 IP
addresses in the /onstor/etc/sscccc_hosts_deny file. Ed put this code in
a patch to allow customers to limit access to sscccc for cases when port
scanners are continuously pinging port 443 (SSL). This resulted in the
WebUI being non-responsive. There is also the requirement to provide an
allow file to limit access to just those IP addresses in that file. In
addition, we must provide the capability to manage a filer using only
the sc ports and not the vsvr interfaces.

It seems like we should be able to use the standard /etc/host.allow and
/etc/host.deny files to limit access to TCP services, assuming we
support tcp wrappers. I believe the services correspond to those listed
in the inetd.conf file, so we would have to add the sscccc daemon to
this file. This also allows us to support any other service with allow
and deny capabilities. What do you think about this approach?

Thanks,

Charissa


------_=_NextPart_001_01C83EA8.BA24E71A--
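
Added example, not part of the original mail and not ONStor code: a minimal IPv4-only model of the tcp wrappers decision order (a match in the allow list grants; otherwise a match in the deny list refuses; otherwise access is granted), showing why a deny-only list still admits every unlisted address while an allow list plus `ALL` in the deny list does not. The function names and the sample addresses are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample lists (documentation addresses, not from the original mail). */
static const char *const ALLOW[] = { "192.0.2.10", "198.51.100.0/255.255.255.0" };
static const char *const DENY_ALL[] = { "ALL" };
static const char *const DENY_ONE[] = { "203.0.113.5" };

/* Match peer (host byte order) against "ALL", "a.b.c.d" or "a.b.c.d/m.m.m.m". */
static int entry_matches(const char *entry, unsigned int peer)
{
    char buf[64], *slash;
    struct in_addr net, mask;
    if (strcmp(entry, "ALL") == 0) return 1;
    if (strlen(entry) >= sizeof buf) return 0;      /* malformed: never matches */
    strcpy(buf, entry);
    if ((slash = strchr(buf, '/')) != NULL) *slash++ = '\0';
    mask.s_addr = htonl(0xffffffffu);               /* bare address = host rule */
    if (inet_pton(AF_INET, buf, &net) != 1) return 0;
    if (slash && inet_pton(AF_INET, slash, &mask) != 1) return 0;
    return (peer & ntohl(mask.s_addr)) == (ntohl(net.s_addr) & ntohl(mask.s_addr));
}

static int list_matches(const char *const *list, int n, unsigned int peer)
{
    for (int i = 0; i < n; i++)
        if (entry_matches(list[i], peer)) return 1;
    return 0;
}

/* tcp wrappers order: allow match grants; else deny match refuses; else grant. */
int access_ok(const char *peer_str, const char *const *allow, int na,
              const char *const *deny, int nd)
{
    struct in_addr p;
    if (inet_pton(AF_INET, peer_str, &p) != 1) return 0;  /* unparseable peer: refuse */
    unsigned int peer = ntohl(p.s_addr);
    if (list_matches(allow, na, peer)) return 1;
    if (list_matches(deny, nd, peer)) return 0;
    return 1;
}

int main(void)
{
    printf("allow+deny ALL, unlisted peer: %d\n", access_ok("203.0.113.9", ALLOW, 2, DENY_ALL, 1));
    printf("deny-only, unlisted peer:      %d\n", access_ok("203.0.113.9", NULL, 0, DENY_ONE, 1));
    return 0;
}
```

A malformed entry in this sketch simply never matches, so a typo in a deny list fails open for that entry; a production check would reject the file or log the bad line.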
