Date: Fri, 14 Dec 2007 15:33:39 -0800
From: Andrew Sharp <andy.sharp@onstor.com>
To: "Charissa Willard" <charissa.willard@onstor.com>
Cc: "Tim Gardner" <tim.gardner@onstor.com>
Subject: Re: restricting access to the sscccc daemon (port 443)
Message-ID: <20071214153339.5659f246@ripper.onstor.net>
In-Reply-To: <BB375AF679D4A34E9CA8DFA650E2B04E0714FF41@onstor-exch02.onstor.net>
References: <BB375AF679D4A34E9CA8DFA650E2B04E0714FF41@onstor-exch02.onstor.net>
Organization: Onstor
X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.8.20; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

On Fri, 14 Dec 2007 15:26:17 -0800 "Charissa Willard"
<charissa.willard@onstor.com> wrote:

> Andy,
> 
> I'm writing the functional spec for restricting access to specified IP
> addresses. Currently we require an admin to manually enter up to 32 IP
> addresses in the /onstor/etc/sscccc_hosts_deny file. Ed put this code
> in a patch to allow customers to limit access to sscccc for cases
> when port scanners are continuously pinging port 443 (SSL). This
> resulted in the WebUI being non-responsive. There is also the
> requirement to provide an allow file to limit access to just those IP
> addresses in that file. In addition, we must provide the capability
> to manage a filer using only the sc ports and not the vsvr
> interfaces. 
> 
> It seems like we should be able to use the standard /etc/host.allow
> and /etc/host.deny files to limit access to TCP services, assuming we
> support tcp wrappers. I believe the services correspond to those
> listed in the inetd.conf file, so we would have to add the sscccc
> daemon to this file. This also allows us to support any other service
> with allow and deny capabilities. What do you think about this
> approach?

On S-W I believe all you have to do is run sscccc from tcpd.
So, if you would otherwise have sscccc in some config file, like
pmtab?, then you would put "tcpd sscccc" instead and all the stuff
in hosts.{allow,deny} would apply.  But I don't know if that will work
for us right out of the gate as there may be issues with signals.
Testing would tell.

This is all that is done in inetd.conf, there is no special magic there.

There is also a libtcpwrappers that allows you to program in
tcp-wrapper functionality to your application.  I don't currently have
my hands on a BSD filer so I don't know if we include that library or
not.
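
As an added illustration (not code from this thread or from the OnStor filer), the following Python model of tcpd's hosts.allow/hosts.deny evaluation shows what the proposed rules would decide for sscccc and why the order of the two files matters. The sample files are constructed; only a subset of the hosts_access(5) client patterns is modelled (ALL, an exact address, a trailing-dot prefix such as "10.1.", and net/mask or CIDR networks), with no EXCEPT clauses, hostnames or option fields.

```python
import ipaddress


def _client_matches(pattern, ip):
    """Subset of hosts_access(5) client patterns (see lead-in)."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask ("192.168.50.0/255.255.255.0") or CIDR
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # leading-octet prefix, e.g. "10.1."
        return ip.startswith(pattern)
    return ip == pattern


def _rule_matches(rule, daemon, ip):
    """A rule is 'daemon_list : client_list'; each list is comma separated."""
    fields = [f.strip() for f in rule.split(":")]
    if len(fields) < 2:
        return False  # malformed line: never matches
    daemon_ok = any(d.strip() in ("ALL", daemon) for d in fields[0].split(","))
    client_ok = any(_client_matches(c.strip(), ip) for c in fields[1].split(","))
    return daemon_ok and client_ok


def _rules(text):
    """Blank lines and lines starting with '#' are ignored, as tcpd does."""
    lines = (line.strip() for line in text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]


def hosts_access(daemon, ip, hosts_allow, hosts_deny):
    """tcpd's decision order: the first match in hosts.allow grants access,
    otherwise the first match in hosts.deny refuses it, otherwise access is
    granted. Returns (allowed, matching_rule_or_None) so a refusal can be
    traced to the rule that caused it."""
    for rule in _rules(hosts_allow):
        if _rule_matches(rule, daemon, ip):
            return True, rule
    for rule in _rules(hosts_deny):
        if _rule_matches(rule, daemon, ip):
            return False, rule
    return True, None


# Constructed sample files for the scenario in the thread: an allow list of
# management stations for sscccc, and a deny-everything-else rule that is
# scoped to sscccc so other services on the filer are unaffected.
HOSTS_ALLOW = """
# admin stations and the management subnet may reach sscccc (port 443)
sscccc: 10.1.2.10, 10.1.2.11, 192.168.50.0/255.255.255.0
"""
HOSTS_DENY = """
# anyone not listed in hosts.allow is refused by sscccc only
sscccc: ALL
"""

if __name__ == "__main__":
    for client in ("10.1.2.10", "192.168.50.77", "203.0.113.5"):
        print(client, hosts_access("sscccc", client, HOSTS_ALLOW, HOSTS_DENY))
```

A deny-only file (the current /onstor/etc/sscccc_hosts_deny approach) is the case where hosts_allow is empty: unlisted clients are then admitted by default, which is why an allow file is needed to restrict sscccc to a fixed set of stations.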
