Date: Fri, 14 Dec 2007 18:31:41 -0800
From: Andrew Sharp <andy.sharp@onstor.com>
To: "Charissa Willard" <charissa.willard@onstor.com>
Subject: Re: restricting access to the sscccc daemon (port 443)
Message-ID: <20071214183141.1e2ce26d@ripper.onstor.net>
In-Reply-To: <BB375AF679D4A34E9CA8DFA650E2B04E0714FF87@onstor-exch02.onstor.net>
References: <BB375AF679D4A34E9CA8DFA650E2B04E0714FF41@onstor-exch02.onstor.net>
	<20071214153339.5659f246@ripper.onstor.net>
	<BB375AF679D4A34E9CA8DFA650E2B04E0714FF87@onstor-exch02.onstor.net>
Organization: Onstor
X-Mailer: Sylpheed-Claws 2.6.0 (GTK+ 2.8.20; x86_64-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Not there.  Neither is tcpd, so we're out of luck on both counts.
Until Cougar, that is ~:^)  Unless someone wants to add it.  </cough>

On Fri, 14 Dec 2007 15:57:58 -0800 "Charissa Willard"
<charissa.willard@onstor.com> wrote:

> Thanks, you can check g8r11 to see if that library is included.
> 
> -----Original Message-----
> From: Andy Sharp 
> Sent: Friday, December 14, 2007 3:34 PM
> To: Charissa Willard
> Cc: Tim Gardner
> Subject: Re: restricting access to the sscccc daemon (port 443)
> 
> On Fri, 14 Dec 2007 15:26:17 -0800 "Charissa Willard"
> <charissa.willard@onstor.com> wrote:
> 
> > Andy,
> > 
> > I'm writing the functional spec for restricting access to specified IP
> > addresses. Currently we require an admin to manually enter up to 32 IP
> > addresses in the /onstor/etc/sscccc_hosts_deny file. Ed put this code
> > in a patch to allow customers to limit access to sscccc for cases
> > when port scanners are continuously pinging port 443 (SSL). This
> > resulted in the WebUI being non-responsive. There is also the
> > requirement to provide an allow file to limit access to just those IP
> > addresses in that file. In addition, we must provide the capability
> > to manage a filer using only the sc ports and not the vsvr
> > interfaces. 
> > 
> > It seems like we should be able to use the standard /etc/host.allow
> > and /etc/host.deny files to limit access to TCP services, assuming we
> > support tcp wrappers. I believe the services correspond to those
> > listed in the inetd.conf file, so we would have to add the sscccc
> > daemon to this file. This also allows us to support any other service
> > with allow and deny capabilities. What do you think about this
> > approach?
> 
> On S-W I believe all you have to do is run sssssssccccccccc from tcpd.
> So, if you would otherwise have sscccc in some config file, like
> pmtab?, then you would put "tcpd ssscccc" instead and all the stuff
> in hosts.{allow,deny} would apply.  But I don't know if that will work
> for us right out of the gate as there may be issues with signals.
> Testing would tell.
> 
> This is all that is done in inetd.conf, there is no special magic
> there.
> 
> There is also a libtcpwrappers that allows you to program in
> tcp-wrapper functionality to your application.  I don't currently have
> my hands on a BSD filer so I don't know if we include that library or
> not.
> 

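The thread proposes replacing the hand-maintained sscccc_hosts_deny list with the standard hosts.allow / hosts.deny evaluation that tcpd and libwrap provide. The following is an added illustration, not code from this thread or from the Onstor filer: a small Python evaluator of that decision order (allow file first, then deny file, default allow) so the spec author can see how an allow list and an "ALL" deny rule interact for the sscccc daemon. The rule files, daemon name and addresses are constructed for the example; "EXCEPT" lists and hostname patterns are deliberately not handled.

```python
"""Toy evaluator of tcp_wrappers-style hosts.allow / hosts.deny rules."""
import ipaddress

# Constructed sample rule files (not the filer's real configuration).
# Only hosts on the management subnet plus one workstation may reach sscccc.
HOSTS_ALLOW = """
# management hosts allowed to reach the web daemon
sscccc : 10.1.2.0/24, 192.168.7.15
"""
# Everyone else is refused, which also silences scanners hammering port 443.
HOSTS_DENY = """
sscccc : ALL
"""

def parse_rules(text):
    """Return (daemon_list, client_list) tuples from 'daemons : clients' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, addr):
    """Support ALL, CIDR networks, classic trailing-dot prefixes and exact IPs."""
    ip = ipaddress.ip_address(addr)
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                     # e.g. "10.1." matches 10.1.x.y
        return addr.startswith(pattern)
    return ip == ipaddress.ip_address(pattern)

def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return (("ALL" in daemons or daemon in daemons)
            and any(client_matches(p, addr) for p in clients))

def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: a hosts.allow match wins, then hosts.deny, else allow."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(deny_text)):
        return False
    return True                                   # no rule at all: access granted
```

Note the default: a daemon with no rule in either file is reachable from anywhere, so a service is only protected once it is named in hosts.deny.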