Old 04-26-2012, 09:36 AM
Juan Sierra Pons
 
How /etc/hosts.allow /etc/hosts.deny and smb.conf play along

2012/4/26 Tuxoholic <tuxoholic@hotmail.de>:
> hi list
>
> Can somebody explain why smbd and nmbd are not affected by the following
> strict ruleset in /etc/hosts* ?
>
> /etc/hosts
> 127.0.0.1       MYHOSTNAME localhost.localdomain localhost
> 127.0.1.1       MYHOSTNAME
> 192.168.2.10    MYSERVER
>
> cat /etc/hosts.allow
> #ALL: localhost 127.0.1.1 192.168.2.0/24
> ALL: localhost 127.0.1.1 192.168.2.0/32
>
> /etc/hosts.deny
> ALL: ALL
>
> With this ruleset in place nmbd broadcasts still pull through and cifs mounts
> are still possible, whereas ssh/rsh access is no longer possible.
>
> To get rid of nmbd/smbd access I have to tweak smb.conf additionally:
>
> /etc/samba/smb.conf
>
> [global]
>         bind interfaces only = Yes
>         interfaces = 127.0.0.0/8, eth0
>         ;; hosts allow = 192.168.2.0/24, 127.
>         hosts allow = 192.168.2.0/32, 127.
>         hosts deny = ALL
>
> With this smb.conf tweaking it works fine, but why could smbd/nmbd run past
> /etc/hosts.allow and /etc/hosts.deny without those lines in smb.conf?
>
> To my limited CIDR understanding a /32 mask should restrict access to
> 192.168.2.0.0 and 192.168.2.1 - this should be fine for testing purposes.
>
> Once this denies all services I'd set it to /24 to have access to the whole
> "subnet" from 192.168.2.0-192.168.2.255 and 127.0.0.1 127.0.1.1
>
>
> --
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> Archive: http://lists.debian.org/BLU0-SMTP149485F83CD3709473EA7D5D8240@phx.gbl
>
Hi,

My two cents:

I think the problem here is between the tcpwrapper Linux implementation
and the samba package.
Are you running samba as a daemon or from inetd?

I think you are running it as a daemon and I believe (check on the
internet) samba must be compiled in a tcpwrapper friendly way (I don't
know if this is the default).

Running samba from inetd must work OK as inetd is tcpwrapper friendly.

If this doesn't help you you can try iptables (but your workaround is OK too)

Best regards.

--------------------------------------------------------------------------------------
Juan Sierra Pons juan@elsotanillo.net
Linux User Registered: #257202 http://www.elsotanillo.net
GPG key = 0xA110F4FE
Key Fingerprint = DF53 7415 0936 244E 9B00 6E66 E934 3406 A110 F4FE
--------------------------------------------------------------------------------------


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/CABS=y9tfVZnzHrho8VFQYWPwtjTdfiOqpmmzRM_+e1UtXLu2Pg@mail.gmail.com
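To see what the quoted /32 ruleset actually admits, here is an added example (not code from the thread or from tcp_wrappers itself) that models the hosts.allow/hosts.deny decision in Python and runs the posted rulesets against a few client addresses; it assumes `localhost` means the loopback range and ignores the EXCEPT keyword and hostname lookups. It describes only what a wrapped service (one linked against libwrap or started through tcpd/inetd) would do, which is the distinction Juan's reply points at.

```python
import ipaddress

# Simplified model of the tcp_wrappers hosts_access(5) decision: the first
# matching hosts.allow line grants access, then the first matching hosts.deny
# line refuses it, and a client matched by neither is allowed.  Only the
# pattern forms used in the thread are implemented: ALL, a CIDR block, a
# trailing-dot prefix such as "127.", the literal "localhost", and a plain
# address.  (Constructed for illustration, not the libwrap code.)

def pattern_matches(pattern, client_ip):
    """Return True if one client pattern matches the client address."""
    ip = ipaddress.ip_address(client_ip)
    if pattern == "ALL":
        return True
    if pattern == "localhost":      # assumption: treated as the loopback range
        return ip.is_loopback
    if pattern.endswith("."):       # prefix form: "127." matches 127.x.x.x
        return client_ip.startswith(pattern)
    if "/" in pattern:              # CIDR form: a /32 contains exactly one host
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)

def rule_matches(rule, daemon, client_ip):
    """One 'daemon_list : client_list' line; blank and '#' lines never match."""
    rule = rule.strip()
    if not rule or rule.startswith("#") or ":" not in rule:
        return False
    daemons, clients = (part.split() for part in rule.split(":", 1))
    daemon_ok = "ALL" in daemons or daemon in daemons
    return daemon_ok and any(pattern_matches(p, client_ip) for p in clients)

def hosts_access(allow_lines, deny_lines, daemon, client_ip):
    """hosts.allow is consulted first, then hosts.deny, then the default allow."""
    if any(rule_matches(r, daemon, client_ip) for r in allow_lines):
        return True
    if any(rule_matches(r, daemon, client_ip) for r in deny_lines):
        return False
    return True

# The rulesets from the question: the posted /32 line and the commented-out /24.
HOSTS_ALLOW_32 = ["#ALL: localhost 127.0.1.1 192.168.2.0/24",
                  "ALL: localhost 127.0.1.1 192.168.2.0/32"]
HOSTS_ALLOW_24 = ["ALL: localhost 127.0.1.1 192.168.2.0/24"]
HOSTS_DENY = ["ALL: ALL"]

if __name__ == "__main__":
    for allow in (HOSTS_ALLOW_32, HOSTS_ALLOW_24):
        for client in ("127.0.0.1", "192.168.2.0", "192.168.2.1", "192.168.2.10"):
            print(allow[-1], client, hosts_access(allow, HOSTS_DENY, "sshd", client))
```

With the /32 line only 192.168.2.0 itself and the loopback addresses get through, so MYSERVER at 192.168.2.10 would be refused by a wrapped sshd; the commented-out /24 line admits the whole 192.168.2.0-255 range. Samba's own `hosts allow` / `hosts deny` options in smb.conf accept the same address forms, so the same /32 value behaves the same way there.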
 
Old 04-26-2012, 10:54 AM
shawn wilson
 
How /etc/hosts.allow /etc/hosts.deny and smb.conf play along

Juan is correct. However my two cents - don't rely on hosts.allow and hosts.deny for anything. Just use iptables rules to do this type of thing.


Also, most don't consider samba to be a very secure service (last CVE was only a few weeks ago) so be very careful with this service.
