How to deny client access using domain in TCP Wrapper?
I would appreciate it if someone could help me out with TCP Wrapper.
I want to deny all client access from the .ywlocal.net domain to the vsftpd server.
My environment is below. I use RHEL 7.3.
| role | hostname | ip address |
|---|---|---|
| vsftpd server | server1 | 192.168.11.16 |
| ftp client | tester1 | 192.168.11.17 |
As the documentation describes, I have defined the /etc/hosts.deny file on the ftp server (vsftpd) side as below.

```
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
#vsftpd : ALL EXCEPT 192.168.11.
vsftpd : .ywlocal.net
```
I also have my /etc/hosts as below.

```
[root@server1 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.11.17 tester1 tester1.ywlocal.net
```
I have opened the firewall port as well.

```
[root@server1 ~]# firewall-cmd --list-rich-rule
rule family="ipv4" port port="21" protocol="tcp" accept
rule family="ipv4" port port="10000-10001" protocol="tcp" accept
```
However, I can still access the vsftpd server from the client side.

```
[ywatanabe@tester1 ~]$ lftp 192.168.11.16
lftp 192.168.11.16:~> ls
drwxr-xr-x 2 0 0 6 Jun 23 2016 pub
lftp 192.168.11.16:/>
```

How can I deny client access using the domain?
Responses
Is there a deny rule defined in your firewall? If you wish to restrict access to a service using tcpwrappers, then the best way is to deny everyone and allow access only to whichever domain is required. If I wished to block vsftpd service access to domain1.example.com and allow the rest, then I would add "vsftpd: ALL" to /etc/hosts.deny and "vsftpd: ALL EXCEPT 192.168.11." (as in your case) to the /etc/hosts.allow file. This should work. However, this could best be achieved using the firewall, which is the recommended way.
You should note that domain-based access control only works if the server can successfully resolve the client hostname from the IP address. A reverse DNS lookup returns the fully-qualified domain name, but if the hostname gets resolved from /etc/hosts, the lookup result will be the first name on the line with the client's IP address.
I see you've added this line to your /etc/hosts:

```
192.168.11.17 tester1 tester1.ywlocal.net
```

The problem here is that it says the system's canonical, primary name is "tester1", and "tester1.ywlocal.net" is just an alias for it. The ordering of names on the /etc/hosts line is important.
Make the fully-qualified name the first on the line, and then tcpwrappers should work as you expect:

```
192.168.11.17 tester1.ywlocal.net tester1
```
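The behaviour the two answers describe, as an added example that is not part of the thread: a small Python model of how tcp_wrappers takes the client name from the first field of the matching /etc/hosts line and then applies hosts_access(5) client patterns (`ALL`, a leading-dot domain suffix, a trailing-dot address prefix, and `EXCEPT`). The hosts-file contents are constructed from the question, and the forward-DNS consistency check that real tcpd also performs is left out.

```python
# Constructed /etc/hosts contents: the thread's original ordering and the fix.
HOSTS_ORIGINAL = "192.168.11.17 tester1 tester1.ywlocal.net\n"
HOSTS_FIXED = "192.168.11.17 tester1.ywlocal.net tester1\n"


def canonical_name(hosts_text: str, ip: str) -> str:
    """First hostname on the /etc/hosts line for ip ('' if no line matches)."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == ip:
            return fields[1]
    return ""


def pattern_matches(pattern: str, ip: str, name: str) -> bool:
    """One hosts_access(5) pattern: ALL, .domain suffix, net. prefix, or exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):   # leading dot: domain suffix, e.g. .ywlocal.net
        return name.endswith(pattern)
    if pattern.endswith("."):     # trailing dot: address prefix, e.g. 192.168.11.
        return ip.startswith(pattern)
    return pattern in (ip, name)


def client_list_matches(client_list: str, ip: str, name: str) -> bool:
    """'list_1 EXCEPT list_2' matches list_1 minus list_2; EXCEPT nests rightward."""
    if " EXCEPT " in client_list:
        left, right = client_list.split(" EXCEPT ", 1)
        return (client_list_matches(left, ip, name)
                and not client_list_matches(right, ip, name))
    return any(pattern_matches(p, ip, name) for p in client_list.split())


def denied(hosts_deny_rule: str, hosts_text: str, ip: str) -> bool:
    """True if a 'daemon : client_list' hosts.deny rule rejects this client ip."""
    _daemon, client_list = (s.strip() for s in hosts_deny_rule.split(":", 1))
    name = canonical_name(hosts_text, ip)   # '' means no name -> no suffix match
    return client_list_matches(client_list, ip, name)


if __name__ == "__main__":
    for label, hosts in (("original", HOSTS_ORIGINAL), ("fixed", HOSTS_FIXED)):
        print(label, "-> denied:", denied("vsftpd : .ywlocal.net", hosts, "192.168.11.17"))
```

Run against the original ordering the rule never matches (the name seen is "tester1"); with the fixed ordering the same `.ywlocal.net` rule denies the client, which is the difference the second answer points out.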