Syslog-ng not working with tcp_wrappers
Syslog-ng doesn't seem to be respecting tcp_wrappers security.

I compiled syslog-ng (v. 3) with

    $ ./configure --sysconfdir=/etc/syslog-ng/ --enable-tcp-wrapper --enable-sql --enable-dynamic-linking

Although, I do notice this warning in config.log:

    configure:7282: gcc -o conftest -g -O2 -Wall conftest.c -lwrap >&5
    conftest.c: In function 'main':
    conftest.c:43: warning: control reaches end of non-void function
    configure:7288: $? = 0
    configure:7309: result: -lwrap

However, the compile is successful.

My hosts.allow file is:

    #
    # hosts.allow This file describes the names of the hosts which are
    # allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    #
    sshd: ALL
    #syslog-ng: localhost, p3.mydomain.com, p4.mydomain.com

    #
    # hosts.deny This file describes the names of the hosts which are
    # *not* allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    ALL: ALL

Note that the syslog-ng process is commented out, but syslog-ng still works. Apparently, it's not checking the hosts.* files.

Any idea?

Liam
On Thu, 2009-03-12 at 13:40 -0700, Liam Kirsher wrote:
> Syslog-ng doesn't seem to be respecting tcp_wrappers security.
>
> I compiled syslog-ng (v. 3) with
>
>     $ ./configure --sysconfdir=/etc/syslog-ng/ --enable-tcp-wrapper --enable-sql --enable-dynamic-linking
>
> Although, I do notice this warning in config.log:
>
>     configure:7282: gcc -o conftest -g -O2 -Wall conftest.c -lwrap >&5
>     conftest.c: In function 'main':
>     conftest.c:43: warning: control reaches end of non-void function
>     configure:7288: $? = 0
>     configure:7309: result: -lwrap
>
> However, the compile is successful.
>
> My hosts.allow file is:
>
>     #
>     # hosts.allow This file describes the names of the hosts which are
>     # allowed to use the local INET services, as decided
>     # by the '/usr/sbin/tcpd' server.
>     #
>     sshd: ALL
>     #syslog-ng: localhost, p3.mydomain.com, p4.mydomain.com
>
>     #
>     # hosts.deny This file describes the names of the hosts which are
>     # *not* allowed to use the local INET services, as decided
>     # by the '/usr/sbin/tcpd' server.
>     ALL: ALL
>
> Note that the syslog-ng process is commented out, but syslog-ng still works. Apparently, it's not checking the hosts.* files.
>
> Any idea?

Well, I haven't tested tcpd support for ages, but after a quick test with your configuration it works for me:

    Syslog connection rejected by tcpd; from='AF_INET(127.0.0.1:53905)'

Do you have ENABLE_TCP_WRAPPER defined in config.h after the configure run?

Also, please make sure that you have an empty line at the end of the hosts.allow & hosts.deny files as the last line is not interpreted by libwrap if it has no NL character at the end.

--
Bazsi

Balazs,

Thanks. I got it working. I think the problem was a combination of the missing newline and also reverse DNS doesn't work correctly for EC2 instances (at least, I don't know how to get it to return our name and not the Amazon name). Putting in the IP addresses solved that problem.

Liam

Balazs Scheidler wrote:
> On Thu, 2009-03-12 at 13:40 -0700, Liam Kirsher wrote:
>> Syslog-ng doesn't seem to be respecting tcp_wrappers security.
>>
>> I compiled syslog-ng (v. 3) with
>>
>>     $ ./configure --sysconfdir=/etc/syslog-ng/ --enable-tcp-wrapper --enable-sql --enable-dynamic-linking
>>
>> Although, I do notice this warning in config.log:
>>
>>     configure:7282: gcc -o conftest -g -O2 -Wall conftest.c -lwrap >&5
>>     conftest.c: In function 'main':
>>     conftest.c:43: warning: control reaches end of non-void function
>>     configure:7288: $? = 0
>>     configure:7309: result: -lwrap
>>
>> However, the compile is successful.
>>
>> My hosts.allow file is:
>>
>>     #
>>     # hosts.allow This file describes the names of the hosts which are
>>     # allowed to use the local INET services, as decided
>>     # by the '/usr/sbin/tcpd' server.
>>     #
>>     sshd: ALL
>>     #syslog-ng: localhost, p3.mydomain.com, p4.mydomain.com
>>
>>     #
>>     # hosts.deny This file describes the names of the hosts which are
>>     # *not* allowed to use the local INET services, as decided
>>     # by the '/usr/sbin/tcpd' server.
>>     ALL: ALL
>>
>> Note that the syslog-ng process is commented out, but syslog-ng still works. Apparently, it's not checking the hosts.* files.
>>
>> Any idea?
>
> Well, I haven't tested tcpd support for ages, but after a quick test with your configuration it works for me:
>
>     Syslog connection rejected by tcpd; from='AF_INET(127.0.0.1:53905)'
>
> Do you have ENABLE_TCP_WRAPPER defined in config.h after the configure run?
>
> Also, please make sure that you have an empty line at the end of the hosts.allow & hosts.deny files as the last line is not interpreted by libwrap if it has no NL character at the end.

-- Liam Kirsher PGP: http://liam.numenet.com/pgp/
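
Added example (not part of the original thread and not syslog-ng code): a POSIX shell lint for the two causes identified above, a last rule with no terminating newline and client entries that are matched by hostname. The function names are hypothetical, and the parser assumes single-line IPv4 rules.

```shell
#!/bin/sh
# Added example: lint hosts.allow/hosts.deny for the two problems found in this thread.
# Assumes IPv4 rules on single lines (no backslash continuations, no [IPv6] literals).

# Succeeds when FILE is non-empty and its last byte is not a newline, in which
# case libwrap does not interpret the final rule.
missing_final_newline() {
    [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]
}

# Print the client patterns that apply to DAEMON in FILE and need a name lookup
# (hostnames, .domain suffixes) instead of being literal addresses.
hostname_clients() {
    awk -v d="$1" '
        /^[ \t]*#/ || !/:/ { next }                 # comments and non-rule lines
        {
            split($0, part, ":")                    # daemon_list : client_list [: option]
            n = split(part[1], daemons, "[ \t,]+")
            hit = 0
            for (i = 1; i <= n; i++)
                if (daemons[i] == d || daemons[i] == "ALL") hit = 1
            if (!hit) next
            m = split(part[2], clients, "[ \t,]+")
            for (i = 1; i <= m; i++) {
                c = clients[i]
                if (c == "" || c ~ "^(ALL|LOCAL|KNOWN|UNKNOWN|PARANOID|EXCEPT)$") continue
                if (substr(c, 1, 1) == "/" || c ~ "^[0-9./]+$") continue  # file or IPv4
                print c
            }
        }' "$2"
}

# Print one finding per line for DAEMON over the given files; returns 1 if any.
lint_hosts_access() {
    daemon=$1; shift; rc=0
    for f in "$@"; do
        if missing_final_newline "$f"; then
            echo "$f: no newline at end of file, last rule is not interpreted"; rc=1
        fi
        for c in $(hostname_clients "$daemon" "$f"); do
            echo "$f: '$c' is matched by name, relies on the peer's reverse DNS"; rc=1
        done
    done
    return $rc
}

# Usage: sh lint.sh syslog-ng /etc/hosts.allow /etc/hosts.deny
[ "$#" -lt 2 ] || lint_hosts_access "$@"
```
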

-----Original Message-----
From: Liam Kirsher [mailto:liamk@numenet.com]
Sent: Thursday, March 12, 2009 4:41 PM
To: syslog-ng@lists.balabit.hu
Subject: [syslog-ng] Syslog-ng not working with tcp_wrappers

Syslog-ng doesn't seem to be respecting tcp_wrappers security.

I compiled syslog-ng (v. 3) with

    $ ./configure --sysconfdir=/etc/syslog-ng/ --enable-tcp-wrapper --enable-sql --enable-dynamic-linking

Although, I do notice this warning in config.log:

    configure:7282: gcc -o conftest -g -O2 -Wall conftest.c -lwrap >&5
    conftest.c: In function 'main':
    conftest.c:43: warning: control reaches end of non-void function
    configure:7288: $? = 0
    configure:7309: result: -lwrap

However, the compile is successful.

My hosts.allow file is:

    #
    # hosts.allow This file describes the names of the hosts which are
    # allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    #
    sshd: ALL
    #syslog-ng: localhost, p3.mydomain.com, p4.mydomain.com

    #
    # hosts.deny This file describes the names of the hosts which are
    # *not* allowed to use the local INET services, as decided
    # by the '/usr/sbin/tcpd' server.
    ALL: ALL

Note that the syslog-ng process is commented out, but syslog-ng still works. Apparently, it's not checking the hosts.* files.

Any idea?

Liam

You need to get rid of the ALL: ALL line which allows everything from everywhere.

participants (3)
- Balazs Scheidler
- Liam Kirsher
- w3euu