[BlueOnyx:16545] Re: 5106 FTP and AM strangeness. (solved)
George F. Nemeyer
tigerwolf at tigerden.com
Sun Nov 23 15:29:29 -05 2014
> Both FTP and Email Server Active Monitors were red-balled, as was the
> main top-bar light. Of the various e-mail services, only the top one
> (main SMTP server) was red.
I got too focused on ActiveMonitor being wrong since both services seemed
to be functioning. Indeed, they were running, and you could connect from
an external site, so why was AM saying they weren't?
The problem was that neither service could be contacted from 'localhost'
127.0.0.1 because of tcpwrappers! So while sendmail seemed working, it
wasn't able to internally process/forward anything! Likewise, probes to
the FTP from AM, apparently, are using 127.0.0.1, which was blocked!
So, the solution was to enter localhost and 127.0.0.1 into
/etc/hosts.allow. Once that was done, both Mail and FTP monitor balls
became green on the next probe by AM.
However, the question becomes *why* was tcpwrappers suddenly acting
different?
The only thing I'd done lately was do a global change from the usual ssh:
<ip> blocks to ALL: <ip> to thwart those who were abusing ssh from getting
to anything else shielded by hosts.deny. Neither localhost nor 127.0.0.1,
nor any of our local network IPs were in the deny list.
The hosts.allow file had *always* been empty, but for the few
comment lines telling what goes in there.
The man page (which confirmed my understanding) says the order of the
process is
"Allow" if in hosts.allow
If not listed, then
"Deny" if in the deny file
If not listed, then "Allow"
Therefore, an *empty* hosts.allow should let everything through unless
explicitly listed in hosts.deny.
So while I've solved the immediate problem, it seems like a 'hack', and
there's still a concern over why it all suddenly broke and needs something
entered that wasn't there before.
We have had a *ton* of sites (cough..China..cough) pounding on the box
along with others lately...so the hosts.deny has been steadily growing
from using 'denyhosts' to automatically populate hosts.deny.
Is anyone aware of any odd behavior by tcpwrappers in this regard? Is
there some limit to the number of entries in hosts.deny that could be
confusing it?
Any insight would be appreciated.
=^_^= Tigerwolf
More information about the Blueonyx
mailing list