Nick, I found that SSHd was being unreasonably slow in authorising logins.

Found the problem to be that SSH was doing DNS lookups on IPs. So I set up an internal reverse DNS for my local LAN, and shebang, it's almost instant now.

Jason

----- Original Message -----
From: "Nick Boyce" <>
To: <debian-security@lists.debian.org>
Sent: Thursday, August 29, 2002 11:51 AM
Subject: Permissions Required On hosts.allow ?

[hope this isn't too lame a question for this list]

I decided to start locking down permissions on "sensitive" files on a recently installed Woody box, and discovered that when I changed the permissions on "hosts.allow" (and "hosts.deny") to 640 I could no longer Telnet into the box from the permitted IP address (never mind denied addresses). /var/log/daemon.log had messages in it to the effect that tcpd couldn't read hosts.allow, so was denying the connection.

So I've opened perms up to 644 again, but this seems the wrong thing to do. I realise I was only gaining a minor layer of security-thru-obscurity, but every little helps - surely we don't want this file to be world-readable?

I note from inetd.conf that in.telnetd runs as uid.gid telnetd.telnetd, whereas hosts.allow has uid.gid root.root, which I guess is the cause of this. Can I change this around a bit to achieve my goal - maybe make a new group called "foo" (say) and give that gid to in.telnetd and hosts.allow ... ?

[BTW: I *do* use SSH for all network access - I only have 127.0.0.1 listed for in.telnetd in hosts.allow, to allow myself to "telnet 0" - sometimes I like to start a new session like that, and ssh takes so much longer to start up a session ...]

TIA,
Nick Boyce
Bristol, UK

-- 
The universe is entering maintenance mode in 2 minutes. Please logout.
-- Your administrator
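The permission question in Nick's message comes down to the ordinary POSIX read check that tcpd hits when it opens hosts.allow with the uid.gid that inetd.conf gives in.telnetd. The script below is an added example, not code from the thread or from tcpd; it models that check in plain sh and walks through the situations described (644 root.root, 640 root.root, and the proposed root.foo / telnetd.foo arrangement). The numeric ids are made up for illustration: root is 0, telnetd is uid and gid 101, and the hypothetical group "foo" is gid 102.

```shell
#!/bin/sh
# Added example (not from the thread): a pure-shell model of the POSIX
# read check that tcpd runs into when it opens /etc/hosts.allow as the
# uid/gid given in inetd.conf. Numeric ids are assumptions: root=0,
# telnetd uid/gid=101, and a hypothetical new group "foo" with gid 102.

# can_read MODE FILE_UID FILE_GID PROC_UID "PROC_GIDS"
#   MODE is the three-digit octal mode (e.g. 640). PROC_GIDS is the
#   process's primary gid followed by any supplementary gids, as one
#   space-separated string. Succeeds (exit 0) if the process may read
#   the file, fails (exit 1) otherwise.
can_read() {
    cr_mode=$1 cr_fuid=$2 cr_fgid=$3 cr_puid=$4 cr_pgids=$5

    # uid 0 bypasses discretionary permissions entirely
    [ "$cr_puid" -eq 0 ] && return 0

    # split "640" into owner=6, group=4, other=0 without relying on
    # octal arithmetic in the shell
    cr_other=${cr_mode#??}
    cr_og=${cr_mode%?}
    cr_group=${cr_og#?}
    cr_owner=${cr_og%?}

    # POSIX picks exactly one class: owner if the uid matches, else
    # group if any of the process's gids matches, else other. An owner
    # match is final even when the group bits would be more generous.
    if [ "$cr_puid" -eq "$cr_fuid" ]; then
        cr_bits=$cr_owner
    else
        cr_bits=$cr_other
        for cr_g in $cr_pgids; do
            if [ "$cr_g" -eq "$cr_fgid" ]; then
                cr_bits=$cr_group
                break
            fi
        done
    fi
    [ $(( cr_bits & 4 )) -ne 0 ]
}

# verdict: same arguments, prints what tcpd effectively does, since an
# unreadable hosts.allow makes it deny the connection.
verdict() {
    if can_read "$@"; then echo allow; else echo deny; fi
}

# Walk through the situations in the thread.
echo "hosts.allow 644 root.root, in.telnetd as telnetd.telnetd: $(verdict 644 0 0 101 101)"
echo "hosts.allow 640 root.root, in.telnetd as telnetd.telnetd: $(verdict 640 0 0 101 101)"
echo "hosts.allow 640 root.foo,  in.telnetd as telnetd.foo:     $(verdict 640 0 102 101 102)"
echo "hosts.allow 640 root.foo,  in.telnetd as telnetd.telnetd with foo as a supplementary group: $(verdict 640 0 102 101 "101 102")"
echo "hosts.allow 640 root.foo,  unrelated user uid 1000:       $(verdict 640 0 102 1000 1000)"
```

The model predicts exactly what Nick saw (640 root.root is unreadable for telnetd.telnetd) and that his proposed fix works: chgrp the file to the new group, keep it at 640, and run in.telnetd as telnetd.foo, which leaves it unreadable to everyone outside root and that group. It is a model of the permission check only; confirm on the real box by watching /var/log/daemon.log after the change, and remember that anything else tcpd wraps needs the same group.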