Looking in the code I find - that while there is a ./configure --enable-tcpwrap option, there doesn't seem to be any code to support it.
The comments in ./configure are this: if test ".$ac_enable_tcpwrap" = ".yes"; then AC_MSG_WARN([TCP Wrap support enabled, if available, via command line option!]) AC_CHECK_LIB(wrap, request_init, MORELIBS="$MORELIBS -lwrap" && AC_DEFINE(HAVE_LIBWRAP)) fi I assume that libwrap.a basically replaces certain c library functions with ones that respect the restrictions in hosts.allow and hosts.deny. I don't know this for sure, but that's my guess. Certainly there isn't anything in main.c's usage() function, nor the getopts stuff... I think the comment is bogus - if you add the library, you get tcp wrapper protection... Look at http://rr.sans.org/unix/TCP_wrappers2.php You say you put ntop: ALL in hosts.deny But have you followed the instructions in "Installation Options" in the above memo to configure ntop for tcp-wrappers? TCP Wrappers has two installation options. The first is the easy installation and configuration method, which requires no changes to the existing software and configuration files. The second is the advanced installation method, which requires modifications of the inetd configuration file. The easy installation method has the user move the daemons they want to protect to the REAL_DAEMON_DIR directory and replaces them with copies of the tcpd. Here is an example of how to reset the telnet daemon: Mkdir REAL_DAEMON_DIR Mv /sbin/in.telnetd REAL_DAEMON_DIR Cp tcpd /sbin/in.telnetd All directories, paths and files used by TCP Wrappers should have read- or read-and-execute-only access (modes 755 of 555); they must not be writable. The advanced installation method does not modify the daemon executables, but the inetd configuration file, file/etc/inetd.conf, is modified. Tcpd should be executed in place of the original daemon for each service that you want to protect, passing the original daemon pathname as an argument to tcpd. Here is an example of the standard inetd.conf record for telenet: telnet stream tcp nowait root /sbin/in.telnetd /sbin/in.telnetd Here is the same service modified to support TCP Wrappers: telnet stream tcp nowait root /sbin/tcpd /sbin/in.telnetd After modifying the files/services that you want to protect, remember to tell inetd to re-read the file with kill (process id)-HUP. As with the easy installation, all files, paths and directories utilized by TCP Wrappers should have read- or read- and execute-only access (modes 755 or 555) they must not be writable. do you have an ntop entry in /etc/services???? What port??? Otherwise, how would tcp wrappers know what to intercept?? -----Burton -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of joe Sent: Wednesday, February 20, 2002 2:28 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: [Ntop] (no subject) hi, > joe <[EMAIL PROTECTED]> writes: > > > I'm running ntop 2.0.0 on an Ultra 60 running Solaris 2.6. I'm having two > > problems: > > > > when I built ntop, it said that tcp wrapper support was there, however I > > need to enable it with a commandline option. maybe i'm tired or > > something, but i don't see anything in the man page regarding this > > commandline option. > > The "command line" refered to in configure is the *configure* command line hmm. I have tcp wrappers 7.6 installed. They work for other services, but putting ntop: ALL in hosts.deny does not work. > > > > the second problem i'm having is more serious. ntop seems to be crashing, > > especially when i'm using SSL (i.e., -W 3001). > > Did it produce a core dump? if so, can you use gdb to produce a stack trace > and report the error back. It could have been fixed in the CVS code. unfortunately it doesn't produce a core dump. if i don't run it in daemon mode, i just see a "Segmentation fault" message when it crashes. anymore thoughts? i _really_ want to get this working. Thanks _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listmanager.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listmanager.unipi.it/mailman/listinfo/ntop
