Re: inetd question
Thanks Peter. Now my hosts.allow file reads:

# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See hosts_access(5) and /usr/doc/netbase/portmapper.txt.gz
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
http-gw: 172.26. @@ALL
ALL: @@ALL

And it works nicely.

Michael

--
Dr. Michael Meskes, Projekt-Manager     | topsystem Systemhaus GmbH
[EMAIL PROTECTED]                       | Europark A2, Adenauerstr. 20
[EMAIL PROTECTED]                       | 52146 Wuerselen
Go SF49ers! Go Rhein Fire!              | Tel: (+49) 2405/4670-44
Use Debian GNU/Linux!                   | Fax: (+49) 2405/4670-10

-----Original Message-----
From:    Peter Tobias [SMTP:[EMAIL PROTECTED]]
Sent:    Wednesday, June 18, 1997 2:16 PM
To:      Michael Meskes
Cc:      The recipient's address is unknown.
Subject: Re: inetd question

On Jun 17, Michael Meskes wrote:
> Yes, I use a proxy and both proxy and www-client run on the same machine.
> But it appears the ident calls came from my firewall where I run a http-gw.
>
> You're absolutely right that I should get rid of that traffic. There is no
> need for the firewall to ask identd on a local machine. But it should ask
> identd for connections from outside. Can I configure tcpd so that it only
> asks outside machines? Currently I have ALL:@@ALL in my /etc/hosts.allow
> file. Would it suffice to add a line
>
> http-gw: [EMAIL PROTECTED]
>
> Our local network is 172.26.0.0.

I guess the following things would help:

- replace ALL:@@ALL by ALL:ALL (no ident lookups by default) or maybe
  ALL EXCEPT http-gw:@@ALL (lookups for every service except http-gw)

or

- http-gw:172.26. @@ALL (or http-gw:172.26. [EMAIL PROTECTED])
  This line would allow access from 172.26.x.x without ident lookup.
  Every other address would cause an ident lookup.

or

- use ipfwadm to protect the ident port

Thanks,

Peter

--
Peter Tobias                                [EMAIL PROTECTED]
                                            [EMAIL PROTECTED]
                                            [EMAIL PROTECTED]
PGP ID EFAA400D, fingerprint = 06 89 EB 2E 01 7C B4 02 04 62 89 6C 2F DD F1 3C

--
TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
[EMAIL PROTECTED] .
Trouble? e-mail to [EMAIL PROTECTED] .
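The hosts.allow variants Peter lists differ only in *when* tcpd performs the client username (ident) lookup, which is easy to get wrong by reading the rules. The following is an added example, not code from the thread or from the tcp_wrappers package: a small Python model of the hosts_access(5) matching rules that the thread uses (ALL, LOCAL, leading-dot domain and trailing-dot network prefixes, EXCEPT, and the user@host form that triggers a lookup). Two assumptions are mine: the thread's "@@ALL" is modelled as the documented ALL@ALL pattern, and the host part of a user@host item is tested before the user part, which is what Peter's description of the "http-gw: 172.26. @@ALL" line implies (local clients match the first item and never reach the lookup). The client addresses are constructed.

```python
"""Toy model of tcp_wrappers hosts_access(5) matching, used to compare the
hosts.allow variants from the thread.  Added example, not the tcp_wrappers
code; only the syntax the thread uses is modelled.  The thread's "@@ALL" is
taken to mean the documented user@host form ALL@ALL (my assumption)."""

from dataclasses import dataclass

@dataclass
class Request:
    daemon: str             # wrapped server name, e.g. "http-gw" or "in.telnetd"
    host: str               # client address or hostname as tcpd sees it
    ident_lookups: int = 0  # how often a user@host item forced an ident (RFC 931) lookup

def _host_match(pattern, host):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # hostnames without a dot
        return "." not in host
    if pattern.startswith("."):       # ".foobar.edu" matches every host in that domain
        return host.endswith(pattern)
    if pattern.endswith("."):         # "172.26." matches every address in 172.26.0.0
        return host.startswith(pattern)
    return host == pattern

def _client_match(item, req):
    if item.startswith("@"):          # NIS netgroup: not modelled here
        return False
    if "@" in item:
        # user@host: the host part is tested first (assumption, see lead-in);
        # only a matching host makes tcpd contact the client's identd.
        user_pat, host_pat = item.rsplit("@", 1)
        if not _host_match(host_pat, req.host):
            return False
        req.ident_lookups += 1
        return user_pat == "ALL"      # only the ALL user pattern is modelled
    return _host_match(item, req.host)

def _daemon_match(item, req):
    return item == "ALL" or item == req.daemon

def _list_match(expr, req, matcher):
    """'list' or 'list EXCEPT list'; EXCEPT groups to the right, and
    evaluation stops at the first matching item (any() short-circuits)."""
    tokens = expr.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_match(" ".join(tokens[:i]), req, matcher)
                and not _list_match(" ".join(tokens[i + 1:]), req, matcher))
    return any(matcher(tok, req) for tok in tokens)

def _rule_match(line, req):
    line = line.split("#", 1)[0].strip()
    if not line:
        return False
    daemons, clients = [f.strip() for f in line.split(":", 2)[:2]]
    return (_list_match(daemons, req, _daemon_match)
            and _list_match(clients, req, _client_match))

def hosts_access(allow_lines, deny_lines, req):
    """Search order of the wrapper: hosts.allow first (a match grants access),
    then hosts.deny (a match refuses), otherwise access is granted."""
    if any(_rule_match(l, req) for l in allow_lines):
        return True
    if any(_rule_match(l, req) for l in deny_lines):
        return False
    return True

def evaluate(allow_lines, daemon, host, deny_lines=()):
    """Return (access granted, ident lookup performed) for one connection."""
    req = Request(daemon, host)
    return hosts_access(allow_lines, list(deny_lines), req), req.ident_lookups > 0

# The thread's candidates, with ALL@ALL standing in for its "@@ALL".
VARIANTS = {
    "ALL: ALL@ALL": ["ALL: ALL@ALL"],
    "ALL: ALL": ["ALL: ALL"],
    "ALL EXCEPT http-gw: ALL@ALL": ["ALL EXCEPT http-gw: ALL@ALL"],
    "http-gw: 172.26. ALL@ALL + ALL: ALL@ALL":
        ["http-gw: 172.26. ALL@ALL", "ALL: ALL@ALL"],
}

if __name__ == "__main__":
    # Constructed connections: http-gw reached from the local 172.26.0.0
    # network and from outside, plus another service from inside.
    conns = [("http-gw", "172.26.1.5"), ("http-gw", "10.9.8.7"), ("in.telnetd", "172.26.1.5")]
    for name, lines in VARIANTS.items():
        print(name)
        for daemon, host in conns:
            allowed, lookup = evaluate(lines, daemon, host)
            print(f"  {daemon:10} from {host:12} allowed={allowed} ident_lookup={lookup}")
```

Running it shows the trade-off in Peter's list: "ALL: ALL" never looks up anyone, "ALL EXCEPT http-gw: ALL@ALL" leaves http-gw to the default (allowed, no lookup, for every client), and only the two-line file gives the behaviour Michael asked for, local clients of http-gw pass without a lookup while outside clients and every other service still get one.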
Re: inetd question
On Jun 17, Michael Meskes wrote:
> Yes, I use a proxy and both proxy and www-client run on the same machine.
> But it appears the ident calls came from my firewall where I run a http-gw.
>
> You're absolutely right that I should get rid of that traffic. There is no
> need for the firewall to ask identd on a local machine. But it should ask
> identd for connections from outside. Can I configure tcpd so that it only
> asks outside machines? Currently I have ALL:@@ALL in my /etc/hosts.allow
> file. Would it suffice to add a line
>
> http-gw: [EMAIL PROTECTED]
>
> Our local network is 172.26.0.0.

I guess the following things would help:

- replace ALL:@@ALL by ALL:ALL (no ident lookups by default) or maybe
  ALL EXCEPT http-gw:@@ALL (lookups for every service except http-gw)

or

- http-gw:172.26. @@ALL (or http-gw:172.26. [EMAIL PROTECTED])
  This line would allow access from 172.26.x.x without ident lookup.
  Every other address would cause an ident lookup.

or

- use ipfwadm to protect the ident port

Thanks,

Peter
RE: inetd question
Yes, I use a proxy and both proxy and www-client run on the same machine.
But it appears the ident calls came from my firewall where I run a http-gw.

You're absolutely right that I should get rid of that traffic. There is no
need for the firewall to ask identd on a local machine. But it should ask
identd for connections from outside. Can I configure tcpd so that it only
asks outside machines? Currently I have ALL:@@ALL in my /etc/hosts.allow
file. Would it suffice to add a line

http-gw: [EMAIL PROTECTED]

Our local network is 172.26.0.0.

Michael

-----Original Message-----
From:    Peter Tobias [SMTP:[EMAIL PROTECTED]]
Sent:    Tuesday, June 17, 1997 2:37 AM
To:      Kai Henningsen
Cc:      The recipient's address is unknown.
Subject: Re: inetd question

As far as I know Michael uses a proxy in the same LAN (maybe the client
also runs on this machine). When you get some pages from the local proxy
and the proxy does an ident lookup for each connection you'll get lots of
ident lookups (getting pages from the proxy is quite fast so you'll get
lots of lookups in a very short time).

> > Using nowait.120 is of course a solution but it is probably better to
> > find the application that is causing the problem.
>
> It is not clear that there is a problem, other than heavy use. There may
> be, of course, such as ident queries actually causing more ident queries,
> but we don't know yet if something like that happens.

Getting more than 40 ident lookups a minute is not a usual situation. The
best solution is to find the reason (the sender!) of the ident requests (if
it is a local service/system the ident lookups for that service/system
should probably be turned off). Setting the limit to 120 will keep the
system running but won't reduce the (maybe unnecessary) traffic. If the
number of requests can't be reduced the identd should be run in standalone
mode.

Thanks,

Peter
Re: inetd question
On Jun 15, Kai Henningsen wrote:
> > > Thanks Peter. I guess it's the ident service. So I try nowait.120 and
> > > see what happens.
> >
> > Of course it is the ident service (that's what the error message of
> > inetd said). But the ident service is not a service that is used alone.
> > You have an application/service which is called as often as the ident
> > service. You should have a look at this application.
> >
> > Your problem could also be an entry in hosts.allow or hosts.deny. If you
> > use a username ([EMAIL PROTECTED]) there the tcp_wrapper will do an
> > ident/auth lookup for that service (or for all services if the ALL
> > keyword has been used).
>
> You are somewhat confused here.

I don't think so :-).

> The identd service is called from the _other_ end of the connection (to
> find out who sits on your end). If you actually do have a second service
> called just as often, then either the ident connections are local (both
> ends on your machine), or else the second service is some sort of
> forwarder (like a web proxy), so every time it is called, it calls out to
> somewhere else, and that somewhere else then does an ident query.

As far as I know Michael uses a proxy in the same LAN (maybe the client
also runs on this machine). When you get some pages from the local proxy
and the proxy does an ident lookup for each connection you'll get lots of
ident lookups (getting pages from the proxy is quite fast so you'll get
lots of lookups in a very short time).

> > Using nowait.120 is of course a solution but it is probably better to
> > find the application that is causing the problem.
>
> It is not clear that there is a problem, other than heavy use. There may
> be, of course, such as ident queries actually causing more ident queries,
> but we don't know yet if something like that happens.

Getting more than 40 ident lookups a minute is not a usual situation. The
best solution is to find the reason (the sender!) of the ident requests (if
it is a local service/system the ident lookups for that service/system
should probably be turned off). Setting the limit to 120 will keep the
system running but won't reduce the (maybe unnecessary) traffic. If the
number of requests can't be reduced the identd should be run in standalone
mode.

Thanks,

Peter
Re: inetd question
[EMAIL PROTECTED] (Peter Tobias) wrote on 13.06.97 in [EMAIL PROTECTED]:

> On Jun 13, Michael Meskes wrote:
> > Thanks Peter. I guess it's the ident service. So I try nowait.120 and
> > see what happens.
>
> Of course it is the ident service (that's what the error message of inetd
> said). But the ident service is not a service that is used alone. You have
> an application/service which is called as often as the ident service. You
> should have a look at this application.
>
> Your problem could also be an entry in hosts.allow or hosts.deny. If you
> use a username ([EMAIL PROTECTED]) there the tcp_wrapper will do an
> ident/auth lookup for that service (or for all services if the ALL
> keyword has been used).

You are somewhat confused here.

The identd service is called from the _other_ end of the connection (to
find out who sits on your end). If you actually do have a second service
called just as often, then either the ident connections are local (both
ends on your machine), or else the second service is some sort of
forwarder (like a web proxy), so every time it is called, it calls out to
somewhere else, and that somewhere else then does an ident query.

> Using nowait.120 is of course a solution but it is probably better to find
> the application that is causing the problem.

It is not clear that there is a problem, other than heavy use. There may
be, of course, such as ident queries actually causing more ident queries,
but we don't know yet if something like that happens.

Regards
Kai
Re: inetd question
On Jun 13, Michael Meskes wrote:
> Thanks Peter. I guess it's the ident service. So I try nowait.120 and see
> what happens.

Of course it is the ident service (that's what the error message of inetd
said). But the ident service is not a service that is used alone. You have
an application/service which is called as often as the ident service. You
should have a look at this application.

Your problem could also be an entry in hosts.allow or hosts.deny. If you
use a username ([EMAIL PROTECTED]) there the tcp_wrapper will do an
ident/auth lookup for that service (or for all services if the ALL keyword
has been used).

Using nowait.120 is of course a solution but it is probably better to find
the application that is causing the problem.

Thanks,

Peter
RE: inetd question
Thanks Peter. I guess it's the ident service. So I try nowait.120 and see
what happens.

Michael

-----Original Message-----
From:    Peter Tobias [SMTP:[EMAIL PROTECTED]]
Sent:    Thursday, June 12, 1997 11:52 PM
To:      Michael Meskes
Cc:      The recipient's address is unknown.
Subject: Re: inetd question

On Jun 12, Michael Meskes wrote:
> I get quite a lot of these messages:
>
> inetd[153]: ident/tcp server failing (looping), service terminated
>
> How can I tell which service is the one that's asked for too often?

Have you tried the -l (and maybe the -d) option of the identd?
BTW: Never ever use the tcp_wrapper for the identd (you'll get a nice
tcpd-identd-tcpd-... loop).

You could also check (and count) the connect messages from the tcp_wrapper
in /var/log/daemon.log. Another possibility would be to start inetd with
the -d option.

> I tried tcplogd but all tcp requests logged are to auth and www-proxy both
> of which are not in /etc/inetd.conf. I don't know how auth is handled, is
> it an internal service? www-proxy was added by myself and points to a
> squid daemon so inetd shouldn't get a hand on it, or does it?

If squid receives a request from a local user and squid wants to check the
identity it will call the local ident/auth service (which will be called by
inetd).

Thanks,

Peter
Re: inetd question
On Jun 12, Michael Meskes wrote:
> I get quite a lot of these messages:
>
> inetd[153]: ident/tcp server failing (looping), service terminated
>
> How can I tell which service is the one that's asked for too often?

Have you tried the -l (and maybe the -d) option of the identd?
BTW: Never ever use the tcp_wrapper for the identd (you'll get a nice
tcpd-identd-tcpd-... loop).

You could also check (and count) the connect messages from the tcp_wrapper
in /var/log/daemon.log. Another possibility would be to start inetd with
the -d option.

> I tried tcplogd but all tcp requests logged are to auth and www-proxy both
> of which are not in /etc/inetd.conf. I don't know how auth is handled, is
> it an internal service? www-proxy was added by myself and points to a
> squid daemon so inetd shouldn't get a hand on it, or does it?

If squid receives a request from a local user and squid wants to check the
identity it will call the local ident/auth service (which will be called by
inetd).

Thanks,

Peter
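Peter's advice, to count the tcp_wrapper "connect from" messages in /var/log/daemon.log and find the sender, is the step that actually locates the source of the ident storm; the inetd "looping" message only names the service that was spawned too often. The following is an added example, not from the thread: a Python script that parses a constructed daemon.log excerpt, attributes the ident connections to the hosts that made them, and computes the per-minute spawn count that inetd compares against its limit (40 per minute here, the figure Peter quotes; nowait.120 raises it to 120). The log lines, hostnames and timestamps are made up for the example; the inetd message is the one Michael reported.

```python
"""Attribute tcpd 'connect from' log lines to their senders and compute the
per-minute spawn rate that inetd's nowait limit is applied to.  Added
example, not from the thread; the log excerpt below is constructed."""

import re
from collections import Counter

# The thread's figure for inetd's default per-minute limit; nowait.120 raises it.
DEFAULT_MAX_PER_MINUTE = 40

# Constructed /var/log/daemon.log excerpt.  tcpd logs "connect from <client>"
# under the wrapped daemon's name; the last line is inetd's own complaint.
SAMPLE_LOG = """\
Jun 12 23:40:01 fw in.identd[1201]: connect from squid.example.test
Jun 12 23:40:01 fw in.identd[1202]: connect from squid.example.test
Jun 12 23:40:02 fw in.identd[1203]: connect from http-gw.example.test
Jun 12 23:40:02 fw in.telnetd[1204]: connect from 10.9.8.7
Jun 12 23:40:03 fw in.identd[1205]: connect from squid.example.test
Jun 12 23:41:10 fw in.identd[1206]: connect from 10.9.8.7
Jun 12 23:41:11 fw inetd[153]: ident/tcp server failing (looping), service terminated
"""

CONNECT_RE = re.compile(
    r"^(?P<minute>\w{3} +\d+ \d\d:\d\d):\d\d \S+ (?P<daemon>\S+)\[\d+\]: "
    r"connect from (?P<client>\S+)$")
LOOP_RE = re.compile(r"inetd\[\d+\]: (?P<service>\S+) server failing \(looping\)")

def parse(log_text):
    """Return (connects, loops): connects is a list of (minute, daemon, client),
    loops the services inetd reported as looping."""
    connects, loops = [], []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            connects.append((m["minute"], m["daemon"], m["client"]))
            continue
        m = LOOP_RE.search(line)
        if m:
            loops.append(m["service"])
    return connects, loops

def per_client(connects, daemon):
    """Who is sending the connections to one wrapped daemon (the 'sender')."""
    return Counter(client for _, d, client in connects if d == daemon)

def per_minute(connects, daemon):
    """Spawns of one daemon per minute, the quantity inetd rate-limits."""
    return dict(Counter(minute for minute, d, _ in connects if d == daemon))

def over_limit(connects, daemon, limit=DEFAULT_MAX_PER_MINUTE):
    """Minutes in which the daemon exceeded the given spawn limit."""
    return sorted(m for m, n in per_minute(connects, daemon).items() if n > limit)

if __name__ == "__main__":
    connects, loops = parse(SAMPLE_LOG)
    print("services inetd stopped:", loops)
    print("ident senders:", per_client(connects, "in.identd").most_common())
    print("ident spawns per minute:", per_minute(connects, "in.identd"))
    print("minutes over the default limit:", over_limit(connects, "in.identd"))
```

On a real log the interesting output is the sender table: a local proxy or a firewall at the top of it is exactly the case Peter describes, where the fix is to stop that one system's lookups in hosts.allow rather than raise inetd's limit for everyone.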
Re: inetd question
You're right of course. I should have been more precise. There are two
other services involved: squid as a standalone server and http-gw on the
firewall, and both call ident for each www request. That makes up for quite
some traffic given that one www site is built by a lot of www requests.

Thanks anyway, Peter.

Later
Michael

--
Dr. Michael Meskes, Projekt-Manager     | topsystem Systemhaus GmbH
[EMAIL PROTECTED]                       | Europark A2, Adenauerstr. 20
[EMAIL PROTECTED]                       | 52146 Wuerselen
Go SF49ers! Use Debian GNU/Linux!       | Tel: (+49) 2405/4670-44

----------
From:    Peter Tobias [SMTP:[EMAIL PROTECTED]]
Sent:    Friday, June 13, 1997 12:53
To:      Michael Meskes
Cc:      The recipient's address is unknown.
Subject: Re: inetd question

On Jun 13, Michael Meskes wrote:
> Thanks Peter. I guess it's the ident service. So I try nowait.120 and see
> what happens.

Of course it is the ident service (that's what the error message of inetd
said). But the ident service is not a service that is used alone. You have
an application/service which is called as often as the ident service. You
should have a look at this application.

Your problem could also be an entry in hosts.allow or hosts.deny. If you
use a username ([EMAIL PROTECTED]) there the tcp_wrapper will do an
ident/auth lookup for that service (or for all services if the ALL keyword
has been used).

Using nowait.120 is of course a solution but it is probably better to find
the application that is causing the problem.

Thanks,

Peter
Re: inetd question
[EMAIL PROTECTED] (Michael Meskes) wrote on 12.06.97 in [EMAIL PROTECTED]:

> I get quite a lot of these messages:
>
> inetd[153]: ident/tcp server failing (looping), service terminated
>
> How can I tell which service is the one that's asked for too often?

I'd say it's ident/tcp :-)

I guess you're the second guy this week (the other was a local co-admin)
that sees ident or identd and reads inetd.

> I tried tcplogd but all tcp requests logged are to auth and www-proxy both
> of which are not in /etc/inetd.conf. I don't know how auth is handled, is it

Actually, AFAIK, ident = auth.

> an internal service? www-proxy was added by myself and points to a squid
> daemon so inetd shouldn't get a hand on it, or does it?

Squid may well be related to those ident queries.

Regards
Kai