From: Stephen L Johnson Date: Wed, 14 Nov 2001 17:02:20 +0000 (+0000) Subject: added patch to allow tcp wrappers to be used for connection authentiction X-Git-Tag: spong-2_7_7~32 X-Git-Url: http://git.etc.gen.nz/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f336609504ce2645636ca4fdbe146bc2e408f7f4;p=spong.git added patch to allow tcp wrappers to be used for connection authentiction --- diff --git a/src/spong-server.pl b/src/spong-server.pl index 4a15fc0..944c58d 100755 --- a/src/spong-server.pl +++ b/src/spong-server.pl @@ -6,7 +6,7 @@ # There are one or more update processes that listen for status updates # from client programs. -# $Id: spong-server.pl,v 1.45 2001/08/16 13:08:29 sljohnson Exp $ +# $Id: spong-server.pl,v 1.46 2001/11/14 17:02:20 sljohnson Exp $ use lib "@@LIBDIR@@"; @@ -30,6 +30,13 @@ use Time::Local; use Getopt::Long; use POSIX qw(:sys_wait_h); +# Check to see if we have the TCP Wrappers library installed +eval { + require Authen::Libwrap; + import Authen::Libwrap qw(hosts_ctl STRING_UNKNOWN); +}; +if (! $@) { $wrappers = 1;} else { $wrappers = 0; } + my $numchild; $MAX_CHILDREN = 10; @@ -185,9 +192,7 @@ sub listen_for_clients { while( 1 ) { next unless ( $client = $sock->accept() ); - $paddr = $client->peerhost(); - - # &validate_connection( $paddr ); - need to do something here... + &validate_connection("spong-client", $client) or next; # Read all from the client, and disconnect, we process the message next. @@ -243,7 +248,7 @@ sub listen_for_updates { &debug("Connection from $paddr",6); $0 = "spong-server (spong-update) connection from $paddr"; - # &validate_connection( $paddr ); - need to do something here... + &validate_connection("spong-update", $client) or next; # Now fork and allow the kid to process the message my $pid = fork(); @@ -337,7 +342,7 @@ sub listen_for_bb_updates { &debug("Connection from $paddr",6); $0 = "spong-server (spong-bb-update) connection from $paddr"; - # &validate_connection( $paddr ); - need to do something here... + &validate_connection("spong-bb-update", $client) or next; # Now fork and allow the kid to process the message @@ -437,7 +442,7 @@ sub listen_for_queries { } } } - $next_update += $localTimeOut * 60; + $next_update = $localTimeOut * 60; } else { &debug(time() . " < $next_update"); } @@ -449,7 +454,7 @@ sub listen_for_queries { &debug("[$$] update: Connection from $paddr",6); $0 = "spong-server (query) connection from $paddr"; - # &validate_connection( $paddr ); - need to do something here... + &validate_connection("spong-query", $client) or next; # Now fork and allow the kid to process the message @@ -1485,4 +1490,39 @@ sub load_data_funcs { } +# --------------------------------------------------------------------------- +# Validate an incoming connection +# --------------------------------------------------------------------------- +sub validate_connection { + my ($type, $client) = @_; + + # If TCP Wrappers not found, every connection is valid + if ( ! $wrappers ) { return 1; } + + my $client_ip = $client->peerhost(); + my $client_addr = $client->peeraddr(); + + my $client_name = gethostbyaddr($client_addr, AF_INET); + unless ($client_name) { + &error("gethostbyaddr for $client_ip failed - denying access\n"); + return 0; + } + +# Do we need to do this lookup, or will hosts_ctl() take care of it +# for us? +# my @addr = gethostbyname($client_name) +# or &error("gethostbyname for $client_name failed\n"); +# unless (grep { $client_addr == $_ } @addr[4..$#addr]) { +# &error("Host name does not match IP address: denying access\n"); +# return 0; +# } + + unless (hosts_ctl($type, $client_name, $client_ip, STRING_UNKNOWN)) { + &error("Denying $type access to $client_name [$client_ip]\n"); + return 0; + } + + &debug("Allowing $type access to $client_name [$client_ip]\n"); + return 1; +}