
compile dovecot exim and pure-ftpd with libwrap

4u123 shared this idea 11 years ago
Needs Feedback

As above, request for dovecot, exim and pure-ftpd to be compiled with TCP wrappers, so access can be finely controlled at the application level.

Best Answer

Could you please further elaborate on exactly how and where you would plan to leverage this functionality? It is less likely that we would simply compile something a different way without exposing that functionality some way within our own product.


Therefore, understanding precisely what end behavior and how you want that behavior to occur is critical to understanding this feature request. The more it's fleshed out, the higher the potential for acceptance and turning this into a proper feature within the product with UI elements and all.

Replies (2)


OK, from Wikipedia...


TCP Wrapper is a host-based networking ACL system, used to filter network access to Internet Protocol servers on (Unix-like) operating systems such as Linux or BSD. It allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens on which to filter for access control purposes.


Further details...


The TCP wrappers add an additional level of security for services like FTPD, SSHD, Exim, Dovecot, etc. by sitting in between the application itself and incoming requests to that service.


TCP wrappers log successful and unsuccessful connection attempts and provide a fine-tuned level of access control, to allow or deny the connections depending on the IP address or IP range. When utilising the hosts.allow and hosts.deny files, access to these services can be controlled as mentioned, but also scripts can be spawned when access to a service is requested, allowing for custom access control systems to be created easily. Without TCP wrappers, this is not possible.


One such example would be to use access control lists or databases such as RBLs and GeoIP data to fine-tune access to specific services based on IP address information.


This allows for much more versatility than can be found in a firewall, and also for queries against large amounts of data that would not be possible with a software firewall. Because the access is processed at the application layer instead of the network layer, you don't need to have thousands of IPTABLES rules in place, which invariably would slow down all network access to the server.


A practical example of this is as follows....


We use CSF to block access to certain ports to specific countries, but we can only do that for a small handful of them. Let's say we have 50 countries that we want to deny access to ports 21, 25, 26, 110, 143, 465, 993, 995. This would be impossible with CSF - because there would be too many IPTABLES rules.


With the TCP wrappers, from hosts.allow you can easily spawn a simple GeoIP lookup script each time a particular service is accessed which will check against the GeoIP database and block access by returning "allow" or "deny" based on the country code matching a rule in the script. You can spawn different scripts for different services, therefore tailoring your access control just the way you want it, without any loss of performance to HTTP traffic, which is important on a cPanel server.
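As an added illustration of the hook described in the reply above (this is example code, not from the thread and not part of cPanel), here is a POSIX shell helper that hosts.allow can run for the FTP and mail daemons to deny a list of countries. It assumes two things that are not stated on the page: a tcp_wrappers build with the hosts_options(5) extensions, whose `aclexec` option allows the connection only when the command exits 0 (check your distribution's hosts_options(5), since `spawn` alone runs a command for its side effects and does not affect the decision), and MaxMind's legacy `geoiplookup` CLI, whose output looks like `GeoIP Country Edition: RU, Russian Federation`. The deny list, the script path and the hosts.allow line are constructed placeholders.

```shell
#!/bin/sh
# geo-acl.sh (hypothetical name): hosts.allow ACL helper, added example.
#
# Assumed /etc/hosts.allow entry (daemons comma-separated in the first field):
#   pure-ftpd, exim, dovecot : ALL : aclexec /usr/local/sbin/geo-acl.sh %a %d
#
# %a expands to the client address and %d to the daemon name (hosts_access(5)).
# Exit status 0 = allow the connection, 1 = deny it (aclexec semantics).

# Constructed sample deny list using ISO 3166 user-assigned codes; override it
# from the environment or edit it in place.
DENY_COUNTRIES="${DENY_COUNTRIES:-XA XB}"

# parse_geoip OUTPUT -> prints the two-letter code from a geoiplookup line,
# or "--" when the line carries none (e.g. "IP Address not found").
parse_geoip() {
    code=$(printf '%s\n' "$1" |
        sed -n 's/^GeoIP Country Edition: \([A-Z][A-Z]\),.*/\1/p')
    if [ -n "$code" ]; then printf '%s' "$code"; else printf '%s' "--"; fi
}

# country_for_ip IP -> country code, or "--" when geoiplookup is not
# installed or the address is not in the database.
country_for_ip() {
    if command -v geoiplookup >/dev/null 2>&1; then
        parse_geoip "$(geoiplookup "$1" 2>/dev/null | head -n 1)"
    else
        printf '%s' "--"
    fi
}

# decide CODE -> returns 0 (allow) unless CODE is listed in DENY_COUNTRIES.
# Unknown ("--") is allowed on purpose so a missing or stale database does
# not lock every client out; return 1 for "--" instead if you want fail-closed.
decide() {
    for d in $DENY_COUNTRIES; do
        [ "$1" = "$d" ] && return 1
    done
    return 0
}

# log_decision VERDICT DAEMON IP CODE -> syslog via logger(1) when present,
# otherwise stderr, so every allow/deny is visible alongside libwrap's own log.
log_decision() {
    if command -v logger >/dev/null 2>&1; then
        logger -t geo-acl "$1 $2 from $3 ($4)"
    else
        echo "geo-acl: $1 $2 from $3 ($4)" >&2
    fi
}

main() {
    ip="$1"; daemon="${2:-unknown}"
    cc=$(country_for_ip "$ip")
    if decide "$cc"; then
        log_decision allow "$daemon" "$ip" "$cc"
        exit 0
    fi
    log_decision deny "$daemon" "$ip" "$cc"
    exit 1
}

# Only act when invoked with a client address, so the functions above can be
# sourced for testing without triggering a decision.
if [ $# -ge 1 ]; then
    main "$@"
fi
```

Because the decision is made inside the daemon's libwrap check, the script runs once per connection to the wrapped services only, which is the point the reply makes about leaving HTTP traffic untouched; keep the lookup fast (a local database, no network calls), since a slow or hanging script delays every FTP, SMTP, POP3 and IMAP connection.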
