Re: Somewhat complex nntp/inetd/open proxy question
From: Tim Haynes (usenet-20031013_at_stirfried.vegetable.org.uk)
Date: 10/13/03
- Next message: .sSweetMarie: "Re: I can't find the pid of a zombie process"
- Previous message: Nucleon: "Re: chroot question."
- In reply to: RedBeard: "Re: Somewhat complex nntp/inetd/open proxy question"
- Next in thread: wjk: "Re: Somewhat complex nntp/inetd/open proxy question"
- Reply: wjk: "Re: Somewhat complex nntp/inetd/open proxy question"
Date: Mon, 13 Oct 2003 10:08:01 +0100
"RedBeard" <redSPAMbeard@newbieCATCHERschool.co.uk> writes:
> Muchas gracias amigo - a quick skimming of that man page and it looks like
> the biggest part of my solution is at hand.
Goodie gumdrops, glad to oblige :)
> I'll read up (probably a LOT) on the matter of hosts.{allow || deny} and
> see where that leads me.
>
> Basically, my final goal is to automatically deny access to an nntp
> server (which carries only local.* newsgroups, which aren't propagated
> out to usenet in general) from open proxies for abuse prevention reasons,
> but allow nntp access for all other hosts.
Ahem. This is a strange scenario; what is it about the nature of usenet
spam that makes you think it originates mostly on open proxies?
> From what I've seen so far, it looks like I just need to configure inetd
> to listen for port 119 connections, which would be passed to a script
> written in bash or maybe perl.
>
> That script would run some program (still looking around for one) that
> checks a host to see if it's an open proxy.
I'm not sure you want to be wasting the time doing a thorough check for
complete openness of proxy at every connection to yourself; maybe invoking
`nc -z' might help you as well?
> Of course, if all that is the hard way to accomplish the final goal and
> you know of an easier way that's staring me in the face but not getting
> noticed due to "can't see the forest for the trees" syndrome, other ideas
> (whether general trains of thought or specific methods) are welcome.
I don't know what the size of your intended operation is going to be. If
it's just for you/home/SOHO scale, then I'd give up on the idea that
there's any correlation between a news client and a proxy server, and just
tie it down to a small finite number of IP#s or netblocks who are allowed
to connect.
OTOH, if you're attempting to provide some kind of network service to the
world at large, well, I'm not convinced you want to be merely appending to
hosts.{allow,deny} for every IP# that hits you. Rather, you want something
like a database lookup-or-scan+append-then-run script, so look into xinetd
(server and server_args parameters) and PAM as well.
~Tim
--
It's all over the front page  |piglet@stirfried.vegetable.org.uk
You give me road rage         |http://spodzone.org.uk/
Racing through the best days  |
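The "lookup-then-run script" Tim points at, as an added example that is not part of this thread or of any news server: a small gate started by xinetd in place of the news reader daemon, which checks the peer address against a flat deny file and either refuses with an NNTP reply or execs the real server given in server_args. The file path, the xinetd entry and the server path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a "lookup-then-run" gate for port 119,
# started by xinetd instead of the news server.  Assumed xinetd entry:
#   service nntp
#   {
#       socket_type = stream
#       protocol    = tcp
#       wait        = no
#       user        = news
#       server      = /usr/local/sbin/nntp-gate   (this script, assumed path)
#       server_args = /usr/sbin/nnrpd             (real server, assumed path)
#   }
# xinetd exports the peer address as REMOTE_HOST; stdin/stdout are the socket.

DENYFILE="${DENYFILE:-/etc/news/denied-peers}"   # assumed: one entry per line

# peer_denied ADDR FILE -> 0 when ADDR is listed, 1 otherwise.
# An entry is a full address ("192.0.2.7") or a prefix ending in a dot
# ("10.0."); blank lines and "#" comments are ignored.
peer_denied() {
    addr=$1 file=$2
    [ -r "$file" ] || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        case $entry in ''|\#*) continue ;; esac
        case $entry in
            *.) case $addr in "$entry"*) return 0 ;; esac ;;
            *)  [ "$addr" = "$entry" ] && return 0 ;;
        esac
    done < "$file"
    return 1
}

# gate_peer ADDR FILE -> 0 to let the connection through, 1 after refusing it
# with an NNTP reply on stdout (the client socket) and a syslog line.
gate_peer() {
    if peer_denied "$1" "$2"; then
        logger -p news.notice "nntp-gate: refused $1 (listed in $2)" 2>/dev/null || :
        printf '502 Access denied\r\n'
        return 1
    fi
    return 0
}

# Only act as the gate when xinetd started us with a peer address and a server.
if [ -n "$REMOTE_HOST" ] && [ $# -gt 0 ]; then
    gate_peer "$REMOTE_HOST" "$DENYFILE" && exec "$@"
    exit 1
fi
```

Because the decision is a file lookup rather than a live probe of the peer, it costs nothing per connection, and the deny file can be maintained by whatever scan or report job you run separately.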