LinuxQuestions.org


doronunu 05-14-2006 03:00 PM

disable host.allow and deny
 
Can I disable the use of hosts.allow and hosts.deny somehow?

ethics 05-14-2006 04:40 PM

Why would you want to do that? To either allow all or deny all? You can set ALL options in either.

doronunu 05-16-2006 04:10 AM

How can I permit all?

ethics 05-16-2006 04:22 AM

Not on my Arch box right now but I believe it's ALL:ALL.

GOOGLE IT!!!!!!!!!!!! Not sure if this can control local access to your machine and I'd hate for you to be locked out.

Hobbletoe 05-16-2006 07:52 AM

As folk have said, I don't know why you would want to, but all you'd have to do is comment out everything in /etc/hosts.deny (don't delete anything, you might have a change of heart), then comment out everything in /etc/hosts.allow, and then add an entry of ALL:ALL.

This is really not recommended though because of the obvious security reasons. Before you do this, you might want to make sure you are not running any un-needed services, have secured the services that you do have running, and make sure that any account that can log in has a good password.

As a side note, if you are having a problem with someone trying to get to your box, and don't know the IP (someone sitting behind a NATed firewall could have this problem), you can set up the hosts.deny file to e-mail you when you have a denial. Then you can add the IP that it sends you to your hosts.allow. Enter the following all on one line (I had to chop it up as it doesn't wrap and makes viewing the page a problem).

Code:

ALL:ALL: (/usr/sbin/safe_finger -l @%h | echo Service denied: %d
Host Denied: %h Address Denied: %a > /tmp/out |
/usr/bin/mailx -s "TCP Wrapper Denial (SERVER NAME)" YOUR_EMAIL_HERE < /tmp/out) &

You might have to tinker with the mailx part (it might be /bin/mail ... The above is from a Solaris box).

Another option might be port knocking, though I've never set that up before. Basically, if you want in, you "knock" on a given port. The server hears that knock, then opens up a different port for that IP.

Regardless of what you do, please look at some other possible solutions before just opening your machine to the world. And if you can't find anything, tell us what you are trying to do, and chances are we can find a better option for you to help keep your box secure.
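
Added example, not part of Hobbletoe's post: a small audit that lists the active rules in a TCP Wrappers file which open every wrapped daemon to every client, such as the ALL:ALL entry described above. The function name `open_rules` and the sample files are constructed for illustration; rule syntax follows hosts_access(5).

```shell
#!/bin/sh
# Added example (not from the thread): list active TCP Wrappers rules that
# open every wrapped daemon to every client, i.e. an ALL:ALL entry.
# Rule syntax per hosts_access(5): daemon_list : client_list [ : command ]

# open_rules FILE -> prints "LINENO: rule" for each uncommented rule whose
# daemon list and client list are both the bare wildcard ALL.
open_rules() {
    awk '
    { line = buf $0 }
    /\\$/ {                      # backslash-newline continues the rule
        sub(/\\$/, "", line); buf = line
        if (!start) start = NR
        next
    }
    {
        buf = ""; n = (start ? start : NR); start = 0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next          # blank or commented out
        if (split(line, f, ":") < 2) next            # no client list
        d = f[1]; c = f[2]
        gsub(/^[ \t]+|[ \t]+$/, "", d)
        gsub(/^[ \t]+|[ \t]+$/, "", c)
        # A trailing "deny" option (hosts_options(5)) inverts the rule.
        if (tolower(line) ~ /:[ \t]*deny[ \t]*$/) next
        if (d == "ALL" && c == "ALL") print n ": " line
    }' "$1"
}

# Constructed sample files (not real system configuration).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/hosts.allow" <<'EOF'
# sshd: 192.0.2.0/255.255.255.0
sshd: 192.0.2.10
ALL: \
  ALL
EOF
cat > "$demo/hosts.deny" <<'EOF'
#ALL:ALL
ALL: ALL EXCEPT 192.0.2.10
EOF

echo "hosts.allow:"; open_rules "$demo/hosts.allow"
echo "hosts.deny:";  open_rules "$demo/hosts.deny"
```

Because hosts.allow is consulted before hosts.deny, any rule this reports in hosts.allow grants access no matter what hosts.deny contains.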

doronunu 05-17-2006 02:27 AM

Guys, thanks for your concern, but I just prefer using iptables.
By the way, can I just delete the files?

ethics 05-17-2006 04:09 AM

No, I don't think that is a good idea since it's an integral part of a system, deleting system configs etc. is not a good idea at all.


All times are GMT -5.