LinuxQuestions.org
Old 12-22-2003, 03:14 PM   #1
filiphw
LQ Newbie
 
Registered: Dec 2003
Posts: 6

Rep: Reputation: 0
Cron changing back hosts.deny!


Gents,
I have set my security to higher, which is msec 4 I think.
If I change my hosts.deny to deny with an exception, it will change back to deny all during the night. I guess this is the cron service that's running during the night. Can I make an exception somewhere so it runs as normal but lets the hosts.deny be....
.
I'm using Mandrake 9.2
.
Thanks in advance...
 
Old 12-29-2003, 01:05 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Did you try adding your exceptions to hosts.allow and leaving hosts.deny as ALL:ALL? Usually the best way to use tcpwrappers (hosts.allow/deny) is to have hosts.deny block everything and then explicitly allow access by adding IP addresses to hosts.allow. If you need to, you should be able to override the default msec permissions. Check out this howto, but you shouldn't have to do it that way.

http://www.mandrakesecure.net/en/docs/msec.php
 
Old 12-30-2003, 02:22 AM   #3
filiphw
LQ Newbie
 
Registered: Dec 2003
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for your reply,
Okay, that means that I should change back to deny all in my hosts.deny
and then put the IP addresses and domains that I trust in the hosts.allow instead. Could someone just give me an example of how you write a good hosts.allow file...?

Rgds F
 
Old 12-30-2003, 01:21 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Yes, change hosts.deny to this:
ALL: ALL

Anything that you put in hosts.allow will override the ALL setting in hosts.deny. The syntax for hosts.allow is the same and uses the format:

SERVICENAME: arguments

where arguments can be a complete or partial domain name like node1.yahoo.com or just .yahoo.com . Or you can use complete or partial IP addresses like 123.456.789.1 or 123.456. So to use an example, say we wanted to allow anyone from yahoo.com to access our FTP server and we also want to allow the hosts 123.456.789.1, the 192.168. private IP block and all of yahoo.com to access our sshd server. The hosts.allow file would look like this:

Code:
#### BUNCH OF HEADER COMMENTS HERE

FTPD:  .yahoo.com
SSHD:  123.456.789.1  192.168.   .yahoo.com

The key to writing a "good" hosts.allow file is just to try to limit the number of people that have access to the fewest possible. Sometimes that can be hard if you have clients with dynamic IP addresses or if you need to run a public service. Also, an important thing to keep in mind is that not all services use the hosts.allow/deny files. For example, the Apache web server won't use them, so don't try to put an entry in hosts.allow for www or httpd.
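The lookup order described in the post above, as an added example that is not part of the original thread: a simplified Python model of hosts_access(5) matching, run against the hosts.allow shown above and a hosts.deny of ALL: ALL. It assumes the daemon presents its process name (for example sshd) and covers only ALL, leading-dot domains, trailing-dot address prefixes and exact names; the client hosts and addresses in the demo are constructed.

```python
# Added example: simplified model of tcp_wrappers hosts_access(5) matching.
# Assumption: the daemon name compared is the server's process name (e.g. sshd).
HOSTS_ALLOW = """\
#### BUNCH OF HEADER COMMENTS HERE

FTPD:  .yahoo.com
SSHD:  123.456.789.1  192.168.   .yahoo.com
"""
HOSTS_DENY = "ALL: ALL\n"

def parse(text):
    """Return (daemon_list, client_list) pairs from a hosts.* file body."""
    rules = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < 2:
            continue  # comment, blank or malformed line
        daemons, clients = (f.replace(",", " ").lower().split() for f in fields[:2])
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, host, addr):
    if pattern == "all":
        return True
    if pattern.startswith("."):      # domain suffix, e.g. .yahoo.com
        return host.endswith(pattern)
    if pattern.endswith("."):        # address prefix, e.g. 192.168.
        return addr.startswith(pattern)
    return pattern in (host, addr)   # exact host name or address

def rule_hit(rules, daemon, host, addr):
    for daemons, clients in rules:
        if ("all" in daemons or daemon in daemons) and any(
                client_matches(p, host, addr) for p in clients):
            return True
    return False

def access(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is checked first, then hosts.deny; no match at all means allow."""
    daemon, host, addr = daemon.lower(), host.lower(), addr.lower()
    if rule_hit(parse(allow), daemon, host, addr):
        return "allow"
    if rule_hit(parse(deny), daemon, host, addr):
        return "deny"
    return "allow"  # nothing matched in either file

if __name__ == "__main__":
    for d, h, a in [("sshd", "", "192.168.1.20"), ("ftpd", "", "192.168.1.20")]:
        print(d, h or "-", a, "->", access(d, h, a))
```

Passing `deny=""` shows why the ALL: ALL line matters: with an empty hosts.deny, a client that matches nothing in hosts.allow is still let in.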
 
Old 12-30-2003, 01:28 PM   #5
filiphw
LQ Newbie
 
Registered: Dec 2003
Posts: 6

Original Poster
Rep: Reputation: 0
Thanks for that great reply! I will change that at once.
I guess ProFTPD doesn't use the hosts.xxxx either.

What about the service name. Can I use whatever? Does it matter if I write SSH instead of SSHD...?

Rgds F
 
Old 12-30-2003, 01:54 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
No, the servicename does matter. But it can be upper or lowercase, that doesn't matter. Offhand I don't know all the services that use tcpwrappers (hosts.xxxx) and all that don't. But I know that sshd and tftpd do have tcpwrappers support and I believe that services running through inetd or xinetd use it as well.
 
Old 12-30-2003, 02:09 PM   #7
GAVollink
Member
 
Registered: Apr 2002
Location: St. Paul, Minnesota
Distribution: UbuntuStudio, Ubuntu
Posts: 357

Rep: Reputation: 31
The service name must match the information in "/etc/services". If you have the same service port match for ssh and sshd, then yes, you can use both.
 
  

