LinuxQuestions.org

-   -   hosts.allow & hosts.deny question... (http://www.linuxquestions.org/questions/linux-security-4/hosts-allow-and-hosts-deny-question-297298/)

jonc 03-03-2005 05:25 PM

hosts.allow & hosts.deny question...
 
Hey everyone,

I was wondering if someone could enlighten me as to how hosts.allow and hosts.deny work.

The reason why I am wondering is because I have set up my hosts.deny file with the following text, ALL:ALL, and nothing in my hosts.allow file, and when I type apachectl start I am able to view my server.

How can I make it so hosts.deny will block any server that is started on my system?

Thanks, jonc

DDoSire 03-03-2005 05:49 PM

Not particularly sure what you meant... do you want to block SSH access to your server? Do you want to block any traffic from outside world so no one can see your websites?

One thing is that you need to restart sshd after editing the file.

jonc 03-03-2005 05:57 PM

hosts.deny
 
What I would like to do is block anyone in the outside world from accessing my Apache server or any other server I start.

Thanks, jonc

jschiwal 03-03-2005 06:08 PM

According to one Linux Security book I read, you can have a
ALL: ALL: deny
as the first option in the /etc/hosts.allow file.

Some services like samba have their own tcpwrappers interface compiled in, and you want to use the configuration files for the service.

Did you view the webpage on the same machine as the server?
Is the apache service an xinetd wrapped service?

I think that either you started the webserver explicitly instead of doing it from an xinetd interface, and so may have bypassed the controls; or the httpd service isn't one that uses tcpwrappers at all, and access should be controlled in the apache configuration file; or you need to send a 'USR2' signal to 'xinetd' to reload the configuration so that your recent changes take effect (HUP for inetd).
kill -USR2 <xinetd pid>
or
kill -HUP <inetd pid>
or
killall -HUP inetd

Verify this by looking in the man page for your system. Some systems use inetd, some use xinetd, some use the USR2 signal, some use HUP.

Also, xinetd on your system may not support tcpwrappers.
From the Xinetd FAQ
Quote:

Q. Does xinetd support libwrap (tcpwrappers)?
A. Yes. xinetd can be compiled with libwrap support by passing --with-libwrap as an option to the configure script. When xinetd is compiled with libwrap support, all services can use the /etc/hosts.allow and /etc/hosts.deny access control. xinetd can also be configured to use tcpd in the traditional inetd style. This requires the use of the NAMEINARGS flag, and the name of the real daemon be passed in as server_args. Here is an example for using telnet with tcpd:
service telnet
{
flags = REUSE NAMEINARGS
protocol = tcp
socket_type = stream
wait = no
user = telnetd
server = /usr/sbin/tcpd
server_args = /usr/sbin/in.telnetd
}

jschiwal 03-03-2005 07:13 PM

The 2nd and 3rd posts came while I was writing my first response. The tcpwrappers control is in addition to your firewall setup. If you want to block access from the outside world to any service, you can set up your firewall that way. You haven't indicated how or where the internet connection is.

If you have a cable/dsl router you may be able to use a web interface to use this device to determine which machine handles which service.

If you have one computer that has the internet connection on a separate interface, be sure that the firewall configuration blocks access to all services on the internet interface. This is most likely done in the kernel, using iptables, unless you have a very old kernel that uses ipchains. Your distribution will have a firewall configuration GUI interface that you can use to set up the table that gets loaded in when the computer reboots.

This way, you have a multilayered defense set up. If a hacker can break through the firewall, he still needs to get through the tcpwrappers layer on each host.

Check if you have nmap installed. You can use this program to scan for open ports on your local network you may have missed. There may be ports open for services that you don't need. Disabling these services could also slightly improve the performance of your computer, with less services running in the background. Although that may be more true for a host that doesn't have much resources to start with (memory, or speed).

jonc 03-03-2005 08:09 PM

hosts.deny
 
Well, I have a LAN connection to my router, but the only reason why I am wondering about this is because hosts.deny is supposed to stop services from being open to hackers, and if a hacker gets into my computer and runs the command 'apachectl start', hosts.deny is supposed to deny access to it as I have 'ALL: ALL' set. But the problem is that it's blocking everything BUT the httpd server. It doesn't really matter I guess, but I was just wondering why. Anyway, thanks for all the info guys.

jonc

Prudent 03-04-2005 08:10 AM

In your hosts.deny
edit this file by vim

servicename : [options]

ex apache:

httpd:ALL EXCEPT 192.168.0.0/24

EXCEPT means: disable any IP, only make sure it is enabled for my LAN IP 192.168.0.0/24

========
I think you understand this example ;)

Have a nice time with Linux :-)

Capt_Caveman 03-04-2005 10:27 AM

Apache doesn't have support for tcp wrappers (hosts.allow/deny) by default. You need to run Apache through xinetd with tcpd (as jschiwal posted) or, if you're using Apache 1.3, you can use mod_hosts_access. Not all daemons include support, so you need to be careful when relying on hosts.allow/deny for security and check the documentation to see whether it supports tcp wrappers or not.
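The following script is an added example, not code from this thread and not the real tcp_wrappers parser. It simulates the order in which tcpd/libwrap evaluates hosts.allow and hosts.deny, using the rules posted above (jonc's ALL: ALL in hosts.deny with an empty hosts.allow, jschiwal's ALL: ALL: deny as the first line of hosts.allow, and Prudent's httpd: ALL EXCEPT 192.168.0.0/24), plus a flag that stands in for whether the daemon is linked against libwrap at all, which is Capt_Caveman's point. The sample file contents and the 203.0.113.5 / 192.168.0.x / 10.x addresses are constructed for the demonstration; only the syntax subset used in the thread is implemented.

```python
"""Simulate the tcpd/libwrap decision that hosts.allow and hosts.deny drive.

Added example, not code from the thread. It covers the subset of
hosts_access(5) syntax used above: a daemon list, a client list, ALL,
EXCEPT, the dotted-prefix form (192.168.0.), the net/prefix and net/mask
forms (192.168.0.0/24, 192.168.0.0/255.255.255.0), and the optional third
field ("allow"/"deny") from hosts_options(5). IPv6 clients are not handled
because ':' is used as the field separator here.
"""
import ipaddress


def _match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _match_client(pattern, client):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "192.168.0." matches 192.168.0.x
        return client.startswith(pattern)
    if "/" in pattern:                   # 192.168.0.0/24 or 192.168.0.0/255.255.255.0
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    return client == pattern


def _match_list(expr, item, matcher):
    """Evaluate 'a b EXCEPT c d': matches a or b unless it also matches c or d.

    'a EXCEPT b EXCEPT c' nests to the right, a EXCEPT (b EXCEPT c), as tcpd does.
    """
    head, _, rest = expr.partition(" EXCEPT ")
    if not any(matcher(p, item) for p in head.replace(",", " ").split()):
        return False
    if rest and _match_list(rest, item, matcher):
        return False
    return True


def parse_rules(text):
    """Return [(daemon_list, client_list, option)] from a hosts.allow/deny body."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        option = fields[2].lower() if len(fields) > 2 else None
        rules.append((fields[0], fields[1], option))
    return rules


def _first_match(rules, daemon, client):
    for daemons, clients, option in rules:
        if _match_list(daemons, daemon, _match_daemon) and _match_list(clients, client, _match_client):
            return option or "match"
    return None


def hosts_access(daemon, client, allow_text, deny_text, daemon_uses_libwrap=True):
    """Return 'allow' or 'deny' in tcpd's order of evaluation.

    1. the first matching line in hosts.allow grants (unless its option says deny)
    2. otherwise the first matching line in hosts.deny refuses (unless its option says allow)
    3. otherwise access is granted
    A daemon that is neither linked against libwrap nor started through tcpd
    never reads these files at all, which is why the thread's httpd stayed
    reachable with ALL: ALL in hosts.deny. The flag below models that.
    """
    if not daemon_uses_libwrap:
        return "allow"
    verdict = _first_match(parse_rules(allow_text), daemon, client)
    if verdict is not None:
        return "deny" if verdict == "deny" else "allow"
    verdict = _first_match(parse_rules(deny_text), daemon, client)
    if verdict is not None:
        return "allow" if verdict == "allow" else "deny"
    return "allow"


# Constructed sample files reproducing the scenarios discussed in the thread.
DENY_ALL = "ALL: ALL\n"                                  # jonc's hosts.deny
EMPTY_ALLOW = ""                                         # jonc's hosts.allow
DENY_FIRST_IN_ALLOW = "ALL: ALL: deny\n"                 # jschiwal's first line of hosts.allow
LAN_ONLY_HTTPD = "httpd: ALL EXCEPT 192.168.0.0/24\n"    # Prudent's rule
ALLOW_LAN_SSH = "sshd: 192.168.0., 10.0.0.0/8   # two LAN ranges (constructed)\n"

if __name__ == "__main__":
    for args in [("sshd", "203.0.113.5", EMPTY_ALLOW, DENY_ALL),
                 ("sshd", "192.168.0.7", ALLOW_LAN_SSH, DENY_ALL),
                 ("httpd", "203.0.113.5", EMPTY_ALLOW, DENY_ALL)]:
        print(args[0], "from", args[1], "->", hosts_access(*args))
    print("httpd not linked against libwrap ->",
          hosts_access("httpd", "203.0.113.5", EMPTY_ALLOW, DENY_ALL, daemon_uses_libwrap=False))
```

On a real host the equivalent checks are `ldd /path/to/daemon | grep libwrap` (or confirming the service is started through tcpd/xinetd) to see whether the files are consulted at all, and tcpdmatch(8), which ships with tcp_wrappers, to see which rule a given daemon/client pair would hit.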

Prudent 03-04-2005 11:53 AM

Capt_Caveman

Thank you very much, but this is an example only for Mr. jonc

Syntax :

servicename : [options]

jschiwal 03-05-2005 10:41 PM

You may also want to read up on the PAM documentation. There is probably a PAM administrator guide in /usr/share/doc/packages/pam.

There is a mod_auth_pam apache module.
http://pam.sourceforge.net/mod_auth_pam/install.html

The contents of /etc/pam.d/pam_other setup will determine the default policy for pam aware services that you don't have configured.

