LinuxQuestions.org
Old 03-03-2005, 04:25 PM   #1
jonc
LQ Newbie
 
Registered: Dec 2004
Posts: 8

Rep: Reputation: 0
hosts.allow & hosts.deny question...


Hey everyone,

I was wondering if someone could enlighten me as to how hosts.allow and hosts.deny work.

The reason I am wondering is that I have set up my hosts.deny file with the following text, ALL:ALL, and nothing in my hosts.allow file, and when I type apachectl start I am able to view my server.

How can I make it so hosts.deny will block any server that is started on my system?

Thanks, jonc
 
Old 03-03-2005, 04:49 PM   #2
DDoSire
LQ Newbie
 
Registered: Mar 2005
Location: Auckland
Distribution: Fedora Core 1, 3, RH9, SUSE
Posts: 8

Rep: Reputation: 0
Not particularly sure what you meant... Do you want to block SSH access to your server? Do you want to block any traffic from the outside world so no one can see your websites?

One thing is that you need to restart sshd after editing the file.
 
Old 03-03-2005, 04:57 PM   #3
jonc
LQ Newbie
 
Registered: Dec 2004
Posts: 8

Original Poster
Rep: Reputation: 0
hosts.deny

What I would like to do is block anyone from the outside world from accessing my Apache server or any other server that is started.

Thanks, jonc
 
Old 03-03-2005, 05:08 PM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
According to one Linux security book I read, you can have
ALL: ALL: deny
as the first entry in the /etc/hosts.allow file.

Some services like Samba have their own tcpwrappers interface compiled in, and you want to use the configuration files for the service.

Did you view the webpage on the same machine as the server?
Is the Apache service an xinetd-wrapped service?

I think that either you started the web server explicitly instead of doing it from an xinetd interface, so you may have bypassed the controls; or the httpd service isn't one that uses tcpwrappers at all, and access should be controlled in the Apache configuration file; or you need to send a 'USR2' signal to 'xinetd' to reload the configuration so that your recent changes take effect (HUP for inetd).
kill -USR2 <xinetd pid>
or
kill -HUP <inetd pid>
or
killall -HUP inetd

Verify this by looking in the man page for your system. Some systems use inetd, some use xinetd, some use the USR2 signal, some use HUP.

Also, xinetd on your system may not support tcpwrappers.
From the Xinetd FAQ
Quote:
Q. Does xinetd support libwrap (tcpwrappers)?
A. Yes. xinetd can be compiled with libwrap support by passing --with-libwrap as an option to the configure script. When xinetd is compiled with libwrap support, all services can use the /etc/hosts.allow and /etc/hosts.deny access control. xinetd can also be configured to use tcpd in the traditional inetd style. This requires the use of the NAMEINARGS flag, and that the name of the real daemon be passed in as server_args. Here is an example for using telnet with tcpd:

    service telnet
    {
        flags       = REUSE NAMEINARGS
        protocol    = tcp
        socket_type = stream
        wait        = no
        user        = telnetd
        server      = /usr/sbin/tcpd
        server_args = /usr/sbin/in.telnetd
    }

Last edited by jschiwal; 03-03-2005 at 05:11 PM.
 
Old 03-03-2005, 06:13 PM   #5
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
The 2nd and 3rd posts came while I was writing my first response. The tcpwrappers control is in addition to your firewall setup. If you want to block access from the outside world to any service, you can set up your firewall that way. You haven't indicated how or where the internet connection is.

If you have a cable/DSL router, you may be able to use its web interface to determine which machine handles which service.

If you have one computer that has the internet connection on a separate interface, be sure that the firewall configuration blocks access to all services on the internet interface. This is most likely done in the kernel, using iptables, unless you have a very old kernel that uses ipchains. Your distribution will have a firewall configuration GUI that you can use to set up the table that gets loaded when the computer reboots.

This way, you have a multilayered defense set up. If a hacker can break through the firewall, he still needs to get through the tcpwrappers layer on each host.

Check if you have nmap installed. You can use this program to scan for open ports on your local network that you may have missed. There may be ports open for services that you don't need. Disabling these services could also slightly improve the performance of your computer, with fewer services running in the background, although that may be more true for a host that doesn't have many resources to start with (memory or speed).
 
Old 03-03-2005, 07:09 PM   #6
jonc
LQ Newbie
 
Registered: Dec 2004
Posts: 8

Original Poster
Rep: Reputation: 0
hosts.deny

Well, I have a LAN connection to my router, but the only reason I am wondering about this is that hosts.deny is supposed to stop services from being open to hackers, and if a hacker gets into my computer and runs the command 'apachectl start', hosts.deny is supposed to deny access to it, as I have 'ALL: ALL' set. But the problem is that it's blocking everything BUT the httpd server. It doesn't really matter, I guess, but I was just wondering why. Anyway, thanks for all the info, guys.

jonc
 
Old 03-04-2005, 07:10 AM   #7
Prudent
LQ Newbie
 
Registered: Mar 2005
Posts: 2

Rep: Reputation: 0
In your hosts.deny,
edit this file with vim:

servicename : [options]

ex. Apache:

httpd:ALL EXCEPT 192.168.0.0/24

EXCEPT means: deny every IP, and only enable sharing for my LAN range, 192.168.0.0/24.

========
I think you understand this example.

Have a nice time with Linux :-)

Last edited by Prudent; 03-04-2005 at 07:12 AM.
 
Old 03-04-2005, 09:27 AM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Apache doesn't have support for tcp wrappers (hosts.allow/deny) by default. You need to run Apache through xinetd with tcpd (as jschiwal posted), or if you're using Apache 1.3 you can use mod_hosts_access. Not all daemons include support, so you need to be careful when relying on hosts.allow/deny for security, and check the documentation to see whether a daemon supports tcp wrappers or not.
 
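A model of how the access decision discussed in this thread actually works, added here as an illustration; it is not code from any of the posts or from the tcp_wrappers project. It implements the evaluation order from hosts_access(5): a match in hosts.allow grants, otherwise a match in hosts.deny refuses, otherwise the connection is granted, and a missing file counts as empty. It also covers the 'allow'/'deny' options from hosts_options(5) that jschiwal's `ALL: ALL: deny` entry relies on, the right-nested EXCEPT operator in Prudent's example, and the point Capt_Caveman makes: a daemon that is neither linked with libwrap nor started through tcpd/xinetd never reads either file, which is why jonc's `ALL: ALL` still left the Apache server reachable. Client patterns are limited to ALL, exact addresses, trailing-dot prefixes and net/mask pairs (a CIDR prefix length is accepted as well, but check your own hosts_access(5), since older builds only take the dotted mask form); hostname patterns, LOCAL/KNOWN/UNKNOWN/PARANOID and shell commands are left out. The file contents and addresses in the demo are constructed for the example.

```python
"""Model of the tcp_wrappers hosts_access(5) decision (illustration written for
this thread, not code from the posts or from the tcp_wrappers project).
Modelled: ALL, exact addresses, 'n.n.n.' prefixes, net/mask and net/prefixlen
client patterns, the EXCEPT operator, and the allow/deny options.
Not modelled: hostname patterns, LOCAL/KNOWN/UNKNOWN/PARANOID, shell commands."""
import ipaddress
import re


def _tokens(list_str):
    """A daemon_list or client_list is separated by blanks and/or commas."""
    return [t for t in re.split(r"[\s,]+", list_str.strip()) if t]


def _match_daemon(pattern, daemon):
    # The daemon name tcpd/libwrap checks is the process name, e.g. "sshd",
    # "in.telnetd", or "httpd" when tcpd hands off to /usr/sbin/httpd.
    return pattern == "ALL" or pattern == daemon


def _match_client(pattern, addr):
    ip = ipaddress.ip_address(addr)
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                 # "192.168.0." matches 192.168.0.x
        return addr.startswith(pattern)
    if "/" in pattern:                        # "192.168.0.0/255.255.255.0" (net/mask)
        net, mask = pattern.split("/", 1)     # or "192.168.0.0/24" on newer builds
        return ip in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return addr == pattern                    # exact address


def _match_list(list_str, value, matcher):
    """'a EXCEPT b EXCEPT c' parses as a EXCEPT (b EXCEPT c): match the head,
    then subtract whatever the (recursively evaluated) tail matches."""
    head, *tail = re.split(r"\s+EXCEPT\s+", list_str.strip(), maxsplit=1)
    hit = any(matcher(t, value) for t in _tokens(head))
    if hit and tail:
        hit = not _match_list(tail[0], value, matcher)
    return hit


def parse(text):
    """Return (daemon_list, client_list, verdict) per entry.  verdict is True
    or False when an explicit 'allow'/'deny' option (hosts_options(5)) is
    present, else None, meaning 'use the default of the file I came from'."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():   # backslash continues a line
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed entry: {raw!r}")
        verdict = None
        for option in fields[2:]:
            if option.lower() in ("allow", "deny"):
                verdict = option.lower() == "allow"
        entries.append((fields[0], fields[1], verdict))
    return entries


def _matches(entry, daemon, client):
    daemons, clients, _ = entry
    return (_match_list(daemons, daemon, _match_daemon)
            and _match_list(clients, client, _match_client))


def hosts_access(daemon, client, allow_text, deny_text):
    """hosts_access(5) order: first match in hosts.allow grants, otherwise first
    match in hosts.deny refuses, otherwise grant.  A missing file is an empty
    one, so empty hosts.allow + 'ALL: ALL' in hosts.deny refuses every wrapped
    daemon, and 'ALL: ALL: deny' in hosts.allow refuses even with no hosts.deny."""
    for entry in parse(allow_text):
        if _matches(entry, daemon, client):
            return True if entry[2] is None else entry[2]
    for entry in parse(deny_text):
        if _matches(entry, daemon, client):
            return False if entry[2] is None else entry[2]
    return True


def connection_allowed(daemon, client, allow_text, deny_text, wrapped):
    """wrapped=False models a daemon that neither links libwrap nor runs under
    tcpd/xinetd: it never reads the files, so the rules cannot refuse it."""
    return True if not wrapped else hosts_access(daemon, client, allow_text, deny_text)


if __name__ == "__main__":
    # Constructed sample files and addresses, modelling the setups in the thread.
    jonc_allow, jonc_deny = "", "ALL: ALL\n"
    print(connection_allowed("sshd", "203.0.113.9", jonc_allow, jonc_deny, True))    # False
    print(connection_allowed("httpd", "203.0.113.9", jonc_allow, jonc_deny, False))  # True
    prudent_deny = "httpd: ALL EXCEPT 192.168.0.0/255.255.255.0\n"
    print(hosts_access("httpd", "192.168.0.7", "", prudent_deny))   # True
    print(hosts_access("httpd", "203.0.113.9", "", prudent_deny))   # False
    print(hosts_access("in.telnetd", "192.168.0.7", "ALL: ALL: deny\n", ""))  # False
```

Against a real system the same questions are answered by the tools that ship with tcp_wrappers: tcpdmatch (for example `tcpdmatch sshd 203.0.113.9`) prints the decision the installed hosts.allow/hosts.deny would give without opening a connection, and tcpdchk reports syntax errors in those files. `ldd /usr/sbin/httpd | grep libwrap` shows whether a binary is linked against the library at all; one that is not, and is not started under tcpd or a libwrap-enabled xinetd, has to be restricted by its own configuration (Apache's Order/Deny from/Allow from directives) or by the firewall.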
Old 03-04-2005, 10:53 AM   #9
Prudent
LQ Newbie
 
Registered: Mar 2005
Posts: 2

Rep: Reputation: 0
Capt_Caveman,

Thank you very much, but this is only an example for Mr. jonc.

Syntax:

servicename : [options]
 
Old 03-05-2005, 09:41 PM   #10
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
You may also want to read up on the PAM documentation. There is probably a PAM administrator guide in /usr/share/doc/packages/pam.

There is a mod_auth_pam Apache module:
http://pam.sourceforge.net/mod_auth_pam/install.html

The contents of the /etc/pam.d/pam_other setup will determine the default policy for PAM-aware services that you don't have configured.
 