Old 06-14-2005, 12:22 PM   #1
paleogryph
Member
 
Registered: Mar 2003
Location: SLC, UT, US
Distribution: Fedora 12
Posts: 34

Rep: Reputation: 15
hosts.allow questions


Is this a correct hosts.allow setup to block access to ssh from certain IPs:

"sshd:ALL EXCEPT:xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx ENY"

Also, could this same method be used to block access to web (httpd) for certain IPs?

thanks!
 
Old 06-14-2005, 05:48 PM   #2
mattLSO
Member
 
Registered: Jun 2005
Posts: 43

Rep: Reputation: 15
Hey,

tcpwrappers are designed for inetd services; I recommend you use iptables to firewall any IPs you
don't want having access.

i.e. iptables -A INPUT -j DROP -s 2.2.0.0/16 -p tcp --dport blah for example

Regards
 
Old 06-14-2005, 11:45 PM   #3
hardcorelinux
Member
 
Registered: Jan 2005
Location: India
Distribution: RHEL,CentOS,SUSE,Solaris10
Posts: 183

Rep: Reputation: 31
Re: hosts.allow questions

Quote:
Originally posted by paleogryph
Is this a correct hosts.allow setup to block access to ssh from certain IPs:

"sshd:ALL EXCEPT:xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx ENY"

Also, could this same method be used to block access to web (httpd) for certain IPs?

thanks!
You can configure your apache also. Apache doesn't come with tcpwrappers support (dunno if you can compile it in), but you can run it from inetd.

Somewhere in your apache configuration file is a line beginning with "ServerType" followed
by "standalone". This means exactly what it says. Change the "standalone" to
"inetd". Stop apache with "apachectl stop" if it is running (don't forget to be root).

For Configuring inetd

Add the following line to the "/etc/inetd.conf":

http stream tcp nowait root /usr/local/sbin/httpd httpd

Do a "killall -HUP inetd" as root and you're set.

Allowing IPs

You can allow / disallow IPs from connecting to the httpd. This is done with
tcp wrappers. The configuration file is "/etc/hosts.allow".
Make sure the last line in this file is "ALL : ALL : DENY". This makes sure that all
IPs which don't match any line above this one are blocked. If you forget this line or
you don't want to do this, then you have to make sure you specify 'deny' rules for
'httpd'.

Two setups:

1:

httpd : 1.1.1.1 2.2.2.2 3.3.3.3 : ALLOW
ALL : ALL : DENY

2:

httpd: 1.1.1.1 2.2.2.2 3.3.3.3 : ALLOW
httpd: ALL : DENY

Setup 1 just denies all connections (not just to httpd) except the httpd ones we
allow (this is the best setup IMHO). If you don't want to do this make sure you
specify a 'deny' line for httpd like setup 2.

Conclusion

I've run apache from inetd and the protection works great. The disadvantage is that
apache is slow and slows down more when more users connect to it. I guess this
is the price you have to pay. If someone knows the answer to this, let me know so
I do get it. It isn't the
'nowait'/'wait' option in inetd; I've read the documentation and tried them both.

This configuration is running fine on my FreeBSD machine; I don't know about Linux.
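Added example (mine, not any poster's): a small Python model of how tcp_wrappers evaluates a hosts.allow file, used to check setups 1 and 2 above and a constructed sshd rule against sample client addresses. It assumes IPv4 only, models the ALL, exact-address, dotted-prefix and addr/mask patterns plus the EXCEPT operator, and does not model hosts.deny or hostname lookups.

```python
import ipaddress

def _client_matches(pattern, ip):
    """Match one client pattern as tcpd does for the forms modelled here:
    ALL, an exact address, a dotted prefix ending in '.', or addr/mask."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                      # "10.0." matches 10.0.x.y
        return ip.startswith(pattern)
    if "/" in pattern:                             # "2.2.0.0/255.255.0.0" or "2.2.0.0/16"
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def _list_matches(client_list, ip):
    """A client list is 'a b c' or 'a b EXCEPT c d'; tokens are space or comma separated."""
    tokens = client_list.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        included, excluded = tokens[:i], tokens[i + 1:]
        return (any(_client_matches(t, ip) for t in included)
                and not any(_client_matches(t, ip) for t in excluded))
    return any(_client_matches(t, ip) for t in tokens)

def access_allowed(hosts_allow, daemon, ip):
    """Evaluate hosts.allow text for (daemon, ip). The first matching rule wins, and a
    rule without an option field grants access. Assumption: hosts.deny is not modelled,
    so a client matching no rule is allowed, as tcpd does when neither file matches."""
    for line in hosts_allow.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if not _list_matches(fields[1], ip):
            continue
        option = fields[2].upper() if len(fields) > 2 else "ALLOW"
        return option != "DENY"
    return True

# Setup 1 from the thread: three addresses may reach httpd, everything else is denied to every daemon.
SETUP_1 = "httpd : 1.1.1.1 2.2.2.2 3.3.3.3 : ALLOW\nALL : ALL : DENY\n"
# Setup 2 from the thread: the DENY applies to httpd only, so other daemons stay reachable.
SETUP_2 = "httpd: 1.1.1.1 2.2.2.2 3.3.3.3 : ALLOW\nhttpd: ALL : DENY\n"
# Constructed example: block two addresses from sshd and let everyone else in.
SSHD_BLOCK = "sshd : ALL EXCEPT 198.51.100.7, 198.51.100.8 : ALLOW\nsshd : ALL : DENY\n"
```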
 
Old 06-15-2005, 11:05 AM   #4
paleogryph
Member
 
Registered: Mar 2003
Location: SLC, UT, US
Distribution: Fedora 12
Posts: 34

Original Poster
Rep: Reputation: 15
THANKS!

You guys rock.
Thanks for the great info.

p.s. I've been seeing the ssh script pounding my box, trying all kinds of goofy user names like "albert" and "jeffery"...
 