LinuxQuestions.org
Old 12-19-2001, 10:10 AM   #1
gui10
Member
 
Registered: Mar 2001
Distribution: enigma, slack8
Posts: 677

Rep: Reputation: 30
hosts.deny and hosts.allow defaults?


from a fresh install, these 2 files have no lines in them (except for the commented out version preamble etc etc)

was just wondering... if both files are left blank, what is the default policy?

also... if in hosts.deny, policy is ALL : ALL
and in hosts.allow is all blank...

what kind of connections are allowed through these TCP wrappers?
 
Old 12-19-2001, 11:31 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2791
IIRC, if *both* files are blank, this counts as not having *any* of both; so default policy then will be: allow.
If /etc/hosts.deny contains the line
"ALL: ALL" this can be read as: (deny access to) ALL(services): (from) ALL(addresses).
 
Old 12-19-2001, 01:31 PM   #3
gui10
Member
 
Registered: Mar 2001
Distribution: enigma, slack8
Posts: 677

Original Poster
Rep: Reputation: 30
just to clarify:

so that means no remote login of any kind is allowed right? (if hosts.deny is ALL : ALL and hosts.allow is left blank)

thanks!
 
Old 12-19-2001, 02:12 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2791
Access, when defined as in "making a connection to a service", in this case (sic) means no access is allowed.

To clarify: this means you *still* need to place login restrictions on any service necessary, because TCP Wrappers don't deal with login ACLs of any kind like /etc/login.(defs|access), /etc/(secure|user)tty, or PAM.

Ok, ok, even tho it seems silly because no one is really allowed access, that doesn't mean you don't want to have it act as a single point of failure or single line of defense, right?

Last edited by unSpawn; 12-19-2001 at 02:15 PM.
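
The decision order discussed in posts #2 and #4, as an added example that is not part of the thread or of the TCP Wrappers code: a simplified Python model of the hosts_access(5) rule (first match in hosts.allow grants, otherwise first match in hosts.deny denies, otherwise grant). It handles only ALL, exact names, `.domain` suffixes and `a.b.c.` prefixes; the function names, sample rule and addresses are constructed for illustration.

```python
# Simplified model of the hosts_access(5) decision order (added example, not libwrap).
# Supported: ALL, exact daemon/host names, ".domain" suffixes, "a.b.c." prefixes.
# Not supported: EXCEPT, netmasks, shell commands, other wildcards.

def parse_rules(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny style text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or ":" not in line:   # comment or blank line
            continue
        daemons, clients = line.split(":", 2)[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, client):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):        # .example.com matches host.example.com
        return client.endswith(pattern)
    if pattern.endswith("."):          # 192.168.1. matches 192.168.1.20
        return client.startswith(pattern)
    return pattern == client

def decide(allow_text, deny_text, daemon, client):
    """hosts.allow is consulted first, then hosts.deny; no match at all grants."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients in parse_rules(text):
            if any(d in ("ALL", daemon) for d in daemons) and \
               any(client_matches(c, client) for c in clients):
                return verdict
    return "allow"

# Constructed sample file contents and clients (documentation addresses).
EMPTY = "# fresh install: comments only\n"
DENY_ALL = "ALL : ALL\n"
ALLOW_LAN_SSH = "sshd: 192.168.1.\n"

CASES = [
    (EMPTY, EMPTY, "sshd", "203.0.113.7"),                  # both blank
    (EMPTY, DENY_ALL, "sshd", "203.0.113.7"),               # deny ALL, allow blank
    (ALLOW_LAN_SSH, DENY_ALL, "sshd", "192.168.1.20"),      # allowed exception
    (ALLOW_LAN_SSH, DENY_ALL, "in.telnetd", "192.168.1.20"),
]

if __name__ == "__main__":
    for allow, deny, daemon, client in CASES:
        print(daemon, client, "->", decide(allow, deny, daemon, client))
```

The verdict applies only to services that actually consult TCP Wrappers; it says nothing about login restrictions, which post #4 notes are handled elsewhere.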
 
Old 12-19-2001, 10:16 PM   #5
gui10
Member
 
Registered: Mar 2001
Distribution: enigma, slack8
Posts: 677

Original Poster
Rep: Reputation: 30
ah! i see what you mean...
yea i've disallowed logins in the /etc/securetty file though i've not really seen a /etc/usertty file on my system? where is this file?

also, i've yet to read up on PAM and ACL... that's up next...
 
Old 12-20-2001, 01:57 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,132
Blog Entries: 54

Rep: Reputation: 2791
LOL! Like I sed, it *is* /etc/usertty. If it's not there (on a PAM capable system) it's handled by PAM files in /etc/security, like access.conf, group.conf.
 
  


All times are GMT -5.