Linux - Security
Hi!
I filled my hosts.deny with a few IP addresses in this form:
xxx.xxx.xx.xx
yyy.yyy.yy.yy
zzz.zzz.zz.
To test it I put the IP of one of my computers. Then I tried to connect via SSH from this computer... and I could log in!
Then I tried to write it like this:
sshd:xxx.xxx.xx.xx
and it worked.
Is there a way to ban those IPs for all services (and all ports)?
It is important to realize that the allow table is scanned before the deny table, that the search terminates when a match is found, and that access is granted when no match is found at all.
Could you post the actual contents of both your hosts.allow and hosts.deny. I might then be able to help you.
Because it gets scanned first, it will allow these IPs: xxx.xxx.xx.xx, yyy.yyy.yy.yy, zzz.zzz.zz.
I don't get it: if hosts.allow has
Code:
ALL:ALL
then hosts.deny won't be read, will it?
Right now my hosts.allow is empty. I don't want to say who is allowed but rather who is not, by banning some IPs.
Now nobody can log in through SSH, only xxxx.xxx.xxx.xx.xx, yyy.yyy.yy.
What I do not understand is that in hosts.deny I banned all services (that means including httpd, doesn't it?) and still anyone can have a look at my website. Well, it's good that way, but I don't understand why, since I forbade all services, or is httpd not included?
Where can I get a list of all services?
By denying all services in hosts.deny, this means that you have to explicitly allow the services and hosts in hosts.allow.
So if a request for ftp came in and there was no entry in hosts.allow, it would then look at hosts.deny and see that there are no exceptions, thus denying the request for ftp. I hope that this all makes sense, and if this is not what you are after, let me know and I'll try to help.
Not all services have support for tcpwrappers (hosts.allow/deny), so you have to be careful when using it for access control. Usually the default Apache configuration does not use tcpwrappers, so using hosts.deny is useless for filtering traffic to your webserver. You can get Apache to use tcpwrappers, but it's a better idea to just use iptables instead (you pay a performance penalty using tcpwrappers). Usually you can determine if a given binary has support for tcpwrappers if you see libwrap appear in the output of 'ldd /path/to/binary'.
Last edited by Capt_Caveman; 11-13-2006 at 06:05 PM.
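An added example in POSIX shell, not code from the thread or from any of its posters: it reproduces the evaluation order quoted from hosts_access(5) earlier (allow table first, then deny table, first match wins, no match at all means access is granted) against constructed hosts.allow/hosts.deny files, and wraps the ldd/libwrap check from the previous post in a function. The file paths, the 10.0.0.x/192.168.1.x addresses and the helper names are assumptions; the matcher deliberately understands only ALL, exact IPv4 addresses and dotted prefixes such as 192.168.1., not EXCEPT, netmasks, hostnames or wildcards. It also shows why a bare address line with no "sshd:" in front of it does nothing: a rule needs the colon separator, and the real library logs a warning and skips such a line.

```shell
#!/bin/sh
# Added example (not from the thread): simulate the hosts_access(5) search
# order on constructed files, plus the ldd/libwrap check.
# Assumptions: only ALL, exact IPv4 addresses and dotted prefixes ("10.0.0.")
# are matched; EXCEPT, netmasks, hostnames and wildcards are not handled.

# client_matches CLIENT PATTERN -> 0 if PATTERN covers CLIENT
client_matches() {
    client=$1; pattern=$2
    case "$pattern" in
        ALL) return 0 ;;
        *.)  case "$client" in "$pattern"*) return 0 ;; esac ;;   # prefix, e.g. 192.168.1.
        *)   [ "$client" = "$pattern" ] && return 0 ;;             # exact address
    esac
    return 1
}

# rule_file_matches FILE DAEMON CLIENT -> 0 if a "daemon_list : client_list"
# line in FILE matches. A missing or unreadable file matches nothing, which
# is how an empty hosts.allow behaves in the thread.
rule_file_matches() {
    file=$1; daemon=$2; client=$3
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # drop comments
        case "$line" in
            *:*) ;;                       # a valid rule has daemon_list : client_list
            *) continue ;;                # bare "1.2.3.4" lines are skipped (no ':' separator)
        esac
        dlist=${line%%:*}; clist=${line#*:}
        clist=${clist%%:*}                # ignore an optional third (shell command) field
        for d in $(printf '%s' "$dlist" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in $(printf '%s' "$clist" | tr ',' ' '); do
                client_matches "$client" "$c" && return 0
            done
        done
    done < "$file"
    return 1
}

# hosts_access DAEMON CLIENT ALLOW_FILE DENY_FILE -> prints allow|deny,
# returns 0 for allow, 1 for deny. Order from hosts_access(5): allow table
# first, then deny table, search stops at the first match, no match = allow.
hosts_access() {
    if rule_file_matches "$3" "$1" "$2"; then
        echo allow; return 0
    elif rule_file_matches "$4" "$1" "$2"; then
        echo deny; return 1
    fi
    echo allow; return 0
}

# has_libwrap BINARY -> 0 if the binary is dynamically linked against libwrap,
# i.e. it can honour hosts.allow/hosts.deny at all (the check from the post above)
has_libwrap() {
    ldd "$1" 2>/dev/null | grep -q 'libwrap'
}

# --- constructed demo files; the thread's redacted addresses are stand-ins ---
tmp=$(mktemp -d)
printf '10.0.0.5\nsshd: 10.0.0.5, 192.168.1.\n' > "$tmp/hosts.deny"
: > "$tmp/hosts.allow"                                        # empty, like the poster's

hosts_access sshd  10.0.0.5    "$tmp/hosts.allow" "$tmp/hosts.deny"   # deny  (exact match)
hosts_access sshd  192.168.1.7 "$tmp/hosts.allow" "$tmp/hosts.deny"   # deny  (prefix match)
hosts_access sshd  10.0.0.9    "$tmp/hosts.allow" "$tmp/hosts.deny"   # allow (no rule matches)
hosts_access httpd 10.0.0.5    "$tmp/hosts.allow" "$tmp/hosts.deny"   # allow (bare line ignored, rule is sshd only)

printf 'ALL: ALL\n' > "$tmp/hosts.allow"                      # allow table wins, deny never read
hosts_access sshd 10.0.0.5 "$tmp/hosts.allow" "$tmp/hosts.deny"       # allow
rm -rf "$tmp"

for b in /usr/sbin/sshd /usr/sbin/in.ftpd; do
    [ -x "$b" ] && { has_libwrap "$b" && echo "$b: libwrap" || echo "$b: no libwrap"; }
done
```

The last loop is the practical check from the post: only binaries that print "libwrap" can be filtered with hosts.deny; anything else (a standalone Apache, for instance) needs iptables or its own access control.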
Ok, thanks for the help.
Iptables is configured (for all services, including http) and I used hosts.allow and hosts.deny to restrict ssh to some IPs.
I checked with ldd. libwrap does indeed appear with sshd, but it doesn't with ftpd, for example.
I left out a category. You can also configure services to run through xinetd and consult hosts.deny/allow, but again you pay a performance hit, so running a high-traffic service through xinetd is a bad idea. Often services like ftp will be configured to run that way, in which case they would not have libwrap appear in the output of ldd. Xinetd services will usually appear in /etc/xinetd.conf or in /etc/xinetd.d/
Hello!
If I really wanted my Apache to be run through tcpwrappers or xinetd (performance is insignificant for me), is there any easy way to configure it so?
If you are using Apache 1.3 then it's easy: simply change the ServerType directive from 'StandAlone' to 'Inetd'. In version 2.0 it's harder because the ServerType directive was dropped. There is an Apache module called mod_hosts_access that works with 2.0, but I'm not sure how well maintained it is, so it may not function with more recent Apache builds. FWIW, my understanding is that the inetd support was dropped in favor of using Apache's built-in access control. Things like htaccess and mod_rewrite are way more powerful and flexible once you sit down and figure out how they work.