LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   iptables vs hosts.deny (https://www.linuxquestions.org/questions/linux-security-4/iptables-vs-hosts-deny-276580/)

ryedunn 01-11-2005 12:24 PM

iptables vs hosts.deny
 
I'm sorry if this is too basic of a question, but can someone quickly and simply tell me the difference between the two? I know hosts.deny stops the host from using a local service, but assuming you want to block ALL services from that host, why not just block them at the firewall? Is one way preferred over another?

Being a n00b, I find it much easier to use hosts.deny, but now is as good a time to learn as any.

Also, after adding an entry to the hosts.deny file, does any service need to be restarted?

Thank you,

gian2oo1 01-11-2005 01:39 PM

iptables
 
Yes, IPTables blocks the immediate connection to the service, while hosts.deny does the same.

For a good situation, I did the following:

hosts.deny contained:

ALL : ALL

SSH <--(I forgot the correct syntax) : DENY EXCEPT 1.2.3.4 2.3.5.6 5.2.3.6

I believe that's how I did it. And in my IPTables, port 22 [ssh] was shut down and only open to the IPs: 1.2.3.4 2.3.5.6 5.2.3.6

Do I prefer one? I use both "just-in-case"--They both work effectively, but IPTables seems to be MUCH more flexible because it can also block pings, fin, syn, xmas, smurf & other attacks and probes.

If you're looking for a quick and dirty way to learn practical IPtables, take a look at http://iptablesrocks.org/

I hope this helps,

--Gian

PS- I don't remember the exact syntax I used in hosts.deny (it has been a while :)), so make sure to check out the man pages before putting up the production server.
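
The rule set Gian describes is a good place to see how tcp wrappers actually decide, because the answer depends on which file a line is in and on the order of lines within it. The following is an added example, not code posted in this thread and not part of tcp wrappers itself: a small model of the lookup described in hosts_access(5) (hosts.allow is searched first and a match grants; hosts.deny is searched next and a match refuses; otherwise access is granted; within a file the first matching line wins). The daemon name is the process name the server runs as, so the key is `sshd`, not `SSH`. The three addresses, the `vsftpd` name and the `203.0.113.7` stranger are constructed for the illustration; hostname-dependent keywords (`KNOWN`, `UNKNOWN`, `PARANOID`), `@netgroup`, `user@host` and the optional shell command field are not modeled.

```python
"""Model of the tcp wrappers access decision described in hosts_access(5).

Added example, not code from the forum thread or from libwrap. It reproduces
the lookup order (hosts.allow first, then hosts.deny, then grant) and the
ALL / LOCAL / EXCEPT / prefix / net-mask client patterns so a rule set can
be reasoned about before it is installed. KNOWN, UNKNOWN, PARANOID,
@netgroup, user@host and shell commands are not modeled.
"""
import ipaddress


def _is_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _match_client(token, client):
    """Match one client pattern against an address or hostname string."""
    if token == "ALL":
        return True
    if token == "LOCAL":                      # hostname without a dot
        return "." not in client
    if token.startswith("."):                 # domain suffix, e.g. .example.com
        return client.endswith(token)
    if token.endswith("."):                   # address prefix, e.g. 192.168.1.
        return client.startswith(token)
    if "/" in token and _is_address(client):  # net/mask or net/prefixlen
        net = ipaddress.ip_network(token, strict=False)
        return ipaddress.ip_address(client) in net
    return token == client                    # literal address or hostname


def _match_daemon(token, daemon):
    return token == "ALL" or token == daemon


def _match_list(tokens, value, match_one):
    """'a b EXCEPT c d' matches when the left list matches and the right list
    does not. EXCEPT is right-associative, so split at the first one and
    recurse on the remainder."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return _match_list(tokens[:i], value, match_one) and not _match_list(
            tokens[i + 1:], value, match_one)
    return any(match_one(t, value) for t in tokens)


def _file_matches(text, daemon, client):
    """True if any rule in a hosts.allow/hosts.deny body matches the pair.
    A trailing backslash joins lines; '#' starts a comment."""
    joined = text.replace("\\\n", " ")
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if _match_list(daemons, daemon, _match_daemon) and _match_list(
                clients, client, _match_client):
            return True   # first matching line wins
    return False


def hosts_access(daemon, client, allow_text, deny_text):
    """Decide as libwrap does: an allow match grants, then a deny match
    refuses, otherwise access is granted. 'daemon' is the process name the
    server was started as (sshd, not SSH)."""
    if _file_matches(allow_text, daemon, client):
        return True
    if _file_matches(deny_text, daemon, client):
        return False
    return True


# Constructed rule sets for the set-up discussed in the thread: only three
# addresses may reach sshd, everything else that is wrapped is refused.
TRUSTED = "1.2.3.4 2.3.5.6 5.2.3.6"

# Attempt 1: everything in hosts.deny. ALL : ALL matches first, so the EXCEPT
# line below it is never consulted and the trusted addresses are refused too.
DENY_ONLY_WRONG = "ALL : ALL\nsshd : ALL EXCEPT %s\n" % TRUSTED

# Attempt 2: the exceptions belong in hosts.allow; hosts.deny closes the rest.
ALLOW = "sshd : %s\n" % TRUSTED
DENY = "ALL : ALL\n"


def demo():
    return {
        "wrong_layout_trusted_ssh": hosts_access("sshd", "1.2.3.4", "", DENY_ONLY_WRONG),
        "trusted_ssh": hosts_access("sshd", "1.2.3.4", ALLOW, DENY),
        "stranger_ssh": hosts_access("sshd", "203.0.113.7", ALLOW, DENY),
        "trusted_other_daemon": hosts_access("vsftpd", "1.2.3.4", ALLOW, DENY),
    }


if __name__ == "__main__":
    for name, granted in demo().items():
        print("%-26s %s" % (name, "granted" if granted else "refused"))
```

The point the model makes is that hosts.deny has no way to say "allow": a line that does not match simply falls through to the next one, so an `ALL : ALL` in hosts.deny swallows anything listed after it, and the trusted addresses have to live in hosts.allow. The equivalent iptables rules are independent of all this, since the firewall drops the packet before the daemon, wrapped or not, ever sees the connection.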

Capt_Caveman 01-11-2005 06:56 PM

Also, it's very important to remember that not all applications include tcp wrappers (hosts.allow/deny) support by default. Certain services like sshd usually have it in the default install, but others like Apache do not in a number of distros, so make sure to check the docs first.

You can run most of them through inetd/xinetd using tcpd so that they use tcp wrappers; otherwise they'll need to be compiled with tcp wrappers support. Unfortunately no errors will be generated if you try to put a non-supported application in hosts.allow/deny, leading many to think that they are secure when they're really not.
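
Because a rule for an unwrapped daemon is silently ignored, the check has to be made against the binary, not against hosts.allow. The usual way is `ldd $(which sshd) | grep libwrap`: a daemon built with tcp wrappers support is dynamically linked against `libwrap.so`. The following is an added example, not code from this thread: it parses `ldd` output with a pure function so the logic can be shown on captured text, runs `ldd` when the tool is present, and lists the daemons named in a rule set whose binary does not link libwrap. The two `ldd` listings and the daemon-to-listing map are constructed for the illustration. The check does not see statically linked binaries, daemons that load libwrap at run time, or services that are wrapped indirectly because inetd/xinetd launches them through `tcpd`; for those the inetd configuration has to be read instead.

```python
"""Find hosts.allow/hosts.deny rules that no daemon will ever enforce.

Added example, not code from the forum thread. A daemon that is not linked
against libwrap never reads hosts.allow or hosts.deny, so the binary is
inspected with ldd. Static binaries, run-time dlopen() of libwrap, and
services wrapped via inetd/xinetd + tcpd are outside what this detects.
"""
import shutil
import subprocess


def ldd_links_libwrap(ldd_output):
    """True if an ldd listing names the tcp wrappers shared library."""
    for line in ldd_output.splitlines():
        parts = line.split()
        if parts and parts[0].startswith("libwrap.so"):
            return True
    return False


def daemon_uses_libwrap(path):
    """Run ldd on a binary. Returns None when ldd is unavailable or the file
    is not a dynamic executable, otherwise the libwrap verdict."""
    if shutil.which("ldd") is None:
        return None
    proc = subprocess.run(["ldd", path], capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return ldd_links_libwrap(proc.stdout)


def daemons_named_in(rules_text):
    """Daemon names from the first field of each rule, excluding ALL."""
    names = set()
    for raw in rules_text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        for token in line.split(":", 1)[0].replace(",", " ").split():
            if token not in ("ALL", "EXCEPT"):
                names.add(token)
    return names


def unenforced_daemons(rules_text, listings):
    """Daemons that appear in the rules but whose ldd listing (or absence of
    one) shows no libwrap, i.e. rules that give no protection at all."""
    result = []
    for name in sorted(daemons_named_in(rules_text)):
        listing = listings.get(name)
        if listing is None or not ldd_links_libwrap(listing):
            result.append(name)
    return result


# Constructed ldd listings standing in for two daemons: one built with tcp
# wrappers support, one without. Addresses and paths are illustrative.
WRAPPED_SSHD = """\
\tlinux-vdso.so.1 (0x00007ffd3c9f0000)
\tlibwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f2a1c0a0000)
\tlibcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x00007f2a1bb00000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f2a1b900000)
"""
UNWRAPPED_HTTPD = """\
\tlinux-vdso.so.1 (0x00007ffc1e3e0000)
\tlibpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f64d9a00000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f64d9600000)
"""

# Constructed rule set: the httpd line looks protective but is never read.
RULES = "ALL : ALL\nsshd : 1.2.3.4 2.3.5.6 5.2.3.6\nhttpd : 192.168.1.\n"
LISTINGS = {"sshd": WRAPPED_SSHD, "httpd": UNWRAPPED_HTTPD}


if __name__ == "__main__":
    for name in unenforced_daemons(RULES, LISTINGS):
        print("rule for %s is not enforced: binary does not link libwrap" % name)
    verdict = daemon_uses_libwrap("/usr/sbin/sshd")
    print("local sshd links libwrap:", "unknown" if verdict is None else verdict)
```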

