Old 01-11-2005, 12:24 PM   #1
ryedunn
Member
 
Registered: Jul 2003
Location: Chicago
Distribution: Fedora, ubuntu
Posts: 458

Rep: Reputation: 30
iptables vs hosts.deny


I'm sorry if this is too basic of a question, but can someone quickly and simply tell me the difference between the two? I know hosts.deny stops the host from using a local service, but assuming you want to block ALL services from that host, why not just block them at the firewall? Is one way preferred over another?

Being a n00b I find it much easier to use hosts.deny but now is as good of a time to learn as any.

Also, after adding an entry to the hosts.deny file, does any service need to be restarted?

Thank you,
 
Old 01-11-2005, 01:39 PM   #2
gian2oo1
Member
 
Registered: Oct 2004
Location: Rhode Island, USA
Distribution: Slackware... Simplicity is bliss.
Posts: 62

Rep: Reputation: 15
iptables

Yes, IPTables blocks the immediate connection to the service, while hosts.deny does the same.

For a good situation, I did the following:

hosts.deny contained:

ALL : ALL

SSH <--(I forgot the correct syntax) : DENY EXCEPT 1.2.3.4 2.3.5.6 5.2.3.6

I believe that's how I did it. And in my IPTables, port 22 [ssh] was shut down and only open to the IPs: 1.2.3.4 2.3.5.6 5.2.3.6

Do I prefer one? I use both "just-in-case". They both work effectively, but IPTables seems to be MUCH more flexible because it can also block pings, fin, syn, xmas, smurf & other attacks and probes.

If you're looking for a quick and dirty way to learn practical IPtables, take a look at http://iptablesrocks.org/

I hope this helps,

--Gian

PS- I don't remember the exact syntax I used in hosts.deny (it has been a while), so make sure to check out the man pages before putting up the production server.
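The setup Gian describes, written out with the tcp_wrappers syntax he could not recall and the iptables rules that do the same job at the packet level. This is an added example, not code from the original post: the three addresses are Gian's placeholder IPs, the functions only print the configuration rather than installing it, and the LOG rule at the end is my own addition so that blocked SSH attempts show up in syslog.

```shell
#!/bin/sh
# Added example (not from the original post): the tcp_wrappers and iptables
# versions of "only these hosts may reach sshd", written as shell functions
# that only print the configuration, so the script is safe to run anywhere.
# The allowed addresses are the three placeholder IPs from Gian's post.

ALLOWED_SSH_HOSTS="1.2.3.4 2.3.5.6 5.2.3.6"

# tcp_wrappers: hosts.allow is consulted first, so the allow-list goes there
# and hosts.deny carries only the default-deny line. The daemon name is the
# process name libwrap/tcpd sees (sshd), not the service name "ssh".
hosts_allow_content() {
    printf 'sshd: %s\n' "$1"
}

hosts_deny_content() {
    printf 'ALL: ALL\n'
}

# iptables: default-deny on INPUT, accept loopback and established traffic,
# then accept new SSH connections only from the allow-list. Printed, not run.
iptables_rules() {
    allowed=$1
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for host in $allowed; do
        echo "iptables -A INPUT -p tcp --dport 22 -s $host -m state --state NEW -j ACCEPT"
    done
    # Log what the DROP policy will discard on port 22 (assumed extra rule,
    # not part of Gian's description) so denied SSH attempts are visible.
    echo "iptables -A INPUT -p tcp --dport 22 -j LOG --log-prefix 'ssh-denied: '"
}

# Number of per-host ACCEPT rules the generator emitted for an allow-list.
count_accept_rules() {
    iptables_rules "$1" | grep -c -- '--dport 22 -s '
}

echo "# /etc/hosts.allow"
hosts_allow_content "$ALLOWED_SSH_HOSTS"
echo "# /etc/hosts.deny"
hosts_deny_content
echo "# iptables commands"
iptables_rules "$ALLOWED_SSH_HOSTS"
```

Two points the split makes visible: the tcp_wrappers files are re-read by libwrap on every incoming connection, so nothing needs restarting after an edit (the original question), whereas iptables rules take effect when loaded and are lost on reboot unless saved. And the wrappers rule is checked only after the TCP handshake has completed inside a daemon that was built with libwrap, while the iptables rule drops the SYN before any daemon sees it, which is why the firewall is the better place for a blanket "block this host everywhere" rule.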
 
Old 01-11-2005, 06:56 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Also, it's very important to remember that not all applications include tcp wrappers (hosts.allow/deny) support by default. Certain services like sshd usually have it in the default install, but others like Apache do not in a number of distros, so make sure to check the docs first.

You can run most of them through inetd/xinetd using tcpd so that they use tcp wrappers; otherwise they'll need to be compiled with tcp wrappers support. Unfortunately, no errors will be generated if you try to put a non-supported application in hosts.allow/deny, leading many to think that they are secure when they're really not.

Last edited by Capt_Caveman; 01-11-2005 at 06:58 PM.
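Capt_Caveman's point is the one that bites people: a daemon name in hosts.allow/hosts.deny is silently ignored unless that daemon was linked against libwrap (or is started through tcpd). The check is easy to script. This is an added example, not code from the original thread: the sample hosts.allow content is constructed, the daemon binaries are assumed to live under /usr/sbin, and the audit only reports, it changes nothing.

```shell
#!/bin/sh
# Added example (not from the original thread): audit which daemons named in
# a hosts.allow / hosts.deny file are actually built against libwrap.
# tcp_wrappers never complains about a daemon it cannot control, so the
# check has to be done by hand: a dynamically linked daemon honours the
# files only if ldd lists libwrap.so (a static one needs strings/nm instead).

# Return 0 if the binary links libwrap, 1 if it does not, 2 if it cannot be
# examined (missing file, or no ldd on this system).
links_libwrap() {
    bin=$1
    [ -f "$bin" ] || return 2
    command -v ldd >/dev/null 2>&1 || return 2
    if ldd "$bin" 2>/dev/null | grep -q 'libwrap\.so'; then
        return 0
    fi
    return 1
}

# Print the daemon names found in tcp_wrappers config text read from stdin,
# one per line: the part before the first ':' may be a comma- or
# space-separated list, comments and blank lines are skipped, ALL is kept.
daemons_in_wrappers_config() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' |
        cut -d: -f1 |
        tr ',' ' ' |
        tr -s ' \t' '\n\n' |
        sed '/^$/d' |
        sort -u
}

# Constructed sample hosts.allow naming four daemons; httpd is the classic
# case of a service that is often built without libwrap.
SAMPLE_HOSTS_ALLOW='# allow-list for the shell box
sshd: 1.2.3.4 2.3.5.6 5.2.3.6
vsftpd, in.telnetd: 10.0.0.0/255.0.0.0
httpd: ALL   # silently ignored unless httpd was built with libwrap
'

# For each daemon in the sample config, report whether the binary of that
# name under $1 (assumed daemon directory) is wrapped.
audit_wrappers() {
    bindir=$1
    printf '%s' "$SAMPLE_HOSTS_ALLOW" | daemons_in_wrappers_config | while read -r d; do
        [ "$d" = "ALL" ] && continue
        rc=0
        links_libwrap "$bindir/$d" || rc=$?
        case $rc in
            0) echo "$d: wrapped";;
            1) echo "$d: NOT wrapped - hosts.allow/deny has no effect on it";;
            *) echo "$d: could not check $bindir/$d";;
        esac
    done
}

audit_wrappers /usr/sbin
```

A "NOT wrapped" line means the only protection that host entry gives is imaginary, and the service needs either an inetd/xinetd stanza that runs it through tcpd or a firewall rule instead. Daemons started by inetd with tcpd as the server program are wrapped regardless of what ldd says, so treat the ldd result as authoritative only for stand-alone daemons.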