LinuxQuestions.org
Old 09-17-2006, 01:22 PM   #1
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Stupid networking tricks: X11 forwarding and hosts.deny


Hi guys,

Since I'm stuck with my unbootable server and bad network performance everywhere but winbloze I thought about some other stuff I need to look at. The problems are adding up and that is not a good sign for me.

I am trying to get ssh working between two Slackware machines on a LAN. I can connect but when I start the X-session it starts on the target machine (not the one I did the SSH from) which is funny to watch with two machines sitting next to each other but not very effective. I tried a few different things (ssh -X user@host and ssh -Y user@host) and at the moment both sshd_config files have X11Forwarding yes and X11UseLocalhost no. What I want to do is to be able to log into a remote machine and have a full desktop like xfce, fluxbox, etc. running. Is this possible?

Also I followed the directions in something I found about setting ALL : ALL in hosts.deny. That did a pretty good job of denying me access to the internet from my web browser so I had to comment it out again. How should that be set? I want to deny everything but sshd and web browsing (for now).

Last q. if I have 10 machines 192.168.2.10 through 192.168.2.19 running on the LAN, how do I set an entry in hosts.allow? I tried 192.168.2.10/19 but that didn't seem to work. I am running with 192.168.2. which works ok but if someone connects to my wireless on ..1.20 it will also work and I want to block that.

Thanks,
Rand
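The sshd_config side of the first question (X11Forwarding yes, X11UseLocalhost no), checked with a small script. This is an added example, not code from the thread and not OpenSSH code. It assumes top-level directives only (parsing stops at the first Match block), and the values in DEFAULTS are the documented sshd_config(5) defaults for OpenSSH 5.x; later releases removed protocol 1 and the UseLogin option entirely. Both configs inside it are constructed samples. Two facts it relies on: sshd keeps the first value it reads for a keyword and ignores later duplicates, and X11UseLocalhost no makes sshd bind the forwarded display proxy to the wildcard address instead of loopback, so other hosts on the LAN can reach it.

```python
"""Audit the sshd_config keywords that decide whether X11 forwarding works
and where the forwarded display listens.

Added example (not from the thread, not OpenSSH code). Assumptions:
only top-level directives are read, and DEFAULTS holds the documented
sshd_config(5) defaults for OpenSSH 5.x.
"""
import re

# Applied when the file never mentions the keyword (assumed defaults).
DEFAULTS = {
    "x11forwarding": "no",
    "x11uselocalhost": "yes",
    "uselogin": "no",
    "protocol": "2",
}

# 'Keyword value' and 'Keyword=value' are both accepted by sshd.
_LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {keyword_lowercased: value} using sshd's first-match rule.

    Keywords are case-insensitive; blank lines and lines starting with
    '#' are ignored; a second occurrence of a keyword is ignored because
    sshd uses the first value it obtains.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":           # assumption: do not descend into Match blocks
            break
        found.setdefault(key, value)  # first occurrence wins
    return found


def effective_settings(text):
    """Merge the parsed file with DEFAULTS for the keys this audit cares about."""
    eff = dict(DEFAULTS)
    for key, value in parse_sshd_config(text).items():
        if key in DEFAULTS:
            eff[key] = value.lower()
    return eff


def audit_x11(text):
    """Return a list of findings; an empty list means the X11 side is sane."""
    eff = effective_settings(text)
    findings = []
    if eff["x11forwarding"] != "yes":
        findings.append("X11Forwarding is off: ssh -X / ForwardX11 will not get a display")
    elif eff["x11uselocalhost"] == "no":
        findings.append("X11UseLocalhost no: the forwarded display proxy binds the wildcard "
                        "address, so other hosts on the LAN can connect to it; set yes")
    if eff["uselogin"] == "yes":
        findings.append("UseLogin yes: sshd disables X11 forwarding for login(1) sessions; set no")
    if "1" in eff["protocol"].replace(" ", "").split(","):
        findings.append("Protocol allows SSH-1: clients can be downgraded; use Protocol 2")
    return findings


# Constructed sample: the setting described in the opening post.
OP_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2,1
X11Forwarding yes
X11UseLocalhost no
# the next line is ignored: sshd keeps the first X11UseLocalhost value
X11UseLocalhost yes
"""

# Constructed sample: what the advice in this thread amounts to.
HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
X11Forwarding yes
X11UseLocalhost yes
# UseLogin is left commented out, so the default 'no' applies
"""

if __name__ == "__main__":
    for finding in audit_x11(OP_SSHD_CONFIG):
        print("OP config:", finding)
    print("hardened:", audit_x11(HARDENED_SSHD_CONFIG) or "no findings")
```

Run it against a real file with `audit_x11(open("/etc/ssh/sshd_config").read())`; remember that, as several replies note, sshd has to be restarted and the session reconnected before a changed value is in effect.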
 
Old 09-17-2006, 02:32 PM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,004
Quote:
Originally Posted by Randux
Hi guys,

Since I'm stuck with my unbootable server and bad network performance everywhere but winbloze I thought about some other stuff I need to look at. The problems are adding up and that is not a good sign for me

I am trying to get ssh working between two Slackware machines on a LAN. I can connect but when I start the X-session it starts on the target machine (not the one I did the SSH from) which is funny to watch with two machines sitting next to each other but not very effective. I tried a few different things (ssh -X user@host and ssh -Y user@host) and at the moment both sshd_config files have X11Forwarding yes and X11UseLocalhost no. What I want to do is to be able to log into a remote machine and have a full desktop like xfce, fluxbox, etc. running. Is this possible?
Not quite like that. You can redirect individual programs output
from the remote machine to your local X server. If you want the
whole session you'll need x11vnc or tightVNC, and will still need
to run X on the local box, too.

Quote:
Also I followed the directions in something I found about setting ALL : ALL in hosts.deny. That did a pretty good job of denying me access to the internet from my web browser so I had to comment it out again. How should that be set? I want to deny everything but sshd and web browsing (for now).

Last q. if I have 10 machines 192.168.2.10 through 192.168.2.19 running on the LAN, how do I set an entry in hosts.allow? I tried 192.168.2.10/19 but that didn't seem to work. I am running with 192.168.2. which works ok but if someone connects to my wireless on ..1.20 it will also work and I want to block that.

Thanks,
Rand
What netmask are you using when you're setting them up?



Cheers,
Tink

Last edited by Tinkster; 09-17-2006 at 02:38 PM.
 
Old 09-17-2006, 03:14 PM   #3
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Original Poster
Quote:
Originally Posted by Tinkster
Not quite like that. You can redirect individual programs output
from the remote machine to your local X server. If you want the
whole session you'll need x11vnc or tightVNC, and will still need
to run X on the local box, too.
Hi Tink,

That's what I started to think after spending a few hours searching on this. But I think people were saying that some of these programs sent everything in the clear. I'm hoping there are ones (maybe the ones you mentioned) that run completely under SSH.

Quote:
Originally Posted by Tinkster
What netmask are you using when you're setting them up?
Cheers,
Tink
I don't know. What's a netmask? These are just inside a range of addresses assigned by DHCP from the LAN router. I want to work only inside the LAN at first, and then open it up once I understand how to secure it. This is really part of the "where do I begin setting up a server" thread since the guys all said I should use SSH.

I'm pretty network-stupid and trying all this one step at a time.

Thanks,
Rand
 
Old 09-17-2006, 05:56 PM   #4
ryanoa
Member
 
Registered: Jan 2006
Location: Santa Cruz, CA
Distribution: Slack 10.2 and 11.0
Posts: 102

I use tightvnc and it works great over my lan. For remote access it isn't very secure but you can set up an ssh tunnel to run it through. I haven't tried this yet but intend to in the near future.
 
Old 09-17-2006, 06:03 PM   #5
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,451
Hi,
For the netmask, you boolean 'AND' the mask with the IP to get the network part and the host part. Therefore you can network with the mask to provide a subnetwork class.

A sample of hosts.deny;

Code:
# cat /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# Version:      @(#)/etc/hosts.deny     1.00    05/28/93
#
# Author:       Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>
#
#
ALL: ALL
portmap: ALL
lockd: ALL
mountd: ALL
rquotad: ALL
statd: ALL
# End of hosts.deny.
A sample of hosts.allow;

Code:
# cat /etc/hosts.allow
#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided by
#               the '/usr/sbin/tcpd' server.
#
# Version:      @(#)/etc/hosts.allow    1.00    05/28/93
#
# Author:       Fred N. van Kempen, <waltje@uwalt.nl.mugnet.org>
#
#07-27-06 23:00 gws
#
#ALL:Local:192.168.0.2
# A backslash before the newline continues the client list on the next line.
ALL: 192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4 192.168.0.5 \
     192.168.0.6 192.168.0.7 192.168.0.8 192.168.0.9 192.168.0.10 \
     192.168.0.11 192.168.0.12 192.168.0.13 192.168.0.14 192.168.0.15 \
     192.168.0.100

portmap: 192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4 192.168.0.5 \
         192.168.0.6 192.168.0.7 192.168.0.8 192.168.0.9 192.168.0.10 \
         192.168.0.11 192.168.0.12 192.168.0.13 192.168.0.14 192.168.0.15 \
         192.168.0.16 192.168.0.17 192.168.0.18 192.168.0.19 192.168.0.20 \
         192.168.0.100
lockd:   192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4 192.168.0.5 \
         192.168.0.6 192.168.0.7 192.168.0.8 192.168.0.9 192.168.0.10 \
         192.168.0.11 192.168.0.12 192.168.0.13 192.168.0.14 192.168.0.15 \
         192.168.0.16 192.168.0.17 192.168.0.18 192.168.0.19 192.168.0.20 \
         192.168.0.100
rquotad: 192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4 192.168.0.5 \
         192.168.0.6 192.168.0.7 192.168.0.8 192.168.0.9 192.168.0.10 \
         192.168.0.11 192.168.0.12 192.168.0.13 192.168.0.14 192.168.0.15 \
         192.168.0.16 192.168.0.17 192.168.0.18 192.168.0.19 192.168.0.20 \
         192.168.0.100
mountd:  192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4 192.168.0.5 \
         192.168.0.6 192.168.0.7 192.168.0.8 192.168.0.9 192.168.0.10 \
         192.168.0.11 192.168.0.12 192.168.0.13 192.168.0.14 192.168.0.15 \
         192.168.0.16 192.168.0.17 192.168.0.18 192.168.0.19 192.168.0.20 \
         192.168.0.100
statd:   192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4 192.168.0.5 \
         192.168.0.6 192.168.0.7 192.168.0.8 192.168.0.9 192.168.0.10 \
         192.168.0.11 192.168.0.12 192.168.0.13 192.168.0.14 192.168.0.15 \
         192.168.0.16 192.168.0.17 192.168.0.18 192.168.0.19 192.168.0.20 \
         192.168.0.100
I prefer static versus DHCP for small networks.
 
Old 09-17-2006, 06:45 PM   #6
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Original Poster
Quote:
Originally Posted by gwsandvik
Hi,
For the netmask, you boolean 'AND' the mask with the IP to get the network part and the host part. Therefore you can network with the mask to provide a subnetwork class.
Hi Gary,

I must be having a blonde moment since I am not sure if I understand what you mean.

For the hosts.deny, why do you have to have anything after ALL:ALL? Doesn't all mean all?
For the allow, I see you are specifying full ip addresses. I didn't know I could do that and for me it's probably a good solution. But I want to know for example, how I can allow

192.168.2.10 through 192.168.2.19 with one statement? And how does netmask fit in?

Also, why did ALL:ALL in my hosts.deny stop me from accessing the internet from my web browser? What should I have in there?

Thanks,
Rand
 
Old 09-17-2006, 06:47 PM   #7
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Original Poster
Quote:
Originally Posted by ryanoa
I use tightvnc and it works great over my lan. For remote access it isn't very secure but you can set up an ssh tunnel to run it through. I haven't tried this yet but intend to in the near future.
Thanks ryanoa. I would like to be able to do this to run a headless server inside the lan but I also want to open it up to remote devs when I can secure it. So I will look at what you and Tink suggested.
 
Old 09-17-2006, 09:11 PM   #8
ryanoa
Member
 
Registered: Jan 2006
Location: Santa Cruz, CA
Distribution: Slack 10.2 and 11.0
Posts: 102

Randux,
I just got a remote ssh tunnel working with tightvnc from a windows machine. Way cool! It was really very easy to setup using the ssh client PUTTY, and I'm a total noob. Let me know if you need any info on how I got it all working.
 
Old 09-17-2006, 10:12 PM   #9
evilDagmar
Member
 
Registered: Mar 2005
Location: Right behind you.
Distribution: NBG, then randomed.
Posts: 480

Geez.

Guys, this is what XDMCP is meant for. You don't need any kind of cockeyed VNC clone to get this functionality.

Last edited by evilDagmar; 09-17-2006 at 10:13 PM.
 
Old 09-17-2006, 10:23 PM   #10
onebuck
Moderator
 
Registered: Jan 2005
Location: Midwest USA, Central Illinois
Distribution: Slackware®
Posts: 11,451
Quote:
Originally Posted by Randux
Hi Gary,

I must be having a blonde moment since I am not sure if I understand what you mean.

For the hosts.deny, why do you have to have anything after ALL:ALL? Doesn't all mean all?
For the allow, I see you are specifying full ip addresses. I didn't know I could do that and for me it's probably a good solution. But I want to know for example, how I can allow

192.168.2.10 through 192.168.2.19 with one statement? And how does netmask fit in?

Also, why did ALL:ALL in my hosts.deny stop me from accessing the internet from my web browser? What should I have in there?

Thanks,
Rand
Hi,

What part of this information don't you understand?

This states that the file describes the names of the hosts that are 'NOT' allowed for local use of the INET, period.

Code:
#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# Version:      @(#)/etc/hosts.deny     1.00    05/28/93
The portion after the ALL:ALL states what services you wish to deny.

You then allow INET access with the use of the /etc/hosts.allow for your LAN. As I stated, I like to use static IP for my small LANs. I'm explicit with the address and can use MAC ID if needed.

The netmask can be used to specify a broadcast netmask so as to allow the network portion of the quad dot address (first two octet ###.###). The next part of the address will provide the host portion. Note that the IP is assigned to the NIC on the system not the host.

Code:
111.111.111.000
111.111.110.000
                  AND will produce;
111.111.110.000
As for the /etc/hosts.allow you would setup for all of the allowed systems that have access to the INET (your LAN).

A good description from TLDP. If you look at section 3.5 you will get a better understanding.

Just remember that we are talking about your local IP address. The mask is used to identify portions on your network.

Last edited by onebuck; 09-17-2006 at 10:57 PM.
 
Old 09-17-2006, 11:02 PM   #11
drkstr
Senior Member
 
Registered: Feb 2006
Location: Seattle, WA: USA
Distribution: Slackware 11.0
Posts: 1,191

Quote:
Originally Posted by Randux
Hi Gary,

I must be having a blonde moment since I am not sure if I understand what you mean.

For the hosts.deny, why do you have to have anything after ALL:ALL? Doesn't all mean all?
For the allow, I see you are specifying full ip addresses. I didn't know I could do that and for me it's probably a good solution. But I want to know for example, how I can allow

192.168.2.10 through 192.168.2.19 with one statement? And how does netmask fit in?

Also, why did ALL:ALL in my hosts.deny stop me from accessing the internet from my web browser? What should I have in there?

Thanks,
Rand
Hi Rand!

I don't think the TCP wrapper has a syntax for ip ranges, only classes. You can match a range in iptables though. I don't remember the syntax off the top of my head, but I can tell you when I get home if you haven't found it in the iptables docs by then.

...drkstr
 
Old 09-18-2006, 07:19 AM   #12
evilDagmar
Member
 
Registered: Mar 2005
Location: Right behind you.
Distribution: NBG, then randomed.
Posts: 480

Quote:
Originally Posted by Randux
I am trying to get ssh working between two Slackware machines on a LAN. I can connect but when I start the X-session it starts on the target machine (not the one I did the SSH from) which is funny to watch with two machines sitting next to each other but not very effective. I tried a few different things (ssh -X user@host and ssh -Y user@host) and at the moment both sshd_config files have X11Forwarding yes and X11UseLocalhost no. What I want to do is to be able to log into a remote machine and have a full desktop like xfce, fluxbox, etc. running. Is this possible?
Yes, it is. I've seen enough silliness now that I'm going to step in and sort some things out for you. To tunnel X stuff over ssh, you want to edit /etc/ssh/sshd_config and make sure that UseLogin is set to 'no' (or commented out, that's the default), and that X11Forwarding is set to yes. You must restart the sshd (use the init script! It's easy to lock yourself out of the machine doing this) after you make this kind of change, and then reconnect to the host (these changes will not affect an existing connection). You will also likely want to edit /etc/ssh/ssh_config and setup a little section like so:

Code:
Host *
  Protocol 2
  Compression yes
  ForwardX11 yes
The Protocol setting is to protect you from having a malicious ssh server (or someone trying a MITM attack) from attempting to make your client do a v1 connection, which can be vulnerable to a MITM attack. The Compression setting just makes this much more liveable (and nicer on the bandwidth), so long as you have a machine faster than about 200 MHz. 'ForwardX11 yes' is all you really need from the client end of things, and eliminates your need to do anything with -X or -Y (and anyway having to use -Y is a sign you've done something wrong) at the command line when you ssh.

Once all that's done, you can fire up X on your local machine, open a terminal and ssh into the other one, then run `xterm` and it will appear on your local display.

Quote:
Originally Posted by Randux
Also I followed the directions in something I found about setting ALL : ALL in hosts.deny. That did a pretty good job of denying me access to the internet from my web browser so I had to comment it out again. How should that be set? I want to deny everything but sshd and web browsing (for now).
Something else was very broken if setting a default deny policy for tcp_wrappers affected your outgoing web browsing (contrary to what you may have been told). Tcp_wrappers typically has absolutely nothing to do with anything but incoming connections, and even then it only affects programs that have linked in libwrap.a and are actually heeding the library. Setting a default deny policy is a very sane and standard way of starting out with tcp_wrappers.

After having done this, to actually allow access to something like sshd, you have to know the service name (which is usually, but not always, the name of the daemon) which for this would be 'sshd', and you add a line to /etc/hosts.allow describing what IP addresses and so forth you want to have access. For example, if you're using 192.168.2.0/24 as your home network, you can simply put:

Code:
sshd: 192.168.0.
into the file. Changes made to /etc/hosts.allow and /etc/hosts.deny can kinda be said to take effect immediately, but they won't affect already ongoing connections. These files are only checked as each incoming connection comes in, and every time one of these connections comes in (they are not cached in any way). To explain that "192.168.0." in terms of filename globbing (it's not a typo), when you leave off a trailing octet from an IP address, tcp_wrappers assumes a wildcard, so that "192.168.0." is treated as "192.168.0.*" (or 192.168.0.0/24). Much the same is true for DNS names, but by leaving off a leading element, like ".kung.foo" means "*.kung.foo", so that any host whose inverse address resolution maps to the kung.foo domain will be allowed in. Mind you, using DNS names will slow things down as libwrap looks these things up, and is not exactly reliable for other external reasons.

Quote:
Originally Posted by Randux
Last q. if I have 10 machines 192.168.2.10 through 192.168.2.19 running on the LAN, how do I set an entry in hosts.allow? I tried 192.168.2.10/19 but that didn't seem to work. I am running with 192.168.2. which works ok but if someone connects to my wireless on ..1.20 it will also work and I want to block that.
No offense, but, um, 192.168.2.10/19 is kind of insane, and won't be parsed properly by tcp_wrappers. Tcp_wrappers does actually think the slash is good for something, but it's not CIDR notation (Google that if you need to). If you use an address followed by a slash, tcp_wrappers interprets what follows the slash as a netmask, and /19 may or may not get filled in with zeros as 19.0.0.0, but it's not good either way. Even if it were interpreting that as CIDR (which it doesn't) it would have allowed addresses 192.168.0.0 through 192.168.31.255 which is probably not what you wanted. The closest you can get to that with a single declaration would be 192.168.2.1/255.255.255.224, which would allow 192.168.2.1 through 192.168.2.30. If you type `man 5 hosts_access` you can get the entire skinny on everything it does. You could, if you wanted, go ahead and follow that up with "EXCEPT 192.168.2.20 192.168.2.21 192.168.2.22 .." but frankly, if you're having a problem with rogue IP addresses that might jump on these exposed IP addresses on your local subnet at your house, then your attacker is also going to be able to spoof IP traffic (and MAC addresses) so you're kinda screwed anyway.

To address some other things that were brought up in this thread:

"The portion after the ALL:ALL states what services you wish to deny."

Wrong, wrong, wrong.

"For the hosts.deny, why do you have to have anything after ALL:ALL? Doesn't all mean all?"

All in fact does mean all, and anything after that is simply wasted text. Someone didn't read the man page. ALL:ALL means all services for all IP addresses will be denied unless something in /etc/hosts.allow lets them through explicitly (and again, this only affects incoming TCP connections for applications which are in some way making use of libwrap.a. UDP is not filtered well by this.)

"The netmask can be used to specify a broadcast netmask [...]"

No.

A lot of what's been going on with this thread is the kind of deranged nomenclature that is IMHO exactly the reason the internet as a whole abandoned classed addressing quite some time ago. All it does is make newbies crazy.
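The client-list rules argued over in this thread (the netmask AND in post #10, the net/mask, trailing-dot and EXCEPT forms in the post above, and the .10 through .19 question from the opening post), as an added Python model of how tcp_wrappers evaluates a hosts.allow or hosts.deny client list. This is example code, not tcp_wrappers and not from any poster; it follows hosts_access(5): a `net/mask` token matches when `net` equals the bitwise AND of the client address and `mask`, which means the left half has to be the first address of the block, so 192.168.2.0/255.255.255.224 admits .0 through .31 while 192.168.2.1/255.255.255.224 admits nothing. Two further details are modelled from tcp_wrappers 7.6 as I understand it: both halves of a net/mask token must be four-part dotted quads (a `/19` is logged as "bad net/mask expression" and never matches), and `a EXCEPT b EXCEPT c` parses as `a EXCEPT (b EXCEPT c)`. The KNOWN/UNKNOWN/PARANOID wildcards, @netgroups and /file patterns are not modelled. The range helper uses the standard library to split an unaligned range into the aligned blocks that can sit on one hosts.allow line.

```python
"""Model of tcp_wrappers client-list matching (hosts_access(5)).

Added example; not tcp_wrappers code and not from the thread. Rules:
  ALL / LOCAL          wildcards (LOCAL: hostname without a dot)
  .kung.foo            hostname suffix match
  192.168.0.           address prefix match
  n.n.n.n/m.m.m.m      net/mask: matches when net == (addr AND mask)
  a b EXCEPT c         EXCEPT is right-associative: a EXCEPT (b EXCEPT c)
Not modelled: KNOWN/UNKNOWN/PARANOID, @netgroups, /file patterns.
"""
import ipaddress
import re

DOTTED_QUAD = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _dot_quad(s):
    """tcp_wrappers' dot_quad_addr(): exactly four dot-separated parts,
    otherwise the value is rejected (INADDR_NONE) -> None here."""
    if not DOTTED_QUAD.match(s):
        return None
    try:
        return int(ipaddress.IPv4Address(s))
    except ValueError:
        return None


def token_matches(tok, addr, host):
    """Match one client pattern against an address string and a hostname."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":
        return host is not None and "." not in host
    if "/" in tok:                          # net/mask pair
        net_s, mask_s = tok.split("/", 1)
        net, mask = _dot_quad(net_s), _dot_quad(mask_s)
        if net is None or mask is None:
            # tcpd warns "bad net/mask expression: net/mask"; token never matches
            return False
        return (int(ipaddress.IPv4Address(addr)) & mask) == net
    if tok.startswith("."):                 # .domain suffix on the hostname
        return host is not None and host.lower().endswith(tok.lower())
    if tok.endswith("."):                   # 192.168.0. prefix on the address
        return addr.startswith(tok)
    return tok == addr or (host is not None and tok.lower() == host.lower())


def client_list_matches(pattern, addr, host=None):
    """Evaluate a hosts.allow/hosts.deny client list, honouring EXCEPT.

    Commas and blanks both separate list members, as in the real files.
    """
    toks = pattern.replace(",", " ").split()
    if "EXCEPT" in toks:
        i = toks.index("EXCEPT")            # split at the first EXCEPT
        left, right = " ".join(toks[:i]), " ".join(toks[i + 1:])
        return client_list_matches(left, addr, host) and \
            not client_list_matches(right, addr, host)
    return any(token_matches(t, addr, host) for t in toks)


def addresses_matched(pattern, network="192.168.2.0/24"):
    """Last octets within `network` that `pattern` admits: a quick way to
    see what a rule really covers before putting it in hosts.allow."""
    return [int(str(a).rsplit(".", 1)[1])
            for a in ipaddress.ip_network(network)
            if client_list_matches(pattern, str(a))]


def netmask_list_for_range(first, last):
    """Fewest net/mask tokens that cover first..last inclusive.

    A range not aligned to a power-of-two block (.10-.19) is not one
    net/mask; it is split into aligned blocks that fit on one line.
    """
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return " ".join(f"{b.network_address}/{b.netmask}" for b in blocks)


if __name__ == "__main__":
    print(addresses_matched("192.168.2.1/255.255.255.224"))   # []  net not aligned to mask
    print(addresses_matched("192.168.2.0/255.255.255.224"))   # 0 .. 31
    print(addresses_matched("192.168.2.10/19"))                # []  not a dotted-quad mask
    rule = netmask_list_for_range("192.168.2.10", "192.168.2.19")
    print(rule)                                                # three net/mask tokens
    print(addresses_matched(rule))                             # 10 .. 19
```

For the range in the opening post, `netmask_list_for_range` yields `192.168.2.10/255.255.255.254 192.168.2.12/255.255.255.252 192.168.2.16/255.255.255.252`, so a single `sshd: ...` line with those three tokens admits exactly .10 through .19 and nothing from .20 upward; listing the ten addresses explicitly is equally valid and easier to read, and `addresses_matched` is the check to run on whichever form you pick.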
 
Old 09-18-2006, 08:22 AM   #13
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Original Poster
Quote:
Originally Posted by ryanoa
Randux,
I just got a remote ssh tunnel working with tightvnc from a windows machine. Way cool! It was really very easy to setup using the ssh client PUTTY, and I'm a total noob. Let me know if you need any info on how I got it all working.
Thanks man.
 
Old 09-18-2006, 08:24 AM   #14
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Original Poster
Quote:
Originally Posted by drkstr
Hi Rand!

I don't think the TCP wrapper has a syntax for ip ranges, only classes. You can match a range in iptables though. I don't remember the syntax off the top of my head, but I can tell you when I get home if you haven't found it in the iptables docs by then.

...drkstr
Ok, so there is no one statement to do what I wanted to do. Thanks, Darkstar

I do have arno iptables firewall script which is excellent but I'm not good at tweaking it. For now port 22 is open but I'm behind a router which drops port 22 until I say I want it.
 
Old 09-18-2006, 08:30 AM   #15
Randux
Senior Member
 
Registered: Feb 2006
Location: Siberia
Distribution: Slackware & Slamd64. What else is there?
Posts: 1,705

Original Poster
Quote:
Originally Posted by evilDagmar
awesome info snipped
Hey Dagmar, you don't sound so evil.

Thanks a lot for your post. I bookmarked it and I'll go over it again until I get it. I think I'm with Gary and you on netmask being the part after the slash. Before that I didn't know *where* the netmask was being specified. So I should be able to allow a range by using the right mask.

I'll try again but I'm sure that after I put ALL : ALL in hosts.deny I couldn't browse any web sites. It was like my interfaces were all down (they weren't). I'm having a lot of other weird stuff (browser performance issues) going on but I don't think it's my setup or hardware because it's happening on two separate boxes and it started at the same time. My ISP is making my life hell.

Rand
 
  

