Cron chaning back hosts.deny!

filiphw · 12-22-2003, 03:14 PM

Gents,
I have set my security to higher, which is msec 4 I think,
If I change my hosts.deny to deny whit an exception, It will change back to deny all during the night. I guess this is the cron service thats running during the night. Can I make an exception somewhere so it run as normal but let the hosts.deny be....
.
Im using Mandrake 9.2
.
Thanks in advance...

Capt_Caveman · 12-29-2003, 01:05 PM

Did you try adding your exceptions to hosts.allow amd leaving hosts.deny as ALL:ALL. Usually the best way to use tcpwrappers (hosts.allow/deny) is to have hosts.deny block everything and then explicitly allow access by adding ip addresses to hosts.allow. If you need to, you should be able to override the default msec permissions. Checkout this howto, but you shouldn't have to do it that way.

http://www.mandrakesecure.net/en/docs/msec.php

filiphw · 12-30-2003, 02:22 AM

Thanks for your reply,
Okey, that mean that I should change back to deny all in my hosts.deny
and then put the ipadresses and domains that I trust in the hosts.allow instead. Couldsomeone just give me an exapmle how you write a good hosts.allow file...?

Rgds F

Capt_Caveman · 12-30-2003, 01:21 PM

Yes, change hosts.deny to this:
ALL: ALL

Anything that you put in hosts.allow will will override the ALL setting in hosts.deny. The syntax for hosts.allow is the same and uses the format:

SERVICENAME: arguments

where arguments can be a complete or partial domain name like node1.yahoo.com or just .yahoo.com . Or you can use complete or partial IP addresses like 123.456.789.1 or 123.456. So to use an example, say we wanted to allow anyone from yahoo.com to access our FTP server and we also want to allow the hosts 123.456.789.1, the 192.168. private IP block and all of yahoo.com to access our sshd server. The hosts.allow file would look like this:

Code:

#### BUNCH OF HEADER COMMENTS HERE

FTPD:  .yahoo.com 
SSHD:  123.456.789.1  192.168.   .yahoo.com

The key to writitng a "good" hosts.allow file is just try to limit the number of people that have access to the fewest possible. Sometimes that can be hard if you have clients with dynamic IP addresses or if you need to run a public service. Also an important thing to keep in mind is that not all services use the hosts.allow/deny files. For example the Apache web server won't use them, so don't try to put an entry in hosts.allow for www or httpd.

filiphw · 12-30-2003, 01:28 PM

Thanks for that great reply! I will change that at once.
I guess ProFTPD doesn't use the hosts.xxxx either.

What about the service name. Can I use whatever? Does it matter if I write SSH instead of SSHD...?

Rgds F

Capt_Caveman · 12-30-2003, 01:54 PM

No, the servicename does matter. But it can be upper or lowercase, that doesn't matter. Offhand I don't know all the services that use tcpwrappers (hosts.xxxx) and all that don't. But I know that sshd and tftpd do have tcpwrappers support and I believe that services running through inetd or xinetd use it as well.

GAVollink · 12-30-2003, 02:09 PM

The service name must match the information in "/etc/services" if you have the same service port match for ssh and sshd, then yes, you can use both.