Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
10-11-2006, 07:57 AM | #1
LQ Newbie | Registered: Nov 2005 | Location: Buckinghamshire, UK | Distribution: Slackware | Posts: 26
Different Security models - confused.
I'm starting to look at securing my slackware box. I've got a basic understanding of hosts.allow/hosts.deny and I'm reading iptables tutorials (so far they make sense).
What I don't understand is the relationship between these two security systems. Should I be restricting traffic with hosts.(allow|deny) or should I be using iptables or both? What are the implications of using both - is it possible to set up contradictions where traffic is allowed under the hosts files and denied under iptables etc?
Can someone explain this or point me to a web page which compares the two systems?
Many thanks,
R.
10-11-2006, 08:41 AM | #2
Moderator | Registered: Jun 2001 | Location: UK | Distribution: Gentoo, RHEL, Fedora, Centos | Posts: 43,417
hosts.allow and hosts.deny are part of tcpwrappers, which is a framework that any application can be hooked into to abstract IP security to it. This way a service listening on a port can do its own security via an external library without having to reimplement it from scratch.
iptables sits within the kernel, not the userland, and will block traffic reaching that service port in the first place. If you block port 22 access in iptables then the netfilter hooks in the kernel will never let that traffic connect to the ssh daemon on port 22. If you do not block it, and instead restrict with tcpwrappers, then ssh receives the actual data and then refers to hosts.allow etc... and then drops it there.
iptables is your firewall, tcpwrappers is your permissions... something like that. Additionally, many applications are not built with tcpwrappers support so cannot benefit from its functionality, whereas iptables and netfilter sit in front of the services so will always see that traffic regardless of what is or isn't sitting behind it.
10-11-2006, 08:50 AM | #3
Member | Registered: Aug 2004 | Location: Europe | Posts: 608
I would just look at them as different layers of security. If your requirements are fixed and simple (e.g. only allow connections to FTP from the local network), then set up iptables and hosts.* the same way so you have 2 layers of protection. If one of them fails for some reason, you still have the other one to protect you.
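The two layers described in #2 (kernel netfilter first, then libwrap inside the daemon) and the "configure both the same way" advice in #3, as an added example that is not from the thread. It takes one policy, "only 192.168.1.0/24 may reach sshd on port 22" (the network and service are chosen here for illustration), prints the iptables rules for it, writes the matching hosts.allow/hosts.deny into a temporary directory rather than /etc, and then models what each layer decides for a given client address in the order a real connection meets them. The tcpd matcher is a simplified model of hosts_access(5) (ALL, a trailing-dot network prefix, an exact address); it is not libwrap itself.

```shell
#!/bin/sh
# Added example, not from the thread. Models the two layers discussed above for
# sshd on port 22 under one policy: only 192.168.1.0/24 may reach ssh.
#  1. netfilter/iptables, in the kernel, decides before the packet reaches sshd;
#  2. tcp_wrappers (libwrap inside sshd) checks hosts.allow/hosts.deny after accept().
# The real files are /etc/hosts.allow and /etc/hosts.deny; this script writes
# copies to a temp dir so it runs unprivileged and changes nothing on the host.

ALLOWED_NET=192.168.1.0/24          # illustrative choice, not from the thread
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ALLOW="$WORK/hosts.allow"
DENY="$WORK/hosts.deny"

# Layer 1: the iptables rules for the policy (printed, not run; apply as root).
iptables_rules() {
    printf 'iptables -A INPUT -p tcp --dport 22 -s %s -j ACCEPT\n' "$ALLOWED_NET"
    printf 'iptables -A INPUT -p tcp --dport 22 -j DROP\n'
}

# Layer 2: the same policy in hosts_access(5) syntax.
write_wrapper_files() {
    printf 'sshd: 192.168.1.\n' > "$ALLOW"   # trailing dot = network prefix
    printf 'ALL: ALL\n' > "$DENY"
}

ip2int() { # dotted quad -> integer
    IFS=. ; set -- $1 ; unset IFS
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() { # ip cidr -> exit 0 if ip lies inside cidr
    mask=$(( ${2#*/} == 0 ? 0 : (0xFFFFFFFF << (32 - ${2#*/})) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}

# What the kernel does with a SYN to port 22 from $1 under iptables_rules.
netfilter_decision() { # ip -> ACCEPT | DROP
    if in_cidr "$1" "$ALLOWED_NET"; then echo ACCEPT; else echo DROP; fi
}

# Simplified tcpd pattern matching: ALL, a dotted prefix ("192.168.1."),
# or an exact address.  hosts_access(5) supports more forms than this.
match_pattern() { # pattern client
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ; return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# Does any "daemon_list : client_list" line in file $1 match daemon $2, client $3?
file_matches() {
    [ -f "$1" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case "$line" in *:*) ;; *) continue ;; esac
        for d in $(printf '%s' "${line%%:*}" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$2" ] || continue
            for c in $(printf '%s' "${line#*:}" | tr ',' ' '); do
                match_pattern "$c" "$3" && return 0
            done
        done
    done < "$1"
    return 1
}

# hosts_access(5) order: hosts.allow match -> allow; else hosts.deny match ->
# deny; else allow.  An absent or empty hosts.deny therefore means "allow all".
tcpd_decision() { # daemon client -> allow | deny
    if file_matches "$ALLOW" "$1" "$2"; then echo allow
    elif file_matches "$DENY" "$1" "$2"; then echo deny
    else echo allow
    fi
}

# Both layers in the order a real connection meets them: a packet the kernel
# drops never reaches sshd, so hosts.* is only consulted for what netfilter lets in.
connection_outcome() { # client ip -> one line saying where it is stopped
    if [ "$(netfilter_decision "$1")" = DROP ]; then
        echo "dropped by netfilter; sshd never sees it, hosts.* not consulted"
    elif [ "$(tcpd_decision sshd "$1")" = deny ]; then
        echo "accepted by kernel, then refused by sshd via hosts.deny"
    else
        echo "accepted by both layers"
    fi
}

write_wrapper_files
iptables_rules
for ip in 192.168.1.25 10.0.0.9; do
    printf '%-14s %s\n' "$ip" "$(connection_outcome "$ip")"
done
```

Run it with `sh` as an ordinary user; the printed iptables lines are what you would apply as root on the real box. The order in connection_outcome is the answer to the "contradiction" question in #1: a mismatch between the two layers cannot let anything through that iptables drops, it can only let netfilter admit something that libwrap then refuses (an extra reject at the daemon, not a hole). To check the real /etc/hosts.allow and /etc/hosts.deny rather than this model, the tcp_wrappers package ships tcpdmatch(8), which evaluates the actual files for a given daemon and client.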
10-11-2006, 09:17 AM | #4
LQ Newbie (Original Poster) | Registered: Nov 2005 | Location: Buckinghamshire, UK | Distribution: Slackware | Posts: 26
So if I'm understanding properly - iptables is a front-line defence and encompasses all net traffic, whereas hosts.* is ignored by non-tcp traffic.
I had a feeling that hosts.* was the 'obsolete' of the two, since it was around in my unix days pre-1990, whereas I'd never heard of iptables, so I assumed it was the new improved security feature.
With that in mind I'll focus my attention on iptables.
Thanks for the help,
R.
Last edited by richardh1970; 10-11-2006 at 09:19 AM.