Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I was wondering if someone could enlighten me as to how hosts.allow and hosts.deny work.
The reason why I am wondering is because I have set up my hosts.deny file with the following text, ALL:ALL, and nothing in my hosts.allow file, and when I type apachectl start I am able to view my server.
How can I make it so hosts.deny will block any server that is started on my system?
Not particularly sure what you mean... do you want to block SSH access to your server? Do you want to block any traffic from the outside world so no one can see your websites?
One thing is that you need to restart sshd after editing the file.
According to one Linux Security book I read, you can have a
ALL: ALL: deny
as the first option in the /etc/hosts.allow file.
Some services like Samba have their own tcpwrappers interface compiled in, and you want to use the configuration files for the service.
Did you view the webpage on the same machine as the server?
Is the apache service an xinetd wrapped service?
I think that if you started the webserver explicitly instead of doing it from an xinetd interface, you may have bypassed the controls. Or the httpd service isn't one that uses tcpwrappers at all and access should be controlled in the apache configuration file. Or you need to send a 'USR2' signal to 'xinetd' to reload the configuration so that your recent changes take effect (HUP for inetd).
kill -USR2 <xinetd pid>
or
kill -HUP <inetd pid>
or
killall -HUP inetd
Verify this by looking in the man page for your system. Some systems use inetd, some use xinetd, some use the USR2 signal, some use HUP.
Also, xinetd on your system may not support tcpwrappers.
From the xinetd FAQ:
Q. Does xinetd support libwrap (tcpwrappers)?
A. Yes. xinetd can be compiled with libwrap support by passing --with-libwrap as an option to the configure script. When xinetd is compiled with libwrap support, all services can use the /etc/hosts.allow and /etc/hosts.deny access control. xinetd can also be configured to use tcpd in the traditional inetd style. This requires the use of the NAMEINARGS flag, and the name of the real daemon be passed in as server_args. Here is an example for using telnet with tcpd:
service telnet
{
    flags       = REUSE NAMEINARGS
    protocol    = tcp
    socket_type = stream
    wait        = no
    user        = telnetd
    server      = /usr/sbin/tcpd
    server_args = /usr/sbin/in.telnetd
}
The 2nd and 3rd posts came while I was writing my first response. The tcpwrappers control is in addition to your firewall setup. If you want to block access from the outside world to any service, you can set up your firewall that way. You haven't indicated how or where the internet connection is.
If you have a cable/DSL router you may be able to use its web interface to determine which machine handles which service.
If you have one computer that has the internet connection on a separate interface, be sure that the firewall configuration blocks access to all services on the internet interface. This is most likely done in the kernel, using iptables, unless you have a very old kernel that uses ipchains. Your distribution will have a firewall configuration GUI that you can use to set up the table that gets loaded when the computer reboots.
This way, you have a multilayered defense set up. If a hacker can break through the firewall, he still needs to get through the tcpwrappers layer on each host.
Check if you have nmap installed. You can use this program to scan for open ports on your local network that you may have missed. There may be ports open for services that you don't need. Disabling these services could also slightly improve the performance of your computer, with fewer services running in the background, although that may be more true for a host that doesn't have many resources to start with (memory, or speed).
Well, I have a LAN connection to my router, but the only reason why I am wondering about this is because hosts.deny is supposed to stop services from being open to hackers, and if a hacker gets into my computer and runs the command 'apachectl start', hosts.deny is supposed to deny access to it as I have 'ALL: ALL' set. But the problem is that it's blocking everything BUT the httpd server. It doesn't really matter I guess, but I was just wondering why. Anyway, thanks for all the info guys.
Apache doesn't have support for TCP wrappers (hosts.allow/deny) by default. You need to run Apache through xinetd with tcpd (as jschiwal posted), or if you're using Apache 1.3 you can use mod_hosts_access. Not all daemons include support, so you need to be careful when relying on hosts.allow/deny for security, and check the documentation to see whether a daemon supports TCP wrappers or not.
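The lookup order the thread is asking about, as an added example that is not from the thread and not code from the tcp_wrappers library: a small Python evaluator of hosts.allow / hosts.deny rules following hosts_access(5) and hosts_options(5) (hosts.allow is searched first, then hosts.deny, the first matching line wins, and no match anywhere means access is granted). The sample files, hostnames and addresses are constructed for illustration; the "ALL: ALL: deny" line from the earlier reply is placed as the last line of hosts.allow, and a test case shows what happens when it is placed first instead. The last function is the precondition from the final reply: a daemon only consults these files at all if it is linked against libwrap, which this checks with the same heuristic as `strings BIN | grep libwrap`. IPv4 only, and the patterns listed in the docstring as unsupported are an assumption of this example, not a limit of libwrap.

```python
"""Evaluator for TCP-wrapper hosts.allow / hosts.deny rules (hosts_access(5)).
Added example, not code from the thread or from the tcp_wrappers library.
Lookup order: hosts.allow first, then hosts.deny, first matching line wins,
no match at all means access is granted.  Supports ALL, LOCAL, ".domain",
"net.prefix.", net/mask, net/prefixlen, EXCEPT and the allow/deny option of
hosts_options(5).  Not handled, by assumption: IPv6 (':' in the address would
collide with the field separator), KNOWN, UNKNOWN, PARANOID, @netgroup,
daemon@host, %-expansions and backslash continuation lines."""
import ipaddress
import re

# Constructed sample files, not copied from any real host.  The last line of
# HOSTS_ALLOW is the "ALL: ALL: deny" catch-all mentioned in the thread; since
# the first matching line wins, it must come after the lines that grant access.
HOSTS_ALLOW = """\
# daemon_list : client_list [: options]
sshd   : 192.168.1.0/255.255.255.0, 10.0.0.0/8
vsftpd : .example.com EXCEPT bad.example.com
ALL    : LOCAL
ALL    : ALL : deny
"""
HOSTS_DENY = "ALL: ALL\n"


def _tokens(field):
    """Split a daemon_list or client_list on commas and/or whitespace."""
    return re.findall(r"\S+", field.replace(",", " "))


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens, decision)]; decision is 'allow' or
    'deny' when given in the options field, else None (the file's default)."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                              # malformed line: skipped
        opts = [o.lower() for o in fields[2:]]
        decision = "deny" if "deny" in opts else "allow" if "allow" in opts else None
        rules.append((_tokens(fields[0]), _tokens(fields[1]), decision))
    return rules


def match_list(tokens, matcher):
    """'a EXCEPT b' matches when a matches and b does not; EXCEPT is
    right-associative, so split at the first one and recurse on the rest."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], matcher) and not match_list(tokens[i + 1:], matcher)
    return any(matcher(t) for t in tokens)


def client_matches(pattern, hostname, ip):
    """Match one client pattern against the peer's hostname and IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                        # any hostname without a dot
        return bool(hostname) and "." not in hostname
    if pattern.startswith("."):                   # domain suffix
        return hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):                     # dotted network prefix
        return ip.startswith(pattern)
    if "/" in pattern:                            # net/mask or net/prefixlen
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern.lower() == hostname.lower() or pattern == ip


def hosts_access(daemon, hostname, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """True when the (daemon, client) pair is granted access."""
    def matches(rule):
        return (match_list(rule[0], lambda p: p in ("ALL", daemon))
                and match_list(rule[1], lambda p: client_matches(p, hostname, ip)))

    for rule in parse_rules(allow_text):          # hosts.allow: a match means allow
        if matches(rule):
            return rule[2] != "deny"              # unless a ': deny' option overrides
    for rule in parse_rules(deny_text):           # hosts.deny: a match means deny
        if matches(rule):
            return rule[2] == "allow"             # unless a ': allow' option overrides
    return True                                   # matched nowhere: access granted


def links_libwrap_bytes(data):
    """The caveat from the final reply: a daemon consults these files only if it
    is linked against libwrap.  Its soname is a plain DT_NEEDED string in the ELF
    file, so this is the same heuristic as `strings BIN | grep libwrap`; pass the
    bytes of e.g. /usr/sbin/sshd (assumed path) read from disk."""
    return b"libwrap.so" in data


if __name__ == "__main__":
    for args in [("sshd", "ws1", "192.168.1.20"), ("sshd", "x.example.net", "203.0.113.7"),
                 ("vsftpd", "bad.example.com", "198.51.100.5"), ("httpd", "ws1", "192.168.1.20")]:
        print(args, "->", "allow" if hosts_access(*args) else "deny")
```

Note that the evaluator says "allow" for httpd from a LAN host only because the sample hosts.allow has an `ALL : LOCAL` line; on the real machine the question is moot for a stock Apache started with apachectl, because, as the reply above says, it never calls libwrap and so never reads either file.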