Quote:
Originally posted by paleogryph
Is this a correct hosts.allow setup to block access to ssh from certain IPs:
"sshd:ALL EXCEPT:xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx ENY"
Also, could this same method be used to block access to web (httpd) for certain IPs?
thanks!
|
You can configure your Apache as well. Apache doesn't come with tcpwrappers support (dunno if you can compile it in) but you can run it from inetd.
Somewhere in your Apache configuration file is a line beginning with "ServerType" followed
by "standalone". This means exactly what it says. Change the "standalone" to
"inetd". Stop Apache with "apachectl stop" if it is running (don't forget to be root).
For Configuring inetd
Add the following line to the "/etc/inetd.conf":
http stream tcp nowait root /usr/local/sbin/httpd httpd
Do a "killall -HUP inetd" as root and you're set.
Allowing IPs
You can allow / disallow IPs from connecting to the httpd. This is done with
tcp wrappers. The configuration file is "/etc/hosts.allow".
Make sure the last line in this file is "ALL : ALL : DENY". This makes sure that all
IPs which don't match any line above this one are blocked. If you forget this line or
you don't want to do this, then you have to make sure you specify 'deny' rules for
'httpd'.
Two setups:
1:
httpd : 1.1.1.1 2.2.2.2 3.3.3.3 : ALLOW
ALL : ALL : DENY
2:
httpd : 1.1.1.1 2.2.2.2 3.3.3.3 : ALLOW
httpd : ALL : DENY
Setup 1 just denies all connections (not just to httpd) except the httpd ones we
allow (this is the best setup IMHO). If you don't want to do this, make sure you
specify a 'deny' line for httpd like in setup 2.
Conclusion
I've run Apache from inetd and the protection works great. The disadvantage is that
Apache is slow and slows down more as more users connect to it. I guess this
is the price you have to pay. If someone knows the answer to this, let me know so that
I get it. It isn't the
'nowait'/'wait' option in inetd; I've read the documentation and tried them both.
This configuration is running fine on my FreeBSD machine; I don't know about Linux.
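The rule evaluation the two setups above depend on, as an added example that is not part of the original post and not tcp_wrappers' own code: a small Python model of hosts.allow matching in the "daemon_list : client_list : ALLOW|DENY" form. It assumes the documented first-match-wins order, treats "no match" as allow (hosts.deny is not modelled), understands only ALL, exact IPv4 addresses, trailing-dot network prefixes and EXCEPT, and uses the post's placeholder addresses plus hypothetical 10.0.0.x/192.168.1.x hosts. It shows why setup 1 also closes sshd while setup 2 leaves it open, and how the sshd rule from the question behaves as an allowlist when written in valid syntax.

```python
"""Toy evaluator for hosts.allow rules in the ALLOW/DENY (hosts_options) form
used in the post:   daemon_list : client_list : ALLOW|DENY

Added illustration, not libwrap. Modelled semantics: rules are tried in order
and the first match wins; no match means the connection is allowed (hosts.deny
is not consulted here); clients are plain IPv4 strings; supported patterns are
ALL, an exact address, a trailing-dot prefix such as "192.168.1." and
"list EXCEPT list".
"""
import re


def parse_rules(text):
    """Turn hosts.allow text into (daemons, clients, option) triples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        option = fields[2].upper() if len(fields) > 2 else "ALLOW"
        if option not in ("ALLOW", "DENY"):
            raise ValueError("unsupported option in rule: %r" % raw)
        rules.append((fields[0], fields[1], option))
    return rules


def _tokens(lst):
    """Split a daemon or client list on blanks and/or commas."""
    return [t for t in re.split(r"[\s,]+", lst.strip()) if t]


def _match_token(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):               # "10.0.0." matches 10.0.0.x
        return value.startswith(pattern)
    return pattern == value


def match_list(lst, value):
    """'a EXCEPT b' means in a but not in b; a second EXCEPT nests to the right."""
    tokens = _tokens(lst)
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        head, tail = " ".join(tokens[:i]), " ".join(tokens[i + 1:])
        return match_list(head, value) and not match_list(tail, value)
    return any(_match_token(t, value) for t in tokens)


def decide(hosts_allow, daemon, client):
    """Return "ALLOW" or "DENY" for a connection from client to daemon."""
    for daemons, clients, option in parse_rules(hosts_allow):
        if match_list(daemons, daemon) and match_list(clients, client):
            return option
    return "ALLOW"   # fell off the end of the file: nothing blocks it


# The two setups from the post (addresses are the post's own placeholders).
SETUP1 = """\
httpd : 1.1.1.1 2.2.2.2 3.3.3.3 : ALLOW
ALL : ALL : DENY
"""
SETUP2 = """\
httpd : 1.1.1.1 2.2.2.2 3.3.3.3 : ALLOW
httpd : ALL : DENY
"""
# The sshd rule from the question in valid syntax (hypothetical addresses).
# "ALL EXCEPT ..." with DENY is an allowlist: only the listed hosts get in.
SSHD_ALLOWLIST = "sshd : ALL EXCEPT 10.0.0.5, 10.0.0.6 : DENY\n"
# To shut out specific hosts (and one /24) but let everyone else in, the
# unwanted clients go in the client list with DENY.
SSHD_BLOCKLIST = "sshd : 10.0.0.99 192.168.1. : DENY\n"


def summary():
    """Exercise each configuration against a few constructed connections."""
    checks = [
        ("setup1", SETUP1, "httpd", "1.1.1.1"),
        ("setup1", SETUP1, "httpd", "4.4.4.4"),
        ("setup1", SETUP1, "sshd", "1.1.1.1"),    # setup 1 closes sshd too
        ("setup2", SETUP2, "httpd", "4.4.4.4"),
        ("setup2", SETUP2, "sshd", "4.4.4.4"),    # setup 2 leaves sshd open
        ("allowlist", SSHD_ALLOWLIST, "sshd", "10.0.0.5"),
        ("allowlist", SSHD_ALLOWLIST, "sshd", "10.0.0.7"),
        ("blocklist", SSHD_BLOCKLIST, "sshd", "192.168.1.44"),
        ("blocklist", SSHD_BLOCKLIST, "sshd", "192.168.10.4"),
    ]
    return {(name, daemon, client): decide(cfg, daemon, client)
            for name, cfg, daemon, client in checks}


if __name__ == "__main__":
    for (name, daemon, client), verdict in summary().items():
        print("%-9s %-5s %-14s %s" % (name, daemon, client, verdict))
```

Two practitioner caveats the model does not capture: the daemon field is matched against the daemon name inetd reports for the service, which for the inetd.conf line above is "httpd", so the name in hosts.allow has to agree with that; and real libwrap also accepts hostname patterns and a separate hosts.deny file, neither of which is needed for the two setups shown.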