LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-09-2006, 07:36 AM   #1
xpucto
Member
 
Registered: Sep 2005
Location: Vienna, Austria
Distribution: Mint 13
Posts: 524

Rep: Reputation: 31
hosts.deny doesn't seem to work


Hi!
I filled my hosts.deny with a few IP addresses in this form:

xxx.xxx.xx.xx
yyy.yyy.yy.yy
zzz.zzz.zz.

To test it I put in the IP of one of my computers. Then I tried to connect via SSH from this computer... and I could log in!
Then I tried to write it like this:
sshd:xxx.xxx.xx.xx

and it worked.
Is there a way to ban those IPs for all services (and all ports)?

 
Old 11-09-2006, 08:00 AM   #2
fordeck
Member
 
Registered: Oct 2006
Location: Utah
Posts: 520

Rep: Reputation: 61
It is important to realize that the allow table is scanned before the deny table, that the search terminates when a match is found, and that access is granted when no match is found at all.

Could you post the actual contents of both your hosts.allow and hosts.deny. I might then be able to help you.
 
Old 11-09-2006, 08:21 AM   #3
fordeck
Member
 
Registered: Oct 2006
Location: Utah
Posts: 520

Rep: Reputation: 61
In your hosts.deny you could try this:

Code:
ALL: xxx.xxx.xx.xx, yyy.yyy.yy.yy, zzz.zzz.zz.
However if your hosts.allow file has:

Code:
ALL:ALL
because it gets scanned first, it will allow these IPs: xxx.xxx.xx.xx, yyy.yyy.yy.yy, zzz.zzz.zz.
 
Old 11-09-2006, 03:39 PM   #4
xpucto
Member
 
Registered: Sep 2005
Location: Vienna, Austria
Distribution: Mint 13
Posts: 524

Original Poster
Rep: Reputation: 31
Quote:
Originally Posted by fordeck
In your hosts.deny you could try this:

Code:
ALL: xxx.xxx.xx.xx, yyy.yyy.yy.yy, zzz.zzz.zz.
However if your hosts.allow file has:

Code:
ALL:ALL
because it gets scanned first, it will allow these IPs: xxx.xxx.xx.xx, yyy.yyy.yy.yy, zzz.zzz.zz.
I don't get it: if hosts.allow has
Code:
ALL:ALL
then hosts.deny won't be read, will it?
Right now my hosts.allow is empty. I don't want to say who is allowed but rather who is not, by banning some IPs.
 
Old 11-13-2006, 08:09 AM   #5
xpucto
Member
 
Registered: Sep 2005
Location: Vienna, Austria
Distribution: Mint 13
Posts: 524

Original Poster
Rep: Reputation: 31
I finally did so:
hosts.allow
Quote:
ALL:xxxx.xxx.xxx.xx.xx,yyy.yyy.yy.
hosts.deny
Quote:
ALL:ALL
Now nobody can log in through SSH except xxxx.xxx.xxx.xx.xx,yyy.yyy.yy.
What I do not understand is that in hosts.deny I banned all services (that includes httpd, doesn't it?) and still anyone can have a look at my website. Well, that is fine, but I don't understand why, since I forbid all services. Or is httpd not included?
Where can I get a list of all services?
 
Old 11-13-2006, 09:00 AM   #6
fordeck
Member
 
Registered: Oct 2006
Location: Utah
Posts: 520

Rep: Reputation: 61
By denying all services in hosts.deny, this means that you have to explicitly allow the services and hosts in hosts.allow.

So if a request for ftp came in and there was no entry in hosts.allow it then would look at hosts.deny and see that there are no exceptions, thus denying the request for ftp. I hope that this all makes sense, and if this is not what you are after, let me know and I'll try to help.

Regards,

fordeck
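The allow-before-deny ordering fordeck describes in posts #2, #3 and #6, as an added example that is not code from the thread: a simplified Python model of the tcpd decision rule. It assumes IPv4 client addresses only and covers the ALL wildcard, exact addresses and the trailing-dot prefix form used above; a line with no ':' separator (the bare IP list from post #1) is treated as having no daemon list and is skipped, so it never matches.

```python
"""Simplified model of the tcpd (hosts_access(5)) access decision.

Added example, not code from the thread. IPv4 client addresses only, with
the ALL wildcard, exact addresses and the trailing-dot prefix form
("10.0.1." matches 10.0.1.x); hostnames, net/mask, EXCEPT and options
are left out.
"""


def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)] from one access file.

    A line without ':' (post #1's bare IP list) has no daemon list and is
    skipped: it can never match anything.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments/blanks
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]        # "sshd: 10.0.0.5"
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                         # "zzz.zzz.zz." prefix form
        return addr.startswith(pattern)
    return addr == pattern


def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, addr) for c in clients))


def access_allowed(allow_text, deny_text, daemon, addr):
    """hosts.allow is scanned first, then hosts.deny; no match means allow."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, addr):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, addr):
            return False
    return True
```

Feeding it post #5's files (hosts.allow "ALL:xxx,yyy." and hosts.deny "ALL:ALL") shows only the listed addresses getting through, while "ALL:ALL" in hosts.allow lets everything through no matter what hosts.deny says.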
 
Old 11-13-2006, 06:04 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by xpucto
What I do not understand is that in hosts.deny I banned all services (that includes httpd, doesn't it?) and still anyone can have a look at my website. Well, that is fine, but I don't understand why, since I forbid all services. Or is httpd not included?
Where can I get a list of all services?
Not all services have support for tcpwrappers (hosts.allow/deny), so you have to be careful when using it for access control. Usually the default Apache configuration does not use tcpwrappers, so using hosts.deny is useless for filtering traffic to your webserver. You can get Apache to use tcpwrappers, but it's a better idea to just use iptables instead (you pay a performance penalty using tcpwrappers). Usually you can determine if a given binary has support for tcpwrappers if you see libwrap appear in the output of 'ldd /path/to/binary'.

 
Old 11-15-2006, 04:44 AM   #8
xpucto
Member
 
Registered: Sep 2005
Location: Vienna, Austria
Distribution: Mint 13
Posts: 524

Original Poster
Rep: Reputation: 31
Ok thanks for the help.
Iptables is configured (for all services, including http) and I used hosts.allow and hosts.deny to restrict ssh to some IPs.
I checked with ldd. libwrap does indeed appear with sshd, but it doesn't with ftpd, for example.
 
Old 11-15-2006, 07:44 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I left out a category. You can also configure services to run through xinetd and consult hosts.deny/allow, but again you pay a performance hit, so running a high traffic service through xinetd is a bad idea. Often services like ftp will be configured to run that way, in which case they would not have libwrap appear in the output of ldd. Xinetd services will usually appear in /etc/xinetd.conf or in /etc/xinetd.d/
 
Old 11-20-2006, 03:33 PM   #10
Vasek
LQ Newbie
 
Registered: Nov 2006
Location: Prague, Czech Republic
Distribution: Fedora
Posts: 4

Rep: Reputation: 0
Hello!
If I really wanted my Apache to be run through tcpwrappers or xinetd (performance is insignificant for me), is there any easy way to configure it so?
 
Old 11-20-2006, 07:03 PM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally Posted by Vasek
Hello!
If I really wanted my Apache to be run through tcpwrappers or xinetd (performance is insignificant for me), is there any easy way to configure it so?
If you are using Apache 1.3 then it's easy, simply change the ServerType directive from 'StandAlone' to 'Inetd'. In version 2.0 it's harder because the ServerType directive was dropped. There is an Apache module called mod_hosts_access that works with 2.0 but I'm not sure how well maintained it is, so it may not function with more recent Apache builds. FWIW, my understanding is that the inetd support was dropped in favor of using Apache's built-in access control. Things like htaccess and mod_rewrite are way more powerful and flexible once you sit down and figure out how they work.
 