11-09-2006, 07:36 AM #1
Member
Registered: Sep 2005
Location: Vienna, Austria
Distribution: Mint 13
Posts: 524
hosts.deny doesn't seem to work
Hi!
I filled my hosts.deny with a few IP addresses in this form:
xxx.xxx.xx.xx
yyy.yyy.yy.yy
zzz.zzz.zz.
To test it I put in the IP of one of my computers. Then I tried to connect myself via SSH from this computer... and I could log in!
Then I tried to write it like this:
sshd:xxx.xxx.xx.xx
and it worked.
Is there a way to ban those IPs for all services (and all ports)?
Last edited by xpucto; 11-09-2006 at 07:40 AM.
11-09-2006, 08:00 AM #2
Member
Registered: Oct 2006
Location: Utah
Posts: 520
It is important to realize that the allow table is scanned before the deny table, that the search terminates when a match is found, and that access is granted when no match is found at all.
Could you post the actual contents of both your hosts.allow and hosts.deny? I might then be able to help you.
11-09-2006, 08:21 AM #3
Member
Registered: Oct 2006
Location: Utah
Posts: 520
In your hosts.deny you could try this:
Code:
ALL: xxx.xxx.xx.xx, yyy.yyy.yy.yy, zzz.zzz.zz.
However, if your hosts.allow file has:
because it gets scanned first, it will allow these IPs: xxx.xxx.xx.xx, yyy.yyy.yy.yy, zzz.zzz.zz.
11-09-2006, 03:39 PM #4
Member
Registered: Sep 2005
Location: Vienna, Austria
Distribution: Mint 13
Posts: 524
Original Poster
Quote: Originally Posted by fordeck
    In your hosts.deny you could try this:
    Code:
    ALL: xxx.xxx.xx.xx, yyy.yyy.yy.yy, zzz.zzz.zz.
    However, if your hosts.allow file has:
    because it gets scanned first, it will allow these IPs: xxx.xxx.xx.xx, yyy.yyy.yy.yy, zzz.zzz.zz.
I don't get it: if hosts.allow has then hosts.deny won't be read, will it?
Right now my hosts.allow is empty. I don't want to say who is allowed but rather who is not, by banning some IPs.
11-13-2006, 08:09 AM #5
Member
Registered: Sep 2005
Location: Vienna, Austria
Distribution: Mint 13
Posts: 524
Original Poster
I finally did this:
hosts.allow
Quote:
    ALL:xxxx.xxx.xxx.xx.xx,yyy.yyy.yy.
hosts.deny
Now nobody can log in through SSH, only xxxx.xxx.xxx.xx.xx,yyy.yyy.yy.
What I do not understand is that in hosts.deny I banned all services (that includes httpd, doesn't it?) and still anyone can have a look at my website. Well, that's good, but I don't understand why, since I forbid all services; or is httpd not included?
Where can I get a list of all services?
11-13-2006, 09:00 AM #6
Member
Registered: Oct 2006
Location: Utah
Posts: 520
By denying all services in hosts.deny, this means that you have to explicitly allow the services and hosts in hosts.allow.
So if a request for ftp came in and there was no entry in hosts.allow it then would look at hosts.deny and see that there are no exceptions, thus denying the request for ftp. I hope that this all makes sense, and if this is not what you are after, let me know and I'll try to help.
Regards,
fordeck
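The allow-then-deny evaluation that posts #2, #3 and #6 describe, as an added Python model of how tcpd/libwrap reads hosts.allow and hosts.deny (this is not code from the thread or from tcpwrappers itself). It assumes the daemon name is the process name tcpd sees (e.g. `sshd`), all sample addresses are constructed, and the EXCEPT operator and shell-command field are left out.

```python
# Added example: a small model of the tcpd/libwrap decision for one (daemon, client)
# request. Only daemons that actually consult libwrap (e.g. sshd) go through this.
from typing import List, Tuple

Rule = Tuple[List[str], List[str]]  # (daemon_list, client_list)


def _fields(text: str) -> List[str]:
    """Split a comma- or space-separated list into its tokens."""
    return text.replace(",", " ").split()


def parse_rules(config: str) -> List[Rule]:
    """Parse 'daemon_list : client_list' lines; blank lines and '#' comments are
    skipped. A line with no ':' (e.g. a bare IP address) is a syntax error that
    tcpd warns about ('missing ":" separator') and ignores, which is why a deny
    file containing only bare addresses never blocks anything."""
    rules: List[Rule] = []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]  # a third field would be a shell command
        rules.append((_fields(daemons), _fields(clients)))
    return rules


def _match(pattern: str, value: str) -> bool:
    """ALL matches anything; a pattern ending in '.' (e.g. '192.168.1.') is a
    network prefix; anything else must match exactly (daemon name or address)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return value.startswith(pattern)
    return pattern == value


def _rule_matches(rule: Rule, daemon: str, client: str) -> bool:
    daemons, clients = rule
    return any(_match(d, daemon) for d in daemons) and any(_match(c, client) for c in clients)


def access_granted(hosts_allow: str, hosts_deny: str, daemon: str, client: str) -> bool:
    """hosts.allow is scanned first, then hosts.deny; the first match decides,
    and no match in either file means access is granted."""
    for rule in parse_rules(hosts_allow):
        if _rule_matches(rule, daemon, client):
            return True
    for rule in parse_rules(hosts_deny):
        if _rule_matches(rule, daemon, client):
            return False
    return True


# Constructed sample files mirroring the thread's final setup (addresses are made up).
HOSTS_ALLOW = "ALL: 10.0.0.5, 192.168.1.\n"
HOSTS_DENY = "ALL: ALL\n"
BROKEN_DENY = "10.0.0.5\n192.168.1.\n"  # the first attempt: bare addresses, no daemon list

if __name__ == "__main__":
    print(access_granted(HOSTS_ALLOW, HOSTS_DENY, "sshd", "10.0.0.5"))      # True
    print(access_granted(HOSTS_ALLOW, HOSTS_DENY, "sshd", "203.0.113.9"))   # False
    print(access_granted("", BROKEN_DENY, "sshd", "10.0.0.5"))             # True: rule ignored
```

An allow file containing `ALL: ALL` makes the deny file unreachable, which is the situation post #3 warns about.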
11-13-2006, 06:04 PM #7
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote: Originally Posted by xpucto
    What I do not understand is that in hosts.deny I banned all services (that includes httpd, doesn't it?) and still anyone can have a look at my website. Well, that's good, but I don't understand why, since I forbid all services; or is httpd not included?
    Where can I get a list of all services?
Not all services have support for tcpwrappers (hosts.allow/deny), so you have to be careful when using it for access control. Usually the default Apache configuration does not use tcpwrappers, so using hosts.deny is useless for filtering traffic to your webserver. You can get Apache to use tcpwrappers, but it's a better idea to just use iptables instead (you pay a performance penalty using tcpwrappers). Usually you can determine if a given binary has support for tcpwrappers if you see libwrap appear in the output of 'ldd /path/to/binary'.
Last edited by Capt_Caveman; 11-13-2006 at 06:05 PM.
11-15-2006, 04:44 AM #8
Member
Registered: Sep 2005
Location: Vienna, Austria
Distribution: Mint 13
Posts: 524
Original Poster
Ok thanks for the help.
iptables is configured (for all services, including http) and I used hosts.allow and hosts.deny to restrict SSH to some IPs.
I checked with ldd. libwrap does indeed appear with sshd, but it doesn't with ftpd, for example.
11-15-2006, 07:44 PM #9
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
I left out a category. You can also configure services to run through xinetd and consult hosts.deny/allow, but again you pay a performance hit, so running a high-traffic service through xinetd is a bad idea. Often services like ftp will be configured to run that way, in which case they would not have libwrap appear in the output of ldd. xinetd services will usually appear in /etc/xinetd.conf or in /etc/xinetd.d/
11-20-2006, 03:33 PM #10
LQ Newbie
Registered: Nov 2006
Location: Prague, Czech Republic
Distribution: Fedora
Posts: 4
Hello!
If I really wanted my Apache to be run through tcpwrappers or xinetd (performance is insignificant for me), is there any easy way to configure it so?
11-20-2006, 07:03 PM #11
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Quote: Originally Posted by Vasek
    Hello!
    If I really wanted my Apache to be run through tcpwrappers or xinetd (performance is insignificant for me), is there any easy way to configure it so?
If you are using Apache 1.3 then it's easy: simply change the ServerType directive from 'StandAlone' to 'Inetd'. In version 2.0 it's harder because the ServerType directive was dropped. There is an Apache module called mod_hosts_access that works with 2.0, but I'm not sure how well maintained it is, so it may not function with more recent Apache builds. FWIW, my understanding is that the inetd support was dropped in favor of using Apache's built-in access control. Things like htaccess and mod_rewrite are way more powerful and flexible once you sit down and figure out how they work.