[SOLVED] How to 'include file' in hosts.allow or hosts.deny?
How to 'include file' in hosts.allow or hosts.deny?
Anyone know how you can have Linux (specifically RH) read two hosts.allow (or hosts.deny) files?
My situation is that I have a room full of machines and ALL have a base set of IPs that need to be allowed and then depending on the machine, a custom set of IPs.
I'd like to have one hosts.allow file for all of the base IPs that I can maintain on the machines with puppet and a custom allow file that I can maintain manually.
What should I be Altavista-ing (since "hosts.allow include file" is giving me worthless results)?
There is a man page for hosts.allow. There is also an extension named hosts_options. Sadly, neither mentions anything about including files, so that it seems you need to implement this differently.
As berndbausch said, you can't. Also note that using tcp_wrappers is neither the best-performing nor a safe way anymore, and for example OpenSSH 6.7, released October 2014, already removed support for tcpwrappers/libwrap. Staying with deprecated features is easy if your distribution vendor applies a patch like this. Transitioning is easy too: just turn your allow list into its own ipset.
dnsmasq can solve this. I have 4 or 5 different hosts files, and dnsmasq is configured to include all in a specified directory. The downside is that dnsmasq is an additional service you have to run on your machine, and you may need to tweak /etc/resolv.conf.
Actually, at least as of RHEL 7, you can include files in hosts.allow/deny.
From the man page:
PATTERNS:
A string that begins with a `/´ character is treated as a file name. A host name or address is
matched if it matches any host name or address pattern listed in the named file.
So if you make an entry like:
Code:
sshd: /etc/hosts.allow-sshd
You can then list hosts in the /etc/hosts.allow-sshd file, and it will be included.
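An added example, not code from the thread or from tcp_wrappers: a small audit helper for the split layout the last answer describes (one Puppet-managed file plus one hand-edited file named in the same client list). It expands `/file` patterns and checks a client address against the result. File names and addresses are constructed; only a subset of pattern kinds is handled, and hosts.deny and nested file names are ignored.

```python
import ipaddress
import os
import tempfile

def expand(clients):
    """Swap each /path pattern for the whitespace-separated tokens in that file."""
    patterns, missing = [], []
    for tok in clients:
        if not tok.startswith("/"):
            patterns.append(tok)
        elif os.path.isfile(tok):
            with open(tok) as fh:
                patterns += [t for t in fh.read().split() if not t.startswith("/")]
        else:
            missing.append(tok)  # this sketch reports absent files to the caller
    return patterns, missing

def matches(pattern, ip):
    """Subset of hosts_access patterns: ALL, '10.1.' prefix, net/mask, exact IP."""
    if pattern == "ALL" or (pattern.endswith(".") and ip.startswith(pattern)):
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # host names and other pattern kinds are out of scope here

def allowed(hosts_allow_text, daemon, ip):
    """Return (matched_in_hosts_allow, missing_files) for one daemon and client."""
    missing = []
    for line in hosts_allow_text.splitlines():
        if line.lstrip().startswith("#") or ":" not in line:
            continue
        daemons, clients = (f.replace(",", " ").split() for f in line.split(":")[:2])
        if daemon in daemons or "ALL" in daemons:
            patterns, miss = expand(clients)
            missing += miss
            if any(matches(p, ip) for p in patterns):
                return True, missing
    return False, missing

def demo():
    """Constructed sample: a base list, a custom list, and one file that is absent."""
    d = tempfile.mkdtemp()
    base, custom, absent = (os.path.join(d, n) for n in ("base", "custom", "absent"))
    for path, body in ((base, "192.0.2.10 198.51.100.\n"), (custom, "203.0.113.0/255.255.255.0\n")):
        with open(path, "w") as fh:
            fh.write(body)
    rules = f"sshd: {base} {custom} {absent}\n"
    return [allowed(rules, "sshd", ip)[0] for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.11")]
```

Running the check after each Puppet run catches an include file that was renamed or never deployed, since its path comes back in the second return value.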