LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-05-2015, 12:09 AM   #1
arfon
Member
 
Registered: Apr 2004
Distribution: Slackware
Posts: 312

Rep: Reputation: Disabled
How to 'include file' in hosts.allow or hosts.deny?


Anyone know how you can have Linux (specifically RH) read two hosts.allow (or hosts.deny) files?

My situation is that I have a room full of machines and ALL have a base set of IPs that need to be allowed and then depending on the machine, a custom set of IPs.

I'd like to have one hosts.allow file for all of the base IPs that I can maintain on the machines with puppet and a custom allow file that I can maintain manually.

What should I be Altavista-ing (since "hosts.allow include file" is giving me worthless results)?


SOLUTION: It's not possible.

Last edited by arfon; 12-05-2015 at 03:41 PM.
 
Old 12-05-2015, 01:13 AM   #2
berndbausch
LQ Addict
 
Registered: Nov 2013
Location: Tokyo
Distribution: Mostly Ubuntu and Centos
Posts: 6,316

Rep: Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002Reputation: 2002
There is a man page for hosts.allow. There is also an extension named hosts_options. Sadly, neither mentions anything about including files, so that it seems you need to implement this differently.
 
Old 12-05-2015, 04:15 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598
As berndbausch said you can't. Also note using tcp_wrappers is neither the best performing or safe way anymore and for example OpenSSH 6.7, released October 2014, already removed support for tcpwrappers/libwrap. Staying with deprecated features is easy if your distribution vendor applies a patch like this. Transitioning is easy too: just turn your allow list into its own ipset.
 
1 members found this post helpful.
Old 12-05-2015, 11:00 AM   #4
Habitual
LQ Veteran
 
Registered: Jan 2011
Location: Abingdon, VA
Distribution: Catalina
Posts: 9,374
Blog Entries: 37

Rep: Reputation: Disabled
Wildcards no good to you?
< 6.6 allows for them.
Code:
10.
10.x
10.x.x
are all valid
 
Old 12-05-2015, 03:39 PM   #5
arfon
Member
 
Registered: Apr 2004
Distribution: Slackware
Posts: 312

Original Poster
Rep: Reputation: Disabled
Yeah, I was afraid of that. Thanks.
 
Old 12-05-2015, 11:29 PM   #6
Doug G
Member
 
Registered: Jul 2013
Posts: 749

Rep: Reputation: Disabled
dnsmasq can solve this. I have 4 or 5 different hosts files, and dnsmasq is configured to include all in a specified directory. The downside is that dnsmasq is an additional service you have to run on your machine, and you may need to tweak /etc/resolv.conf
 
Old 12-06-2015, 06:09 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598Reputation: 3598
Quote:
Originally Posted by Doug G View Post
dnsmasq can solve this.
The OP is talking about /etc/hosts.{allow,deny} (as in tcp_wrappers), not /etc/hosts (part of NSS aka Name Service Switch)?
 
Old 12-06-2015, 01:08 PM   #8
Doug G
Member
 
Registered: Jul 2013
Posts: 749

Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
The OP is talking about /etc/hosts.{allow,deny} (as in tcp_wrappers), not /etc/hosts (part of NSS aka Name Service Switch)?
Oops! Thanks for the clarification.
 
Old 01-19-2018, 10:54 PM   #9
orev
LQ Newbie
 
Registered: May 2013
Posts: 10

Rep: Reputation: Disabled
Actually, at least as of RHEL 7, you can include files in hosts.allow/deny.

From the man page:
PATTERNS:
A string that begins with a `/´ character is treated as a file name. A host name or address is
matched if it matches any host name or address pattern listed in the named file.
So if you make an entry like:
Code:
    sshd: /etc/hosts.allow-sshd
You can then list hosts in the /etc/hosts.allow-sshd file, and it will be included.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
hosts.deny vs arno ip tables blocked hosts D0zer Linux - Security 2 12-07-2014 03:07 AM
Access denied for NFS - but hosts.allow and hosts.deny seem OK royce2020 Linux - Networking 4 10-17-2011 11:44 PM
can't restrict sshd access through hosts.allow and hosts.deny but was working earlier farhan Linux - Security 4 04-18-2008 08:41 AM
/etc/hosts.deny/hosts.allow have no effect on sshd access bganesh Linux - Security 4 05-04-2006 09:06 PM
Adding shell commands to hosts.deny and hosts.allow ridertech Linux - Security 3 12-29-2003 04:52 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:30 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration