On Wed, 2008-01-30 at 09:48 +0000, Jenny Hopkins wrote:
Hullo there,
I've got ("have taken over") a hosts.allow file as below:
ftp: ALL
cvspserver: ALL
svn: ALL
sshd: ALL
telnet: ALL
ALL: <domain-we-allow>.co.uk
ALL: LOCAL
I don't understand why if the ALL keyword is called in the first half, aliases are then described in the second. Surely ALL means just that?
What I want is for the cvspserver to be ALL and the others to be restricted to LOCAL and <domain-we-allow>.co.uk. No matter what I try with wildcard *, UNKNOWN, etc, the hosts.allow will only allow anonymous cvs log in with adding ALL:ALL at the bottom, which I don't want to do obviously.
Sorry to not rtfm; I have done but it sort of went in one ear and out of the other leaving a puffy pink cloud in the middle.
According to the friendly manual, that file should permit any system access to ftp, cvspserver, svn, sshd & telnet while restricting every other service to LOCAL (no domain component when looked up in reverse DNS and/or the hosts file) and the specified domain.
Is there a matching hosts.deny file?
I think you need the following to achieve your aim:
cvspserver: ALL
ALL: LOCAL .<domain-we-allow>.co.uk
Note the leading '.' in the allowed domain, since that matters. The magic word 'ALL' is a wildcard that matches all services or hosts depending on which side of the ':' it's on; it's certainly not an alias.
HTH, Phil.
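
Added example, not part of the original messages: a simplified Python model of hosts_access(5) matching that evaluates the two hosts.allow files from this thread, so the effect of the per-service ALL lines, the leading '.', and hosts.deny can be checked. It handles only ALL, LOCAL, ".domain" and exact host names; example.co.uk stands in for the elided domain, and the "ALL: ALL" hosts.deny is an assumption, since the thread does not show one.

```python
# Simplified model of hosts_access(5): ALL, LOCAL, ".domain" and exact host
# names only. example.co.uk is a constructed stand-in for the elided domain.

def parse(text):
    """Turn 'daemons: clients' lines into (daemon_list, client_list) rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = line.split(":")
            rules.append((fields[0].replace(",", " ").split(),
                          fields[1].replace(",", " ").split()))
    return rules

def client_matches(pattern, host):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                   # host name with no dot in it
        return "." not in host
    if pattern.startswith("."):              # domain suffix, e.g. .example.co.uk
        return host.lower().endswith(pattern.lower())
    return host.lower() == pattern.lower()   # otherwise one exact host name

def first_match(rules, daemon, host):
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, host) for c in clients)
        for daemons, clients in rules)

def allowed(allow, deny, daemon, host):
    """A hosts.allow match grants; else a hosts.deny match refuses; else granted."""
    if first_match(parse(allow), daemon, host):
        return True
    return not first_match(parse(deny), daemon, host)

INHERITED = """ftp: ALL
cvspserver: ALL
svn: ALL
sshd: ALL
telnet: ALL
ALL: example.co.uk
ALL: LOCAL"""
SUGGESTED = """cvspserver: ALL
ALL: LOCAL .example.co.uk"""
DENY_ALL = "ALL: ALL"   # assumed hosts.deny; the thread does not show one
```

With an empty hosts.deny the last call in allowed() grants everything, which is why the question about a matching hosts.deny file matters.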