Hi y’all!
Could someone enlighten me about hosts.allow & hosts.deny please?
I was reading up on linux networking, and it said I should consider the contents of these files. So networking aside, I've read up a bit and am a lot confused.
As far as I can find, 1) if there's a match in hosts.allow an address is allowed to contact the machine. 2) if no match in 1), then if there's a match in hosts.deny, then the address is not allowed to contact the machine 3) if no match in 1 or 2, then the address is allowed to contact the machine.
Is this right so far?
If so, what's typically in hosts.deny? I ask because I've obviously edited this in the past - I have a vague recollection of doing it because I couldn't get anything working and I just stripped it all out - I know - a very very bad idea.
All I've got in there is:
ALL:
ALL: ::1
As far as I can figure out, the first line, ALL: would do nothing. ALL: ::1 I think would block all IPv6 addresses from contacting.
Is my interpretation of the above right?
What's typically in the hosts.deny for a server? If it's set up to block by default, then what should I enable? Is it sufficient to use netstat to work out what's listening for a conversation and just allow these things if I think they should be allowed. If so what's the correct use of netstat to find out?
If I have things running as cron jobs rather than as a daemon to check things, do I have to specifically allow these to contact the outside world, or is hosts.allow/deny just for daemons?
Lastly, does this work like a firewall? As I have firewall already set up, is it a good idea to spend time on hosts.allow/deny as well?
Any advice appreciated muchly! Steve
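The hosts.allow / hosts.deny evaluation order asked about above, as an added toy model (not code from this thread or from libwrap itself). It assumes that a bare address pattern such as ::1 matches exactly that one address, and it runs the same order over both the two-line hosts.deny quoted in the question and a constructed default-deny pair of files:

```python
"""Toy model of the hosts_access(5) decision order used by tcp_wrappers.
Added illustration, not libwrap's code: it handles daemon lists (ALL or a
name) and client lists of ALL, exact IPv4/IPv6 addresses or "addr/prefixlen"
networks. Hostnames, netgroups, EXCEPT and PARANOID are not modelled; an
empty or missing file simply matches nothing."""
import ipaddress

def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        daemons, _, clients = line.partition(":")  # first colon only, so ::1 survives
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def _client_matches(pattern, client):
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(client)
    try:
        if "/" in pattern:
            return addr in ipaddress.ip_network(pattern, strict=False)
        return addr == ipaddress.ip_address(pattern)  # assumed: bare address = exact match
    except ValueError:
        return False  # hostname/netgroup patterns are not modelled

def _rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(_client_matches(p, client) for p in clients))

def hosts_access(allow_text, deny_text, daemon, client):
    """'allow' if hosts.allow matches, else 'deny' if hosts.deny matches,
    else 'allow' (the default when neither file has a matching rule)."""
    if any(_rule_matches(r, daemon, client) for r in parse_rules(allow_text)):
        return "allow"
    if any(_rule_matches(r, daemon, client) for r in parse_rules(deny_text)):
        return "deny"
    return "allow"

# Constructed sample files. STEVE_DENY is the two-line hosts.deny quoted in the
# thread ("ALL:" has an empty client list, so it matches nothing); the
# DEFAULT_DENY_* pair is the usual "deny everything, allow what you need" shape.
STEVE_ALLOW, STEVE_DENY = "", "ALL:\nALL: ::1\n"
DEFAULT_DENY_ALLOW = "sshd: 192.0.2.0/24\nALL: 127.0.0.1\n"
DEFAULT_DENY_DENY = "ALL: ALL\n"
```

With the thread's hosts.deny only a connection from ::1 itself is refused; with the default-deny pair, a daemon or client not named in hosts.allow is refused by the ALL: ALL line.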
On 04 Sep 16:54, steve-ALUG@hst.me.uk wrote:
> On 15/08/15 15:25, steve-ALUG@hst.me.uk wrote:
>> Hi y’all!
>> Could someone enlighten me about hosts.allow & hosts.deny please?
> If no one can give me a clue re this, could someone give me an idea of the sensible default contents of these files please?
Basically, they're both tedious and boring and you're better off denying things via iptables, really.
standard debian content follows...
brettp@miranda:~$ cat /etc/hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5), hosts_options(5)
#                   and /usr/doc/netbase/portmapper.txt.gz
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8), rpc.mountd(8) and
# /usr/share/doc/portmap/portmapper.txt.gz for further information.
#
brettp@miranda:~$ cat /etc/hosts.deny
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5), hosts_options(5)
#                  and /usr/doc/netbase/portmapper.txt.gz
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/portmap/portmapper.txt.gz for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
On 04/09/15 17:13, Brett Parker wrote:
> On 04 Sep 16:54, steve-ALUG@hst.me.uk wrote:
>> On 15/08/15 15:25, steve-ALUG@hst.me.uk wrote:
>>> Hi y’all!
>>> Could someone enlighten me about hosts.allow & hosts.deny please?
>> If no one can give me a clue re this, could someone give me an idea of the sensible default contents of these files please?
> Basically, they're both tedious and boring and you're better off denying things via iptables, really.
> standard debian content follows...
Cheers! :-)
Steve
On 04/09/15 17:13, Brett Parker wrote:
> On 04 Sep 16:54, steve-ALUG@hst.me.uk wrote:
>> On 15/08/15 15:25, steve-ALUG@hst.me.uk wrote:
>>> Hi y’all!
>>> Could someone enlighten me about hosts.allow & hosts.deny please?
>> If no one can give me a clue re this, could someone give me an idea of the sensible default contents of these files please?
> Basically, they're both tedious and boring and you're better off denying things via iptables, really.
I agree and I never modify them from the distro default.
On the odd machine where I don't have iptables installed, I use the routing table to temporarily ban an IP address:
sudo /sbin/route add -net <ip address/subnetmask> reject
sudo /sbin/route add -host <ip address> reject
Cheers, Laurie.