Re: hosts.allow & hosts.deny


Subject: Re: hosts.allow & hosts.deny
From: Bo Brinkman (brinkman@cs.princeton.edu)
Date: Thu Jan 18 2001 - 10:46:48 MST


I didn't notice this earlier, but this format is exactly backward from
what I am using on RedHat and YellowDog 1.2.1. I think the correct
format is

<service> : <ip>

...but maybe I don't know anything. :) For example, my hosts.allow looks
like this

ALL : 127.0.0.1,localhost,brinkman.student.princeton.edu
ALL : brinkman2.student.princeton.edu

and my hosts.deny is

ALL : ALL

I highly recommend making this work, and getting a very restrictive
hosts.deny if you have a very predictable IP address and no firewall. My
Linux box was hacked within two days of setup when I first got my edu
connection.

Bryn Hughes wrote:
>
> I set everything up like that, and ended up with NOBODY able to connect at
> all; the server was refusing all connections.
>
> I also tried removing the trailing zero and just leaving the period; that
> didn't work either.
>
> In the end, I just deleted my hosts.deny file, and that of course allowed
> connections again. My messages log does show IP addresses being refused
> that match up with the subnets in my hosts.allow file.
>
> My hosts.allow:
>
> 192.168.128.0 : ALL : ALLOW
> 192.168.129.0 : ALL : ALLOW
> 192.168.130.0 : ALL : ALLOW
> 142.30.100.0 : ALL : ALLOW
> 142.30.101.0 : ALL : ALLOW
> 142.30.102.0 : ALL : ALLOW
> 142.30.103.0 : ALL : ALLOW
>
> My hosts.deny:
>
> ALL:ALL:DENY
>
> on 1/16/01 6:29 AM, Philip Good at phil@redplanetx.com wrote:
>
> > in hosts.deny put
> >
> > ALL : ALL : DENY
> >
> > in hosts.allow put:
> >
> > aaa.aaa.aaa.aaa : ALL : ALLOW
> > aaa.bbb.ccc.ddd : ALL : ALLOW
> > xxx.xxx.xxx.0 : ALL : ALLOW
> > .domain.com : ALL : ALLOW
> >
> > This will allow access by the first two IPs and by all addresses that start
> > with xxx.xxx.xxx, and allow access from all hosts in the domain
> > domain.com.
> >
> > Phil
> >
> >> I'm having some trouble setting up my hosts.allow and hosts.deny files. The
> >> man entries explain everything more or less, except I don't know what the
> >> wildcard entry is! For some reason my man pages are slightly messed up and
> >> I get something like a control character instead of whatever the real
> >> wildcard character is.
> >>
> >> What I want to do:
> >>
> >> DENY access to everyone, then
> >> ALLOW access to just our internal IP addresses
> >> ALLOW access to a few individual static addresses off site
> >>
> >> I don't need to do anything as far as limiting access to specific ports or
> >> anything else exotic at this point, as I'm not running mail/web/ftp services
> >> on this machine for anyone other than the above-mentioned addresses.
> >>
> >> I'm also hoping that ALLOW takes precedence over DENY? Some systems I've
> >> worked with (notably Windows 2000) look at DENY and then ALLOW, which makes
> >> it very difficult to create a "nobody EXCEPT XYZ" type of policy.
> >>
> >> Thanks,
> >>
> >> Bryn
> >>
> >>

-- 
William "Bo" Brinkman                         brinkman@cs.princeton.edu
Princeton Computer Science                 http://www.derandomized.org/
-- 
 Coffee should be black as hell, strong as death, sweet as love.
	-- Turkish Proverb



This archive was generated by hypermail 2a24 : Thu Jan 18 2001 - 10:43:47 MST
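As an added illustration (not part of the thread above), a simplified Python re-implementation of the hosts_access(5) matching order, used to check which of the two hosts.allow layouts in the thread actually admits the internal subnets when hosts.deny is `ALL : ALL`. It assumes the tcpd rules: hosts.allow is searched first, then hosts.deny, the first matching line wins, and no match in either file means access is granted; the net/mask and EXCEPT forms are omitted, and the daemon name, host names and addresses are constructed.

```python
import re

# Simplified re-implementation of tcp_wrappers hosts_access(5) matching.
# Assumption: real tcpd also handles net/mask and EXCEPT forms, omitted here.

def parse_rules(text):
    """Parse 'daemon_list : client_list [: allow|deny]' lines of a hosts.allow/deny file."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = re.split(r"[,\s]+", fields[0])
        clients = re.split(r"[,\s]+", fields[1])
        option = fields[2].lower() if len(fields) > 2 else None   # hosts_options(5) allow/deny
        rules.append((daemons, clients, option))
    return rules

def client_matches(pattern, host, ip):
    """Client patterns: ALL, LOCAL, '.domain' suffix, 'net.' prefix, or an exact host/IP."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                            # hostnames without a dot
        return "." not in host
    if pattern.startswith("."):                       # .domain.com matches hostnames ending with it
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                         # 192.168.128. matches addresses starting with it
        return ip.startswith(pattern)
    return pattern.lower() == host.lower() or pattern == ip

def hosts_access(allow_text, deny_text, daemon, host, ip):
    """tcpd order: hosts.allow first, then hosts.deny; first match wins; no match means allow."""
    for default, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, option in parse_rules(text):
            if any(d in ("ALL", daemon) for d in daemons) and \
               any(client_matches(c, host, ip) for c in clients):
                return option if option in ("allow", "deny") else default
    return "allow"

# Constructed files: the thread's layout (client network in the daemon field) and the
# daemon : client layout with trailing-dot network prefixes.
BROKEN_ALLOW = "192.168.128.0 : ALL : ALLOW\n142.30.100.0 : ALL : ALLOW\n"
FIXED_ALLOW = "ALL : 192.168.128., 142.30.100., .example.net\n"
DENY = "ALL : ALL : DENY\n"

if __name__ == "__main__":
    for allow in (BROKEN_ALLOW, FIXED_ALLOW):
        print(hosts_access(allow, DENY, "sshd", "pc1.corp.example", "192.168.128.10"))
```

With the thread's layout every connection falls through to the deny line, which is the "NOBODY able to connect" symptom; with the daemon : client layout the listed subnets are admitted and everything else is still refused.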