Re: hosts.allow & hosts.deny


Subject: Re: hosts.allow & hosts.deny
From: Philip Good (phil@redplanetx.com)
Date: Thu Jan 18 2001 - 06:36:50 MST


I would also recommend switching over to xinetd to replace inetd. It is very configurable for all of your services. Combine that with Webmin
and it is very easy and powerful.

Phil

> I didn't notice this earlier, but this format is exactly backward from
> what I am using on RedHat and YellowDog 1.2.1. I think the correct
> format is
>
> <service> : <ip>
>
> ...but maybe I don't know anything. :) For example, my hosts.allow looks
> like this
>
> ALL : 127.0.0.1,localhost,brinkman.student.princeton.edu
> ALL : brinkman2.student.princeton.edu
>
> and my hosts.deny is
>
> ALL : ALL
>
> I highly recommend making this work, and getting a very restrictive
> hosts.deny if you have a very predictable ip address and no firewall. My
> Linux box was hacked within two days of setup when I first got my edu
> connection.
>
> Bryn Hughes wrote:
> >
> > I set everything up like that, and ended up with NOBODY able to connect at
> > all; the server was refusing all connections.
> >
> > I also tried removing the trailing zero and just leaving the period, that
> > didn't work either.
> >
> > In the end, I just deleted my hosts.deny file, and that of course allowed
> > connections again. My messages log does show IP addresses being refused
> > that match up with the subnets in my hosts.allow file.
> >
> > My hosts.allow:
> >
> > 192.168.128.0 : ALL : ALLOW
> > 192.168.129.0 : ALL : ALLOW
> > 192.168.130.0 : ALL : ALLOW
> > 142.30.100.0 : ALL : ALLOW
> > 142.30.101.0 : ALL : ALLOW
> > 142.30.102.0 : ALL : ALLOW
> > 142.30.103.0 : ALL : ALLOW
> >
> > My hosts.deny:
> >
> > ALL:ALL:DENY
> >
> > on 1/16/01 6:29 AM, Philip Good at phil@redplanetx.com wrote:
> >
> > > in hosts.deny put
> > >
> > > ALL : ALL : DENY
> > >
> > > in hosts.allow put:
> > >
> > > aaa.aaa.aaa.aaa : ALL : ALLOW
> > > aaa.bbb.ccc.ddd : ALL : ALLOW
> > > xxx.xxx.xxx.0 : ALL : ALLOW
> > > .domain.com : ALL : ALLOW
> > >
> > > this will allow access by the first two IPs, all addresses that start with
> > > xxx.xxx.xxx and allow access from all hosts from the domain
> > > domain.com.
> > >
> > > Phil
> > >
> > >> I'm having some trouble setting up my hosts.allow and hosts.deny files. The
> > >> man entries explain everything more or less, except I don't know what the
> > >> wildcard entry is! For some reason my man pages are slightly messed up and
> > >> I get something like a control character instead of whatever the real
> > >> wildcard character is.
> > >>
> > >> What I want to do:
> > >>
> > >> DENY access to everyone, then
> > >> ALLOW access to just our internal IP addresses
> > >> ALLOW access to a few individual static addresses off site
> > >>
> > >> I don't need to do anything as far as limiting access to specific ports or
> > >> anything else exotic at this point as I'm not running mail/web/ftp services
> > >> on this machine for anyone other than the above mentioned addresses.
> > >>
> > >> I'm also hoping that ALLOW takes precedence over DENY? Some systems I've
> > >> worked with (notably Windows 2000) look at DENY and then ALLOW, which makes
> > >> it very difficult to create a "nobody EXCEPT XYZ" type of policy.
> > >>
> > >> Thanks,
> > >>
> > >> Bryn
> > >>
> > >>
>
> --
> William "Bo" Brinkman brinkman@cs.princeton.edu
> Princeton Computer Science http://www.derandomized.org/
> --
> Coffee should be black as hell, strong as death, sweet as love.
> -- Turkish Proverb
>
>

-- 
Philip Good
Red Planet Development, Red Canyon Software, Good Chi Tai Chi
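As an added illustration, not code from this thread or from tcp_wrappers itself: a small Python model of the hosts_access(5) matching order (first hosts.allow match grants, else first hosts.deny match denies, else grant), which shows why Bryn's files refused everyone (his daemon and client fields were swapped, so nothing in hosts.allow ever matched) and how the `daemon_list : client_list [: option]` layout from Bo's reply behaves. The sample files, hostnames, addresses and daemon names (sshd, in.telnetd) are constructed; EXCEPT, LOCAL, KNOWN and PARANOID are not modelled.

```python
import ipaddress

# Constructed sample files (not copied from the thread): Bryn's layout, with
# daemon and client fields swapped, beside the daemon_list : client_list
# [: option] layout Bo describes. EXCEPT, LOCAL, KNOWN, PARANOID are omitted.
BRYN_ALLOW = "192.168.128.0 : ALL : ALLOW\n142.30.100.0 : ALL : ALLOW\n"
BRYN_DENY = "ALL:ALL:DENY\n"
FIXED_ALLOW = ("ALL : 192.168.128., 142.30.100.0/255.255.255.0\n"
               "sshd : 127.0.0.1 .student.princeton.edu\n")
FIXED_DENY = "ALL : ALL\n"

def parse_rules(text):
    """Yield (daemon_list, client_list, option) for each non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split() if len(fields) > 1 else []
        option = fields[2].lower() if len(fields) > 2 else ""
        yield daemons, clients, option

def client_matches(pat, name, ip):
    """hosts_access(5) client patterns: ALL, .suffix, prefix., net/mask, exact."""
    p = pat.lower()
    if p == "all":
        return True
    if p.startswith("."):   # ".student.princeton.edu": hostname suffix
        return name.lower().endswith(p)
    if p.endswith("."):     # "192.168.128.": address prefix (the wildcard Bryn needed)
        return ip.startswith(p)
    if "/" in p:            # "142.30.100.0/255.255.255.0": net/mask form
        return ipaddress.ip_address(ip) in ipaddress.ip_network(p, strict=False)
    return p in (name.lower(), ip)

def hosts_access(allow_text, deny_text, daemon, name, ip):
    """Grant on the first hosts.allow match, else deny on the first hosts.deny
    match, else grant; an explicit allow/deny option overrides the file."""
    for text, verdict in ((allow_text, True), (deny_text, False)):
        for daemons, clients, option in parse_rules(text):
            if not any(d.lower() in ("all", daemon.lower()) for d in daemons):
                continue   # Bryn's "192.168.128.0" daemon field never matches
            if any(client_matches(c, name, ip) for c in clients):
                if option in ("allow", "deny"):
                    return option == "allow"
                return verdict
    return True   # no hosts.deny match (or no hosts.deny file at all): granted
```

Calling `hosts_access(BRYN_ALLOW, BRYN_DENY, "sshd", "pc7", "192.168.128.7")` returns False, while the same client against `FIXED_ALLOW`/`FIXED_DENY` returns True; with both files empty (Bryn's deleted hosts.deny) every client is granted.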



This archive was generated by hypermail 2a24 : Thu Jan 18 2001 - 13:40:16 MST