[979] in linux-net channel archive
Re: /etc/hosts.deny
daemon@ATHENA.MIT.EDU (Alex Bligh)
Thu Aug 24 02:20:07 1995
From: Alex Bligh <alex@cconcepts.co.uk>
To: andrew@cludge.colloquium.co.uk (Andrew Crawford)
Date: Wed, 23 Aug 1995 16:17:30 +0100 (BST)
Cc: linux-net@vger.rutgers.edu
In-Reply-To: <Pine.LNX.3.91.950822211409.200A-100000@cludge> from "Andrew Crawford" at Aug 22, 95 09:16:56 pm
>
>
> I'm trying to block access to all ports from a particular host. Putting
> the hostname in /etc/hosts.deny doesn't seem to have any effect - even
> after a reboot. Any idea why, or what I'm doing wrong?
>
1. tcpwrapper only affects services launched by inetd, i.e. not sendmail
etc. If you are really paranoid you might consider using firewalling.
2. Make sure inetd.conf launches tcpwrapper. Best way to check this works
is to strace -fp inetd while telnetting to your own IP number from another
VT.
3. You might have a name lookup problem - try the IP number.
4. Your deny file should look like
ALL : an.unwanted.host.net
not just the hostname (but I guess you knew that)
5. Make sure you haven't got ALL:ALL in hosts.allow as well - this takes
precedence.
6. A more secure way to do things is put ALL:ALL in hosts.deny and specifically
allow the services that are OK, even if you have lines like
wu.ftpd:ALL
&
ALL:a.trusted.host.net
otherwise you run the risk of leaving services you had forgotten you had
open to the whole internet.
Hope that helps
Alex
----------------------------+-------------+-----------------------------
Alex Bligh : ,-----. :
Computer Concepts Ltd. : : : alex@cconcepts.co.uk
Gaddesden Place : : ,-----. :
Hemel Hempstead : `-+---` ` : Tel. +44 1442-351000
Herts. UK HP2 6EX : | , : Fax. +44 1442-351010
: `-----` :
----------------------------+-------------+-----------------------------
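Added illustration, not part of the original mail or of the tcp_wrappers source: the script below models the access decision order that points 5 and 6 of the reply depend on. tcpd first scans hosts.allow and grants access on the first match, then scans hosts.deny and refuses on the first match, and grants access if neither file matches. The pattern matcher here is deliberately reduced to ALL, exact names, leading-dot domain suffixes and trailing-dot address prefixes (the real library also resolves hostnames and addresses, understands net/mask and EXCEPT, and runs shell commands); the file contents and daemon names in the scenarios are constructed for the example.

```python
"""Simplified model of tcpd's hosts.allow / hosts.deny evaluation order.

This is illustrative code written for this archive page; it is not the
tcp_wrappers implementation and only supports a subset of its pattern syntax.
"""
from typing import Dict, List, Tuple

Rule = Tuple[List[str], List[str]]  # (daemon patterns, client patterns)


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list' lines; '#' starts a comment."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"malformed access rule: {raw!r}")
        daemons = [d.strip() for d in fields[0].split(",") if d.strip()]
        clients = [c.strip() for c in fields[1].split(",") if c.strip()]
        rules.append((daemons, clients))
    return rules


def match_pattern(pattern: str, value: str) -> bool:
    """Reduced tcpd pattern semantics (assumption: no net/mask, no EXCEPT)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # '.trusted.net' matches any host in that domain
        return value.endswith(pattern)
    if pattern.endswith("."):        # '192.168.1.' matches that address prefix
        return value.startswith(pattern)
    return pattern == value


def rule_matches(rule: Rule, daemon: str, client: str) -> bool:
    daemons, clients = rule
    return any(match_pattern(d, daemon) for d in daemons) and any(
        match_pattern(c, client) for c in clients
    )


def access_decision(hosts_allow: str, hosts_deny: str, daemon: str, client: str) -> str:
    """Return 'allow' or 'deny' following tcpd's documented order.

    1. first match in hosts.allow  -> allow
    2. first match in hosts.deny   -> deny
    3. no match anywhere           -> allow (this is why deny-by-default matters)
    """
    for rule in parse_rules(hosts_allow):
        if rule_matches(rule, daemon, client):
            return "allow"
    for rule in parse_rules(hosts_deny):
        if rule_matches(rule, daemon, client):
            return "deny"
    return "allow"


# Constructed configurations for the two situations described in the mail.
# Point 5: an ALL:ALL in hosts.allow makes every hosts.deny entry unreachable.
ALLOW_EVERYTHING = "ALL : ALL\n"
DENY_ONE_HOST = "ALL : an.unwanted.host.net\n"

# Point 6: deny by default, then explicitly open what is meant to be open.
DEFAULT_DENY = "ALL : ALL\n"
EXPLICIT_ALLOW = (
    "# only the ftp server is public; everything else needs a trusted client\n"
    "wu.ftpd : ALL\n"
    "ALL : a.trusted.host.net, .trusted.example\n"
)


def scenarios() -> Dict[str, str]:
    """Evaluate the constructed configurations for a few (daemon, client) pairs."""
    return {
        # the deny line exists but is shadowed by ALL:ALL in hosts.allow
        "shadowed_deny": access_decision(
            ALLOW_EVERYTHING, DENY_ONE_HOST, "in.telnetd", "an.unwanted.host.net"),
        # same deny line with an empty hosts.allow actually blocks the host
        "effective_deny": access_decision(
            "", DENY_ONE_HOST, "in.telnetd", "an.unwanted.host.net"),
        # deny-by-default: the public service stays public ...
        "public_ftp": access_decision(
            EXPLICIT_ALLOW, DEFAULT_DENY, "wu.ftpd", "random.host.example"),
        # ... a forgotten service is closed to strangers ...
        "forgotten_finger": access_decision(
            EXPLICIT_ALLOW, DEFAULT_DENY, "in.fingerd", "random.host.example"),
        # ... but still reachable from the trusted host and trusted domain.
        "trusted_finger": access_decision(
            EXPLICIT_ALLOW, DEFAULT_DENY, "in.fingerd", "a.trusted.host.net"),
        "trusted_domain": access_decision(
            EXPLICIT_ALLOW, DEFAULT_DENY, "in.fingerd", "ws1.trusted.example"),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:18s} {verdict}")
```

Running the script prints "allow" for the shadowed_deny case, which is the trap point 5 warns about, and "deny" for forgotten_finger, which is the benefit of the deny-by-default layout in point 6.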