[999] in linux-net channel archive
Re: /etc/hosts.deny
daemon@ATHENA.MIT.EDU (Avery Pennarun)
Sat Aug 26 11:53:41 1995
Date: Thu, 24 Aug 1995 19:37:21 -0400 (EDT)
From: Avery Pennarun <apenwarr@foxnet.net>
To: linux-net@vger.rutgers.edu
In-Reply-To: <199508231517.QAA30952@cconcepts3.cconcepts.co.uk>
On Wed, 23 Aug 1995, Alex Bligh wrote:
> >
> >
> > I'm trying to block access to all ports from a particular host. Putting
> > the hostname in /etc/hosts.deny doesn't seem to have any effect - even
> > after a reboot. Any idea why, or what I'm doing wrong?
> >
> 1. tcpwrapper only affects services launched by inetd i.e. not sendmail
> etc.; If you are really paranoid you might consider using firewalling.
>
> 2. Make sure inetd.conf launches tcpwrapper. Best way to check this works
> is to strace -fp inetd while telnetting to your own IP number from another
> VT.
>
> 3. You might have a name lookup problem - try the IP number.
>
> 4. Your deny file should look like
> ALL : an.unwanted.host.net
> not just the hostname (but I guess you knew that)
>
> 5. Make sure you haven't got ALL:ALL in hosts.allow as well - this takes
> precedence.
>
> 6. A more secure way to do things is put ALL:ALL in hosts.deny and specifically
> allow the services that are OK, even if you have lines like
> wu.ftpd:ALL
> &
> ALL:a.trusted.host.net
>
> otherwise you run the risk of leaving services you had forgotten you had
> open to the whole internet.
>
> Hope that helps
>
> Alex
>
> ----------------------------+-------------+-----------------------------
> Alex Bligh : ,-----. :
> Computer Concepts Ltd. : : : alex@cconcepts.co.uk
> Gaddesden Place : : ,-----. :
> Hemel Hempstead : `-+---` ` : Tel. +44 1442-351000
> Herts. UK HP2 6EX : | , : Fax. +44 1442-351010
> : `-----` :
> ----------------------------+-------------+-----------------------------
>
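Points 5 and 6 of Alex's reply, as an added example that is not part of the post: a small Python model of the order in which tcp_wrappers evaluates hosts.allow and hosts.deny (allow match grants, deny match refuses, no match grants), run over constructed configs to show why a blanket ALL:ALL in hosts.allow makes hosts.deny ineffective and what the default-deny layout does instead. It handles only ALL, leading-dot domain suffixes, trailing-dot address prefixes and exact names (no EXCEPT, LOCAL, netmasks or shell commands); the IP addresses are made up.

```python
import re

def _match_client(pattern, host, addr):
    """Subset of tcp_wrappers client patterns: ALL, .domain suffix, net. prefix, exact name/IP."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):      # ".unwanted.host.net" matches any host in that domain
        return host.endswith(pattern)
    if pattern.endswith("."):        # "192.0.2." matches that address prefix
        return addr.startswith(pattern)
    return pattern in (host, addr)   # exact hostname or address

def _rule_matches(rules_text, daemon, host, addr):
    """True if any 'daemon_list : client_list' line in the file matches this connection."""
    for raw in rules_text.splitlines():
        fields = [f.strip() for f in raw.split("#", 1)[0].split(":")]
        if len(fields) < 2 or not fields[0]:
            continue                 # blank or comment line; a third field (shell command) is ignored
        daemons = re.split(r"[\s,]+", fields[0])
        clients = re.split(r"[\s,]+", fields[1])
        if any(d in ("ALL", daemon) for d in daemons) and \
           any(_match_client(c, host, addr) for c in clients):
            return True
    return False

def hosts_access(allow_text, deny_text, daemon, host, addr):
    """Same order as tcp_wrappers: hosts.allow match grants, else hosts.deny match refuses, else grant."""
    if _rule_matches(allow_text, daemon, host, addr):
        return True
    if _rule_matches(deny_text, daemon, host, addr):
        return False
    return True

# Constructed configs. Point 5: a blanket hosts.allow makes every hosts.deny line dead.
LEAKY_ALLOW = "ALL : ALL\n"
DENY_ONE_HOST = "ALL : an.unwanted.host.net\n"
# Point 6: default deny, then open only what is meant to be public (wu.ftpd) or trusted.
STRICT_ALLOW = "wu.ftpd : ALL\nALL : a.trusted.host.net\n"
STRICT_DENY = "ALL : ALL\n"

def demo():
    """Evaluate a few connections; the addresses are constructed for the example."""
    unwanted = ("an.unwanted.host.net", "192.0.2.10")
    trusted = ("a.trusted.host.net", "192.0.2.20")
    return {
        "leaky_telnet_unwanted": hosts_access(LEAKY_ALLOW, DENY_ONE_HOST, "in.telnetd", *unwanted),  # True: deny never consulted
        "fixed_telnet_unwanted": hosts_access("", DENY_ONE_HOST, "in.telnetd", *unwanted),           # False
        "strict_ftp_unwanted": hosts_access(STRICT_ALLOW, STRICT_DENY, "wu.ftpd", *unwanted),        # True: ftp is public
        "strict_telnet_unwanted": hosts_access(STRICT_ALLOW, STRICT_DENY, "in.telnetd", *unwanted),  # False: default deny
        "strict_telnet_trusted": hosts_access(STRICT_ALLOW, STRICT_DENY, "in.telnetd", *trusted),    # True: trusted host
    }
```

Call `demo()` to see all five decisions at once; on a real system the same questions are answered by `tcpdmatch`, which ships with tcp_wrappers.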