/etc/hosts.deny and /etc/hosts.allow


Post by Patrick Avenue » Tue, 18 Jan 2000 04:00:00



Hi!

I am using Linux at home (RH6.1) and I'm the only one who logs in at
home. I was wondering if I just put in the /etc/hosts.deny
ALL: ALL

and in the /etc/allow
ALL: 127.

This should be enough to make sure that no-one can telnet, ftp,
whatever to my Linuxbox from the internet? I'm just starting with
Linux security. If everything is OK, I'll connect it to the internet.

Does anyone have more info?

Greetings
Patrick Avenue

 
 
 


Post by Joe Jenkin » Tue, 18 Jan 2000 04:00:00


In hosts.allow, I would recommend

ALL: localhost
ALL: 127.0.0.1


> Hi!

> I am using Linux at home (RH6.1) and I'm the only one who logs in at
> home. I was wondering if I just put in the /etc/hosts.deny
> ALL: ALL

> and in the /etc/allow
> ALL: 127.

> This should be enough to make sure that no-one can telnet, ftp,
> whatever to my Linuxbox from the internet? I'm just starting with
> Linux security. If everything is OK, I'll connect it to the internet.

> Does anyone have more info?

> Greetings
> Patrick Avenue
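As an added example that is not part of the thread: a small POSIX sh re-implementation of the order in which tcpd consults the two files, so the hosts.deny / hosts.allow pair recommended above can be exercised without putting the box on the network. The real check is tcpdmatch(8) from the tcp_wrappers package (tcpdmatch -d in.telnetd 192.0.2.10 reads hosts.allow and hosts.deny from the current directory); the daemon names, the sample client addresses and the reduced pattern syntax below are constructed for illustration and cover only ALL, literal names and numeric prefixes such as 127.

```shell
#!/bin/sh
# Added example: a toy model of the tcpd(8) access decision, not the real
# library. Real tcpd also resolves client hostnames, honours option fields,
# and supports many more patterns; use tcpdmatch(8) for authoritative checks.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ALLOW="$WORK/hosts.allow"
DENY="$WORK/hosts.deny"

# Constructed sample files, as recommended in the reply above:
# deny everything, then allow only the loopback interface.
cat > "$DENY" <<'EOF'
# hosts.deny: consulted only when hosts.allow has no matching rule
ALL: ALL
EOF
cat > "$ALLOW" <<'EOF'
# hosts.allow: consulted first; a match here grants access
ALL: localhost
ALL: 127.0.0.1
EOF

# list_matches LIST VALUE -> 0 if VALUE matches one pattern in the
# comma-separated LIST (ALL, a literal name, or a prefix ending in a dot)
list_matches() {
    list=$1; value=$2
    for pat in $(printf '%s' "$list" | tr ',' ' '); do
        case $pat in
            ALL) return 0 ;;
            *.)  case $value in "$pat"*) return 0 ;; esac ;;
            *)   [ "$pat" = "$value" ] && return 0 ;;
        esac
    done
    return 1
}

# file_matches FILE DAEMON CLIENT -> 0 if any "daemons : clients" rule in
# FILE matches both the daemon and the client
file_matches() {
    file=$1; daemon=$2; client=$3
    # strip comments and blank lines, split each rule at the first colon
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" |
    while IFS=: read -r daemons clients; do
        daemons=$(printf '%s' "$daemons" | tr -d ' \t')
        clients=$(printf '%s' "$clients" | tr -d ' \t')
        if list_matches "$daemons" "$daemon" && list_matches "$clients" "$client"; then
            echo match
        fi
    done | grep -q match
}

# tcpd_decision DAEMON CLIENT [ALLOW_FILE DENY_FILE] -> "granted" or "denied"
# Order, as in tcpd(8): a hosts.allow match grants, then a hosts.deny match
# denies, and a client matching neither file is GRANTED access. That default
# is why hosts.deny needs the catch-all "ALL: ALL".
tcpd_decision() {
    allow=${3:-$ALLOW}; deny=${4:-$DENY}
    if file_matches "$allow" "$1" "$2"; then echo granted
    elif file_matches "$deny" "$1" "$2"; then echo denied
    else echo granted
    fi
}

# Demo: loopback clients get through, everything else is refused.
for probe in "in.telnetd 127.0.0.1" "in.ftpd 192.0.2.10" "sshd localhost" "portmap 10.0.0.5"; do
    set -- $probe
    printf '%-12s from %-12s -> %s\n' "$1" "$2" "$(tcpd_decision "$1" "$2")"
done

# Same outside client, but with an empty hosts.deny: nothing matches, so
# tcpd's default applies and the connection is let through.
: > "$WORK/hosts.deny.empty"
printf '%-12s from %-12s -> %s (empty hosts.deny)\n' in.ftpd 192.0.2.10 \
    "$(tcpd_decision in.ftpd 192.0.2.10 "$ALLOW" "$WORK/hosts.deny.empty")"
```

The last probe shows the part newcomers usually miss: with no catch-all in hosts.deny, a client that matches neither file is let through, because tcpd grants by default. "ALL: ALL" in hosts.deny turns that default into a deny, and hosts.allow then lists the exceptions; the file pair only governs daemons that are actually started through tcpd or linked against libwrap, which is why the thread goes on to look at inetd.conf and at standalone daemons.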



 
 
 


Post by Tad » Tue, 18 Jan 2000 04:00:00



>Hi!

>I am using Linux at home (RH6.1) and I'm the only one who logs in at
>home. I was wondering if I just put in the /etc/hosts.deny
>ALL: ALL

>and in the /etc/allow
>ALL: 127.

>This should be enough to make sure that no-one can telnet, ftp,
>whatever to my Linuxbox from the internet? I'm just starting with
>Linux security. If everything is OK, I'll connect it to the internet.

>Does anyone have more info?

Well, if you are going to do this, why don't you just comment out everything
in the /etc/inetd.conf and killall -HUP inetd. No need to have all those
services running if you aren't going to use them.

Tad

 
 
 


Post by Keith Kell » Wed, 19 Jan 2000 04:00:00





>>I am using Linux at home (RH6.1) and I'm the only one who logs in at
>>home. I was wondering if I just put in the /etc/hosts.deny
>>ALL: ALL

>>and in the /etc/allow
>>ALL: 127.

>>This should be enough to make sure that no-one can telnet, ftp,
>>whatever to my Linuxbox from the internet? I'm just starting with
>>Linux security. If everything is OK, I'll connect it to the internet.

> Well, if you are going to do this, why don't you just comment out everything
> in the /etc/inetd.conf and killall -HUP inetd. No need to have all those
> services running if you aren't going to use them.

If you're going to comment out every service in /etc/inetd.conf, why
bother running inetd at all?  Comment it out in your networking
scripts, and you save yourself a process while at the same time
disabling a whole bunch of potentially dangerous services.

-- Keith

maintainer of alt.os.linux.slackware FAQ
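An added example (not code from any poster) covering both suggestions above: Tad's, to comment every service out of /etc/inetd.conf and send inetd a HUP, and Keith's, to look at what is enabled before deciding whether inetd is needed at all. It audits a constructed inetd.conf in the seven-field format of the period, flags enabled services whose connections never pass through /usr/sbin/tcpd (so hosts.allow and hosts.deny do not apply to them), and writes a copy with everything commented out. The sample file contents and the tcpd path are assumptions.

```shell
#!/bin/sh
# Added example: audit and neutralise an inetd.conf. Assumes the classic
# "<service> <socktype> <proto> <flags> <user> <server_path> <args>" layout
# and tcpd installed as /usr/sbin/tcpd, as on Red Hat 6.x.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/inetd.conf"

# Constructed sample, loosely modelled on a Red Hat 6.x default.
cat > "$CONF" <<'EOF'
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
echo     stream  tcp     nowait  root    internal
#chargen stream  tcp     nowait  root    internal
ftp      stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger   stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
pop-3    stream  tcp     nowait  root    /usr/sbin/ipop3d ipop3d
EOF

# active_lines FILE -> the non-comment, non-blank lines (enabled services)
active_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# enabled_services FILE -> one service name per line
enabled_services() {
    active_lines "$1" | awk '{ print $1 }'
}

# unwrapped_services FILE -> enabled services that bypass tcpd: either the
# server path is not tcpd, or the service is "internal" to inetd itself.
# hosts.allow/hosts.deny have no effect on these.
unwrapped_services() {
    active_lines "$1" | awk '$6 != "/usr/sbin/tcpd" { print $1 }'
}

# disable_all SRC DST -> write a copy of SRC with every active line commented
disable_all() {
    sed 's/^[[:space:]]*\([^#[:space:]]\)/#\1/' "$1" > "$2"
}

echo "Enabled services:"
enabled_services "$CONF"
echo "Enabled but not wrapped by tcpd:"
unwrapped_services "$CONF"

disable_all "$CONF" "$WORK/inetd.conf.disabled"
printf 'Services left enabled after disable_all: %s\n' \
    "$(enabled_services "$WORK/inetd.conf.disabled" | wc -l | tr -d ' ')"
# After installing the edited copy as /etc/inetd.conf, make inetd reread it
# exactly as Tad says:   killall -HUP inetd
# Keith's alternative is to stop inetd in the init scripts instead, so the
# question becomes moot; either way, check with "netstat -an" afterwards
# that the ports are no longer listening.
```

The unwrapped list is the one to read carefully: a service handed straight to its own daemon, or served internally by inetd, is reachable regardless of how hosts.deny is written, so the choice is to wrap it, disable it, or accept that it is open.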

 
 
 


Post by Nick Craig-Wood » Wed, 19 Jan 2000 04:00:00




> > Well, if you are going to do this, why don't you just comment out everything
> > in the /etc/inetd.conf and killall -HUP inetd. No need to have all those
> > services running if you aren't going to use them.

> If you're going to comment out every service in /etc/inetd.conf, why
> bother running inetd at all?  Comment it out in your networking
> scripts, and you save yourself a process while at the same time
> disabling a whole bunch of potentially dangerous services.

There are some services which don't run from inetd.conf but do use TCP
wrappers - portmap and sshd being two that come to mind.

So you should still set /etc/hosts.{allow|deny} even if you kill off
inetd or disable everything in inetd.conf.

--
Nick Craig-Wood

 
 
 


Post by Tim Haynes » Wed, 19 Jan 2000 04:00:00



> > If you're going to comment out every service in /etc/inetd.conf, why
> > bother running inetd at all?  Comment it out in your networking
> > scripts, and you save yourself a process while at the same time
> > disabling a whole bunch of potentially dangerous services.

> There are some services which don't run from inetd.conf but do use TCP
> wrappers - portmap and sshd being two that come to mind.

Ssh is not *only* a standalone; it can be done from inetd. OTOH why you'd
want to when it has its own host identification (other than to spawn remote
fingers, etc) is beyond me. Still, portmap is a reason to retain
/etc/hosts.{allow,deny} anyway.

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-
| The sun is melting over the hills,         | http://www.glutinous.custard.org

 
 
 


Post by Roger Panch » Wed, 19 Jan 2000 04:00:00


Thanks for your reactions!

> Well, if you are going to do this, why don't you just comment out everything
> in the /etc/inetd.conf and killall -HUP inetd. No need to have all those
> services running if you aren't going to use them.

Can I still use these services as a user on my own system (e.g. root or
another user)? I understand that these restrictions set by myself are
only to prevent unauthorised access and improve security on my own
Linux system.

Greetings,
--
Roger Panch

 
 
 


Post by Tad » Wed, 19 Jan 2000 04:00:00




> Can I still use these services as a user on my own system (e.g. root or
> another user)? I understand that these restrictions set by myself are
> only to prevent unauthorised access and improve security on my own
> Linux system.

This will only affect the ability for people to connect to you from
the outside. You will still be able to telnet, ftp, etc. to other
hosts.

Tad

 
 
 


Post by Tad » Wed, 19 Jan 2000 04:00:00


On 18 Jan 2000 19:29:13 +0000, "Tim Haynes"


>Ssh is not *only* a standalone, it can be done from inetd. OTOH why you'd
>want to when it has its own host identification (other than to spawn remote
>fingers, etc) is beyond me. Still, portmap is a reason to retain
>/etc/hosts.{allow,deny} anyway.

What uses portmap anyway? I have yet to figure this one out. Yeah, I
have read the man page, but that is vague to say the least.

Tad

 
 
 


Post by Marc Haber » Thu, 20 Jan 2000 04:00:00



>What uses portmap anyway? I have yet to figure this one out. Yeah, I
>have read the man page, but that is vague to say the least.

The port mapper is being used for services that use RPC. The most
prominent of these services probably is NFS:

Greetings
Marc

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber          |   " Questions are the         | Mail address in header
Karlsruhe, Germany  |     Beginning of Wisdom "     | Fon: *49 721 966 32 15
Nordisch by Nature  | Lt. Worf, TNG "Rightful Heir" | Fax: *49 721 966 31 29
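As an added example (not from Marc's post): the way to see what actually uses portmap on a given box is rpcinfo -p, which lists every RPC program currently registered with the port mapper. The functions below parse a constructed sample of that output so the script runs offline; on a real host the sample is replaced by the live command. The program numbers and names in the sample are the standard ones for the mapper, NFS, mountd and the status daemon, while the non-privileged ports are chosen for illustration.

```shell
#!/bin/sh
# Added example: enumerate what is registered with the port mapper.
# Live form:   rpcinfo -p | rpc_programs
# Column layout of rpcinfo -p: program number, version, protocol, port, name.

# Constructed sample of "rpcinfo -p" output (ports 818/820/1023/1025 made up).
SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    818  status
    100024    1   tcp    820  status
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100005    1   udp   1023  mountd
    100005    1   tcp   1025  mountd'

# rpc_programs -> unique service names registered besides the mapper itself,
# in first-seen order (reads rpcinfo -p output on stdin). Each of these is a
# service that an outside client can locate by asking portmap on port 111.
rpc_programs() {
    awk 'NR > 1 && $5 != "portmapper" && !seen[$5]++ { print $5 }'
}

# rpc_endpoints NAME -> "proto/port" lines for one service (stdin as above).
# Everything except the mapper and nfs sits on a port that changes between
# boots, which is why blocking portmap alone does not make them unreachable.
rpc_endpoints() {
    awk -v name="$1" 'NR > 1 && $5 == name { print $3 "/" $4 }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_programs | while read -r prog; do
    printf '%-12s %s\n' "$prog" \
        "$(printf '%s\n' "$SAMPLE_RPCINFO" | rpc_endpoints "$prog" | tr '\n' ' ')"
done
```

If the list is empty, nothing on the machine needs portmap and it can be disabled along with inetd; if it shows nfs and mountd, the box is an NFS server and portmap, plus the hosts.allow and hosts.deny rules that govern it, have to stay.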