/etc/hosts.allow and hosts.deny

bigmacbb63 · #1 29th June 2009, 01:52 AM

Hi all,

I need to know how to secure /etc/hosts.allow and /etc/hosts.deny
I've never configured them and that I'm sure is a problem for me.

Thanks for your help I appreciate all of you,

bigmac

bigmacbb63 · #2 29th June 2009, 03:30 AM

Hi guys,

I think I have the answer? I was looking at this and it looks right?
Maybe someone can tell me if I'm wrong.

http://www.brighthub.com/computing/l...les/20184.aspx

Thanks, bigmac

stevea · #3 29th June 2009, 01:42 PM

man hosts.allow

Bad thread title - /etc/hosts is NOT relate hosts.allow/deny.

scottro · #4 29th June 2009, 01:46 PM

As per stevea's suggestion, I've edited the title.

bodhi.zazen · #5 30th June 2009, 01:52 AM

No offense intended, but the man page on hosts.allow / hosts.deny is actually fairly helpful.

http://linux.die.net/man/5/hosts.allow

ibbo · #6 30th June 2009, 01:47 PM

Remember 1st and foremost that this is only one trench in your in depth defense of your system. I actually think this one is pretty good, well built trench that is very configurable.

Basically
hosts.deny
--------------
ALL: ALL

Deny everything by default.

hosts.allow
--------------
httpd: ALL
smtp: 192.168.1
etc: ...

Open up services for (a anyone, b local network).
The man pages are very helpful on this and give many examples of the stuff you can do. I.E. notifications

I would also look at deny hosts and look at getting to grips with iptables.

Defense in depth is the key, SELinux is the icing.

Ibbo

bigmacbb63 · #7 30th June 2009, 04:18 PM

Hi guys,

I have installed tripwire, rkhunter, aide, denyhosts, ettercap, nmap, chkrootkit.
That's about all. The one thing I can't get to work is my /bin/rpm file has been hijacked
it keeps saying that it cannot stat: when I scan with rkhunter and I don't know how to
fix that. Does anyone have any suggestions?

Thanks,

bigmac

bodhi.zazen · #8 1st July 2009, 06:32 AM

Quote:

Originally Posted by ibbo

Remember 1st and foremost that this is only one trench in your in depth defense of your system. I actually think this one is pretty good, well built trench that is very configurable.

Basically
hosts.deny
--------------
ALL: ALL

Deny everything by default.

hosts.allow
--------------
httpd: ALL
smtp: 192.168.1
etc: ...

Open up services for (a anyone, b local network).
The man pages are very helpful on this and give many examples of the stuff you can do. I.E. notifications

I would also look at deny hosts and look at getting to grips with iptables.

Defense in depth is the key, SELinux is the icing.

Ibbo

I like TCPwrapper (host.allow / hosts.deny) but by default with most distros (Fedora included) Apache does not use tcpwrappers.

If you wish to use tcp wrappers with apache you need to recompile apache.

You can see if an application uses tcp wrappers with "strings"

Code:

strings -f /usr/sbin/sshd | grep hosts_access
/usr/sbin/sshd: hosts_access

But not httpd

Code:

strings -f /usr/sbin/httpd | grep hosts_access
     < -- see no output

So, if you are relying on tcpwrappers take the time to make sure your service in fact uses tcpwrappers.

Last, many servers have ACL (access control lists) or ACL functionality built into the config files.

Using apache as an example , apache is usually public, so rather then deny all and allow some (whitelist) you usually allow all and deny some (blacklist)

Code:

< Location />
< Limit GET POST PUT>
order allow,deny
allow from all
deny from 111.222.33.444
deny from 111.222.33.555
< /Limit>
< /Location>

Which eventually leads back to iptables, or similar applications, as you can maintain one "central" blacklist rather then service - by - service configuration (assuming you are running multiple services of course).

<snip-it>

iptables -A INPUT -j blacklist # check a blacklist (see below)
iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -j DROP

iptables -N blacklist
iptables -A blacklist -s 111.22.333.444/32 -j DROP
iptables -A blacklist -s 111.22.333.555/32 -j DROP

</snip-it>

Note: In practice you will need to define your blacklist first or you will get an error with the first command, but I hope the above layout is easier to follow.

A few "simple" iptables rules to check a blacklist, accept ssh from LAN only, accept all traffic on port 80, drop everything else.

While iptables is intimidating at first, taking the time to learn the rules (or use something like shorewall) can pay off in spades (rather then learning tcpwrappers, adding fail2ban, recompile apache there, etc).

jenaniston · #9 21st January 2010, 11:26 PM

Quote:

Originally Posted by bodhi.zazen

. . . if you are relying on tcpwrappers take the time to make sure your service in fact uses tcpwrappers.

( reviving an older thread that came up in search for tcp wrappers . . .similar topic of sorts)

tcp_wrappers 7.6-55.fc11 i586 comes installed with with my F11 Live . . .(as well as the tcp_wrappers-libs)
and tcp_wrappers 7.6-56.fc12.i686 comes with my F12 Live which I am using for a LAN boot point-to-point connection.

dhcp server works fine to the client diskless laptop, but the tftp gets hung . . .
etc/hosts_allow is only # comment lines/description so everything should be allowed ?

Bottom line:
How do I check status of the tcp_wrappers ? . . .
i.e if my xinetd service (tftp server) is in fact using or not using the installed tcp_wrappers in Fedora 11 or 12 ?

Thank you very much.

P.S. Since tcpdump and snort do NOT show any TCP flags or options -
that should mean there are no tcp wrappers issues involved in stopping the boot filename packet from reaching the client destination ?

bigmacbb63 · #10 19th March 2010, 10:22 PM

Hi guys,

In /etc/hosts.deny where do you put ALL:ALL
What I mean is which line?

Thanks,

bigmac