From: Richard Villa <rvilla1@swbell.net>
To: speakup@braille.uwo.ca
Subject: Re: hosts.allow
Date: Tue, 15 Jan 2002 14:25:08 -0600 (CST)
Message-ID: <Pine.LNX.4.33.0201151424120.2192-100000@dhcppc2>
In-Reply-To: <m16QZI8-00015VC@gene3.ait.iastate.edu>
How would that work if the server is behind a router?

Richard

On Tue, 15 Jan 2002, Gene Collins wrote:
> Hello all. Hosts.allow and hosts.deny can contain lists of hosts or the
> word ALL in upper case to be associated with a particular service. If you
> deny all access in hosts.deny, and then allow specific access in
> hosts.allow, the hosts.allow file will override the hosts.deny file.
> For example, suppose you want to allow ssh access to IP address
> 192.168.1.1 and 192.168.1.2 and wanted to block everyone else. You
> could put the following in your hosts.deny file:
>
> sshd: ALL
>
> All ssh access is now blocked. You can then open access for the two
> addresses you want with the following line in your hosts.allow file:
>
> sshd: 192.168.1.1 192.168.1.2
>
> Only these two addresses would now have ssh access. If you have the
> line:
>
> ALL: ALL
>
> in your hosts.deny file, then the line:
>
> sshd: ALL
>
> in your hosts.allow file will open up all ssh access, while leaving
> other services like telnet, finger and ftp closed. When working with
> hosts.allow and hosts.deny files, it's best to be specific about which
> services you are granting access to. Renaming your hosts.deny file to
> something else will throw your system wide open, which is not what you
> want. In theory, if the hosts.deny file is empty or does not exist, and
> you have entries in your hosts.allow file, only those addresses for the
> specified services should get access. I would not count on it, however.
> Better to specifically deny all access, and then open up only what you
> intend.
>
> Gene Collins
>
> >Hi!
> >
> > Try man tcpd or man hosts_access. Sshd will use /etc/hosts_* files
> >only if tcpwrapper support is included when compiling. In that case
> >hosts_allow line is something like
> >sshd : all (or sshd2 : all, try both).
> >
> > Normally sshd holds its own access control in sshd_config file
> >somewhere under /etc.
> >
> > btw: make sure you use the latest version of ssh, earlier versions,
> >at least 1.2.31, have a severe security problem.
> >
> >
> > Gregory Nowak 05.01.02:
> >
> >>I've tried typing "man hosts.allow", but no luck, so I have to ask.
> >>As Janina mentioned in reply to one of my posts, I'm currently blocking all connections with
> >>"ALL: all".
> >>However, I want to let ssh in from any ip address. How do I do this?
> >>I've tried "ssh: all", but no luck.
> >>Greg
> >>
> >>
> >>_______________________________________________
> >>Speakup mailing list
> >>Speakup@braille.uwo.ca
> >>http://speech.braille.uwo.ca/mailman/listinfo/speakup
> >>
> >
> >
> >The opinions I express are my own and do not necessarily represent the
> >official position of my employer or my internet service provider.
> >--
> >Mr. Ari Moisio, Niittykatu 7, 41160 Tikkakoski, +358-40-5055239
> >ari.moisio@iki.fi http://www.iki.fi/arimo PGP-keyID: 0x3FAF0F05
>
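
The evaluation order documented in hosts_access(5), which the quoted messages rely on, as an added example that is not part of the original thread: a match in hosts.allow grants access, otherwise a match in hosts.deny denies it, otherwise access is granted. The function names, the client address 203.0.113.7 and the daemon name in.telnetd are constructed for illustration, and only a subset of the pattern language is modelled.

```python
# Added example: simplified model of the hosts_access(5) decision order.
# Supports only "ALL" (upper case, as in the thread), exact addresses and
# trailing-dot address prefixes such as "192.168.1."; no hostnames or netmasks.

def parse(text):
    """Turn hosts.allow / hosts.deny text into [(daemons, clients)] rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]  # ignore an optional third field
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def matches(rules, daemon, addr):
    """True if any rule matches both the daemon process name and the client."""
    for daemons, clients in rules:
        daemon_ok = "ALL" in daemons or daemon in daemons
        client_ok = any(c == "ALL" or c == addr or
                        (c.endswith(".") and addr.startswith(c))
                        for c in clients)
        if daemon_ok and client_ok:
            return True
    return False

def allowed(allow_text, deny_text, daemon, addr):
    """hosts.allow match grants; else hosts.deny match denies; else grant."""
    if matches(parse(allow_text), daemon, addr):
        return True
    if matches(parse(deny_text), daemon, addr):
        return False
    return True  # nothing matched; a missing file counts as an empty file

if __name__ == "__main__":
    outside = "203.0.113.7"  # constructed client address
    two = "sshd: 192.168.1.1 192.168.1.2"
    cases = [  # (hosts.allow, hosts.deny, daemon, client)
        (two, "sshd: ALL", "sshd", "192.168.1.2"),    # listed host
        (two, "sshd: ALL", "sshd", outside),          # everyone else
        ("sshd: ALL", "ALL: ALL", "sshd", outside),   # ssh opened to all
        ("sshd: ALL", "ALL: ALL", "in.telnetd", outside),
        ("ssh: ALL", "ALL: ALL", "sshd", outside),    # wrong daemon name
        (two, "", "sshd", outside),                   # empty hosts.deny
    ]
    for allow, deny, daemon, addr in cases:
        verdict = "grant" if allowed(allow, deny, daemon, addr) else "deny"
        print(f"allow={allow!r} deny={deny!r} {daemon} {addr} -> {verdict}")
```

The last case is the one to check on a real system: with an empty or missing hosts.deny, a client that matches nothing in hosts.allow is still granted access, so the explicit deny rule is what closes the service.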