* hosts.allow
From: Gregory Nowak
To: speakup
Hi all,
I've tried typing "man hosts.allow", but no luck, so I have to ask.
As Janina mentioned in reply to one of my posts, I'm currently blocking all connections with
"ALL: all".
However, I want to let ssh in from any IP address. How do I do this?
I've tried "ssh: all", but no luck.
Greg
* Re: hosts.allow
From: Janina Sajka
To: speakup
If you want your door wide open, just delete (or rename) /etc/hosts.deny.
Bingo, everyone gets in from anywhere--provided they have ssh and
accounts, of course.
On Sat, 5 Jan 2002, Gregory Nowak wrote:
> Hi all,
>
> I've tried typing "man hosts.allow", but no luck, so I have to ask.
> As Janina mentioned in reply to one of my posts, I'm currently blocking all connections with
> "ALL: all".
> However, I want to let ssh in from any IP address. How do I do this?
> I've tried "ssh: all", but no luck.
> Greg
--
Janina Sajka, Director
Technology Research and Development
Governmental Relations Group
American Foundation for the Blind (AFB)
Email: janina@afb.net Phone: (202) 408-8175
Chair, Accessibility SIG
Open Electronic Book Forum (OEBF)
http://www.openebook.org
* Re: hosts.allow
From: Gregory Nowak
To: speakup
Ok, but what if ssh is the only service I want to have wide open and the rest closed?
Yes, I know my firewall could take care of that, but I want additional security.
Greg
On Sat, Jan 05, 2002 at 05:42:31PM -0500, Janina Sajka wrote:
> If you want your door wide open, just delete (or rename) /etc/hosts.deny.
> Bingo, everyone gets in from anywhere--provided they have ssh and
> accounts, of course.
* Re: hosts.allow
From: Janina Sajka
To: speakup
I think hosts.allow/deny is ssh specific. Ftp is managed elsewhere.
But, I would simply not listen on the ports that you don't want to accept
on. If you don't permit a service, don't turn it on. There's even a way to
not respond to probes (which I don't know how to tell you about). The idea
is that if someone probes you and you answer saying "I don't accept that,"
the transaction goes quickly and the prober knows there's a machine behind
that address. This encourages them to probe more. If, on the other hand,
you don't answer at all, it takes a long time for the connection attempt
to time out, and the prober is never sure whether there's no machine
behind that address/port, or what.
Look at http://www.bastille-linux.org to learn more about such things.
But, be careful applying the scripts mainly because you might shut down
more than you know, and it's always better to actually know how something
is done than to have a script just do it for you.
On Sat, 5 Jan 2002, Gregory Nowak wrote:
> Ok, but what if ssh is the only service I want to have wide open and the rest closed?
> Yes, I know my firewall could take care of that, but I want additional security.
> Greg
* Re: hosts.allow
From: Ari Moisio
To: Speakup mailing list
Hi!
Try man tcpd or man hosts_access. Sshd will use /etc/hosts_* files
only if tcpwrapper support is included when compiling. In that case
hosts_allow line is something like
sshd : all (or sshd2 : all, try both).
Normally sshd holds its own access control in sshd_config file
somewhere under /etc.
btw: make sure you use the latest version of ssh, earlier versions,
at least 1.2.31, have a severe security problem.
Gregory Nowak 05.01.02:
>I've tried typing "man hosts.allow", but no luck, so I have to ask.
>As Janina mentioned in reply to one of my posts, I'm currently blocking all connections with
>"ALL: all".
>However, I want to let ssh in from any IP address. How do I do this?
>I've tried "ssh: all", but no luck.
>Greg
The opinions I express are my own and do not necessarily represent
the official position of my employer or my internet service provider.
--
Mr. Ari Moisio, Niittykatu 7, 41160 Tikkakoski, +358-40-5055239
ari.moisio@iki.fi http://www.iki.fi/arimo PGP-keyID: 0x3FAF0F05
* Re: hosts.allow
From: Gene Collins
To: speakup
Hello all. Hosts.allow and hosts.deny can contain lists of hosts or the
word ALL in upper case to be associated with a particular service. If you
deny all access in hosts.deny, and then allow specific access in
hosts.allow, the hosts.allow file will override the hosts.deny file.
For example, suppose you want to allow ssh access to IP addresses
192.168.1.1 and 192.168.1.2 and want to block everyone else. You
could put the following in your hosts.deny file:
sshd: ALL
All ssh access is now blocked. You can then open access for the two
addresses you want with the following line in your hosts.allow file:
sshd: 192.168.1.1 192.168.1.2
Only these two addresses would now have ssh access. If you have the
line:
ALL: ALL
in your hosts.deny file, then the line:
sshd: ALL
in your hosts.allow file will open up all ssh access, while leaving
other services like telnet, finger and ftp closed. When working with
hosts.allow and hosts.deny files, it's best to be specific about which
services you are granting access to. Renaming your hosts.deny file to
something else will throw your system wide open, which is not what you
want. In theory, if the hosts.deny file is empty or does not exist, and
you have entries in your hosts.allow file, only those addresses for the
specified services should get access. I would not count on it, however.
Better to specifically deny all access, and then open up only what you
intend.
Gene Collins
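As an added illustration (not code from the thread or from tcpd itself), here is a small Python simulator of the tcpd / hosts_access(5) decision order that Gene describes: hosts.allow is consulted first and the first matching line grants access, then hosts.deny and the first matching line denies, and when nothing matches access is granted, which is why an absent hosts.deny throws the machine wide open. The sample file contents are constructed; the daemon field is matched against the server's process name (sshd, as Ari noted, not ssh), and treating the ALL wildcard case-insensitively is an assumption of this simulator.

```python
import ipaddress

# Constructed sample files (not from any real host): deny everything by
# default, then open sshd only for two addresses, as in Gene's example.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "sshd: 192.168.1.1 192.168.1.2\n"


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((daemons.split(), clients.split()))
    return rules


def daemon_matches(pattern, daemon):
    # The daemon field is the server's process name (sshd), not the client
    # program name (ssh), so "ssh: ALL" matches nothing: Greg's original problem.
    # ALL is compared case-insensitively here (simulator assumption).
    return pattern.upper() == "ALL" or pattern == daemon


def client_matches(pattern, client_ip):
    if pattern.upper() == "ALL":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in pattern:                            # net/mask or CIDR form
        return ip in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                     # "192.168.1." prefix form
        return client_ip.startswith(pattern)
    return client_ip == pattern


def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    return (any(daemon_matches(d, daemon) for d in daemons)
            and any(client_matches(c, client_ip) for c in clients))


def hosts_access(allow_text, deny_text, daemon, client_ip):
    """True if tcpd would grant the connection: hosts.allow first, then
    hosts.deny, then the default, which is to grant."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client_ip):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client_ip):
            return False
    return True                                   # no rule matched: wide open
```

Run `hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", "10.0.0.5")` to see the deny-all default refusing an address that is not listed, and the same call with "192.168.1.1" to see hosts.allow win.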
* Re: hosts.allow
From: Tommy Moore
To: speakup
Speaking of allowing hosts to connect to your machines, I have a little
problem of my own here.
On my little network I don't run dns so I access my different machines by
their hostnames.
One thing I notice is that when I'm not connected to the internet with my
firewall machine, whenever I try to make an ftp connection to my machines
the session hangs.
I suspect this is the ftp server trying to resolve the dns hostname. How
do I get the default ftp server on RH 7.2 to look for the hostname in
/etc/hosts instead of querying dns?
I don't seem to have this problem when using ssh though.
Any help would be cool on how I can fix this.
This gets rather annoying if I don't have a connection to the world.
Thanks.
Tommy
--
Only wimps use tape backup: _real_ men just upload their important
stuff on ftp, and let the rest of the world mirror it ;)
-- Linus Torvalds, about his failing hard drive on
linux.cs.helsinki.fi
* Re: hosts.allow
From: Richard Villa
To: speakup
How would that work if the server is behind a router?
Richard
On Tue, 15 Jan 2002, Gene Collins wrote:
> Hello all. Hosts.allow and hosts.deny can contain lists of hosts or the
> word ALL in upper case to be associated with a particular service. If you
> deny all access in hosts.deny, and then allow specific access in
> hosts.allow, the hosts.allow file will override the hosts.deny file.
> For example, suppose you want to allow ssh access to IP addresses
> 192.168.1.1 and 192.168.1.2 and want to block everyone else. You
> could put the following in your hosts.deny file:
>
> sshd: ALL
>
> All ssh access is now blocked. You can then open access for the two
> addresses you want with the following line in your hosts.allow file:
>
> sshd: 192.168.1.1 192.168.1.2
>
> Only these two addresses would now have ssh access. If you have the
> line:
>
> ALL: ALL
>
> in your hosts.deny file, then the line:
>
> sshd: ALL
>
> in your hosts.allow file will open up all ssh access, while leaving
> other services like telnet, finger and ftp closed. When working with
> hosts.allow and hosts.deny files, it's best to be specific about which
> services you are granting access to. Renaming your hosts.deny file to
> something else will throw your system wide open, which is not what you
> want. In theory, if the hosts.deny file is empty or does not exist, and
> you have entries in your hosts.allow file, only those addresses for the
> specified services should get access. I would not count on it, however.
> Better to specifically deny all access, and then open up only what you
> intend.
>
> Gene Collins
>
* Re: hosts.allow
From: Geoff Shang
To: speakup
Hi Tommy:
I can't answer your question, but there may not be a way to do that. This
is a good argument for running your own DNS server. Of course, if you have
a paranoid entry in your hosts file, then it will DNS lookup even if it's
trying to use hosts.
Geoff.
* Re: hosts.allow
From: William F. Acker WB2FLW +1-303-777-8123
To: speakup
Hi,
Arrange for your /etc/resolv.conf to be moved out of the way when
you're not connected. I think there's a bug in glibc causing the order of
hosts then dns to not be honored.
HTH and 73.
Bill
On Tue, 15 Jan 2002, Tommy Moore wrote:
> Speaking of allowing hosts to connect to your machines, I have a little
> problem of my own here.
> On my little network I don't run dns so I access my different machines by
> their hostnames.
> One thing I notice is that when I'm not connected to the internet with my
> firewall machine, whenever I try to make an ftp connection to my machines
> the session hangs.
> I suspect this is the ftp server trying to resolve the dns hostname. How
> do I get the default ftp server on RH 7.2 to look for the hostname in
> /etc/hosts instead of querying dns?
> I don't seem to have this problem when using ssh though.
> Any help would be cool on how I can fix this.
> This gets rather annoying if I don't have a connection to the world.