Date: Sat, 5 Jan 2002 18:48:26 -0500 (EST)
From: Janina Sajka
To: speakup@braille.uwo.ca
Subject: Re: hosts.allow
In-Reply-To: <20020105165301.A1051@uic.edu>
List-Id: Speakup is a screen review system for Linux.

I think hosts.allow/deny is ssh specific. Ftp is managed elsewhere.

But, I would simply not listen on the ports that you don't want to accept
on. If you don't permit a service, don't turn it on. There's even a way to
not respond to probes (which I don't know how to tell you about). The idea
is that if someone probes you and you answer saying "I don't accept that,"
the transaction goes quickly and the prober knows there's a machine behind
that address. This encourages them to probe more. If, on the other hand,
you don't answer at all, it takes a long time for the connection attempt to
time out, and the prober is never sure whether there's no machine behind
that address/port, or what.

Look at http://www.bastille-linux.org to learn more about such things.
But, be careful applying the scripts, mainly because you might shut down
more than you know, and it's always better to actually know how something
is done than to have a script just do it for you.

On Sat, 5 Jan 2002, Gregory Nowak wrote:

> Ok, but what if ssh is the only service I want to have wide open and the
> rest closed?
> Yes, I know my firewall could take care of that, but I want additional
> security.
> Greg
>
> On Sat, Jan 05, 2002 at 05:42:31PM -0500, Janina Sajka wrote:
> > If you want your door wide open, just delete (or rename) /etc/hosts.deny.
> > Bingo, everyone gets in from anywhere--provided they have ssh and
> > accounts, of course.
> >
> > On Sat, 5 Jan 2002, Gregory Nowak wrote:
> > >
> > > Hi all,
> > >
> > > I've tried typing "man hosts.allow", but no luck, so I have to ask.
> > > As Janina mentioned in reply to one of my posts, I'm currently
> > > blocking all connections with "ALL: all".
> > > However, I want to let ssh in from any ip address. How do I do this?
> > > I've tried "ssh: all", but no luck.
> > > Greg
> > >
> > > _______________________________________________
> > > Speakup mailing list
> > > Speakup@braille.uwo.ca
> > > http://speech.braille.uwo.ca/mailman/listinfo/speakup

-- 
Janina Sajka, Director
Technology Research and Development
Governmental Relations Group
American Foundation for the Blind (AFB)

Email: janina@afb.net Phone: (202) 408-8175

Chair, Accessibility SIG
Open Electronic Book Forum (OEBF)
http://www.openebook.org
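An added example, not from the list thread: a small Python model of hosts_access(5) evaluation (a hosts.allow match grants, then a hosts.deny match denies, then the default is to grant), used to show why the thread's "ALL: all" in hosts.deny combined with "ssh: all" in hosts.allow still locks sshd out while "sshd: ALL" lets it in; tcp_wrappers compares the daemon field against the daemon's process name, which for OpenSSH is sshd, and the same files apply to any daemon linked against libwrap, not just ssh. The sample files and the 10.0.0.5 client address are constructed, and the matcher covers only the ALL wildcard, exact names, and dotted domain-suffix / IPv4-prefix patterns (no EXCEPT or net/mask forms).

```python
def parse_access_file(text):
    """Parse hosts_access(5)-style 'daemons : clients[ : cmd]' lines into
    (daemon_list, client_list); comments and blanks skipped, EXCEPT unsupported."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules

def _match_token(pattern, value):
    """ALL wildcard (case-insensitive, so 'all' works), leading dot = domain
    suffix, trailing dot = IPv4 prefix, else exact case-insensitive match."""
    if pattern.upper() == "ALL":
        return True
    if pattern.startswith("."):
        return value.lower().endswith(pattern.lower())
    if pattern.endswith("."):
        return value.startswith(pattern)
    return pattern.lower() == value.lower()

def _rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(_match_token(d, daemon) for d in daemons)
            and any(_match_token(c, client) for c in clients))

def access_allowed(daemon, client, allow_text, deny_text):
    """hosts_access(5) order: a hosts.allow match grants, else a hosts.deny
    match denies, else access is granted (no rules at all means open)."""
    if any(_rule_matches(r, daemon, client) for r in parse_access_file(allow_text)):
        return True
    if any(_rule_matches(r, daemon, client) for r in parse_access_file(deny_text)):
        return False
    return True

# Constructed sample files modelled on the setup described in the thread.
HOSTS_DENY = "ALL: all\n"     # hosts.deny from the thread: refuse everything
TRIED_ALLOW = "ssh: all\n"    # what was tried: no daemon is named 'ssh'
FIXED_ALLOW = "sshd: ALL\n"   # libwrap matches the daemon's process name, sshd
if __name__ == "__main__":
    for allow in (TRIED_ALLOW, FIXED_ALLOW):
        ok = access_allowed("sshd", "10.0.0.5", allow, HOSTS_DENY)
        print(f"hosts.allow={allow.strip()!r:12} sshd from 10.0.0.5: {'granted' if ok else 'denied'}")
```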