* hosts.allow
From: Gregory Nowak
To: speakup

Hi all,

I've tried typing "man hosts.allow", but no luck, so I have to ask.
As Janina mentioned in reply to one of my posts, I'm currently blocking all connections with "ALL: all".
However, I want to let ssh in from any IP address. How do I do this?
I've tried "ssh: all", but no luck.

Greg
* Re: hosts.allow
From: Janina Sajka
To: speakup

If you want your door wide open, just delete (or rename) /etc/hosts.deny. Bingo, everyone gets in from anywhere--provided they have ssh and accounts, of course.

On Sat, 5 Jan 2002, Gregory Nowak wrote:
> I'm currently blocking all connections with "ALL: all".
> However, I want to let ssh in from any IP address. How do I do this?
> I've tried "ssh: all", but no luck.
> Greg
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup

-- 
Janina Sajka, Director
Technology Research and Development
Governmental Relations Group
American Foundation for the Blind (AFB)
Email: janina@afb.net Phone: (202) 408-8175
Chair, Accessibility SIG
Open Electronic Book Forum (OEBF)
http://www.openebook.org
* Re: hosts.allow
From: Gregory Nowak
To: speakup

Ok, but what if ssh is the only service I want to have wide open and the rest closed?
Yes, I know my firewall could take care of that, but I want additional security.

Greg

On Sat, Jan 05, 2002 at 05:42:31PM -0500, Janina Sajka wrote:
> If you want your door wide open, just delete (or rename) /etc/hosts.deny.
> Bingo, everyone gets in from anywhere--provided they have ssh and
> accounts, of course.
* Re: hosts.allow
From: Janina Sajka
To: speakup

I think hosts.allow/deny is ssh specific. Ftp is managed elsewhere. But, I would simply not listen on the ports that you don't want to accept on. If you don't permit a service, don't turn it on.

There's even a way to not respond to probes (which I don't know how to tell you about). The idea is that if someone probes you and you answer saying "I don't accept that," the transaction goes quickly and the prober knows there's a machine behind that address. This encourages them to probe more. If, on the other hand, you don't answer at all, it takes a long time for the connection attempt to time out, and the prober is never sure whether there's no machine behind that address/port, or what.

Look at http://www.bastille-linux.org to learn more about such things. But, be careful applying the scripts, mainly because you might shut down more than you know, and it's always better to actually know how something is done than to have a script just do it for you.

On Sat, 5 Jan 2002, Gregory Nowak wrote:
> Ok, but what if ssh is the only service I want to have wide open and the rest closed?
> Yes, I know my firewall could take care of that, but I want additional security.
> Greg
* Re: hosts.allow
From: Ari Moisio
To: Speakup mailing list

Hi!

Try man tcpd or man hosts_access. Sshd will use /etc/hosts_* files only if tcpwrapper support is included when compiling. In that case the hosts_allow line is something like

sshd : all (or sshd2 : all, try both).

Normally sshd holds its own access control in the sshd_config file somewhere under /etc.

btw: make sure you use the latest version of ssh; earlier versions, at least 1.2.31, have a severe security problem.

Gregory Nowak 05.01.02:
>I'm currently blocking all connections with "ALL: all".
>However, I want to let ssh in from any IP address. How do I do this?
>I've tried "ssh: all", but no luck.
>Greg

The opinions I express are my own and do not necessarily represent the official position of my employer or my internet service provider.
-- 
Mr. Ari Moisio, Niittykatu 7, 41160 Tikkakoski, +358-40-5055239
ari.moisio@iki.fi http://www.iki.fi/arimo PGP-keyID: 0x3FAF0F05
* Re: hosts.allow
From: Gene Collins
To: speakup

Hello all. Hosts.allow and hosts.deny can contain lists of hosts or the word ALL in upper case to be associated with a particular service. If you deny all access in hosts.deny, and then allow specific access in hosts.allow, the hosts.allow file will override the hosts.deny file.

For example, suppose you want to allow ssh access to IP addresses 192.168.1.1 and 192.168.1.2 and wanted to block everyone else. You could put the following in your hosts.deny file:

sshd: ALL

All ssh access is now blocked. You can then open access for the two addresses you want with the following line in your hosts.allow file:

sshd: 192.168.1.1 192.168.1.2

Only these two addresses would now have ssh access. If you have the line:

ALL: ALL

in your hosts.deny file, then the line:

sshd: ALL

in your hosts.allow file will open up all ssh access, while leaving other services like telnet, finger and ftp closed.

When working with hosts.allow and hosts.deny files, it's best to be specific about which services you are granting access to. Renaming your hosts.deny file to something else will throw your system wide open, which is not what you want. In theory, if the hosts.deny file is empty or does not exist, and you have entries in your hosts.allow file, only those addresses for the specified services should get access. I would not count on it, however. Better to specifically deny all access, and then open up only what you intend.

Gene Collins

>Hi!
>
> Try man tcpd or man hosts_access. Sshd will use /etc/hosts_* files
>only if tcpwrapper support is included when compiling. In that case
>hosts_allow line is something like
>sshd : all (or sshd2 : all, try both).
>
> Normally sshd holds its own access control in sshd_config file
>somewhere under /etc.
>
> btw: make sure you use the latest version of ssh, earlier versions
>at least 1.2.31 have severe security problem.
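The lookup order Gene describes (hosts.allow is consulted first, then hosts.deny, and a client matched by neither file gets in) can be checked offline with the following simulation; it is an added example, not code from the thread or from tcp_wrappers itself. It assumes the `daemon_list : client_list` line format, the upper-case ALL wildcard and the trailing-dot network prefix of hosts_access(5), and, as Ari points out, it only says anything about an sshd built with tcp wrapper support.

```python
# Added example: simulates the tcp_wrappers lookup order for hosts.allow
# and hosts.deny.  Not code from the thread or from tcp_wrappers itself.
# Client patterns supported (a subset of hosts_access(5)): the upper-case
# wildcard ALL, a trailing-dot prefix such as "192.168.1.", an exact address.


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.split(), clients.split()))
    return rules


def _matches(pattern, value):
    if pattern == "ALL":                      # wildcard, upper case as Gene says
        return True
    if pattern.endswith("."):                 # "192.168.1." matches the whole /24
        return value.startswith(pattern)
    return pattern == value                   # otherwise an exact match


def _rule_hits(rules, daemon, client):
    return any(any(_matches(d, daemon) for d in ds) and
               any(_matches(c, client) for c in cs)
               for ds, cs in rules)


def hosts_access(allow_text, deny_text, daemon, client):
    """True if the wrapper would admit `client` to `daemon`."""
    if _rule_hits(parse_rules(allow_text), daemon, client):
        return True      # hosts.allow is consulted first and wins
    if _rule_hits(parse_rules(deny_text), daemon, client):
        return False     # then hosts.deny
    return True          # matched by neither file: access is granted


# Constructed configurations following the examples in the thread.
DENY_ALL = "ALL: ALL\n"
ALLOW_SSHD_EVERYWHERE = "sshd: ALL\n"
DENY_SSHD = "sshd: ALL\n"
ALLOW_TWO_HOSTS = "sshd: 192.168.1.1 192.168.1.2\n"

if __name__ == "__main__":
    # ssh open to everyone while everything else stays closed
    print(hosts_access(ALLOW_SSHD_EVERYWHERE, DENY_ALL, "sshd", "10.0.0.9"))     # True
    print(hosts_access(ALLOW_SSHD_EVERYWHERE, DENY_ALL, "in.ftpd", "10.0.0.9"))  # False
    # ssh restricted to the two listed addresses
    print(hosts_access(ALLOW_TWO_HOSTS, DENY_SSHD, "sshd", "192.168.1.2"))       # True
    print(hosts_access(ALLOW_TWO_HOSTS, DENY_SSHD, "sshd", "192.168.1.3"))       # False
```

The last case in the block also shows Gene's warning in action: with an empty hosts.deny, `hosts_access(ALLOW_TWO_HOSTS, "", "sshd", "192.168.1.3")` returns True, because nothing denies the unlisted address.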
* Re: hosts.allow
From: Tommy Moore
To: speakup

Speaking of allowing hosts to connect to your machines, I have a little problem of my own here.
On my little network I don't run DNS, so I access my different machines by their hostnames.
One thing I notice is that when I'm not connected to the internet with my firewall machine, whenever I try to make an ftp connection to my machines the session hangs.
I suspect this is the ftp server trying to resolve the DNS hostname. How do I get the default ftp server on RH 7.2 to look for the hostname in /etc/hosts instead of querying DNS?
I don't seem to have this problem when using ssh though.
Any help would be cool on how I can fix this. This gets rather annoying if I don't have a connection to the world.

Thanks.
Tommy

-- 
Only wimps use tape backup: _real_ men just upload their important stuff on ftp, and let the rest of the world mirror it ;)
-- Linus Torvalds, about his failing hard drive on linux.cs.helsinki.fi
* Re: hosts.allow
From: Geoff Shang
To: speakup

Hi Tommy:

I can't answer your question, but there may not be a way to do that. This is a good argument for running your own DNS server. Of course, if you have a paranoid entry in your hosts file, then it will do a DNS lookup even if it's trying to use hosts.

Geoff.
* Re: hosts.allow
From: William F. Acker WB2FLW +1-303-777-8123
To: speakup

Hi,

Arrange for your /etc/resolv.conf to be moved out of the way when you're not connected. I think there's a bug in glibc causing the order of hosts then dns to not be honored.

HTH and 73.
Bill

On Tue, 15 Jan 2002, Tommy Moore wrote:
> I suspect this is the ftp server trying to resolve the dns hostname. How
> do I get the default ftp server on RH 7.2 to look for the hostname in
> /etc/hosts instead of querying dns.
> I don't seem to have this problem when using ssh though.
* Re: hosts.allow
From: Richard Villa
To: speakup

How would that work if the server is behind a router?

Richard

On Tue, 15 Jan 2002, Gene Collins wrote:
> For example, suppose you want to allow ssh access to ip address
> 192.168.1.1 and 192.168.1.2 and wanted to block everyone else. you
> could put the following in your hosts.deny file:
>
> sshd: ALL
>
> All ssh access is now blocked. You can then open access for the two
> addresses you want with the following line in your hosts.allow file:
>
> sshd: 192.168.1.1 192.168.1.2
>
> Only these two addresses would now have ssh access.