  1. #1
    Just Joined!
    Join Date
    Mar 2009
    Posts
    15

    hosts.allow hosts.deny format

    Hi,

    I have a question about the format in hosts.allow and hosts.deny; it is very confusing when you see different things mentioned on different sites.

    The question is, I have seen many sites ask to enter
    Code:
    ALL:ALL
    in hosts.deny; in some places I have seen
    Code:
    ALL:ALL:ALL
    to be entered. I can't seem to find any explanation of when to use which entry in hosts.deny.

    Can someone shed some light?

  2. #2
    Linux Enthusiast
    Join Date
    Aug 2006
    Location
    Portsmouth, UK
    Posts
    539
    Hi, XaeroOne

    You want to read the Access Control Rules section of the man page ( man hosts.allow or man hosts.deny ). But in a nutshell:

    ALL: ALL
    deny access to ALL daemons from ALL hosts.

    ALL: ALL: ALL
    deny access to ALL daemons from ALL hosts and ALL shell commands/variants. ( Overkill in my opinion )
    RHCE #100-015-395
    Please don't PM me with questions as no reply may offend, that's what the forums are for.

  3. #3
    Just Joined!
    Join Date
    Mar 2009
    Posts
    15
    Let's say you don't need any incoming connections from anywhere. Then entering ALL:ALL in hosts.deny should suffice (from a security point of view), right? Do you need iptables?

  4. #4
    Linux Enthusiast
    Join Date
    Aug 2006
    Location
    Portsmouth, UK
    Posts
    539
    From a hosts.deny / allow point of view, then yes, ALL: ALL should be enough.

    As for a firewall ( iptables ), that depends on how your system is connected to the internet. Personally I would use one in any case.

    As you're not doing anything special with the host, if it's Red Hat / CentOS then you could use the system-config-security tool, which will create a simple firewall for you.

    If there isn't a similar tool for your distro then a very easy/basic firewall package is firestarter.

    HTH
    RHCE #100-015-395
    Please don't PM me with questions as no reply may offend, that's what the forums are for.

  5. #5
    Just Joined!
    Join Date
    Apr 2009
    Posts
    9
    Quote Originally Posted by XaeroOne:
    Let's say you don't need any incoming connections from anywhere. Then entering ALL:ALL in hosts.deny should suffice (from a security point of view), right? Do you need iptables?
    Keep in mind that hosts.allow has precedence; make sure you don't allow connections by accident.
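
    Added example (not from any poster in this thread): a small Python model of the tcp_wrappers evaluation order that posts #2 and #5 describe, i.e. hosts.allow is consulted first, then hosts.deny, and a request matching neither file is permitted. The sample file contents and hostnames are constructed; the hosts.allow entry with a third field is there to show that the "ALL:ALL:ALL" form is parsed as "daemon_list : client_list : option", with the option ignored by this model.

```python
# Model of the tcp_wrappers decision order: /etc/hosts.allow is checked
# first (first match permits), then /etc/hosts.deny (first match refuses),
# and anything matching neither file is permitted by default.
# Each line is "daemon_list : client_list [: option ...]"; the optional
# third field (the "ALL:ALL:ALL" form) is parsed here but ignored.

def parse_rules(text):
    """Return (daemons, clients) pairs from hosts.allow/hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("rule needs at least daemon_list : client_list")
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))            # fields[2:] (options) ignored
    return rules

def client_matches(pattern, host, addr):
    """Subset of hosts_access(5) patterns: ALL, '.domain' suffix, '10.1.' prefix, exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                    # ".example.net" matches by hostname suffix
        return host.endswith(pattern)
    if pattern.endswith("."):                      # "192.168.1." matches by address prefix
        return addr.startswith(pattern)
    return pattern in (host, addr)

def rule_matches(rule, daemon, host, addr):
    daemons, clients = rule
    daemon_ok = any(d in ("ALL", daemon) for d in daemons)
    return daemon_ok and any(client_matches(c, host, addr) for c in clients)

def access_decision(allow_text, deny_text, daemon, host, addr):
    """True if the connection is permitted: hosts.allow wins, then hosts.deny, then default allow."""
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, host, addr) for r in parse_rules(deny_text)):
        return False
    return True

# Constructed files: the "ALL: ALL" deny-everything policy from post #2, next to a
# hosts.allow that contains a broader-than-intended entry (the accident post #5 warns about).
HOSTS_ALLOW = "sshd: 192.168.1.\nALL: .trusted.example.net: severity auth.info  # opens every daemon\n"
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    print(access_decision(HOSTS_ALLOW, HOSTS_DENY, "vsftpd", "box.trusted.example.net", "198.51.100.7"))
```

    Running it shows that an ftp daemon is reachable from the trusted domain despite "ALL: ALL" in hosts.deny, because the hosts.allow match is taken first.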

  6. #6
    Just Joined!
    Join Date
    Mar 2009
    Posts
    15
    I've heard about firestarter and guard dog; are these frontends for iptables? And how come everyone is talking about iptables whenever there is a discussion about firewalls? Aren't there other firewalls for Linux?

  7. #7
    Linux Enthusiast
    Join Date
    Aug 2006
    Location
    Portsmouth, UK
    Posts
    539
    Yes, firestarter and guard dog are front ends for iptables.
    Firewall Builder is another, with a similar interface to Checkpoint's Firewall One commercial product.

    I don't know of any different firewalling methods other than iptables ( and the old ipchains ); that doesn't mean that there isn't something out there, though.
    RHCE #100-015-395
    Please don't PM me with questions as no reply may offend, that's what the forums are for.

  8. #8
    Just Joined!
    Join Date
    Mar 2009
    Posts
    15
    Thanks for the help

  9. #9
    Just Joined!
    Join Date
    Sep 2007
    Location
    Lafayette, IN
    Posts
    83
    Quote Originally Posted by XaeroOne:
    Let's say you don't need any incoming connections from anywhere. Then entering ALL:ALL in hosts.deny should suffice (from a security point of view), right? Do you need iptables?
    In my opinion, you definitely still need a firewall. Not all services support tcpwrappers, which means you can't use hosts.(allow|deny) to control access. If you're only running services that use tcpwrappers (e.g. ssh), and you're behind a router or firewall, then you don't necessarily need to run iptables. I still would, as an extra layer of safety.

  10. #10
    Just Joined!
    Join Date
    Mar 2009
    Posts
    15
    OK, thank you all for your contributions.
