- 04-02-2009 #1Just Joined!
- Join Date
- Mar 2009
- Posts
- 15
hosts.allow hosts.deny format
Hi,
I have a question about the format in hosts.allow and hosts.deny. It is very confusing when you see different things mentioned on different sites.
The question is I have seen many sites ask to enter
Code:
ALL:ALL
in hosts.deny; some places I have seen
Code:
ALL:ALL:ALL
to be entered. I can't seem to find any explanation on when to use which entry in hosts.deny.
Can someone shed some light?
- 04-03-2009 #2Linux Enthusiast
- Join Date
- Aug 2006
- Location
- Portsmouth, UK
- Posts
- 539
Hi, XaeroOne
You want to read the Access Control Rules section of the man page ( man hosts.allow or man hosts.deny ). But in a nutshell:
ALL: ALL
deny access to ALL daemons from ALL hosts.
ALL: ALL: ALL
deny access to ALL daemons from ALL hosts and ALL shell commands/variants. ( Overkill in my opinion )
RHCE #100-015-395
Please don't PM me with questions as no reply may offend, that's what the forums are for.
- 04-03-2009 #3Just Joined!
- Join Date
- Mar 2009
- Posts
- 15
Let's say you don't need any incoming connections from anywhere. Then entering ALL:ALL in hosts.deny should suffice (from a security point of view), right? Do you need iptables?
- 04-03-2009 #4Linux Enthusiast
- Join Date
- Aug 2006
- Location
- Portsmouth, UK
- Posts
- 539
From a hosts.deny / allow point of view then yes, ALL: ALL should be enough.
As for a firewall ( iptables ), that depends on how your system is connected to the internet. Personally I would use one in any case.
As you're not doing anything special with the host, if it's Red Hat / CentOS then you could use the system-config-security tool which will create a simple firewall for you.
If there isn't a similar tool for your distro then a very easy/basic firewall package is firestarter.
HTH
RHCE #100-015-395
Please don't PM me with questions as no reply may offend, that's what the forums are for.
- 04-07-2009 #5Just Joined!
- Join Date
- Apr 2009
- Posts
- 9
- 04-08-2009 #6Just Joined!
- Join Date
- Mar 2009
- Posts
- 15
I've heard about firestarter and guard dog, are these frontends for iptables? And how come everyone is talking about iptables whenever there is a discussion about firewalls? Aren't there other firewalls for Linux?
- 04-08-2009 #7Linux Enthusiast
- Join Date
- Aug 2006
- Location
- Portsmouth, UK
- Posts
- 539
Yes, firestarter and guard dog are front ends for iptables.
Firewall Builder is another, with a similar interface to Check Point's Firewall One commercial product.
I don't know of any different firewalling methods other than iptables ( and the old ipchains ); doesn't mean that there isn't something out there though.
RHCE #100-015-395
Please don't PM me with questions as no reply may offend, that's what the forums are for.
- 04-08-2009 #8Just Joined!
- Join Date
- Mar 2009
- Posts
- 15
Thanks for the help
- 04-08-2009 #9Just Joined!
- Join Date
- Sep 2007
- Location
- Lafayette, IN
- Posts
- 83
In my opinion, you definitely still need a firewall. Not all services support tcpwrappers, which means you can't use hosts.(allow|deny) to control access. If you're only running services that use tcpwrappers (e.g. ssh), and you're behind a router or firewall, then you don't necessarily need to run iptables. I still would, as an extra layer of safety.
- 04-16-2009 #10Just Joined!
- Join Date
- Mar 2009
- Posts
- 15
OK, thank you all for your contributions.



