[NTLUG:Discuss] Killing Bad People

Rev. wRy slot0k at pogox.org
Tue Feb 5 21:34:31 CST 2002


On Tue, 2002-02-05 at 20:45, Bug Hunter wrote:
 
>   the best thing for /etc/hosts.deny is the following:
> 
> ALL: ALL
>
>   then, in /etc/hosts.allow, add the services you want people to access,
> with the networks:
> 
> ALL: 192.168.1.       <-- allows everyone on the class c network 192.168.1
> 
> in.telnetd: 207.101.132.23 <--allows telnet only from this ip

I don't disagree (it absolutely is the best thing), but it seems to me
that a hosts.deny file consisting solely of ALL: ALL would pose a
problem or two of its own:

a) You remotely admin the server and don't always know the ip you'll be
coming from, so you can't always set up hosts.allow to let you in.

b) You have users that aren't on a local network, yet you need to allow
them access, and they aren't on static ip addresses.

I realize that both of the above are solvable with client username
lookups, but is there an easier solution than maintaining a list of
users that frequently change hosts?

Is there a complete listing somewhere of all services that
hosts.deny/allow will let you configure?  Or is it simply that which is
in inetd and wrapped with tcpd?

Ry
(who thinks the bottom line is watch your logs, keep your system
updated, and remain paranoid. :) )
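To see what the quoted configuration actually does for the two cases Ry raises, here is an added example (it is not from the thread and is not libwrap's code): a small POSIX sh evaluator for the hosts.allow / hosts.deny lookup order described in hosts_access(5), with the two files constructed inline from the patterns in the quoted message. The `sshd: 10.0.0.5` line and the client addresses 203.0.113.9 and 207.101.132.24 are made-up test values.

```shell
#!/bin/sh
# Toy evaluator for tcp_wrappers-style hosts.allow / hosts.deny lookups.
# Constructed example: not the poster's files and not libwrap itself.
# Lookup order mirrors hosts_access(5): a match in hosts.allow grants,
# otherwise a match in hosts.deny refuses, otherwise access is granted.

# Constructed sample files, written to temporary paths.
HOSTS_ALLOW=$(mktemp)
HOSTS_DENY=$(mktemp)
trap 'rm -f "$HOSTS_ALLOW" "$HOSTS_DENY"' EXIT
cat > "$HOSTS_ALLOW" <<'EOF'
# comment lines and blank lines are ignored
ALL: 192.168.1.
in.telnetd: 207.101.132.23
sshd: 10.0.0.5
EOF
cat > "$HOSTS_DENY" <<'EOF'
ALL: ALL
EOF

# pattern_matches PATTERN VALUE -> 0 if the pattern matches the value.
# Supports only the three forms used in the thread: ALL, a trailing-dot
# network prefix such as 192.168.1., and an exact daemon name or IP.
pattern_matches() {
    pat=$1; val=$2
    case "$pat" in
        ALL) return 0 ;;
        *.)  case "$val" in "$pat"*) return 0 ;; esac ;;
        *)   [ "$pat" = "$val" ] && return 0 ;;
    esac
    return 1
}

# list_matches FILE DAEMON CLIENT -> 0 if any "daemons: clients" line matches.
list_matches() {
    file=$1; daemon=$2; client=$3
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                               # strip comments
        case "$line" in *:*) ;; *) continue ;; esac    # skip blank lines
        dlist=${line%%:*}; clist=${line#*:}
        for d in $(echo "$dlist" | tr ',' ' '); do
            pattern_matches "$d" "$daemon" || continue
            for c in $(echo "$clist" | tr ',' ' '); do
                pattern_matches "$c" "$client" && return 0
            done
        done
    done < "$file"
    return 1
}

# hosts_access DAEMON CLIENT -> prints "allow" (status 0) or "deny" (status 1).
hosts_access() {
    if list_matches "$HOSTS_ALLOW" "$1" "$2"; then echo "allow"; return 0; fi
    if list_matches "$HOSTS_DENY"  "$1" "$2"; then echo "deny";  return 1; fi
    echo "allow"; return 0   # neither file matched: granted by default
}

# The two situations from the thread: a local class C host, and the admin
# connecting from an address that is not listed anywhere.
hosts_access sshd 192.168.1.7            # allow (ALL: 192.168.1.)
hosts_access sshd 203.0.113.9 || true    # deny  (falls through to ALL: ALL)
```

With `ALL: ALL` in hosts.deny the default-allow branch is never reached, which is exactly the lockout Ry describes: any daemon and client pair not listed in hosts.allow is refused. On a real system the equivalent check is `tcpdmatch(8)` from the tcp_wrappers package, which understands the full syntax (EXCEPT, netmasks, hostnames, the `user@host` username lookups mentioned above) that this toy deliberately leaves out; it applies to services run through tcpd from inetd and to daemons linked against libwrap.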
