[NTLUG:Discuss] Killing Bad People

Bug Hunter bughuntr at one.ctelcom.net
Wed Feb 6 08:31:10 CST 2002


  Well, we do run the latest version of sshd.  And we put it on a
non-standard port, up there.  You can then open sshd up in hosts.allow

sshd: ALL

  so that it is accessible from anywhere.

  Note the order of the search for tcp_wrappers (and sshd) is

hosts.allow, hosts.deny

  If the host is in hosts.allow, then allow. Otherwise, check hosts.deny
and see if it is not allowed.  If it is NOT REFUSED in hosts.deny, then
let the service work.

bug
On 5 Feb 2002, Rev. wRy wrote:

> On Tue, 2002-02-05 at 20:45, Bug Hunter wrote:
>  
> >   the best thing for /etc/hosts.deny is the following:
> > 
> > ALL: ALL
> >
> >   then, in /etc/hosts.allow, add the services you want people to access,
> > with the networks:
> > 
> > ALL: 192.168.1.       <-- allows everyone on the class c network 192.168.1
> > 
> > in.telnetd: 207.101.132.23 <--allows telnet only from this ip
> 
> I don't disagree (it absolutely is the best thing), but it seems to me
> that a hosts.deny file consisting solely of ALL: ALL  would pose a
> problem or two of its own:
> 
> a) You remotely admin the server and don't always know the ip you'll be
> coming from, so you can't always set up hosts.allow to let you in.
> 
> b) You have users that aren't on a local network, yet you need to allow
> them access, and they aren't on static ip addresses.
> 
> I realize that both of the above are solvable with client username
> lookups, but is there an easier solution than maintaining a list of
> users that frequently change hosts?
> 
> Is there a complete listing somewhere of all services that
> hosts.deny/allow will let you configure?  Or is it simply that which is
> in inetd and wrapped with tcpd?
> 
> Ry
> (who thinks the bottom line is watch your logs, keep your system
> updated, and remain paranoid. :) )
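Bug Hunter's description of the search order, as an added example that is not part of the thread or of tcp_wrappers itself: a small Python model (hypothetical names `wrapper_allows` and `_parse`) of how the wrapper walks hosts.allow, then hosts.deny, then falls through to allow, run over the exact files discussed above. It only covers the plain `daemon : client` form with ALL and trailing-dot network prefixes, which is enough to check a policy offline before deploying it and hitting the lock-out problem Ry raises in (a).

```python
"""Minimal model of tcp_wrappers' hosts.allow / hosts.deny search order.
Hypothetical helper, not code from this thread or from tcp_wrappers itself:
handles the basic 'daemon_list : client_list' form with the ALL wildcard
and trailing-dot network prefixes only (no EXCEPT, hostnames or commands)."""

def _parse(text):
    """Turn a hosts.allow/hosts.deny file into [(daemons, clients), ...]."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def _client_matches(pattern, ip):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                  # network prefix, e.g. 192.168.1.
        return ip.startswith(pattern)
    return ip == pattern

def _any_match(rules, daemon, ip):
    return any(any(d in ("ALL", daemon) for d in daemons)
               and any(_client_matches(c, ip) for c in clients)
               for daemons, clients in rules)

def wrapper_allows(hosts_allow, hosts_deny, daemon, ip):
    """hosts.allow is searched first, then hosts.deny; a pair that matches
    neither file is granted access (the documented tcp_wrappers default)."""
    if _any_match(_parse(hosts_allow), daemon, ip):
        return True
    if _any_match(_parse(hosts_deny), daemon, ip):
        return False
    return True

# The files as described in the thread (constructed inline for this example).
HOSTS_ALLOW = "ALL: 192.168.1.\nin.telnetd: 207.101.132.23\nsshd: ALL\n"
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for daemon, ip in [("sshd", "10.0.0.5"), ("in.telnetd", "10.0.0.5"),
                       ("in.telnetd", "207.101.132.23"), ("in.ftpd", "192.168.1.9")]:
        verdict = wrapper_allows(HOSTS_ALLOW, HOSTS_DENY, daemon, ip)
        print(daemon, ip, "allow" if verdict else "deny")
```

Note that with `sshd: ALL` in hosts.allow, the `ALL: ALL` in hosts.deny is never consulted for sshd, which is exactly why that line makes the daemon reachable from anywhere.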