Entry in /etc/hosts.allow for insecure VNC?

Similar Messages

• Asking for a password when trying to add an entry to /etc/hosts

  I am trying to add an entry to /etc/hosts using Terminal. When I type the command: sudo nano /etc/hosts it asks me for a password. I have never set a password so I have no idea what this would be. My admin pw is blank (I just hit enter) and this is not working. Is there a defaut password or how can I reset this? Thanks

  This would be your admin account password. You must set one.
  Forgot Your Account Password
  For Lion, Mountain Lion, or Mavericks
      Boot to the Recovery HD:
  Restart the computer and after the chime press and hold down the COMMAND and R keys until the menu screen appears. Alternatively, restart the computer and after the chime press and hold down the OPTION key until the boot manager screen appears. Select the Recovery HD and click on the downward pointing arrow button.
       When the menubar appears select Terminal from the Utilities menu.
       Enter resetpassword at the prompt and press RETURN. Follow
       instructions in the dialog window that will appear.
       Or see Reset a Mac OS X 10.7 Lion Password, OS X Mountain Lion- Reset a login password,
       and OS X Lion- Apple ID can be used to reset your user account password.
  For Snow Leopard and earlier with installer DVD
       Mac OS X 10.6- If you forget your administrator password
  For Snow Leopard and earlier without installer DVD
      How to reset your Mac OS X password without an installer disc | MacYourself

• Sshd ignores /etc/hosts.allow and /etc/hosts.deny

  Hello everyone,
  I've just found out that sshd ignores /etc/hosts.allow and /etc/hosts.deny completely on my machine. It doesn't make use of tcp_wrappers. I am using the standard Arch package. Either my settings are wrong, or this is a severe security problem. It was a terrible surprise to find out that my server is under severe dictionary attacks all the time, despite the denyhosts script I am using.
  These are my settings:
  /etc/hosts.deny:
  ALL: ALL
  /etc/hosts.allow:
  # some nfs daemons: 192.168.1.0/255.255.255.0
  sshd sshd1 sshd2: ALL EXCEPT /etc/hosts.evil
  mysqld: 192.168.1.0/255.255.255.0
  /etc/hosts.evil:
  195.113.21.131
  60.10.6.53
  A simple experiment to verify the settings:
  [root@charon etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.131
  warning: sshd: no such process name in /etc/xinetd.conf
  client: address 195.113.21.131
  server: process sshd
  matched: hosts.deny line 5
  access: denied
  [root@charon etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.130
  warning: sshd: no such process name in /etc/xinetd.conf
  client: address 195.113.21.130
  server: process sshd
  matched: hosts.allow line 10
  access: granted
  This seems to be fine. But when I go to the machine 195.113.21.131, I can simply log in with no trouble at all.
  This is really strange. Does it have something to do with the xinetd warning? I am not using xinetd... Maybe I'm doing something wrong. If you have experienced such a trouble, please give me a hint.

  elasticdog wrote:So should our package not have the ListenAddress 0.0.0.0 line uncommented by default?  My guess would be that since it listens on all local addresses by default, we're just overwriting that when specifying 0.0.0.0, which isn't valid.  That was users don't have to specify their local IP address.  Unless I'm wrong, shouldn't this be a bug/feature request for the packager?
  This doesn't seem to be a package bug... IMHO, sshd must respect all the settings in hosts.deny and hosts.allow, regardless the IP address it listens on. The behaviour I noticed seems to be much more complicated. Basic settings (daemon name mentioned in hosts.*) worked, as far as I didn't want a "per IP" configuration. For example, including the daemon in hosts.allow really enabled remote connections, but any closer specifications (subdomains, EXCEPT operator...) were ignored. Access was simply granted without further evaluation. Excluding sshd from hosts.allow worked as one would assume. When I specified ListenAddress, everything started to work properly. This is mysterious. There are millions of computers using tcp wrappers and ssh, so it's hard to believe there could be a bug.

• /etc/hosts.allow versus iptables/firewall?

  What's the relation between the /etc/hosts.allow and /etc/hosts.deny files, on the one hand, and a host firewall on the other? If I'm going to configure iptables on a machine, is there any point to having any non-trivial rules in /etc/hosts.allow and /etc/hosts.deny too? Or should I just set them to let everything connect and do all my configuration through iptables?
  (Well, really, I'm going to use some iptables-for-dummies tool like ufw or firehol.)

  I cannot agree that hosts.{allow,deny} are 'a lot more basic' They're different from iptables, they work on different level and offer different capabilities, but it would be much harder with iptables to grant/deny access according to:
  - ident lookup
  - NIS netgroup
  - domain name
  - consistent ip->name and name->ip mapping
  and so on; man 5 hosts_access and man hosts_options contain some examples. On the actions side, in addition to granting or denying access, arbitrary command can be run in parallel or instead of called service, with some useful informations about connection available as %variables.
  Tcp_wrappers do not have to be called by protected service itself; they can be used with everything that uses TCP and can be run via (x)inetd, with a little help from tcpd(8).
  I prefer iptables myself (no use in letting unwanted traffic pass any further than strictly necessary), but tcp_wrappers make a really nice and useful complementary solution.

• Syntax of ip ranges in /etc/hosts.allow

  How does one define a range of IP addresses in the /etc/hosts.allow?  Pasted from the ssh wiki article
  # let everyone connect to you
  sshd: ALL
  # OR you can restrict it to a certain ip
  sshd: 192.168.0.1
  # OR restrict for an IP range
  sshd: 10.0.0.0/255.255.255.0
  # OR restrict for an IP match
  sshd: 192.168.1.
  If I just want 192.168.1.2 - 192.168.1.10 (inclusive), what would the syntax be for this?
  192.168.1.2/192.168.1.10 didn't work for me.
  Thanks.

  You can't do this on a single line AFAIK since .2 to .10 doesn't fit in any valid CIDR mask. You will need to add a line for each host individually:
  sshd: 192.168.1.2
  sshd: 192.168.1.3
  sshd: 192.168.1.4
  sshd: 192.168.1.5
  sshd: 192.168.1.6
  sshd: 192.168.1.7
  sshd: 192.168.1.8
  sshd: 192.168.1.9
  sshd: 192.168.1.10
  Technically there are multiple /30 masks that fit within that, but you'd still have to have multiple lines.
  Last edited by fukawi2 (2009-06-06 22:45:26)

• Tcp wrappers /etc/hosts.allow format

  since most of the services that were originally run from
  the /etc/inet/inetd.conf file on pre-Solaris 10 systems
  are now run from smf, what are the "in.*" service names
  that should be placed in the /etc/hosts.allow file?
  also is there a "safe_finger" available for use that can
  be used in the /etc/hosts.deny file or should the
  "standard" Solaris 10 finger be used?
  Thanks

  elasticdog wrote:So should our package not have the ListenAddress 0.0.0.0 line uncommented by default?  My guess would be that since it listens on all local addresses by default, we're just overwriting that when specifying 0.0.0.0, which isn't valid.  That was users don't have to specify their local IP address.  Unless I'm wrong, shouldn't this be a bug/feature request for the packager?
  This doesn't seem to be a package bug... IMHO, sshd must respect all the settings in hosts.deny and hosts.allow, regardless the IP address it listens on. The behaviour I noticed seems to be much more complicated. Basic settings (daemon name mentioned in hosts.*) worked, as far as I didn't want a "per IP" configuration. For example, including the daemon in hosts.allow really enabled remote connections, but any closer specifications (subdomains, EXCEPT operator...) were ignored. Access was simply granted without further evaluation. Excluding sshd from hosts.allow worked as one would assume. When I specified ListenAddress, everything started to work properly. This is mysterious. There are millions of computers using tcp wrappers and ssh, so it's hard to believe there could be a bug.

• Entries in /etc/hosts are being ingored.

  I added 
  209.132.176.175 bugzilla.gnome.org
  to /etc/hosts and restarted Xserver, network service and my pppoe connection.
  And the entry in /etc/hosts is is being ignored. Any idea how to debug this weird behavior?

  Ah, now I see what your problem is :-)
  What if you ping bugzilla.gnome.org? Does that reach 209.132.176.175?
  -edit-
  It seems that Firefox simply doesn't use /etc/hosts at all. Solution (if don't want to wait for your DNS servers to get updated): install dnsmasq, cp /etc/resolv.conf /etc/resolv.conf.2, change nameserver in resolv.conf to 127.0.0.1, change resolv-file to resolv.conf.2 and add bugzilla.gnome.org to address field in dnsmasq.conf and start /etc/rc.d/dnsmasq. You'd have to make sure ppooe doesn't overwrite resolv.conf (it'd have to write to resolv.conf.2). Additional benefit: local caching of DNS queries (=> faster browsing).
  Last edited by lucke (2007-10-21 23:23:42)

• Information required /etc/hosts configuration for prerequisites of R12 inst

  As a installation prerequisite, we used to save the /etc/hosts file as follows.
  IP hostname.domain.com hostname
  This instance will be exposed to the internet using following url.
  http://urlname.domain.com/
  Now what should I put in the /etc/hosts file.
  IP hostname.domain.com hostname
  or
  IP urlname.domain.com urlname
  And during DB and App configuration during installation what should I put?
  hostname or urlname?

  Now what should I put in the /etc/hosts file.
  IP hostname.domain.com hostname
  or
  IP urlname.domain.com urlnameIP hostname.domain.com hostname
  And during DB and App configuration during installation what should I put?
  hostname or urlname?hostname
  Thanks,
  Hussein

• Having issues-/etc/hosts.deny /etc/hosts.allow!

  OK-I just did an install of Arch '09 x86_64 core on my HP Pavillion a810n AMD Athlon64 3300+. I got to the part about configuring and the directions just aren't very clear...What EXACTLY do I input to both deny/allow to be able to get on the net to install gnome/X, etc??
  Why would anyone by default have the net services turned off when to have a Viable OS you need more packages-did someone miss that?
  Thanks.

  From the Beginners Guide:
  If you do not plan on using the ssh daemon, leave this file at the default, (empty), for added security.
  It seems you may be confusing the contents of this file with your inability to reach the network.
  What is the exact error(s) you are receiving?
  Did you leave the file empty (all lines commented out) ?

• How could a java process bypass etc\hosts file while doing dns lookup ?

  Hi,
  I am developing a java web proxy and developer tool [http://www.tcpcatcher.org|http://www.tcpcatcher.org] .
  Right now it is working as a none transparent web proxy.
  In some situation and for some hosts, I would like to turn it into a transparent web proxy.
  Suppose, user's browser and java proxy are running on same host (typically on localhost). An entry is added in etc\hosts file, for example:
  127.0.0.1 google.com
  So without any change in browser config , if user visits google.com with its browser , http request is received at proxy level.
  Now my proxy has to get the actual ip address of google.com bypassing the etc\hosts file (right now the proxy is doing a loop on itself).
  Any idea how this could be achieved ?
  Am I searching in wrong direction ?
  thanks !

  This is a shot in the dark, but I'll try anyway.
  Take a look at dnsjava (open source, I never played with it).
  My understanding is that using this to resolve names instead of normal Java API's would allow you to bypass etc/hosts in the java code
  (see [http://old.nabble.com/DNS-Resolve-from-hosts-file-first-then-DNS-Server-td15431381.html]).

• Hosts.allow option spawn parameter not work

  Hi,
  I would like to use BlockHosts and spawn it with spawn keyword from hosts:allow, but option parameter does nothing for me.
  I tried several configurations with different sshd entries and results are below
  hosts.deny:
  ALL:ALL:DENY
  With hosts.allow:
  sshd:ALL
  I can connect to sshd.
  With hosts.allow:
  sshd:ALL:DENY
  I can still connect to sshd. But I do not know why.
  With hosts.allow:
  sshd:ALL:spawn (echo "some tries to log" >> /var/tmp/sshd.tmp)
  I can connect but nothing is written to temporary log file.
  With empty hosts:allow I cannot connect to sshd.
  I cannot find any clue, from man entry everything seems clear, but it does not work as it is written in doc.
  Thanks,
  Ondra
  Last edited by xnovako2 (2010-02-20 16:53:23)

  the Access files are read in order of /etc/hosts.allow, and /etc/hosts.deny
  by default, /etc/hosts.deny contains ALL:ALL:DENY, only the first two are important, then third DENY is the placeholder for shell scripts, only the first two are considered, so ALL:ALL means that all daemons for all connections will not be allowed access, you can specifically add a specific service like sshd using sshd:ALL in /etc/hosts.allow to allow access.
  sshd:ALL:DENY, the DENY part is the place where you should put the location of your shell script (absolute path), writing DENY will not deny it access
  http://linux.die.net/man/5/hosts.allow
  use the above link for a complete help on this.

• SCAN LISTENER runs from only one node at a time from /etc/hosts !

  Dear all ,
  Recently I have to configure RAC in oracle 11g(r2) in AIX 6.1 . Since in this moment it is not possible to configure DNS, so I dont use SCAN ip into the DNS/GNS, I just add the SCAN ip into the host file like :
  cat /etc/hosts
  SCAN 172.17.0.22
  Got the info from : http://www.freeoraclehelp.com/2011/12/scan-setup-for-oracle-11g-release211gr2.html#ORACLE11GR2RACINS
  After configuring all the steps of RAC , Every services are ok except SCAN_LISTENER . This listener is up only one node at a time . First time when I chek it from node1 , it shows :
  srvctl status scan_listener
  SCAN listener LISTENER_SCAN1 is enabled
  SCAN listener LISTENER_SCAN1 is running on node dcdbsvr1
  now when I relocate it from node 2 using
  "srvctl relocate scan -i 1-n DCDBSVR2" , then the output shows :
  srvctl status scan_listener
  SCAN listener LISTENER_SCAN1 is enabled
  SCAN listener LISTENER_SCAN1 is running on node dcdbsvr2
  Baring these , we have to try to relocate it from the node2 by the following way, then it shows the error :
  srvctl relocate scan -i 2 -n DCDBSVR2
  resource ora.scan2.vip does not exists
  Now my question , How can I run the SCAN and SCAN_LISTENER both of the NODES ?
  Here is my listener file (which is in the GRID home location) configuration :
  Listener File OF NODE1 AND NODE 2:
  ==================================
  ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER_SCAN1=ON
  ENABLE_GLOBAL_DYNAMIC_ENDPOINT_LISTENER=ON
  LISTENER_SCAN1 =
  (DESCRIPTION =
  (ADDRESS = (PROTOCOL = IPC) (KEY = LISTENER_SCAN1)
  ADR_BASE_LISTENER_SCAN1 = /U01/APP/ORACLE
  2)
  Another issue , when I give the command : " ifconfig -a " , then it shows the SCAN ip either node1 or node2 . suppose if the SCAN ip is in the node1 , and then if I run the "relocate" command from node2 , the ip goes to the Node 2 . is it a correct situation ? advice plz ... ...
  thx in advance .. ...
  Edited by: shipon_97 on Jan 10, 2012 7:22 AM
  Edited by: shipon_97 on Jan 10, 2012 7:31 AM

  After configuring all the steps of RAC , Every services are ok except SCAN_LISTENER . This listener is up only one node at a time . First time when I chek it from node1 , it shows :If I am not wrong and after looking at the document you sent, you will be able to use only once scan in case you use /etc/host file and this will be up on only one node where you added this scan entry in /etc/hosts file.
  Now my question , How can I run the SCAN and SCAN_LISTENER both of the NODES ?Probably you can't in your case, you might run only one i think and on one node only
  srvctl status scan_listener
  SCAN listener LISTENER_SCAN1 is enabled
  SCAN listener LISTENER_SCAN1 is running on node dcdbsvr1
  now when I relocate it from node 2 using
  "srvctl relocate scan -i 1 -n DCDBSVR2" , then the output shows :
  srvctl status scan_listener
  SCAN listener LISTENER_SCAN1 is enabled
  SCAN listener LISTENER_SCAN1 is running on node dcdbsvr2You moved scan listener from node 1 to node 2, OK
  Baring these , we have to try to relocate it from the node2 by the following way, then it shows the error :
  srvctl relocate scan -i 2 -n DCDBSVR2
  resource ora.scan2.vip does not exists
  --------------------------------------------------------------------------------Since you have only one scan, you can't relocate "2". So ise "1" instead here also
  FYI
  http://www.oracle.com/technetwork/database/clustering/overview/scan-129069.pdf
  Salman

• /etc/hosts is ignored

  I configured my computer to use tor and dnsmasq to resolve dns queries exactly how the arch wiki said to. This seems to work fine, however, when I try to add a entry into /etc/hosts it is ignored. To fix this I tried commenting out no-resolv but it did no good. Why is it ignoring my /etc/hosts file?
  Here is my /etc/hosts file:
  # /etc/hosts: static lookup table for host names
  #<ip-address> <hostname.domain.org> <hostname>
  127.0.0.1 localhost.localdomain localhost
  ::1 localhost.localdomain localhost
  0.0.0.0 facebook.com
  # End of file
  Facebook.com still works...
  Last edited by SteveDeFacto (2013-12-21 21:20:47)

  WonderWoofy wrote:If you are using dnsmasq, why not just put it in your dnsmasq.conf?  The formatting will obviously be different, but if that is what is resolving the dns, it would make more sense to put it there.
  Actually, the main reason I was trying to modify /etc/hosts is because I am wanting to build a decentralized peer-to-peer service. I need to redirect the user to localhost upon entering a url with ".mydomain" The only way I can think to do this is to add an entry into /etc/hosts.
  I just happen to be using tor/dnsmasq so my thought is that modifying /etc/hosts won't always work for people with abnormal dns configurations. I would like to understand why it is not working more than just finding a work around.

• Pure-ftpd setup (hosts.allow & hosts.deny)

  hello,
  i have installed pure-ftpd. i have it in daemon section in rc.conf and it's working (wisible from outside) althought my /etc/hosts.deny is
  ALL: ALL: DENY
  and in /etc/hosts.allow isn't any notice about pure-ftpd (just sshd).
  isn't that weird?
  thanx for answers.

  If your version of pure-ftpd was build without tcpwrappers, but might explain it.

• /etc/hosts error

  Hello,
  I'm trying to follow the cookbooks to install rac/linux/vmware on xp professional. Whenever i try and install the CRS I get an error message that says
  The local node entry in Cluster Configuration inforamtion does not match with the entry in /etc/hosts file. Verify local node information in /etc/hosts file and re-enter the correct value.
  I have followed the instructions and can't see where I have gone wrong. Can someone point me in the right direction...
  thanks

  I too am getting this same error on HP-UX install, any ideas?
  My nslookups, and /etc/hosts match up across the nodes, for the private and public networks, and the Cluster is created and looks good from clverify.