/etc/hosts.allow versus iptables/firewall?

What's the relation between the /etc/hosts.allow and /etc/hosts.deny files, on the one hand, and a host firewall on the other? If I'm going to configure iptables on a machine, is there any point to having any non-trivial rules in /etc/hosts.allow and /etc/hosts.deny too? Or should I just set them to let everything connect and do all my configuration through iptables?
(Well, really, I'm going to use some iptables-for-dummies tool like ufw or firehol.)

I cannot agree that hosts.{allow,deny} are 'a lot more basic'. They're different from iptables; they work on a different level and offer different capabilities, but it would be much harder with iptables to grant/deny access according to:
- ident lookup
- NIS netgroup
- domain name
- consistent ip->name and name->ip mapping
and so on; man 5 hosts_access and man hosts_options contain some examples. On the actions side, in addition to granting or denying access, an arbitrary command can be run in parallel with or instead of the called service, with some useful information about the connection available as %variables.
Tcp_wrappers do not have to be called by the protected service itself; they can be used with everything that uses TCP and can be run via (x)inetd, with a little help from tcpd(8).
I prefer iptables myself (no use in letting unwanted traffic pass any further than strictly necessary), but tcp_wrappers make a really nice and useful complementary solution.

Similar Messages

  • Entry in /etc/hosts.allow for insecure VNC?

    I read the ssh wiki article which teaches to add an entry to /etc/hosts.allow for sshd.  I know that tunneling vnc through sshd is the way to go security wise, however, there are cases where I need to switch on un-encrypted vnc for the purposes of sharing my X11 session with family members.  Anyway, my question deals with an entry in the /etc/hosts.allow for gnome's desktop sharing (which is vnc as I understand it).  Does anyone know the syntax to allow vnc for any incoming connection (default port of 5900)?
    I have tried:
    vino: ALL
    Xvnc: ALL
    X11vnc: ALL
    None of which worked.
    Thanks!

    When I don't know the name of the process listening on a specific port, I always execute
    netstat -tnlp
    to get the proper process names.

  • Sshd ignores /etc/hosts.allow and /etc/hosts.deny

    Hello everyone,
    I've just found out that sshd ignores /etc/hosts.allow and /etc/hosts.deny completely on my machine. It doesn't make use of tcp_wrappers. I am using the standard Arch package. Either my settings are wrong, or this is a severe security problem. It was a terrible surprise to find out that my server is under severe dictionary attacks all the time, despite the denyhosts script I am using.
    These are my settings:
    /etc/hosts.deny:
    ALL: ALL
    /etc/hosts.allow:
    # some nfs daemons: 192.168.1.0/255.255.255.0
    sshd sshd1 sshd2: ALL EXCEPT /etc/hosts.evil
    mysqld: 192.168.1.0/255.255.255.0
    /etc/hosts.evil:
    195.113.21.131
    60.10.6.53
    A simple experiment to verify the settings:
    [[email protected] etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.131
    warning: sshd: no such process name in /etc/xinetd.conf
    client: address 195.113.21.131
    server: process sshd
    matched: hosts.deny line 5
    access: denied
    [[email protected] etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.130
    warning: sshd: no such process name in /etc/xinetd.conf
    client: address 195.113.21.130
    server: process sshd
    matched: hosts.allow line 10
    access: granted
    This seems to be fine. But when I go to the machine 195.113.21.131, I can simply log in with no trouble at all.
    This is really strange. Does it have something to do with the xinetd warning? I am not using xinetd... Maybe I'm doing something wrong. If you have experienced such trouble, please give me a hint.

    elasticdog wrote:So should our package not have the ListenAddress 0.0.0.0 line uncommented by default?  My guess would be that since it listens on all local addresses by default, we're just overwriting that when specifying 0.0.0.0, which isn't valid.  That way users don't have to specify their local IP address.  Unless I'm wrong, shouldn't this be a bug/feature request for the packager?
    This doesn't seem to be a package bug... IMHO, sshd must respect all the settings in hosts.deny and hosts.allow, regardless of the IP address it listens on. The behaviour I noticed seems to be much more complicated. Basic settings (daemon name mentioned in hosts.*) worked, as long as I didn't want a "per IP" configuration. For example, including the daemon in hosts.allow really enabled remote connections, but any closer specifications (subdomains, EXCEPT operator...) were ignored. Access was simply granted without further evaluation. Excluding sshd from hosts.allow worked as one would assume. When I specified ListenAddress, everything started to work properly. This is mysterious. There are millions of computers using tcp wrappers and ssh, so it's hard to believe there could be a bug.

  • Syntax of ip ranges in /etc/hosts.allow

    How does one define a range of IP addresses in the /etc/hosts.allow?  Pasted from the ssh wiki article
    # let everyone connect to you
    sshd: ALL
    # OR you can restrict it to a certain ip
    sshd: 192.168.0.1
    # OR restrict for an IP range
    sshd: 10.0.0.0/255.255.255.0
    # OR restrict for an IP match
    sshd: 192.168.1.
    If I just want 192.168.1.2 - 192.168.1.10 (inclusive), what would the syntax be for this?
    192.168.1.2/192.168.1.10 didn't work for me.
    Thanks.

    You can't do this on a single line AFAIK since .2 to .10 doesn't fit in any valid CIDR mask. You will need to add a line for each host individually:
    sshd: 192.168.1.2
    sshd: 192.168.1.3
    sshd: 192.168.1.4
    sshd: 192.168.1.5
    sshd: 192.168.1.6
    sshd: 192.168.1.7
    sshd: 192.168.1.8
    sshd: 192.168.1.9
    sshd: 192.168.1.10
    Technically there are multiple /30 masks that fit within that, but you'd still have to have multiple lines.
    Last edited by fukawi2 (2009-06-06 22:45:26)
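The range-to-lines problem in this answer can be solved mechanically. The following is an added example (my code, not from the thread or from tcp_wrappers): it expands an inclusive IPv4 range into the minimal set of net/mask blocks, prints them as hosts.allow lines, and checks that the generated lines cover exactly the requested addresses and nothing adjacent. hosts_access(5) matches 'n.n.n.n/m.m.m.m' by comparing (address AND mask) with the net, so the /31 and /32 masks that a range like .2-.10 needs are legitimate entries.

```python
"""Expand an inclusive IPv4 range into the net/mask lines hosts.allow understands (added example)."""
import ipaddress


def hosts_allow_lines(daemon, first, last):
    """Return one 'daemon: network/netmask' line per CIDR block needed to cover first..last inclusively.

    Any mask works for the tcp_wrappers net/mask test, so /31 and /32 blocks are fine; they are
    simply the price of a range that does not start or end on a /30 boundary.
    """
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    blocks = ipaddress.summarize_address_range(lo, hi)   # minimal CIDR cover, in address order
    return [f"{daemon}: {b.network_address}/{b.netmask}" for b in blocks]


def line_matches(line, ip):
    """Apply the net/mask test to one generated line: is ip inside the block after the colon?"""
    pattern = line.split(":", 1)[1].strip()
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def coverage_is_exact(lines, first, last):
    """True when every address in [first, last] matches some line and the neighbours just outside match none."""
    lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
    inside = all(any(line_matches(l, ipaddress.ip_address(i)) for l in lines) for i in range(lo, hi + 1))
    neighbours = [i for i in (lo - 1, hi + 1) if 0 <= i <= 0xFFFFFFFF]   # skip off-range neighbours
    outside = any(line_matches(l, ipaddress.ip_address(i)) for l in lines for i in neighbours)
    return inside and not outside


if __name__ == "__main__":
    # The range asked about in the thread: 192.168.1.2 - 192.168.1.10 inclusive.
    lines = hosts_allow_lines("sshd", "192.168.1.2", "192.168.1.10")
    print("\n".join(lines))
    print("exact cover:", coverage_is_exact(lines, "192.168.1.2", "192.168.1.10"))
```

For .2-.10 this produces four lines (a /31, a /30, a /31 and a /32) instead of nine single-host lines, and `coverage_is_exact` confirms that .1 and .11 stay excluded, which is the check worth running before trusting any hand-written mask.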

  • Tcp wrappers /etc/hosts.allow format

    Since most of the services that were originally run from the /etc/inet/inetd.conf file on pre-Solaris 10 systems are now run from smf, what are the "in.*" service names that should be placed in the /etc/hosts.allow file?
    Also, is there a "safe_finger" available for use that can be used in the /etc/hosts.deny file, or should the "standard" Solaris 10 finger be used?
    Thanks


  • Having issues-/etc/hosts.deny /etc/hosts.allow!

    OK-I just did an install of Arch '09 x86_64 core on my HP Pavilion a810n AMD Athlon64 3300+. I got to the part about configuring and the directions just aren't very clear...What EXACTLY do I input to both deny/allow to be able to get on the net to install gnome/X, etc??
    Why would anyone by default have the net services turned off when to have a Viable OS you need more packages-did someone miss that?
    Thanks.

    From the Beginners Guide:
    If you do not plan on using the ssh daemon, leave this file at the default, (empty), for added security.
    It seems you may be confusing the contents of this file with your inability to reach the network.
    What is the exact error(s) you are receiving?
    Did you leave the file empty (all lines commented out) ?

  • Pure-ftpd setup (hosts.allow & hosts.deny)

    hello,
    I have installed pure-ftpd. I have it in the daemon section in rc.conf and it's working (visible from outside) although my /etc/hosts.deny is
    ALL: ALL: DENY
    and there isn't any mention of pure-ftpd in /etc/hosts.allow (just sshd).
    Isn't that weird?
    Thanks for answers.

    If your version of pure-ftpd was built without tcp_wrappers, that might explain it.

  • Hosts.allow option spawn parameter not work

    Hi,
    I would like to use BlockHosts and spawn it with the spawn keyword from hosts.allow, but the option parameter does nothing for me.
    I tried several configurations with different sshd entries and results are below
    hosts.deny:
    ALL:ALL:DENY
    With hosts.allow:
    sshd:ALL
    I can connect to sshd.
    With hosts.allow:
    sshd:ALL:DENY
    I can still connect to sshd. But I do not know why.
    With hosts.allow:
    sshd:ALL:spawn (echo "some tries to log" >> /var/tmp/sshd.tmp)
    I can connect but nothing is written to temporary log file.
    With an empty hosts.allow I cannot connect to sshd.
    I cannot find any clue, from man entry everything seems clear, but it does not work as it is written in doc.
    Thanks,
    Ondra
    Last edited by xnovako2 (2010-02-20 16:53:23)

    The access files are read in the order /etc/hosts.allow, then /etc/hosts.deny.
    By default, /etc/hosts.deny contains ALL:ALL:DENY. Only the first two fields are important; the third field (DENY) is the placeholder for shell scripts, and only the first two are considered. So ALL:ALL means that all daemons for all connections will not be allowed access; you can specifically add a service like sshd using sshd:ALL in /etc/hosts.allow to allow access.
    In sshd:ALL:DENY, the DENY part is the place where you should put the location of your shell script (absolute path); writing DENY will not deny it access.
    http://linux.die.net/man/5/hosts.allow
    Use the above link for complete help on this.
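Both the answer to the original question at the top of the page (domain-name, net/mask and EXCEPT patterns, and commands that receive %variables) and the answer just above (hosts.allow is consulted before hosts.deny, and the third field is a command rather than a verdict) describe rule evaluation that is easiest to understand by running it. The following is an added example, my own Python model of hosts_access(5) and not tcp_wrappers code: it parses the two files, applies the first-match search in the documented order, supports the ALL, /file, .domain, n.n.n., net/mask and EXCEPT patterns used on this page, and returns the third field with %a, %d and %h expanded instead of executing it. The sample files are constructed after the sshd thread above; the contents of /etc/hosts.evil are supplied inline so the example runs offline, and the classic "daemons : clients : shell_command" layout is assumed (a tcpd built with hosts_options(5) extensions interprets that third field as option keywords instead, which this model does not attempt).

```python
"""Model of tcp_wrappers hosts_access(5) rule evaluation (added example, not tcp_wrappers code).

Search order: /etc/hosts.allow first, then /etc/hosts.deny; the first matching
(daemon list, client list) pair decides, and no match at all means access is granted.
The optional third field is returned as text with %-sequences expanded; it is never executed.
"""
import ipaddress


def parse_rules(text):
    """Turn a hosts.allow/hosts.deny body into (line_no, daemon_tokens, client_tokens, third_field)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":", 2)]   # at most 3 fields; a command may contain ':'
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'daemon_list : client_list [: command]'")
        third = fields[2] if len(fields) == 3 else None
        rules.append((lineno, fields[0].split(), fields[1].split(), third))
    return rules


def match_list(tokens, match_one):
    """Evaluate 'list_1 EXCEPT list_2' (right-associative, as in hosts_access(5))."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], match_one) and not match_list(tokens[i + 1:], match_one)
    return any(match_one(t) for t in tokens)


def client_pattern_matches(pattern, ip, hostname, files):
    """Client patterns modelled here: ALL, /file, .domain suffix, 'n.n.n.' prefix, net/mask, net/len, exact."""
    if pattern == "ALL":
        return True
    if pattern.startswith("/"):          # file of further patterns; contents come from `files` to stay offline
        return any(client_pattern_matches(p, ip, hostname, files)
                   for line in files.get(pattern, "").splitlines()
                   if not line.lstrip().startswith("#")
                   for p in line.split())
    if pattern.startswith("."):          # host name suffix, e.g. ".example.net"
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):            # address prefix, e.g. "192.168.1."
        return ip.startswith(pattern)
    if "/" in pattern:                   # 'net/mask' or 'net/prefixlen'; ipaddress accepts both spellings
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip or (hostname is not None and pattern.lower() == hostname.lower())


def expand(third, daemon, ip, hostname):
    """Expand the %-sequences a shell command in the third field would see: %a, %d, %h and %%."""
    if third is None:
        return None
    return (third.replace("%%", "\0").replace("%a", ip).replace("%d", daemon)
                 .replace("%h", hostname or ip).replace("\0", "%"))


def hosts_access(daemon, ip, allow_text, deny_text, hostname=None, files=None):
    """Return {'access': 'granted'|'denied', 'matched': 'hosts.allow line N' or None, 'command': str or None}."""
    files = files or {}
    for name, text, verdict in (("hosts.allow", allow_text, "granted"),
                                ("hosts.deny", deny_text, "denied")):
        for lineno, daemons, clients, third in parse_rules(text):
            if (match_list(daemons, lambda d: d in ("ALL", daemon))
                    and match_list(clients, lambda c: client_pattern_matches(c, ip, hostname, files))):
                return {"access": verdict, "matched": f"{name} line {lineno}",
                        "command": expand(third, daemon, ip, hostname)}
    return {"access": "granted", "matched": None, "command": None}   # no rule matched: wrappers allow


# Constructed sample files, modelled on the sshd thread above (not copied from any real host).
ALLOW_TEXT = """\
# some nfs daemons: 192.168.1.0/255.255.255.0
sshd sshd1 sshd2: ALL EXCEPT /etc/hosts.evil
mysqld: 192.168.1.0/255.255.255.0
vsftpd: .example.net 10.0.0.
"""
DENY_TEXT = "ALL: ALL: (echo %d refused %a >> /var/log/wrappers.log) &\n"
FILES = {"/etc/hosts.evil": "195.113.21.131\n60.10.6.53\n"}


def check(daemon, ip, hostname=None):
    """Convenience wrapper over the sample files, comparable to running 'tcpdmatch daemon client'."""
    return hosts_access(daemon, ip, ALLOW_TEXT, DENY_TEXT, hostname, FILES)


if __name__ == "__main__":
    for daemon, ip in (("sshd", "195.113.21.131"), ("sshd", "195.113.21.130"),
                       ("mysqld", "192.168.1.77"), ("mysqld", "10.0.0.5"), ("vsftpd", "10.0.0.5")):
        r = check(daemon, ip)
        print(f"{daemon:7} {ip:16} {r['access']:8} {r['matched']}")
```

Two things the run makes visible: an address listed in /etc/hosts.evil falls through the sshd line in hosts.allow because EXCEPT removes it, so it reaches the catch-all in hosts.deny and is refused with the logging command expanded for that client; and a daemon that appears in neither file is granted, which is why an empty hosts.allow behind an "ALL: ALL" hosts.deny blocks everything while no files at all block nothing. As with tcpdmatch, this only tells you what the wrappers would decide; a service built without libwrap (the pure-ftpd and sshd cases in the threads above) never asks.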

  • Is SID allowed to show up in /etc/hosts file?

    Experts:
    I am looking into a /etc/hosts which has something I never saw before.
    Every entry in that /etc/hosts file has a format as follows:
    123.23.456.678 CHERRY CHERRY.RIO.COM SID CHERRY.BRAVO.NET
    For example:
    123.23.456.678 CHERRY CHERRY.RIO.COM PRO CHERRY.BRAVO.NET
    Observation:
    0) WHY SID (here is PRD) gets into the hosts file? Would it cause some issues?
    1) each entry has 2 aliases ;
    2) "nslookup CHERRY.RIO.COM "
    2a) will return the correct IP address IF I run this nslookup on the server
    2b) will say "non-exist domain" on my PC
    3) "nslookup CHERRY.BRAVO.NET"
    3a) will say "non-exist domain" IF I run nslookup on the server
    3b) will give the correct IP address on my PC
    Thank you for help.

    Hi,
    If your system is in a domain, then the entries look like below:
    192.192.192.192    prdserver        prdserver.na.jjjjjjj.com
    prdserver is the host name where your SAP application is running/installed, and prdserver.na.jjjjjjj.com is the hostname in the domain.
    Thanks
    Karan

  • New Package: Arno's iptables firewall scripts

    I made a PKGBUILD for Arno's IPTABLES firewall script. This script has protected my home network for a long time and I realized that some other Archers would also like to use it. Also, a syslog-ng.conf example is included to get iptables logs into their own log file.
    The script has a clear, easy and well commented configuration file. Nice list of
    Features
    Very secure stateful filtering firewall
    Both kernel 2.4 & 2.6 support
    It can be used for both single- and multi(eg. dual)-homed boxes
    Masquerading (NAT) and SNAT support
    Multiple external (internet) interfaces
    Support multiroute NAT & SNAT (load balancing over multiple (internet) interfaces)
    Port forwarding (NAT)
    Support MAC address filtering
    Support for DSL/ADSL modems
    Support for PPPoE, PPPoA and bridging modem setups
    Support for static and ISP assigned (DHCP) IPs
    Support for (transparent) proxies
    Full support for DMZ's and DMZ-2-LAN forwarding. You can also use it to isolate your eg. wireless LAN.
    (Nmap)(stealth) portscan detection
    Protection against SYN-flooding (DoS attacks)
    Protection against ICMP-flooding (DoS attacks)
    Extensive user-definable logging with rate limiting to prevent log flooding
    Includes options to optimize your throughput
    User definable open ports, closed ports, trusted hosts, blocked hosts etc.
    Log & protection options are both highly customizable
    Support for custom iptables rules in a separate file
    It can be used with chkconfig runlevel system (eg. RedHat/Fedora)
    Main focus on TCP/UDP/ICMP but additional support for *ALL* IP protocols
    It works with Freeswan IPSEC (VPN) & SSH Sentinel (http://www.freeswan.org) (+virtual IP's)
    It works with PoPTop PPTP (http://www.poptop.org)
    It works with UPnP
    DRDOS protection/detection (experimental)
    It's easy to configure
    And much more...
    (edit) PKGBUILD is in the AUR.
    This is my first package ever so tell me what to fix. I will put this to AUR if supported and this really works.

    1c3d0g wrote:
    Is this similar to QuickTables?
    http://qtables.radom.org/
    Arno's iptables has a config file that will be edited as needed and the script reads the config file every time it is executed.
    I can put this pkgbuild in the AUR. The init script is not Arch-like. I decided to use Arno's script as-is in /etc/rc.d/ because I want to see what happens. I could do an Arch type of init script that executes the firewall script the Arch way.
    What do you think?

  • Lenovo W530/W540 Getting Destination host Unreachable from our Firewall

    Hey Everyone!
    I'm having some bizarre issues with all of my Lenovo W530/W540's.  I'm not sure when the issue started, the first time it was reported to me was around March, and it has been persistent since the issue was discovered.  The issue is that, quite frequently, our Lenovo W530/W540's will get Destination Host Unreachable if I run a continuous ping (ping -t ...) to anything outside our firewall.
    I have run a ping to things inside our firewall (other computers/servers, etc.) and they will return good ping until the cows come home.
    However, if I try to ping anything outside our firewall (google.com, google DNS 8.8.8.8, yahoo.com, etc.) about every 30 seconds (every 30-35 returns) it starts returning Destination Host Unreachable from our Firewall.  This will last for around 10-25 returns, and then traffic goes back to normal.
    We are a majority Apple Shop, and when I attempt to ping from any Apple on the network, I get fine returns consistently.  I also tried pinging from the few non-Lenovo Windows Machines we have as well (my personal machine which is a self-built Windows rig, a couple of Windows test machines, and a Windows 2008 Server we have) and they also have consistently good returns as well.
    It is ONLY the Lenovos that have this problem.  To compound things, they have no issue when they are connected to a different network other than the company network.  This ONLY happens when they try to interact with traffic going THROUGH our Firewall on our company network.  It happens regardless of whether they are hardwired or wireless.  Also, during the Destination Host Unreachable moments, Windows does not detect a disruption, it keeps registering a good connection.  I do not know how often Windows checks for connection, but these Destination Host Unreachable moments are so quick, I'm fairly certain that Windows can't even detect them.
    Our Firewall is a Linux CentOS server that is running Shorewall Firewall Software.  The Destination Host Unreachable notice is coming from our Firewall directly, not from our ISP, so for some reason, the Lenovo is having a problem talking to our FW.
    We currently only have 3 of these machines in circulation, but it's having a pretty big impact on those with the machines, as going to a website is even a chore, as they often get "Page Not Found" and other errors when they try to load a website.
    I'm a bit stumped, I've never seen a machine act this way where it only has problems on a particular network; usually it's a global issue it has with everything.  Any and all help would be appreciated.
    Thanks!
    -Chris

    DNS is set to be automatic, though I did try setting a permanent DNS server in the IPv4 settings to our local DNS server AND Google DNS, and the issue still occurred.
    The 2 Conflicting firewalls could be it, so I tested that.  I logged into the Local Administrator account on the machine so I could temporarily disable the firewall.  I disabled it, pinged out, and I still get Destination host unreachable, though weirdly, it seems to happen less than when on the other account (only about every 50-60 pings do I get Destination host Unreachable).

  • Adding the /etc/host.deny file like linux in solaris 10.

    Dears,
    I need to add a file which works like the /etc/hosts.deny file of Linux in Solaris.
    If it is possible in the same manner please let me know, and if it needs some other trick to deny a specific host access to the system please tell me the way to do that.
    Eagerly waiting to hear from you.
    BR//
    Sohel.

    IPfilter can deny a specific IP address access to the host - enable IPFilter with svcadm and edit the /etc/ipf/ipf.conf file to add the IP to block. An example could be:
    block in log quick on bnx0 proto tcp from 192.168.1.5/32 to any
    I use IPfilter to pass and block all sorts of specific IP addresses as well as block/allow specific ports (like only specific hosts can use port 22, ssh).

  • Oracle 11gR2 RAC VM and SCAN and DNS and /etc/hosts (two) setup questions

    Hi,
    I am looking forward to setting up two Oracle 11gR2 RAC instances
    on my Oracle VM test machine.
    I plan on using the Oracle 11gR2 RAC VM template.
    I want the final Oracle 11gR2 RAC instances to have SCAN that uses DNS.
    The DNS will be pre-installed in the JeOS.
    My first simple question about the setup is the following.
    In my DNS name file, for example,
    /var/named/chroot/var/named/milkyway.univ.db
    do I need to provide the racnode1 and racnode2 information,
    for example,
    # DNS name file (snippet)
    myjeos IN A 192.168.1.150
    racnode1 IN A 192.168.1.161
    racnode1-vip IN A 192.168.1.163
    racnode2 IN A 192.168.1.162
    racnode2-vip IN A 192.168.1.164
    rac-scan IN A 192.168.1.131
    rac-scan IN A 192.168.1.132
    rac-scan IN A 192.168.1.133
    Or, can I just provide only the rac-scan information
    # DNS name file alternate (snippet)
    myjeos IN A 192.168.1.150
    rac-scan IN A 192.168.1.131
    rac-scan IN A 192.168.1.132
    rac-scan IN A 192.168.1.133
    What I am getting at is the following.
    Within the install process, will racnode1, racnode1-vip, racnode2,
    and racnode2-vip host names and their IP address be written
    to the RAC instances /etc/hosts files? (So I should not bother
    to put them in the DNS name file like '# DNS name file alternate (snippet)'?)
    Or, should I put the racnode and racnode-vip host names and IP addresses
    in the DNS name file like '# DNS name file (snippet)'?
    The second question is the following.
    Are the cluster name and the scan name allowed to be different?
    Currently, I would plan them to be different,
    for example, rac-cluster and rac-scan.
    Or, are they required to be the same,
    for example, rac-cluster and rac-cluster.
    Thank you.
    AIM

    AIM wrote:
    do I need to provide the racnode1 and racnode2 information,
    Or, can I just provide only the rac-scan information
    You need to provide all of it in DNS, because other hosts in your network will need to be able to resolve all of the normal, VIP and SCAN addresses for your RAC nodes. We write this data out to /etc/hosts just to reduce the amount of round-trip DNS requests the cluster nodes make for themselves.
    Are the cluster name and the scan name allowed to be different?
    They can be different.

  • How could a java process bypass etc\hosts file while doing dns lookup ?

    Hi,
    I am developing a java web proxy and developer tool, http://www.tcpcatcher.org .
    Right now it is working as a non-transparent web proxy.
    In some situation and for some hosts, I would like to turn it into a transparent web proxy.
    Suppose, user's browser and java proxy are running on same host (typically on localhost). An entry is added in etc\hosts file, for example:
    127.0.0.1 google.com
    So without any change in browser config, if the user visits google.com with their browser, the http request is received at proxy level.
    Now my proxy has to get the actual ip address of google.com bypassing the etc\hosts file (right now the proxy is doing a loop on itself).
    Any idea how this could be achieved ?
    Am I searching in wrong direction ?
    thanks !

    This is a shot in the dark, but I'll try anyway.
    Take a look at dnsjava (open source, I never played with it).
    My understanding is that using this to resolve names instead of normal Java API's would allow you to bypass etc/hosts in the java code
    (see [http://old.nabble.com/DNS-Resolve-from-hosts-file-first-then-DNS-Server-td15431381.html]).

  • Proper /etc/hosts for my situation

    Hello all,
    I just (finally) got set up through an ISP which assigns me (well the DSL modem) a publicly routable dynamic address.  Anyway, I've setup a dyndns.org hostname, and ddclient to update it, and it routes beautifully to my linux box, through the dsl modem which has the ssh port (and other services as they come up) forwarded to the proper box.
    Anyway, I was updating my /etc/hosts, and I'm wondering if I have it setup correctly.
    #<ip-address> <hostname.domain.org> <hostname>
    127.0.0.1 XXXXXXXX.homelinux.org localhost.localdomain localhost XXXXXXXX
    192.168.0.51 XXXXXXXX.homelinux.org XXXXXXXX
    192.168.0.50 regulator-pc regulator-pc.localdomain
    192.168.0.1 qwest-modem qwest-modem.localdomain
    192.168.0.2 regulator-bridge regulator-bridge.localdomain
    # End of file
    Please replace all instances of XXXXXXXX with my actual hostname.
    This box (XXXXXXXX) has a static IP of 192.168.0.51, is that line correct?
    I've left the (hostname.localdoman) stuff in my hosts lists since at one point I had a caching bind server running on my local net, but I've yet to set that up on this network.
    regulator-bridge is my dd-wrt'd wrt54g, which now is set up in client bridge mode to allow the boxes with ethernet ports to join the network (routed off the DSL modem), and so I don't have to run an ethernet cable across the living room to the DSL modem.  Works like a champ.
    Appreciate any input.
    Thanks.

    Hi,
    In /etc/hosts you have to add your IP address with the hostname; it should be something like this:
    127.0.0.1 localhost.localdomain localhost
    10.93.10.XX mysystem.localdomai
    Because I think so, here is what my /etc/hosts file looks like:
    127.0.0.1 unknown485b39d0b515.local.lan unknown485b39d0b515
    127.0.0.1 localhost.localdomain localhost
    For the below TNS lost contact error, recently I faced a similar kind of error:
    and the error i am right now getting is this
    [[email protected] ~]$ sqlplus "/as sysdba"
    SQL*Plus: Release 11.2.0.1.0 Production on Wed Aug 8 12:03:27 2012
    Copyright (c) 1982, 2009, Oracle. All rights reserved.
    ERROR:
    ORA-12547: TNS:lost contact
    Check the rights on your ORACLE_HOME/bin folder.
    $ ls -ltr oracle
    -rwxr-xr-x 1 oracle dba 25485683 Jul 2 12:02 oracle
    $ chmod 6751 oracle
    $ ls -ltr oracle
    -rwsr-s--x 1 oracle dba 25485683 Jul 2 12:02 oracle
    And check whether your user has dba group.
    This may help you..
    Thanks,
    nonuday
