Sshd ignores /etc/hosts.allow and /etc/hosts.deny

Similar Messages

• [SOLVED] how do hosts.allow and hosts.deny work?

  I understand the basic concepts of hosts.allow and hosts.deny, but I am interested in how it works.  What actually blocks access to the services?  Do they do it themselves?  Or it is something in the kernel that does it?
  For example, if I have this in my hosts.allow:
  sshd:all
  #mysqld: all
  And this is my hosts.deny:
  ALL: ALL: DENY
  This will result in people being able to connect to sshd but not mysqld.  Are sshd and mysqld programmed to read these hosts.allow and hosts.deny files?  Or is there something stopping the connection before it even gets to the daemon?
  The hosts.allow and hosts.deny man pages refer to tcpd, but it is not running on my system.  Also, hosts.allow and hosts.deny never show up in the output of `lsof`.  hosts.allow and hosts.deny belong to the tcp_wrappers package, but there is nothing else in the package that illuminates my question.
  Last edited by partner55083777 (2010-03-15 12:35:51)

  Thanks guys.
  However most common network service daemons today can be linked against libwrap directly.
  Sure enough,
  $ ldd /usr/sbin/sshd
      linux-vdso.so.1 =>  (0x00007123451ff000)
      libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00007fffbd6d000)
      libpam.so.0 => /lib/libpam.so.0 (0x00007f99765f1000)
  $
  Here is also a little bit more information about libwrap:
  http://en.wikipedia.org/wiki/Libwrap
  Last edited by partner55083777 (2010-03-15 20:03:11)

• Daemons for hosts.allow and hosts.deny?

  I want to use hosts.allow and hosts.deny to restrict access to my servers, but I'm not sure what daemons to use in the config files for services like remote desktop or server admin. Is there any way to specify those services? Can you do it with port numbers instead of service names (man 5 hosts_access wasn't very clear to me).
  For services like http and ssh, its a no-brainer, but I can't figure out the Apple specific stuff.
  Thanks,
  Miles
  11 G4 XServes...   Mac OS X (10.4.5)  

  If you are referring to the python script, "denyhosts" that works in conjunction with xinetd, this simply works under 10.3.x, I've used it once successfully. It needs to be configured correctly, but it does work. Did not try it with 10.4, but...
  the far better option is described by Leland.

• How to get the "host printer" and "destination host" as part of spad output

  Hi ..
  If i run the spad tcode and then i choose one printer, i see 4 folders: Device Attributes, Access Method, Output Attributes and Tray Info.
  if i go to Devicess attributes i see: Device Type, Spool Server, Host, Device Class, Model, location , Message, lock printer in sap system.
  If i go to Access Method i see the fields: Host Spool Access Method, Host Printer and Destination Host.
  I am creating a report that needs the information mixed between the folder Device Type and Access Method folder
  If i run spad tcode and enter "*" in Output devices i see only some of the fields i need but i need to see other fields that are contained into Access Method folder, this means, i need the complete report of all printers i have in my system with this fields:
  Device Attribute - Output device   (spad - entering "*")
  Device Attribute - Spool Server (spad - entering "*")
  Device Attribute - Location or message  (spad - entering "*")
  Device Attribute - Lock printer in SAP system (i do not see it if i run spad and choose all "*")
  Access Method - Host Printer  (i do not see it if i run spad and choose all "*")
  Access Method - Destination Host  (i do not see it if i run spad and choose all "*")
  Access Method - Do not Query Host Spooler for Output Status.  (i do not see it if i run spad and choose all "*")
  Could you please le tme know how can i get the output of all the devices (printers) i have in my system with the above fields showed?
  Thanks in advance.
  Sapskystars.

  As far as I can read you can find all that info in table TSP03D
  Regards
  Juan

• Setting global umask via NSUmask or /etc/launchd.conf and /etc/launchd-user.conf broken?

  The procedure to change the default global umask from 0022 to 0002, so that most files created by one user on a machine will be read-write by other users in the same group, seems to have been broken or to have been changed in OS X Lion from OS X Snow Leopard.  What worked as far back as OS X 10.4 and was officially documented was done from Terminal: "defaults write /Library/Preferences/.GlobalPreferences NSUmask 2" (with a sudo, if not logged in as 'root').
  Another way documented in various places and which I actually used through OS X 10.6 was also done via Terminal. Two files were created: /etc/launchd.conf (for system-wide global umask) or /etc/launchd-user.conf (for user-specific global umask).  The contents of each were simply the single umask command, "umask 002" or ("umask u=rwx,g=rwx,o=rx", I can't remember which variant I used - they're functionally the same, though).
  No matter which method I use, the 2nd or the 1st, the global umask no longer changes.
  Does anyone know whether this has been deliberately hobbled under OS X Lion, requiring purchase of OS X Lion Server?  Is this an OS X Lion bug?  Or, am I looking at something wrong?

  See this support article, which was written for OS X Server, but seems applicable to  Mac OS X client versions as well:
  Mac OS X Server v10.5, 10.6: Setting a custom umask
  The excerpt below describes the use of /etc/launchd-user.conf, and strongly cautions against using /etc/launchd.conf.
  Umask for user applications
  In Mac OS X v10.5.3 and later, you can create the file /etc/launchd-user.conf with the contents "umask nnn". Do not include the quotation marks and replace nnn with the desired umask value, such as 027 or 002.
  This will set the user's umask for all applications they launch, such as Finder, TextEdit, or Final Cut Pro, and control the permissions set on new files created by any of these applications.
  Umask for system processes
  In Mac OS X v10.4 and later, create the file /etc/launchd.conf with the contents "umask nnn". Do not include the quotation marks and replace nnn with the desired umask value, such as 027 or 002.
  This will set the umask for all processes. Changing this value is strongly discouraged because it changes the permissions on files used by the system software. If the permissions are too restrictive, dependent software may not work. If the permissions are too open, they may introduce security issues.

• [SOLVED] grub2 recreate /etc/default/grub and /etc/grub.d

  I made lot of changes on /etc/default/grub so i decided to remove it along with the /etc/grub.d/* to start from scratch. I thought that after reinstalling grub-bios package these files will be automatically recreated. But I wasn't right. How can I get them recreated?
  Last edited by dummyan (2012-08-25 19:06:29)

  Found the solution, files are actually included in grub-common package. Marking as solved.

• /etc/hosts.allow versus iptables/firewall?

  What's the relation between the /etc/hosts.allow and /etc/hosts.deny files, on the one hand, and a host firewall on the other? If I'm going to configure iptables on a machine, is there any point to having any non-trivial rules in /etc/hosts.allow and /etc/hosts.deny too? Or should I just set them to let everything connect and do all my configuration through iptables?
  (Well, really, I'm going to use some iptables-for-dummies tool like ufw or firehol.)

  I cannot agree that hosts.{allow,deny} are 'a lot more basic' They're different from iptables, they work on different level and offer different capabilities, but it would be much harder with iptables to grant/deny access according to:
  - ident lookup
  - NIS netgroup
  - domain name
  - consistent ip->name and name->ip mapping
  and so on; man 5 hosts_access and man hosts_options contain some examples. On the actions side, in addition to granting or denying access, arbitrary command can be run in parallel or instead of called service, with some useful informations about connection available as %variables.
  Tcp_wrappers do not have to be called by protected service itself; they can be used with everything that uses TCP and can be run via (x)inetd, with a little help from tcpd(8).
  I prefer iptables myself (no use in letting unwanted traffic pass any further than strictly necessary), but tcp_wrappers make a really nice and useful complementary solution.

• Hosts.allow option spawn parameter not work

  Hi,
  I would like to use BlockHosts and spawn it with spawn keyword from hosts:allow, but option parameter does nothing for me.
  I tried several configurations with different sshd entries and results are below
  hosts.deny:
  ALL:ALL:DENY
  With hosts.allow:
  sshd:ALL
  I can connect to sshd.
  With hosts.allow:
  sshd:ALL:DENY
  I can still connect to sshd. But I do not know why.
  With hosts.allow:
  sshd:ALL:spawn (echo "some tries to log" >> /var/tmp/sshd.tmp)
  I can connect but nothing is written to temporary log file.
  With empty hosts:allow I cannot connect to sshd.
  I cannot find any clue, from man entry everything seems clear, but it does not work as it is written in doc.
  Thanks,
  Ondra
  Last edited by xnovako2 (2010-02-20 16:53:23)

  the Access files are read in order of /etc/hosts.allow, and /etc/hosts.deny
  by default, /etc/hosts.deny contains ALL:ALL:DENY, only the first two are important, then third DENY is the placeholder for shell scripts, only the first two are considered, so ALL:ALL means that all daemons for all connections will not be allowed access, you can specifically add a specific service like sshd using sshd:ALL in /etc/hosts.allow to allow access.
  sshd:ALL:DENY, the DENY part is the place where you should put the location of your shell script (absolute path), writing DENY will not deny it access
  http://linux.die.net/man/5/hosts.allow
  use the above link for a complete help on this.

• How to use the hosts.allow option in Directory Server?

  I would like to limit access to a directory server instance to localhost. I see in the Directory Server Control Center that there is an option to do this with a hosts.allow and/or hosts.deny file.
  What do I enter as the service name for the instance in the hosts.allow file?
  Thank you.

  See:
  http://docs.sun.com/app/docs/doc/820-2491/6ne3dhdgt?l=en&a=view#gcwym
  And perhaps more useful:
  http://docs.sun.com/app/docs/doc/820-2495/6ne3hbg4j?l=en&a=view
  This feature is basically an app-specific instance of TCP wrappers, so look up "TCP wrappers" in your favorite search engine for more.

• Set Forwarder mail between hosting company and MS online exchange

  Hello,
  This is Dharam from Ahmedabad, I can be contacted on 9638208855 ([email protected]).
  I wants to use ms online exchange for some of users in my company. I have 10 users having mail ids with hosting company and 2 users are having exchange plan with other company by forwarding mails to particular link on 123together.com
  Yesterday, i have signup for free 365 account for 1 month, as i am expected to buy only mail exchange plan for 5 users but after getting my requirements.
  I have set the forwarder to mail id i am able to receive through the [email protected] on all application of mail such as on desktop, mobile, owa etc... but while i am replying to those users its using id [email protected]
  which can be used by [email protected] which my domain and forwarded to online exchange services.
  As my boss is having exchange plan with 123together.com i have observed that they are using forwarder and same thing but receiving and sending mail from [email protected] on all the application of mail, they didn't even asked for domain setup.
  So i want to clear some my confusion before to proceed for the paid services, that can i able to serve this service for some users and some can be able to use the existing one without exchange on the hosting company by forwarding some users to online exchange.
  I hope to hear more from you.
  Dharam Kappadiya.
  9638208855

  Hi Matthew,
  Thanks for the reply,
  My concern is i don't want to transfer my whole domain to MS Online Exchange just wants to create Account and wants to set forwarder to my [email protected] from MS to etc... and from hosting company i have to set forwarder for [email protected]
  to usera@.... whatever the id has been created.
  So is it possible to do this because while setting up an account users its asking for DNS MX Record and TXT, which is for the whole domain users and i don't wants to do than.
  So Please guide me before i can go somewhere else.

• Tcp wrappers /etc/hosts.allow format

  since most of the services that were originally run from
  the /etc/inet/inetd.conf file on pre-Solaris 10 systems
  are now run from smf, what are the "in.*" service names
  that should be placed in the /etc/hosts.allow file?
  also is there a "safe_finger" available for use that can
  be used in the /etc/hosts.deny file or should the
  "standard" Solaris 10 finger be used?
  Thanks

  elasticdog wrote:So should our package not have the ListenAddress 0.0.0.0 line uncommented by default?  My guess would be that since it listens on all local addresses by default, we're just overwriting that when specifying 0.0.0.0, which isn't valid.  That was users don't have to specify their local IP address.  Unless I'm wrong, shouldn't this be a bug/feature request for the packager?
  This doesn't seem to be a package bug... IMHO, sshd must respect all the settings in hosts.deny and hosts.allow, regardless the IP address it listens on. The behaviour I noticed seems to be much more complicated. Basic settings (daemon name mentioned in hosts.*) worked, as far as I didn't want a "per IP" configuration. For example, including the daemon in hosts.allow really enabled remote connections, but any closer specifications (subdomains, EXCEPT operator...) were ignored. Access was simply granted without further evaluation. Excluding sshd from hosts.allow worked as one would assume. When I specified ListenAddress, everything started to work properly. This is mysterious. There are millions of computers using tcp wrappers and ssh, so it's hard to believe there could be a bug.

• Oracle 11gR2 RAC VM and SCAN and DNS and /etc/hosts (two) setup questions

  Hi,
  I am looking forward to setting up two Oracle 11gR2 RAC instances
  on my Oracle VM test machine.
  I plan on using the Oracle 11gR2 RAC VM template.
  I want the final Oracle 11gR2 RAC instances to have SCAN that uses DNS.
  The DNS will be pre-installed in the JeOS.
  My first simple question about the setup is the following.
  In my DNS name file, for example,
  /var/named/chroot/var/named/milkyway.univ.db
  do I need to provide the racnode1 and racnode2 information,
  for example,
  # DNS name file (snippet)
  myjeos IN A 192.168.1.150
  racnode1 IN A 192.168.1.161
  racnode1-vip IN A 192.168.1.163
  racnode2 IN A 192.168.1.162
  racnode2-vip IN A 192.168.1.164
  rac-scan IN A 192.168.1.131
  rac-scan IN A 192.168.1.132
  rac-scan IN A 192.168.1.133
  Or, can I just provide only the rac-scan information
  # DNS name file alternate (snippet)
  myjeos IN A 192.168.1.150
  rac-scan IN A 192.168.1.131
  rac-scan IN A 192.168.1.132
  rac-scan IN A 192.168.1.133
  What I am getting at is the following.
  Within the install process, will racnode1, racnode1-vip, racnode2,
  and racnode2-vip host names and their IP address be written
  to the RAC instances /etc/hosts files? (So I should not bother
  to put them in the DNS name file like '# DNS name file alternate (snippet)'?)
  Or, should I put the racnode and racnode-vip host names and IP addresses
  in the DNS name file like '# DNS name file (snippet)'?
  The second question is the following.
  Are the cluster name and the scan name allowed to be different?
  Currently, I would plan them to be different,
  for example, rac-cluster and rac-scan.
  Or, are they required to be the same,
  for example, rac-cluster and rac-cluster.
  Thank you.
  AIM

  AIM wrote:
  do I need to provide the racnode1 and racnode2 information,
  Or, can I just provide only the rac-scan information You need to provide all of it in DNS, because other hosts in your network will need to be able to resolve all of the normal, VIP and SCAN addresses for your RAC nodes. We write this data out to /etc/hosts just to reduce the amount of round-trip DNS requests the cluster nodes make for themselves.
  Are the cluster name and the scan name allowed to be different?They can be different.

• Entry in /etc/hosts.allow for insecure VNC?

  I read the ssh wiki article which teaches to add an entry to /etc/hosts.allow for sshd.  I am know that tunneling vnc through sshd is the way to go security wise, however, there are cases where I need to switch on un-encrypted vnc for the purposes of sharing my X11 session with family members.  Anyway, my question deals with an entry in the /etc/hosts.allow for gnome's desktop sharing (which is vnc as I understand it).  Does anyone know the syntax to allow vnc for any incoming connection (default port of 5900).
  I have tried:
  vino: ALL
  Xvnc: ALL
  X11vnc: ALL
  None of which worked.
  Thanks!

  when I don't know what's the name of the process listening to specific port, I always execute
  netstat -tnlp
  to get the proper processes' names.

• Syntax of ip ranges in /etc/hosts.allow

  How does one define a range of IP addresses in the /etc/hosts.allow?  Pasted from the ssh wiki article
  # let everyone connect to you
  sshd: ALL
  # OR you can restrict it to a certain ip
  sshd: 192.168.0.1
  # OR restrict for an IP range
  sshd: 10.0.0.0/255.255.255.0
  # OR restrict for an IP match
  sshd: 192.168.1.
  If I just want 192.168.1.2 - 192.168.1.10 (inclusive), what would the syntax be for this?
  192.168.1.2/192.168.1.10 didn't work for me.
  Thanks.

  You can't do this on a single line AFAIK since .2 to .10 doesn't fit in any valid CIDR mask. You will need to add a line for each host individually:
  sshd: 192.168.1.2
  sshd: 192.168.1.3
  sshd: 192.168.1.4
  sshd: 192.168.1.5
  sshd: 192.168.1.6
  sshd: 192.168.1.7
  sshd: 192.168.1.8
  sshd: 192.168.1.9
  sshd: 192.168.1.10
  Technically there are multiple /30 masks that fit within that, but you'd still have to have multiple lines.
  Last edited by fukawi2 (2009-06-06 22:45:26)

• DHCP Reservation Sync and DNS Host record sync etc shown in IPAM GUI

  Hello all,
  I am aware of the scripts in the TechNet script center to sync DHCP leases etc to IPAM, however my question is about something else -
  If you highlight an IP address (IP address inventory->select an IP), You can see fields that say: "DHCP reservation sync", "DNS PTR record sync" and "DNS host record sync" as below:
  I was curious as to what these are for. Is there some built-in sync functionality for these that I perhaps have not enabled? (Don't see such options any where..)
  thanks,
  -Ravi

  Hi  Ravi ,
  The three columns tell us the information of the synchronization between IPAM server and DNS server (or DHCP server) .
  Here is the detailed guide for using IPAM :
  Using the IPAM Client Console :
  https://technet.microsoft.com/en-us/library/jj878351.aspx#inventory
  IPAM can sync DNS and DHCP records .
  The IPAM database is separate from DHCP and DNS servers on our network ,and full synchronization of hosts and IP addresses between IPAM and managed DNS or DHCP servers does not occur automatically
  unless we have configured automated tasks to perform this synchronization .
  For detailed information ,see
  DNS and DHCP record synchronization chapter in the following link :
  Multi-server Management :
  https://technet.microsoft.com/en-us/library/jj878329.aspx
  Best Regards,
  Leo
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]