Syntax of ip ranges in /etc/hosts.allow
How does one define a range of IP addresses in the /etc/hosts.allow? Pasted from the ssh wiki article
# let everyone connect to you
sshd: ALL
# OR you can restrict it to a certain ip
sshd: 192.168.0.1
# OR restrict for an IP range
sshd: 10.0.0.0/255.255.255.0
# OR restrict for an IP match
sshd: 192.168.1.
If I just want 192.168.1.2 - 192.168.1.10 (inclusive), what would the syntax be for this?
192.168.1.2/192.168.1.10 didn't work for me.
Thanks.
You can't do this on a single line AFAIK since .2 to .10 doesn't fit in any valid CIDR mask. You will need to add a line for each host individually:
sshd: 192.168.1.2
sshd: 192.168.1.3
sshd: 192.168.1.4
sshd: 192.168.1.5
sshd: 192.168.1.6
sshd: 192.168.1.7
sshd: 192.168.1.8
sshd: 192.168.1.9
sshd: 192.168.1.10
Technically there are multiple /30 masks that fit within that, but you'd still have to have multiple lines.
Last edited by fukawi2 (2009-06-06 22:45:26)
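An added example, not part of the original thread, that turns an inclusive range into the `n.n.n.n/m.m.m.m` net/mask client patterns hosts_access(5) accepts, and then checks the generated rules with a small matcher for the client-pattern forms the question lists (ALL, net/mask, a trailing-dot prefix, an exact address). It goes beyond the answer above in one respect: the daemon and client fields of a rule are lists, so several patterns may share one line separated by blanks or commas, and the matcher accepts that form too. The matcher is a model for sanity-checking your own file, not libwrap itself: host-name patterns, EXCEPT, netgroups and option fields are left out by assumption.

```python
import ipaddress


def range_to_hosts_allow(daemon, first, last):
    """Cover the inclusive IPv4 range first..last with the fewest net/mask
    patterns and emit one hosts.allow line per pattern, in the
    'n.n.n.n/m.m.m.m' form documented in hosts_access(5)."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    return [
        f"{daemon}: {net.network_address}/{net.netmask}"
        for net in ipaddress.summarize_address_range(start, end)
    ]


def client_pattern_matches(pattern, client_ip):
    """Subset of hosts_access(5) client patterns: ALL, 'net/mask',
    a prefix ending in '.', or an exact address. Host-name patterns,
    EXCEPT and netgroups are deliberately not modelled."""
    if pattern.upper() == "ALL":
        return True
    addr = int(ipaddress.IPv4Address(client_ip))
    if "/" in pattern:
        net_s, mask_s = pattern.split("/", 1)
        net = int(ipaddress.IPv4Address(net_s))
        mask = int(ipaddress.IPv4Address(mask_s))
        # Same test tcp_wrappers uses; a net with host bits set never matches.
        return (addr & mask) == net
    if pattern.endswith("."):
        # '192.168.1.' is a textual prefix match, so it cannot match 192.168.10.x.
        return client_ip.startswith(pattern)
    return pattern == client_ip


def hosts_allow_permits(lines, daemon, client_ip):
    """First rule whose daemon list and client list both match wins,
    as in hosts_access(5). Lists are separated by blanks or commas."""
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        if not any(d.upper() == "ALL" or d == daemon for d in daemons):
            continue
        clients = fields[1].replace(",", " ").split()
        if any(client_pattern_matches(p, client_ip) for p in clients):
            return True
    return False


if __name__ == "__main__":
    rules = range_to_hosts_allow("sshd", "192.168.1.2", "192.168.1.10")
    print("\n".join(rules))
    for host in ("192.168.1.1", "192.168.1.2", "192.168.1.10", "192.168.1.11"):
        print(host, "granted" if hosts_allow_permits(rules, "sshd", host) else "denied")
```

For .2 through .10 this emits four net/mask rules (a /31, a /30, a /31 and a /32 in CIDR terms) instead of nine single-host lines, and the matcher confirms .1 and .11 stay outside. Treat the model as a pre-check only; run tcpdmatch against the real file afterwards, because it does not know which extensions your libwrap build was compiled with.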
Similar Messages
-
Entry in /etc/hosts.allow for insecure VNC?
I read the ssh wiki article which teaches to add an entry to /etc/hosts.allow for sshd. I know that tunneling vnc through sshd is the way to go security wise, however, there are cases where I need to switch on un-encrypted vnc for the purposes of sharing my X11 session with family members. Anyway, my question deals with an entry in the /etc/hosts.allow for gnome's desktop sharing (which is vnc as I understand it). Does anyone know the syntax to allow vnc for any incoming connection (default port of 5900).
I have tried:
vino: ALL
Xvnc: ALL
X11vnc: ALL
None of which worked.
Thanks!
When I don't know the name of the process listening on a specific port, I always execute
netstat -tnlp
to get the proper process names. -
Sshd ignores /etc/hosts.allow and /etc/hosts.deny
Hello everyone,
I've just found out that sshd ignores /etc/hosts.allow and /etc/hosts.deny completely on my machine. It doesn't make use of tcp_wrappers. I am using the standard Arch package. Either my settings are wrong, or this is a severe security problem. It was a terrible surprise to find out that my server is under severe dictionary attacks all the time, despite the denyhosts script I am using.
These are my settings:
/etc/hosts.deny:
ALL: ALL
/etc/hosts.allow:
# some nfs daemons: 192.168.1.0/255.255.255.0
sshd sshd1 sshd2: ALL EXCEPT /etc/hosts.evil
mysqld: 192.168.1.0/255.255.255.0
/etc/hosts.evil:
195.113.21.131
60.10.6.53
A simple experiment to verify the settings:
[root@charon etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.131
warning: sshd: no such process name in /etc/xinetd.conf
client: address 195.113.21.131
server: process sshd
matched: hosts.deny line 5
access: denied
[root@charon etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.130
warning: sshd: no such process name in /etc/xinetd.conf
client: address 195.113.21.130
server: process sshd
matched: hosts.allow line 10
access: granted
This seems to be fine. But when I go to the machine 195.113.21.131, I can simply log in with no trouble at all.
This is really strange. Does it have something to do with the xinetd warning? I am not using xinetd... Maybe I'm doing something wrong. If you have experienced such trouble, please give me a hint.
elasticdog wrote:So should our package not have the ListenAddress 0.0.0.0 line uncommented by default? My guess would be that since it listens on all local addresses by default, we're just overwriting that when specifying 0.0.0.0, which isn't valid. That way users don't have to specify their local IP address. Unless I'm wrong, shouldn't this be a bug/feature request for the packager?
This doesn't seem to be a package bug... IMHO, sshd must respect all the settings in hosts.deny and hosts.allow, regardless of the IP address it listens on. The behaviour I noticed seems to be much more complicated. Basic settings (daemon name mentioned in hosts.*) worked, as far as I didn't want a "per IP" configuration. For example, including the daemon in hosts.allow really enabled remote connections, but any closer specifications (subdomains, EXCEPT operator...) were ignored. Access was simply granted without further evaluation. Excluding sshd from hosts.allow worked as one would assume. When I specified ListenAddress, everything started to work properly. This is mysterious. There are millions of computers using tcp wrappers and ssh, so it's hard to believe there could be a bug. -
/etc/hosts.allow versus iptables/firewall?
What's the relation between the /etc/hosts.allow and /etc/hosts.deny files, on the one hand, and a host firewall on the other? If I'm going to configure iptables on a machine, is there any point to having any non-trivial rules in /etc/hosts.allow and /etc/hosts.deny too? Or should I just set them to let everything connect and do all my configuration through iptables?
(Well, really, I'm going to use some iptables-for-dummies tool like ufw or firehol.)
I cannot agree that hosts.{allow,deny} are 'a lot more basic'. They're different from iptables: they work on a different level and offer different capabilities, but it would be much harder with iptables to grant/deny access according to:
- ident lookup
- NIS netgroup
- domain name
- consistent ip->name and name->ip mapping
and so on; man 5 hosts_access and man hosts_options contain some examples. On the actions side, in addition to granting or denying access, an arbitrary command can be run in parallel with or instead of the called service, with some useful information about the connection available as %variables.
Tcp_wrappers do not have to be called by the protected service itself; they can be used with everything that uses TCP and can be run via (x)inetd, with a little help from tcpd(8).
I prefer iptables myself (no use in letting unwanted traffic pass any further than strictly necessary), but tcp_wrappers make a really nice and useful complementary solution. -
Tcp wrappers /etc/hosts.allow format
since most of the services that were originally run from
the /etc/inet/inetd.conf file on pre-Solaris 10 systems
are now run from smf, what are the "in.*" service names
that should be placed in the /etc/hosts.allow file?
also is there a "safe_finger" available for use that can
be used in the /etc/hosts.deny file or should the
"standard" Solaris 10 finger be used?
Thanks -
Having issues-/etc/hosts.deny /etc/hosts.allow!
OK-I just did an install of Arch '09 x86_64 core on my HP Pavilion a810n AMD Athlon64 3300+. I got to the part about configuring and the directions just aren't very clear...What EXACTLY do I input to both deny/allow to be able to get on the net to install gnome/X, etc??
Why would anyone by default have the net services turned off when to have a viable OS you need more packages-did someone miss that?
Thanks.
From the Beginners Guide:
If you do not plan on using the ssh daemon, leave this file at the default, (empty), for added security.
It seems you may be confusing the contents of this file with your inability to reach the network.
What is the exact error(s) you are receiving?
Did you leave the file empty (all lines commented out) ? -
Pure-ftpd setup (hosts.allow & hosts.deny)
hello,
i have installed pure-ftpd. i have it in the daemon section in rc.conf and it's working (visible from outside) although my /etc/hosts.deny is
ALL: ALL: DENY
and in /etc/hosts.allow there isn't any entry for pure-ftpd (just sshd).
isn't that weird?
thanx for answers.
If your version of pure-ftpd was built without tcpwrappers, that might explain it.
-
Hosts.allow option spawn parameter not work
Hi,
I would like to use BlockHosts and spawn it with the spawn keyword from hosts.allow, but the option parameter does nothing for me.
I tried several configurations with different sshd entries and results are below
hosts.deny:
ALL:ALL:DENY
With hosts.allow:
sshd:ALL
I can connect to sshd.
With hosts.allow:
sshd:ALL:DENY
I can still connect to sshd. But I do not know why.
With hosts.allow:
sshd:ALL:spawn (echo "some tries to log" >> /var/tmp/sshd.tmp)
I can connect but nothing is written to temporary log file.
With an empty hosts.allow I cannot connect to sshd.
I cannot find any clue; from the man entry everything seems clear, but it does not work as it is written in the doc.
Thanks,
Ondra
Last edited by xnovako2 (2010-02-20 16:53:23)
The access files are read in order: /etc/hosts.allow, then /etc/hosts.deny.
By default, /etc/hosts.deny contains ALL:ALL:DENY. Only the first two fields are important; the third, DENY, is the placeholder for shell scripts. Only the first two are considered, so ALL:ALL means that all daemons for all connections will not be allowed access. You can specifically add a service like sshd using sshd:ALL in /etc/hosts.allow to allow access.
In sshd:ALL:DENY, the DENY part is the place where you should put the location of your shell script (absolute path); writing DENY will not deny it access.
http://linux.die.net/man/5/hosts.allow
use the above link for a complete help on this. -
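An added example, not part of the thread above, that models how the third and later fields of a rule are handled. The classic hosts_access(5) format is `daemon_list : client_list : shell_command`, so in a libwrap built without option processing the third field really is a command, which is what the reply describes; most Linux builds enable the hosts_options(5) extension instead, in which `allow`, `deny` and `spawn shell_command` are options, a literal `:` inside an option is written `\:`, and the %-letters from hosts_access(5) are expanded before the command runs. The connection context below is constructed for the example, and the character allowlist used to neutralise shell metacharacters in client-supplied names is an approximation of what tcpd does, not its exact table.

```python
import re

# Constructed connection context: the fields libwrap knows about one request.
SAMPLE_REQUEST = {
    "client_addr": "203.0.113.7",
    "client_name": "unknown",   # no reverse DNS result for the client
    "client_user": "unknown",   # no RFC 931 / ident lookup performed
    "server_addr": "192.0.2.10",
    "server_name": "charon",
    "daemon": "sshd",
    "pid": 4242,
}

# Approximation of tcpd's protection: anything outside this set becomes '_'
# before it is substituted into a shell command.
_SAFE = re.compile(r"[^A-Za-z0-9.@:/_-]")

KNOWN_OPTIONS = {"allow", "deny", "spawn", "twist", "keepalive", "linger", "rfc931",
                 "banners", "nice", "setenv", "umask", "user", "severity"}


def _host(name, addr):
    """%h/%H fall back to the address when no name is available."""
    return addr if name in ("unknown", "paranoid") else name


def expand_percent(template, req):
    """hosts_access(5) %-expansions: %a %A %c %d %h %H %n %N %p %s %u and %%."""
    client_host = _host(req["client_name"], req["client_addr"])
    server_host = _host(req["server_name"], req["server_addr"])
    user = req["client_user"]
    values = {
        "a": req["client_addr"], "A": req["server_addr"],
        "c": f"{user}@{client_host}" if user != "unknown" else client_host,
        "d": req["daemon"], "h": client_host, "H": server_host,
        "n": req["client_name"], "N": req["server_name"],
        "p": str(req["pid"]), "s": f'{req["daemon"]}@{server_host}', "u": user,
    }

    def sub(m):
        letter = m.group(1)
        if letter == "%":
            return "%"
        if letter not in values:
            raise ValueError(f"unrecognized %{letter} expansion")
        return _SAFE.sub("_", values[letter])

    return re.sub(r"%(.)", sub, template)


def split_fields(rule):
    """Split a rule on ':' separators; a ':' written as '\\:' stays inside its field."""
    fields, cur, i = [], [], 0
    while i < len(rule):
        if rule.startswith("\\:", i):
            cur.append(":")
            i += 2
            continue
        if rule[i] == ":":
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(rule[i])
        i += 1
    fields.append("".join(cur).strip())
    return fields


def apply_rule(rule, matched_in, req):
    """Process the option fields of a rule whose daemon and client fields already
    matched. matched_in ('hosts.allow' or 'hosts.deny') supplies the default
    decision; an allow/deny option overrides it; spawn commands are expanded and
    returned rather than executed. Option names compare case-insensitively."""
    fields = split_fields(rule)
    decision = "granted" if matched_in == "hosts.allow" else "denied"
    spawned = []
    for opt in fields[2:]:
        if not opt:
            continue
        key, _, arg = opt.partition(" ")
        key = key.lower()
        if key == "allow":
            decision = "granted"
        elif key == "deny":
            decision = "denied"
        elif key == "spawn":
            spawned.append(expand_percent(arg.strip(), req))
        elif key not in KNOWN_OPTIONS:
            raise ValueError(f"bad option or syntax: {opt!r}")
    return decision, spawned


if __name__ == "__main__":
    for where, rule in (("hosts.allow", "sshd: ALL: DENY"),
                        ("hosts.allow", 'sshd: ALL: spawn (echo "%d from %a" >> /var/tmp/sshd.tmp) &')):
        print(where, rule, "->", apply_rule(rule, where, SAMPLE_REQUEST))
```

Under this model the poster's `sshd:ALL:DENY` in hosts.allow yields a denial and the spawn line yields a granted connection plus an expanded command, so if a real host shows otherwise the likely causes are that the service is not linked against libwrap, or that the build lacks option processing; `ldd` on the daemon binary and `tcpdmatch -d` against the live files settle both.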
Is SID allowed to show up in /etc/hosts file?
Experts:
I am looking into a /etc/hosts which has something I never saw before.
Every entry in that /etc/hosts file has a format as follows:
123.23.456.678 CHERRY CHERRY.RIO.COM SID CHERRY.BRAVO.NET
For example:
123.23.456.678 CHERRY CHERRY.RIO.COM PRO CHERRY.BRAVO.NET
Observation:
0) WHY SID (here is PRD) gets into the hosts file? Would it cause some issues?
1) each entry has 2 aliases ;
2) "nslookup CHERRY.RIO.COM "
2a) will return the correct IP address IF I run this nslookup on the server
2b) will say "non-exist domain" on my PC
3) "nslookup CHERRY.BRAVO.NET"
3a) will say "non-exist domain" IF I run nslookup on the server
3b) will give the correct IP address on my PC
Thank you for help.
Hi,
If your system is in a domain, then the entries look like below
192.192.192.192 prdserver prdserver.na.jjjjjjj.com
prdserver is the host name where your SAP application is running/installed & prdserver.na.jjjjjjj.com is the hostname in the domain
Thanks
Karan -
Adding the /etc/host.deny file like linux in solaris 10.
Dears,
I need to add a file which will works like the file of /etc/hosts.deny of Linux in Solaris.
If it is possible in the same manner please let me know that, and if it need some other trick to deny a specific host to access the system please tell me the way to do that.
Eagerly waiting to hear from you.
BR//
Sohel.
IPfilter can deny a specific IP address access to the host - enable IPFilter with svcadm and edit the /etc/ipf/ipf.conf file to add the IP to block. An example could be:
block in log quick on bnx0 proto tcp from 192.168.1.5/32 to any
I use IPfilter to pass and block all sorts of specific IP addresses as well as block/allow specific ports (like only specific hosts can use port 22, ssh). -
Oracle 11gR2 RAC VM and SCAN and DNS and /etc/hosts (two) setup questions
Hi,
I am looking forward to setting up two Oracle 11gR2 RAC instances
on my Oracle VM test machine.
I plan on using the Oracle 11gR2 RAC VM template.
I want the final Oracle 11gR2 RAC instances to have SCAN that uses DNS.
The DNS will be pre-installed in the JeOS.
My first simple question about the setup is the following.
In my DNS name file, for example,
/var/named/chroot/var/named/milkyway.univ.db
do I need to provide the racnode1 and racnode2 information,
for example,
# DNS name file (snippet)
myjeos IN A 192.168.1.150
racnode1 IN A 192.168.1.161
racnode1-vip IN A 192.168.1.163
racnode2 IN A 192.168.1.162
racnode2-vip IN A 192.168.1.164
rac-scan IN A 192.168.1.131
rac-scan IN A 192.168.1.132
rac-scan IN A 192.168.1.133
Or, can I just provide only the rac-scan information
# DNS name file alternate (snippet)
myjeos IN A 192.168.1.150
rac-scan IN A 192.168.1.131
rac-scan IN A 192.168.1.132
rac-scan IN A 192.168.1.133
What I am getting at is the following.
Within the install process, will racnode1, racnode1-vip, racnode2,
and racnode2-vip host names and their IP address be written
to the RAC instances /etc/hosts files? (So I should not bother
to put them in the DNS name file like '# DNS name file alternate (snippet)'?)
Or, should I put the racnode and racnode-vip host names and IP addresses
in the DNS name file like '# DNS name file (snippet)'?
The second question is the following.
Are the cluster name and the scan name allowed to be different?
Currently, I would plan them to be different,
for example, rac-cluster and rac-scan.
Or, are they required to be the same,
for example, rac-cluster and rac-cluster.
Thank you.
AIM
AIM wrote:
do I need to provide the racnode1 and racnode2 information,
Or, can I just provide only the rac-scan information
You need to provide all of it in DNS, because other hosts in your network will need to be able to resolve all of the normal, VIP and SCAN addresses for your RAC nodes. We write this data out to /etc/hosts just to reduce the amount of round-trip DNS requests the cluster nodes make for themselves.
Are the cluster name and the scan name allowed to be different?
They can be different. -
[SOLVED] globbing in /etc/hosts or something similar
Is there any way to glob addresses in /etc/hosts?
If not, which seems to be the case, is there something else that could achieve a similar effect?
Example:
127.0.0.1 *.localhost # enable subdomains on localhost (with Apache virtual hosts)
It's not that tedious to manually add them and I could probably write a script, but it would be useful for other things (127.0.0.1 *.google.* )
Last edited by Xyne (2010-03-24 09:04:25)
BIND supports DNS wildcards, which seems to be what you're after.
Just for fun I went through the process of setting this up, and it's not too difficult. I did need to do a bit of research to figure out the syntax for the DNS zones. Fortunately, there are plenty of resources which describe this.
Briefly, the process I went through for wildcard domain resolution:
1) Install bind and invoke named
2) Ensure the nameserver is included in resolv.conf and that the DNS service is in the host DB of /etc/nsswitch.conf
3) Edit /etc/named.conf and the corresponding zone file.
There's an article on debian-administration which focuses on exactly the case you proposed.
Last edited by chpln (2010-03-23 11:04:56) -
/etc/hosts in Snow Leopard: ping works, browsers don't?
I've had success in the past using /etc/hosts to direct web browsers to a test server instead of the production server, but it's not working in OS X 10.6.7.
I edit the hosts file:
$ sudo vi /etc/hosts
Add my entry:
# Host Database
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
127.0.0.1 localhost dev.localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
111.111.111.111 server.com
Flush the cache:
$ dscacheutil -flushcache
Test with ping:
PING server.com (111.111.111.111): 56 data bytes
64 bytes from 111.111.111.111: icmp_seq=0 ttl=46 time=220.423 ms
64 bytes from 111.111.111.111: icmp_seq=1 ttl=46 time=242.509 ms
All seems good, but when I load http://server.com in a browser (safari, firefox, chrome), I get the production server and not 111.111.111.111. What did I miss?
Yep, thank you. It's not my server and is coughing up responses that somehow eventually kick me back over to the production content.
I don't expect further help (I probably won't pursue it further myself), but just for grins here's an example telnet request:
$ telnet server.com 80
Trying 111.111.111.111...
Connected to server.com.
Escape character is '^]'.
GET / HTTP/1.1
Host: server.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 06 Jul 2011 20:06:43 GMT
Server: Apache
Last-Modified: Thu, 24 Mar 2011 11:40:59 GMT
ETag: "62206ad-6f-49f38f37ec8c0"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Type: text/html
Content-Length: 111
<html><head><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>
Definitely not what I expect. Another request for /cgi-sys/defaultwebpage.cgi just gives a 404 page. Maybe the browser tries a real DNS lookup at that point. -
How could a java process bypass etc\hosts file while doing dns lookup ?
Hi,
I am developing a java web proxy and developer tool http://www.tcpcatcher.org .
Right now it is working as a non-transparent web proxy.
In some situation and for some hosts, I would like to turn it into a transparent web proxy.
Suppose, user's browser and java proxy are running on same host (typically on localhost). An entry is added in etc\hosts file, for example:
127.0.0.1 google.com
So without any change in browser config , if user visits google.com with its browser , http request is received at proxy level.
Now my proxy has to get the actual ip address of google.com bypassing the etc\hosts file (right now the proxy is doing a loop on itself).
Any idea how this could be achieved ?
Am I searching in wrong direction ?
thanks !
This is a shot in the dark, but I'll try anyway.
Take a look at dnsjava (open source, I never played with it).
My understanding is that using this to resolve names instead of normal Java API's would allow you to bypass etc/hosts in the java code
(see http://old.nabble.com/DNS-Resolve-from-hosts-file-first-then-DNS-Server-td15431381.html). -
Proper /etc/hosts for my situation
Hello all,
I just (finally) got set up through an ISP which assigns me (well the DSL modem) a publicly routable dynamic address. Anyway, I've setup a dyndns.org hostname, and ddclient to update it, and it routes beautifully to my linux box, through the dsl modem which has the ssh port (and other services as they come up) forwarded to the proper box.
Anyway, I was updating my /etc/hosts, and I'm wondering if I have it setup correctly.
#<ip-address> <hostname.domain.org> <hostname>
127.0.0.1 XXXXXXXX.homelinux.org localhost.localdomain localhost XXXXXXXX
192.168.0.51 XXXXXXXX.homelinux.org XXXXXXXX
192.168.0.50 regulator-pc regulator-pc.localdomain
192.168.0.1 qwest-modem qwest-modem.localdomain
192.168.0.2 regulator-bridge regulator-bridge.localdomain
# End of file
Please replace all instances of XXXXXXXX with my actual hostname.
This box (XXXXXXXX) has a static IP of 192.168.0.51, is that line correct?
I've left the (hostname.localdoman) stuff in my hosts lists since at one point I had a caching bind server running on my local net, but I've yet to set that up on this network.
regulator-bridge is my dd-wrt'd wrt54g, which now is set up in client bridge mode to allow the boxes with ethernet ports to join the network (routed off the DSL modem), and so I don't have to run an ethernet cable across the living room to the DSL modem. Works like a champ.
Appreciate any input.
Thanks.
Hi,
In /etc/hosts you have to add your IP address with the hostname; it should be something like this.
127.0.0.1 localhost.localdomain localhost
10.93.10.XX mysystem.localdomai
because, i think so,
so here is what my /etc/hosts file looks like
127.0.0.1 unknown485b39d0b515.local.lan unknown485b39d0b515
127.0.0.1 localhost.localdomain localhost
For the below TNS lost contact error, recently I faced a similar kind of error:
and the error i am right now getting is this
[oracle@unknown485b39d0b515 ~]$ sqlplus "/as sysdba"
SQL*Plus: Release 11.2.0.1.0 Production on Wed Aug 8 12:03:27 2012
Copyright (c) 1982, 2009, Oracle. All rights reserved.
ERROR:
ORA-12547: TNS:lost contact
Check your ORACLE_HOME/bin folders rights.
$ ls -ltr oracle
-rwxr-xr-x 1 oracle dba 25485683 Jul 2 12:02 oracle
$ chmod 6751 oracle
$ ls -ltr oracle
-rwsr-s--x 1 oracle dba 25485683 Jul 2 12:02 oracle
And check whether your user is in the dba group.
This may help you..
Thanks,
nonuday