Syntax of ip ranges in /etc/hosts.allow

Similar Messages

• Entry in /etc/hosts.allow for insecure VNC?

  I read the ssh wiki article which teaches to add an entry to /etc/hosts.allow for sshd.  I am know that tunneling vnc through sshd is the way to go security wise, however, there are cases where I need to switch on un-encrypted vnc for the purposes of sharing my X11 session with family members.  Anyway, my question deals with an entry in the /etc/hosts.allow for gnome's desktop sharing (which is vnc as I understand it).  Does anyone know the syntax to allow vnc for any incoming connection (default port of 5900).
  I have tried:
  vino: ALL
  Xvnc: ALL
  X11vnc: ALL
  None of which worked.
  Thanks!

  when I don't know what's the name of the process listening to specific port, I always execute
  netstat -tnlp
  to get the proper processes' names.

• Sshd ignores /etc/hosts.allow and /etc/hosts.deny

  Hello everyone,
  I've just found out that sshd ignores /etc/hosts.allow and /etc/hosts.deny completely on my machine. It doesn't make use of tcp_wrappers. I am using the standard Arch package. Either my settings are wrong, or this is a severe security problem. It was a terrible surprise to find out that my server is under severe dictionary attacks all the time, despite the denyhosts script I am using.
  These are my settings:
  /etc/hosts.deny:
  ALL: ALL
  /etc/hosts.allow:
  # some nfs daemons: 192.168.1.0/255.255.255.0
  sshd sshd1 sshd2: ALL EXCEPT /etc/hosts.evil
  mysqld: 192.168.1.0/255.255.255.0
  /etc/hosts.evil:
  195.113.21.131
  60.10.6.53
  A simple experiment to verify the settings:
  [root@charon etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.131
  warning: sshd: no such process name in /etc/xinetd.conf
  client: address 195.113.21.131
  server: process sshd
  matched: hosts.deny line 5
  access: denied
  [root@charon etc]# tcpdmatch -d -i /etc/xinetd.conf sshd 195.113.21.130
  warning: sshd: no such process name in /etc/xinetd.conf
  client: address 195.113.21.130
  server: process sshd
  matched: hosts.allow line 10
  access: granted
  This seems to be fine. But when I go to the machine 195.113.21.131, I can simply log in with no trouble at all.
  This is really strange. Does it have something to do with the xinetd warning? I am not using xinetd... Maybe I'm doing something wrong. If you have experienced such a trouble, please give me a hint.

  elasticdog wrote:So should our package not have the ListenAddress 0.0.0.0 line uncommented by default?  My guess would be that since it listens on all local addresses by default, we're just overwriting that when specifying 0.0.0.0, which isn't valid.  That was users don't have to specify their local IP address.  Unless I'm wrong, shouldn't this be a bug/feature request for the packager?
  This doesn't seem to be a package bug... IMHO, sshd must respect all the settings in hosts.deny and hosts.allow, regardless the IP address it listens on. The behaviour I noticed seems to be much more complicated. Basic settings (daemon name mentioned in hosts.*) worked, as far as I didn't want a "per IP" configuration. For example, including the daemon in hosts.allow really enabled remote connections, but any closer specifications (subdomains, EXCEPT operator...) were ignored. Access was simply granted without further evaluation. Excluding sshd from hosts.allow worked as one would assume. When I specified ListenAddress, everything started to work properly. This is mysterious. There are millions of computers using tcp wrappers and ssh, so it's hard to believe there could be a bug.

• /etc/hosts.allow versus iptables/firewall?

  What's the relation between the /etc/hosts.allow and /etc/hosts.deny files, on the one hand, and a host firewall on the other? If I'm going to configure iptables on a machine, is there any point to having any non-trivial rules in /etc/hosts.allow and /etc/hosts.deny too? Or should I just set them to let everything connect and do all my configuration through iptables?
  (Well, really, I'm going to use some iptables-for-dummies tool like ufw or firehol.)

  I cannot agree that hosts.{allow,deny} are 'a lot more basic' They're different from iptables, they work on different level and offer different capabilities, but it would be much harder with iptables to grant/deny access according to:
  - ident lookup
  - NIS netgroup
  - domain name
  - consistent ip->name and name->ip mapping
  and so on; man 5 hosts_access and man hosts_options contain some examples. On the actions side, in addition to granting or denying access, arbitrary command can be run in parallel or instead of called service, with some useful informations about connection available as %variables.
  Tcp_wrappers do not have to be called by protected service itself; they can be used with everything that uses TCP and can be run via (x)inetd, with a little help from tcpd(8).
  I prefer iptables myself (no use in letting unwanted traffic pass any further than strictly necessary), but tcp_wrappers make a really nice and useful complementary solution.

• Tcp wrappers /etc/hosts.allow format

  since most of the services that were originally run from
  the /etc/inet/inetd.conf file on pre-Solaris 10 systems
  are now run from smf, what are the "in.*" service names
  that should be placed in the /etc/hosts.allow file?
  also is there a "safe_finger" available for use that can
  be used in the /etc/hosts.deny file or should the
  "standard" Solaris 10 finger be used?
  Thanks

  elasticdog wrote:So should our package not have the ListenAddress 0.0.0.0 line uncommented by default?  My guess would be that since it listens on all local addresses by default, we're just overwriting that when specifying 0.0.0.0, which isn't valid.  That was users don't have to specify their local IP address.  Unless I'm wrong, shouldn't this be a bug/feature request for the packager?
  This doesn't seem to be a package bug... IMHO, sshd must respect all the settings in hosts.deny and hosts.allow, regardless the IP address it listens on. The behaviour I noticed seems to be much more complicated. Basic settings (daemon name mentioned in hosts.*) worked, as far as I didn't want a "per IP" configuration. For example, including the daemon in hosts.allow really enabled remote connections, but any closer specifications (subdomains, EXCEPT operator...) were ignored. Access was simply granted without further evaluation. Excluding sshd from hosts.allow worked as one would assume. When I specified ListenAddress, everything started to work properly. This is mysterious. There are millions of computers using tcp wrappers and ssh, so it's hard to believe there could be a bug.

• Having issues-/etc/hosts.deny /etc/hosts.allow!

  OK-I just did an install of Arch '09 x86_64 core on my HP Pavillion a810n AMD Athlon64 3300+. I got to the part about configuring and the directions just aren't very clear...What EXACTLY do I input to both deny/allow to be able to get on the net to install gnome/X, etc??
  Why would anyone by default have the net services turned off when to have a Viable OS you need more packages-did someone miss that?
  Thanks.

  From the Beginners Guide:
  If you do not plan on using the ssh daemon, leave this file at the default, (empty), for added security.
  It seems you may be confusing the contents of this file with your inability to reach the network.
  What is the exact error(s) you are receiving?
  Did you leave the file empty (all lines commented out) ?

• Pure-ftpd setup (hosts.allow & hosts.deny)

  hello,
  i have installed pure-ftpd. i have it in daemon section in rc.conf and it's working (wisible from outside) althought my /etc/hosts.deny is
  ALL: ALL: DENY
  and in /etc/hosts.allow isn't any notice about pure-ftpd (just sshd).
  isn't that weird?
  thanx for answers.

  If your version of pure-ftpd was build without tcpwrappers, but might explain it.

• Hosts.allow option spawn parameter not work

  Hi,
  I would like to use BlockHosts and spawn it with spawn keyword from hosts:allow, but option parameter does nothing for me.
  I tried several configurations with different sshd entries and results are below
  hosts.deny:
  ALL:ALL:DENY
  With hosts.allow:
  sshd:ALL
  I can connect to sshd.
  With hosts.allow:
  sshd:ALL:DENY
  I can still connect to sshd. But I do not know why.
  With hosts.allow:
  sshd:ALL:spawn (echo "some tries to log" >> /var/tmp/sshd.tmp)
  I can connect but nothing is written to temporary log file.
  With empty hosts:allow I cannot connect to sshd.
  I cannot find any clue, from man entry everything seems clear, but it does not work as it is written in doc.
  Thanks,
  Ondra
  Last edited by xnovako2 (2010-02-20 16:53:23)

  the Access files are read in order of /etc/hosts.allow, and /etc/hosts.deny
  by default, /etc/hosts.deny contains ALL:ALL:DENY, only the first two are important, then third DENY is the placeholder for shell scripts, only the first two are considered, so ALL:ALL means that all daemons for all connections will not be allowed access, you can specifically add a specific service like sshd using sshd:ALL in /etc/hosts.allow to allow access.
  sshd:ALL:DENY, the DENY part is the place where you should put the location of your shell script (absolute path), writing DENY will not deny it access
  http://linux.die.net/man/5/hosts.allow
  use the above link for a complete help on this.

• Is SID allowed to show up in /etc/hosts file?

  Experts:
  I am looking into a /etc/hosts which has something I never saw before.
  Every entry in that /etc/hosts file has a format as follows:
  123.23.456.678 CHERRY CHERRY.RIO.COM SID CHERRY.BRAVO.NET
  For example:
  123.23.456.678 CHERRY CHERRY.RIO.COM PRO CHERRY.BRAVO.NET
  Observation:
  0) WHY SID (here is PRD) gets into the hosts file? Would it cause some issues?
  1) each entry has 2 aliases ;
  2) "nslookup CHERRY.RIO.COM "
  2a) will return the correct IP address IF I run this nslookup on the server
  2b) will say "non-exist domain" on my PC
  3) "nslookup CHERRY.BRAVO.NET"
  3a) will say "non-exist domain" IF I run nslookup on the server
  3b) will give the correct IP address on my PC
  Thank you for help.

  Hi,
  If your system in domain than the entries look like below
  192.192.192.192    prdserver        prdserver.na.jjjjjjj.com 
  Prd server is an host name where your SAP application is running/installed &    prdserver.na.jjjjjjj.com is a hostname  in domain
  Thnaks
  Karan

• Adding the /etc/host.deny file like linux in solaris 10.

  Dears,
  I need to add a file which will works like the file of /etc/hosts.deny of Linux in Solaris.
  If it is possible in the same manner please let me know that, and if it need some other trick to deny a specific host to access the system please tell me the way to do that.
  Eagerly waiting to hear from you.
  BR//
  Sohel.

  IPfilter can deny a specific IP address access to the host - enable IPFilter with svcadm and edit the /etc/ipf/ipf.conf file to add the IP to block. An example could be:
  block in log quick on bnx0 proto tcp from 192.168.1.5/32 to any
  I use IPfilter to pass and block all sorts of specific IP addresses as well as block/allow specific ports (like only specific hosts can use port 22, ssh).

• Oracle 11gR2 RAC VM and SCAN and DNS and /etc/hosts (two) setup questions

  Hi,
  I am looking forward to setting up two Oracle 11gR2 RAC instances
  on my Oracle VM test machine.
  I plan on using the Oracle 11gR2 RAC VM template.
  I want the final Oracle 11gR2 RAC instances to have SCAN that uses DNS.
  The DNS will be pre-installed in the JeOS.
  My first simple question about the setup is the following.
  In my DNS name file, for example,
  /var/named/chroot/var/named/milkyway.univ.db
  do I need to provide the racnode1 and racnode2 information,
  for example,
  # DNS name file (snippet)
  myjeos IN A 192.168.1.150
  racnode1 IN A 192.168.1.161
  racnode1-vip IN A 192.168.1.163
  racnode2 IN A 192.168.1.162
  racnode2-vip IN A 192.168.1.164
  rac-scan IN A 192.168.1.131
  rac-scan IN A 192.168.1.132
  rac-scan IN A 192.168.1.133
  Or, can I just provide only the rac-scan information
  # DNS name file alternate (snippet)
  myjeos IN A 192.168.1.150
  rac-scan IN A 192.168.1.131
  rac-scan IN A 192.168.1.132
  rac-scan IN A 192.168.1.133
  What I am getting at is the following.
  Within the install process, will racnode1, racnode1-vip, racnode2,
  and racnode2-vip host names and their IP address be written
  to the RAC instances /etc/hosts files? (So I should not bother
  to put them in the DNS name file like '# DNS name file alternate (snippet)'?)
  Or, should I put the racnode and racnode-vip host names and IP addresses
  in the DNS name file like '# DNS name file (snippet)'?
  The second question is the following.
  Are the cluster name and the scan name allowed to be different?
  Currently, I would plan them to be different,
  for example, rac-cluster and rac-scan.
  Or, are they required to be the same,
  for example, rac-cluster and rac-cluster.
  Thank you.
  AIM

  AIM wrote:
  do I need to provide the racnode1 and racnode2 information,
  Or, can I just provide only the rac-scan information You need to provide all of it in DNS, because other hosts in your network will need to be able to resolve all of the normal, VIP and SCAN addresses for your RAC nodes. We write this data out to /etc/hosts just to reduce the amount of round-trip DNS requests the cluster nodes make for themselves.
  Are the cluster name and the scan name allowed to be different?They can be different.

• [SOLVED] globbing in /etc/hosts or something similar

  Is there any way to glob addresses in /etc/hosts?
  If not, which seems to be the case, is there something else that could achieve a similar effect?
  Example:
  127.0.0.1 *.localhost # enable subdomains on localhost (with Apache virtual hosts)
  It's not that tedious to manually add them and I could probably write a script, but it would be useful for other things (127.0.0.1 *.google.* )
  Last edited by Xyne (2010-03-24 09:04:25)

  BIND supports DNS wildcards, which seems to be what you're after.
  Just for fun I went through the process of setting this up, and it's not too difficult.  I did need to do a bit of research to figure out the syntax for the DNS zones.  Fortunately, there are plenty of resources which describe this.
  Briefly, the process I went through for wildcard domain resolution:
  1) Install bind and invoke named
  2) Ensure the nameserver is included in resolv.conf and that the DNS service is in the host DB of /etc/nsswitch.conf
  3) Edit /etc/named.conf and the corresponding zone file.
  There's an article on debian-administration which focuses on exactly the case you proposed.
  Last edited by chpln (2010-03-23 11:04:56)

• /etc/hosts in Snow Leopard: ping works, browsers don't?

  I've had success in the past using /etc/hosts to direct web browsers to a test server instead of the production server, but it's not working in OS X 10.6.7.
  I edit the hosts file:
  $ sudo vi /etc/hosts
  Add my entry:
  # Host Database
  # localhost is used to configure the loopback interface
  # when the system is booting.  Do not change this entry.
  127.0.0.1   localhost dev.localhost
  255.255.255.255   broadcasthost
  ::1             localhost
  fe80::1%lo0 localhost
  111.111.111.111 server.com
  Flush the cache:
  $ dscacheutil -flushcache
  Test with ping:
  PING server.com (111.111.111.111): 56 data bytes
  64 bytes from 111.111.111.111: icmp_seq=0 ttl=46 time=220.423 ms
  64 bytes from 111.111.111.111: icmp_seq=1 ttl=46 time=242.509 ms
  All seems good, but when I load http://server.com in a browser (safari, firefox, chrome), I get the production server and not 111.111.111.111. What did I miss?

  Yep, thank you. It's not my server and is coughing up responses that somehow eventually kick me back over to the production content.
  I don't expect further help (I probably won't pursue it further myself), but just for grins here's an example telnet request:
  $ telnet server.com 80
  Trying 111.111.111.111...
  Connected to server.com.
  Escape character is '^]'.
  GET / HTTP/1.1
  Host: server.com
  Cache-Control: no-cache
  HTTP/1.1 200 OK
  Date: Wed, 06 Jul 2011 20:06:43 GMT
  Server: Apache
  Last-Modified: Thu, 24 Mar 2011 11:40:59 GMT
  ETag: "62206ad-6f-49f38f37ec8c0"
  Accept-Ranges: bytes
  Vary: Accept-Encoding
  Content-Type: text/html
  Content-Length: 111
  <html><head><META HTTP-EQUIV="refresh" CONTENT="0;URL=/cgi-sys/defaultwebpage.cgi"></head><body></body></html>
  Definitely not what I expect. Another request for /cgi-sys/defaultwebpage.cgi just gives a 404 page. Maybe the browser tries a real DNS lookup at that point.

• How could a java process bypass etc\hosts file while doing dns lookup ?

  Hi,
  I am developing a java web proxy and developer tool [http://www.tcpcatcher.org|http://www.tcpcatcher.org] .
  Right now it is working as a none transparent web proxy.
  In some situation and for some hosts, I would like to turn it into a transparent web proxy.
  Suppose, user's browser and java proxy are running on same host (typically on localhost). An entry is added in etc\hosts file, for example:
  127.0.0.1 google.com
  So without any change in browser config , if user visits google.com with its browser , http request is received at proxy level.
  Now my proxy has to get the actual ip address of google.com bypassing the etc\hosts file (right now the proxy is doing a loop on itself).
  Any idea how this could be achieved ?
  Am I searching in wrong direction ?
  thanks !

  This is a shot in the dark, but I'll try anyway.
  Take a look at dnsjava (open source, I never played with it).
  My understanding is that using this to resolve names instead of normal Java API's would allow you to bypass etc/hosts in the java code
  (see [http://old.nabble.com/DNS-Resolve-from-hosts-file-first-then-DNS-Server-td15431381.html]).

• Proper /etc/hosts for my situation

  Hello all,
  I just (finally) got set up through an ISP which assigns me (well the DSL modem) a publicly routable dynamic address.  Anyway, I've setup a dyndns.org hostname, and ddclient to update it, and it routes beautifully to my linux box, through the dsl modem which has the ssh port (and other services as they come up) forwarded to the proper box.
  Anyway, I was updating my /etc/hosts, and I'm wondering if I have it setup correctly.
  #<ip-address> <hostname.domain.org> <hostname>
  127.0.0.1 XXXXXXXX.homelinux.org localhost.localdomain localhost XXXXXXXX
  192.168.0.51 XXXXXXXX.homelinux.org XXXXXXXX
  192.168.0.50 regulator-pc regulator-pc.localdomain
  192.168.0.1 qwest-modem qwest-modem.localdomain
  192.168.0.2 regulator-bridge regulator-bridge.localdomain
  # End of file
  Please replace all instances of XXXXXXXX with my actual hostname.
  This box (XXXXXXXX) has a static IP of 192.168.0.51, is that line correct?
  I've left the (hostname.localdoman) stuff in my hosts lists since at one point I had a caching bind server running on my local net, but I've yet to set that up on this network.
  regulator-bridge is my dd-wrt'd wrt54g, which now is set up in client bridge mode to allow the boxes with ethernet ports to join the network (routed off the DSL modem), and so I don't have to run an ethernet cable across the living room to the DSL modem.  Works like a champ.
  Appreciate any input.
  Thanks.

  Hi,
  In the etc/hosts you have add ur ip address with hostname, something like this it should be.
  127.0.0.1 localhost.localdomain localhost
  10.93.10.XX mysystem.localdomai
  because, i think so,so here is what my /etc/hosts file looks like
  127.0.0.1 unknown485b39d0b515.local.lan unknown485b39d0b515
  127.0.0.1 localhost.localdomain localhostFor the below TNS lost contact error, recently I faced a similar kind of error:
  and the error i am right now getting is this
  [oracle@unknown485b39d0b515 ~]$ sqlplus "/as sysdba"
  SQL*Plus: Release 11.2.0.1.0 Production on Wed Aug 8 12:03:27 2012
  Copyright (c) 1982, 2009, Oracle. All rights reserved.
  ERROR:
  ORA-12547: TNS:lost contact
  Check your ORACLE_HOME/bin folders rights.
  $ ls -ltr oracle
  -rwxr-xr-x 1 oracle dba 25485683 Jul 2 12:02 oracle
  $ chmod 6751 oracle
  $ ls -ltr oracle
  -rwsr-s--x 1 oracle dba 25485683 Jul 2 12:02 oracle
  And check whether your user has dba group.
  This may help you..
  Thanks,
  nonuday