allow and deny in fedora 7 - Security


  1. allow and deny in fedora 7

    If I write in /etc/hosts.allow:

    ALL: 127.

    and in /etc/hosts.deny:

    ALL: ALL

    then does that work in Fedora 7, where xinetd is not installed by default?


    John

  2. Re: allow and deny in fedora 7

    On 8 Sep, 16:59, john toynbee wrote:
    > If I write in /etc/hosts.allow:
    >
    > ALL: 127.
    >
    > and in /etc/hosts.deny:
    >
    > ALL: ALL
    >
    > then does that work in Fedora 7, where xinetd is not installed by default?
    >
    > John


    And what exactly is your question? What does this work for, or not
    work for?


  3. Re: allow and deny in fedora 7

    On Mon, 10 Sep 2007 01:55:41 -0700, Nico wrote:

    > On 8 Sep, 16:59, john toynbee wrote:
    >> If I write in /etc/hosts.allow:
    >>
    >> ALL: 127.
    >>
    >> and in /etc/hosts.deny:
    >>
    >> ALL: ALL
    >>
    >> then does that work in Fedora 7, where xinetd is not installed by default?
    >>
    >> John
    >
    > And what exactly is your question? What does this work for, or not work
    > for?

    Here:
    http://tldp.org/HOWTO/Security-HOWTO...-security.html
    it is written:
    "For example, a normal dial-up user can prevent outsiders from connecting
    to his machine, yet still have the ability to retrieve mail, and make
    network connections to the Internet. To do this, you might add the
    following to your /etc/hosts.allow:
    ALL: 127.
    And of course /etc/hosts.deny would contain:
    ALL: ALL
    which will prevent external connections to your machine, yet still allow
    you from the inside to connect to servers on the Internet.
    Keep in mind that tcp_wrappers only protects services executed from
    inetd, and a select few others."

    But in Fedora 7 by default there is neither inetd nor xinetd.
    Then, is changing /etc/hosts.allow and /etc/hosts.deny always useful?
    Moreover, in

    ALL: 127.

    is the full stop a misprint or not?

    John

  4. Re: allow and deny in fedora 7

    On 10 Sep, 12:20, john toynbee wrote:
    > On Mon, 10 Sep 2007 01:55:41 -0700, Nico wrote:
    > > On 8 Sep, 16:59, john toynbee wrote:
    > >> If I write in /etc/hosts.allow:
    > >>
    > >> ALL: 127.
    > >>
    > >> and in /etc/hosts.deny:
    > >>
    > >> ALL: ALL
    > >>
    > >> then does that work in Fedora 7, where xinetd is not installed by default?
    > >>
    > >> John
    > >
    > > And what exactly is your question? What does this work for, or not work
    > > for?
    >
    > Here: http://tldp.org/HOWTO/Security-HOWTO...-security.html
    > it is written:
    > "For example, a normal dial-up user can prevent outsiders from connecting
    > to his machine, yet still have the ability to retrieve mail, and make
    > network connections to the Internet. To do this, you might add the
    > following to your /etc/hosts.allow:
    > ALL: 127.
    > And of course /etc/hosts.deny would contain:
    > ALL: ALL
    > which will prevent external connections to your machine, yet still allow
    > you from the inside to connect to servers on the Internet.
    > Keep in mind that tcp_wrappers only protects services executed from
    > inetd, and a select few others."
    >
    > But in Fedora 7 by default there is neither inetd nor xinetd.
    > Then, is changing /etc/hosts.allow and /etc/hosts.deny always useful?
    > Moreover, in
    >
    > ALL: 127.
    >
    > is the full stop a misprint or not?
    >
    > John


    OK, what that *REALLY* means is "permit all services from IP addresses
    127.0.0.0/8." This means that localhost, which is typically on
    127.0.0.1, will be allowed to connect to and start inetd or xinetd
    services which use the relevant software.

    The relevant software is called "tcp_wrappers". xinetd is what
    Fedora 7 uses to start services like rsync, and it has been used for many
    different services. Xinetd follows these rules in these files. Other
    software may, with the right libraries and functions compiled in, but
    it's very hard for the authors of tcp_wrappers to guess what may use
    these libraries, so they don't try.

    Does this make sense? What are you trying to run that you might need
    hosts.deny or xinetd?


  5. Re: allow and deny in fedora 7

    On Mon, 10 Sep 2007, in the Usenet newsgroup comp.os.linux.security, in article
    , john toynbee wrote:

    >Nico wrote:


    >> And what exactly is your question? What does this work for, or not work
    >> for?


    >Here:
    >http://tldp.org/HOWTO/Security-HOWTO...-security.html


    -rw-rw-r-- 1 gferg ldp 155096 Jan 23 2004 Security-HOWTO

    >it is written:
    >"For example, a normal dial-up user can prevent outsiders from connecting
    >to his machine, yet still have the ability to retrieve mail, and make
    >network connections to the Internet.


    As I showed in response to your post in 'comp.security.firewalls' a week
    ago, use '/bin/netstat -anptu' to see what is listening. FIX THAT FIRST.

    >To do this, you might add the following to your /etc/hosts.allow:
    > ALL: 127.
    > And of course /etc/hosts.deny would contain:
    > ALL: ALL
    > which will prevent external connections to your machine, yet still allow
    >you from the inside to connect to servers on the Internet.
    > Keep in mind that tcp_wrappers only protects services executed from
    >inetd, and a select few others."


    So, if you are not running the server, there is nothing to protect.

    >But in Fedora 7 by default there is neither inetd nor xinetd.


    'inetd' was replaced in the Red Hat line in 7.0 - about seven years ago.
    I don't use Fedora, so I don't know why xinetd is not included in FC7
    (it is part of FC6 and earlier versions, and there is nothing in the
    RELEASE-NOTES file).

    >Then, is changing /etc/hosts.allow and /etc/hosts.deny always useful?


    /bin/netstat -anptu

    Is anything listening? Does what-ever application is listening know
    about tcp_wrappers or libwrap?

    >Moreover, in
    >
    >ALL: 127.
    >
    >is the full stop a misprint or not?


    [compton ~]$ whatis hosts_access tcpd
    hosts_access (3) - access control library
    hosts_access (5) - format of host access control files
    tcpd (8) - access control facility for internet services
    [compton ~]$

    man 5 hosts_access

    o A string that ends with a `.' character. A host address is
    matched if its first numeric fields match the given
    string. For example, the pattern `131.155.' matches the
    address of (almost) every host on the Eindhoven University
    network (131.155.x.x).

    Thus, '127.' matches 127.0.0.0 - 127.255.255.255.

    Old guy
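
Added example, not part of the thread: a simplified Python model of the hosts_access(5) lookup described above, showing why the trailing dot in `127.` matters and how `hosts.allow` is consulted before `hosts.deny`. It handles only `ALL`, trailing-dot prefixes, leading-dot domains, net/mask pairs and exact matches for IPv4 clients; the daemon name `rsync` and the sample addresses are assumptions, and the result applies only to a service that actually consults libwrap.

```python
import ipaddress

def parse_rules(text):
    """Return [(daemons, clients)] from hosts.allow / hosts.deny text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]   # a third field (shell command) is ignored
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def pattern_matches(pattern, addr, hostname=None):
    """Match one client pattern against the connecting client."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # '127.': leading numeric fields must match
        return addr.startswith(pattern)
    if pattern.startswith("."):      # '.example.org': hostname suffix
        return hostname is not None and hostname.endswith(pattern)
    if "/" in pattern:               # net/mask pair such as 127.0.0.0/255.0.0.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern in (addr, hostname)   # otherwise an exact address or name

def access_granted(daemon, addr, allow_text, deny_text, hostname=None):
    """hosts.allow match grants, else hosts.deny match denies, else grant."""
    def hit(text):
        return any(("ALL" in daemons or daemon in daemons)
                   and any(pattern_matches(p, addr, hostname) for p in clients)
                   for daemons, clients in parse_rules(text))
    if hit(allow_text):
        return True
    return not hit(deny_text)

# Constructed input: the two files exactly as quoted in the thread.
HOSTS_ALLOW = "ALL: 127.\n"
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for client in ("127.0.0.1", "127.255.255.255", "192.0.2.10"):
        print(client, access_granted("rsync", client, HOSTS_ALLOW, HOSTS_DENY))
    # Without the trailing dot, '127' is an exact-match pattern and no longer covers loopback.
    print("127 (no dot)", access_granted("rsync", "127.0.0.1", "ALL: 127\n", HOSTS_DENY))
```

With an empty `hosts.deny` the same call grants every client, which is the default-allow behaviour of the lookup.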


  6. Re: allow and deny in fedora 7

    On Mon, 10 Sep 2007 11:40:08 -0700, Nico wrote:


    > Does this make sense? What are you trying to run that you might need
    > hosts.deny or xinetd?


    Nothing, I only want to "prevent outsiders from
    connecting" as written in "Linux Security HOWTO".

    My problem is that in Fedora 7 by default tcp_wrappers is installed and
    xinetd is not.
    I can install xinetd, of course, by Synaptic.
    All that because in "Linux Security HOWTO" it is written:
    "Keep in mind that tcp_wrappers only protects services executed from
    inetd, and a select few others."


    John

  7. Re: allow and deny in fedora 7

    On Mon, 10 Sep 2007 15:04:47 -0500, Moe Trin wrote:


    >>Then, is changing /etc/hosts.allow and /etc/hosts.deny always useful?
    >
    > /bin/netstat -anptu

    I now use it

    > Is anything listening? Does what-ever application is listening know
    > about tcp_wrappers or libwrap?

    No

    >>is the full stop a misprint or not?
    >
    > [compton ~]$ whatis hosts_access tcpd
    > hosts_access (3) - access control library
    > hosts_access (5) - format of host access control files
    > tcpd (8) - access control facility for internet services
    > [compton ~]$
    >
    > man 5 hosts_access
    >
    > o A string that ends with a `.' character. A host address is
    > matched if its first numeric fields match the given
    > string. For example, the pattern `131.155.' matches the
    > address of (almost) every host on the Eindhoven University
    > network (131.155.x.x).
    >
    > Thus, '127.' matches 127.0.0.0 - 127.255.255.255.



    That is very interesting, I thank you, also for your sentence "Firewalls
    are always software", it completely changed my point of view about
    firewalls.


  8. Re: allow and deny in fedora 7




    I did not understand TCP Wrappers. I read this

    http://itso.iu.edu/TCP_Wrappers

    and now understand.
    Anyway thank you.


    John



