[NTLUG:Discuss] Killing Bad People
Bug Hunter
bughuntr at one.ctelcom.net
Wed Feb 6 16:39:47 CST 2002
Yes. You are correct.
The best way to look at this is to set the default to DENY, by setting
hosts.deny to ALL:ALL
Then you explicitly allow in hosts.allow, and only allow those
services you really want to allow.
This is the most paranoid way of using hosts.deny/hosts.allow, and has
saved us much grief.
It is also the most troublesome, because you must be actively involved
in each "opening up" of the permissions to your server, usually on a
service by service basis.
We have lines for in.ftpd, sshd, ipop3d, etc.
The bottom line is that opening up for friends is much easier than
cleaning up after a hack. I've had to do both.
bug
On Wed, 6 Feb 2002, m m wrote:
> > From: Bug Hunter <bughuntr at one.ctelcom.net>
> >
> > Well, we do run the latest version of sshd. And we put it on a
> >non-standard port, up there. You can then open sshd up in hosts.allow
> >
> >sshd: ALL
> >
> > so that it is accessible from anywhere.
> >
> > Note the order of the search for tcp_wrappers (and sshd) is
> >
> >hosts.allow, hosts.deny
> >
> > if the host is in hosts.allow, then allow. otherwise, check hosts.deny
> >and see if it is not allowed. If it is NOT REFUSED in hosts.deny, then
> >let the service work.
> This seems a little strange to me.
> what is the final results of each condition?
> use ip 1.2.3.4 for example.
>
> a) 1.2.3.4 in hosts.allow, in hosts.deny
> b) 1.2.3.4 not in hosts.allow, in hosts.deny
> c) 1.2.3.4 in hosts.allow, not in hosts.deny
> d) 1.2.3.4 not hosts.allow, not hosts.deny
>
> according to Bug, a) not allowed, b) not allowed, c) allowed, d)?
>
> on d), I guess the result is deny, if this is the case
> it seems that hosts.deny is only useful to _deny_ hosts.allow.
>
> >bug
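The lookup order described in the thread (hosts.allow is consulted first, then hosts.deny, and a client that matches neither file is granted access) is documented in hosts_access(5). The following is an added example, not code from the post or from tcp_wrappers itself: a simplified Python model of that lookup, run over constructed hosts.allow/hosts.deny contents in the default-deny style the poster recommends. It handles ALL, exact IPv4 addresses, trailing-dot prefixes ("192.168.1."), net/mask or CIDR networks and the EXCEPT operator; hostname patterns, the KNOWN/LOCAL/PARANOID wildcards, IPv6, line continuations and the optional shell-command field are not modelled. The daemon names and addresses in the sample files are assumptions chosen to match the services named in the post.

```python
"""Simplified model of the tcp_wrappers hosts_access(5) lookup order.

Not the libwrap implementation: an illustration of the allow-then-deny
search and of why a default-deny hosts.deny (ALL: ALL) matters.
"""
import ipaddress


def parse_rules(text):
    """Parse hosts.allow / hosts.deny text into (daemon_list, client_list) pairs.

    Lines have the form 'daemon_list : client_list [: option]'; '#' starts a
    comment.  The optional third field (spawn, twist, ...) is ignored here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":", 2)
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0].strip(), fields[1].strip()))
    return rules


def _client_matches(pattern, client_ip):
    """Match one client pattern against a dotted-quad address (IPv4 only)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):           # '192.168.1.' matches by string prefix
        return client_ip.startswith(pattern)
    if "/" in pattern:                  # 'net/mask' or CIDR network
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == client_ip         # exact address


def _list_matches(field, match_one):
    """Evaluate a whitespace-separated list, honouring 'list1 EXCEPT list2'.

    Chained EXCEPTs group to the right, as in hosts_access(5).
    """
    tokens = field.split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_matches(" ".join(tokens[:i]), match_one)
                and not _list_matches(" ".join(tokens[i + 1:]), match_one))
    return any(match_one(t) for t in tokens)


def _first_match(rules, daemon, client_ip):
    """True if any rule matches both the daemon and the client (first match wins)."""
    for daemons, clients in rules:
        if (_list_matches(daemons, lambda t: t == "ALL" or t == daemon)
                and _list_matches(clients, lambda t: _client_matches(t, client_ip))):
            return True
    return False


def hosts_access(daemon, client_ip, allow_text, deny_text):
    """Return (granted, reason) following the hosts_access(5) search order."""
    if _first_match(parse_rules(allow_text), daemon, client_ip):
        return True, "matched in hosts.allow"
    if _first_match(parse_rules(deny_text), daemon, client_ip):
        return False, "matched in hosts.deny"
    return True, "no match in either file: access granted by default"


# Constructed sample files in the default-deny style from the post
# (service names and addresses are assumptions for the example).
HOSTS_ALLOW = """\
sshd:    ALL
in.ftpd: 192.168.1.
ipop3d:  192.168.1.0/255.255.255.0 EXCEPT 192.168.1.13
"""
HOSTS_DENY = "ALL: ALL\n"


if __name__ == "__main__":
    checks = [
        ("sshd", "1.2.3.4", HOSTS_ALLOW, HOSTS_DENY),     # open to the world
        ("in.ftpd", "1.2.3.4", HOSTS_ALLOW, HOSTS_DENY),  # caught by ALL: ALL
        ("ipop3d", "192.168.1.13", HOSTS_ALLOW, HOSTS_DENY),  # EXCEPT'ed host
        ("ipop3d", "192.168.1.20", HOSTS_ALLOW, HOSTS_DENY),
        ("in.ftpd", "1.2.3.4", HOSTS_ALLOW, ""),          # empty hosts.deny
    ]
    for daemon, ip, allow, deny in checks:
        granted, why = hosts_access(daemon, ip, allow, deny)
        print(f"{daemon:8} from {ip:14} -> {'ALLOW' if granted else 'DENY '} ({why})")
```

The last check is the interesting one: with the same hosts.allow but an empty hosts.deny, an ftp connection from 1.2.3.4 is granted, because a client that matches neither file is allowed. That is the case the ALL: ALL line in hosts.deny exists to close. The order also settles the "in both files" case: a client listed in hosts.allow is granted before hosts.deny is ever read.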