1

I am running a small server where I want to block some special IPs using /etc/hosts.deny. If I make an entry like

ALL: <IP>

only the ssh service will be blocked for IP. All the other services like ftp, http etc. are still reachable by IP. Doesn't the hosts.deny file define global rules?

1
  • What exactly do you want to block? You want to prevent them completely from talking to your server? (firewall can do it) or just block from accessing particular service (smtp, imap, web) - this can be done either by firewall or by setting up restrictive configuration for those unwanted IP for particular services. Please, be more specific in your questions.
    – VL-80
    Commented Jan 7, 2014 at 16:17

3 Answers

6

/etc/hosts.deny and /etc/hosts.allow are part of TCP Wrapper, a program developed by Wietse Venema in the nineties to deny access to hackers.

TCP wrappers controls TCP access of processes run from /etc/inetd.conf. Most modern Linux distros (all Debian-based, Arch Linux,...) do not have inetd any longer.

Some applications are still controlled by TCP Wrapper, because they are compiled with the libwrap library, and are thus tcpwrapper-aware even if they are not run from /etc/inetd.conf. These applications include, to the best of my knowledge, telnet, ssh, sendmail, pop3, and stunnel.

You can check whether your application is tcp-wrapper-aware by means of the strings command:

 # strings /usr/sbin/sshd|grep hosts_access
 hosts_access

or by means of ldd:

 # ldd /usr/sbin/sshd | grep libwrap
    libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f7059e7a000)

The correct way, nowadays, to bar intruders from accessing your system, is to use iptables:

  iptables -A INPUT -s 11.22.33.44 -j DROP
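
The strings and ldd checks above, put together into a small audit script. This is an added example and is not part of the original answer; the list of daemon paths at the bottom is an assumption, and the script only reports linkage, it does not touch hosts.allow or hosts.deny.

```sh
#!/bin/sh
# Added example, not part of the original answer: report which daemons on
# this host are TCP Wrappers aware and therefore honour /etc/hosts.allow and
# /etc/hosts.deny. A binary counts as aware if ldd shows it linked against
# libwrap, or, failing that, if strings finds the hosts_access symbol in it.
# The default list of binary paths at the bottom is an assumption.

# has_libwrap PATH
#   returns 0 if libwrap linkage or the hosts_access symbol is found,
#           1 if the binary was inspected and neither was found,
#           2 if it cannot tell (missing binary, or no ldd and no strings)
has_libwrap() {
    bin="$1"
    ldd_ok=0
    [ -x "$bin" ] || return 2
    if command -v ldd >/dev/null 2>&1; then
        # static binaries make ldd fail with "not a dynamic executable";
        # those fall through to the strings check below
        ldd_out=$(ldd "$bin" 2>/dev/null) && ldd_ok=1 || ldd_ok=0
        case "$ldd_out" in *libwrap.so*) return 0 ;; esac
    fi
    if command -v strings >/dev/null 2>&1; then
        if strings "$bin" 2>/dev/null | grep -qx 'hosts_access'; then
            return 0
        fi
        return 1
    fi
    # no strings available: a successful ldd run is still a definite "no"
    if [ "$ldd_ok" -eq 1 ]; then
        return 1
    fi
    return 2
}

# wrap_report PATH...: prints "wrapped|unwrapped|unknown PATH" per binary
wrap_report() {
    for bin in "$@"; do
        rc=0
        has_libwrap "$bin" || rc=$?
        case "$rc" in
            0) status=wrapped ;;
            1) status=unwrapped ;;
            *) status=unknown ;;
        esac
        printf '%s %s\n' "$status" "$bin"
    done
}

# Audit the binaries given on the command line, or an assumed default set
if [ $# -gt 0 ]; then
    wrap_report "$@"
else
    wrap_report /usr/sbin/sshd /usr/sbin/vsftpd /usr/sbin/apache2 /usr/sbin/xinetd
fi
```

Two caveats when reading the report: ldd may execute parts of the binary it inspects, so only point it at trusted system binaries, and a "wrapped" daemon still only consults hosts.deny if its own configuration has not disabled that (sshd, for example, must be built with libwrap support).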

8
  • Nice answer! I know iptables but unfortunately it only allows a few (64) entries. Do you know any other methods that do not use iptables?
    – Tik0
    Commented Jan 7, 2014 at 16:44
  • 1
    @Tik0 Yes, you should install and use ipset. It is in all repos. This Web page from the Arch Linux Wiki, wiki.archlinux.org/index.php/Ipset, is very easy to read and very informative, even if you do not use Arch Linux.
    Commented Jan 7, 2014 at 16:56
  • Who told you iptables only allows 64 entries? I have systems using just iptables for firewalling with about 500 entries. Also, the more secure way to firewall is to deny everything, then allow "established and related" and then allow what you want. The systems definitely work as intended as they have been extensively tested.
    – davidgo
    Commented Jan 7, 2014 at 17:26
  • @Tik0 The problem here is not the 64 entries, but the speed with which packet manipulation occurs. ipset is much faster, especially when you have massive lists of IPs to block.
    Commented Jan 7, 2014 at 17:29
  • It's complex to setup, but if you want to block many IPs, look into nfblock. It's based on nfqueue (you send traffic you want to filter to the NFQUEUE target) and then nfblock approves or denies it based on a blocklist.
    – LawrenceC
    Commented Jan 7, 2014 at 17:41
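
The ipset approach recommended in the comments above, worked through as a script: a file of addresses goes into one hash:net set and a single iptables rule matches the whole set, so the number of firewall rules does not grow with the list. This is an added example and not code from the answer or the commenters; the set name "blocklist" is an assumption and the sample entries are constructed from documentation address ranges.

```sh
#!/bin/sh
# Added example, not from the original answer or comments: load a file of
# IPv4 addresses and CIDR ranges into an ipset and attach it to iptables with
# a single rule, so the rule count stays at one however long the list grows.
# Commands are printed unless APPLY=1 is set; the set name "blocklist" is an
# assumption and the sample entries below are constructed (documentation
# ranges), not real addresses.

SET_NAME="${SET_NAME:-blocklist}"

# is_ipv4_net ENTRY: accept a.b.c.d or a.b.c.d/N with octets 0-255, N 0-32
is_ipv4_net() {
    entry="$1"
    addr="${entry%%/*}"
    prefix="${entry#*/}"
    [ "$prefix" = "$entry" ] && prefix=32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # reject leading, trailing or doubled dots before splitting on '.'
    case "$addr" in .*|*.|*..*) return 1 ;; esac
    oldifs="$IFS"; IFS='.'
    set -- $addr
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# emit CMD...: run the command when APPLY=1, otherwise just print it
emit() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# blocklist_commands FILE: one entry per line; '#' comments and blank lines
# are ignored, malformed entries are reported on stderr and skipped
blocklist_commands() {
    emit ipset create "$SET_NAME" hash:net -exist
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(printf '%s' "${line%%#*}" | tr -d ' \t')
        [ -n "$entry" ] || continue
        if is_ipv4_net "$entry"; then
            emit ipset add "$SET_NAME" "$entry" -exist
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done < "$1"
    # one rule matches the whole set; -C first so re-runs do not duplicate it
    if [ "${APPLY:-0}" = 1 ]; then
        iptables -C INPUT -m set --match-set "$SET_NAME" src -j DROP 2>/dev/null ||
            iptables -I INPUT -m set --match-set "$SET_NAME" src -j DROP
    else
        printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$SET_NAME"
    fi
}

# With no file argument, run in print mode on a constructed sample list
if [ $# -gt 0 ]; then
    blocklist_commands "$1"
else
    sample=$(mktemp)
    printf '%s\n' '# constructed sample blocklist' '198.51.100.7' \
        '203.0.113.0/24  # whole range' 'not-an-address' '192.0.2.300' > "$sample"
    blocklist_commands "$sample"
    rm -f "$sample"
fi
```

Applying (APPLY=1) needs root and the ipset kernel modules; an IPv6 list needs a second set created with "family inet6" and a matching ip6tables rule, and the set contents must be saved (ipset save) and restored at boot, since they live only in kernel memory.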
0

From memory hosts.allow / hosts.deny are only read by sshd. You'll need to set up a firewall to restrict other services.

2
  • Your memory is faulty.
    – JdeBP
    Commented Jan 7, 2014 at 21:04
  • It is not my memory, the server settings don't allow me more lines :(. It's a virtual one.
    – Tik0
    Commented Jan 7, 2014 at 21:45
0

Only services that use the tcpd wrapper or sshd, itself, pay attention to hosts.deny and hosts.allow. Most services utilize either their own TCP wrapper or the x?inetd wrapper.

Source: http://its.virginia.edu/unixsys/sec/hosts.html

P.S., Some time ago I came across a note saying xinetd can be compiled to support libwrap (or something to that effect) which uses hosts.deny/allow.
