[GRLUG] hosts.allow/deny

Matthew Whitaker Matthew.Whitaker at Haworth.com
Fri Apr 14 06:39:46 EDT 2006


I agree with Raymond, although I would suggest this approach instead.
Leave the hosts.allow file empty and put a statement like this in
hosts.deny:

Vsftpd: ALL EXCEPT www.xxx.yyy.zzz

That will allow ONLY the one host that you want to have access.

-----Original Message-----
From: grlug-bounces at grlug.org [mailto:grlug-bounces at grlug.org] On Behalf Of Raymond McLaughlin
Sent: Thursday, April 13, 2006 5:50 PM
To: grlug at grlug.org
Subject: Re: [GRLUG] hosts.allow/deny

Topher wrote:
> I hate ftp, so I never run any daemons on my box.  I have one app that can
> only export to the web via ftp however, so I'm thinking of putting an ftpd
> on one of my boxes.  I only want to allow connections from that one box
> however.
>
> A friend mentioned that I should look into just setting up hosts.allow and
> .deny properly, so I'm going to head down that path.
>
> I thought I'd ask here to see if anyone has these kind of rules already
> set up though, or if there are better suggestions.

At the risk of coming too close to answering the question you actually
asked...
Yes, I have used them; it's not complicated. The syntax you may want in
/etc/hosts.allow might be something like:

     FTP : www.xxx.yyy.zzz : ALLOW

Beyond that,
     man 5 hosts_access
is your friend. The most significant part might be:
     ACCESS CONTROL FILES
     The access control software consults two files. The search stops
     at the first match:
     o      Access will be granted when a (daemon,client) pair matches an
            entry in the /etc/hosts.allow file.
     o      Otherwise, access will be denied when a (daemon,client) pair
            matches an entry in the /etc/hosts.deny file.
     o      Otherwise, access will be granted.

     A non-existing access control file is treated as if it were an empty
     file. Thus, access control can be turned off by providing no access
     control files.

I hope this helps
Raymond McLaughlin
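
The search order quoted from the man page above, applied to the rule styles discussed in this thread, as an added example that is not part of either message: a simplified Python model of the three-step lookup. The daemon name vsftpd and the 192.0.2.10 / 198.51.100.7 addresses are constructed, and only exact names, ALL and EXCEPT are modelled (no wildcards, netmasks or option fields).

```python
import re

def parse(text):
    """Parse access-control file text into (daemon_list, client_list) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:  # fields after the client list (options) are ignored
            rules.append(tuple(re.split(r"[,\s]+", f) for f in fields[:2]))
    return rules

def in_list(tokens, item):
    """Match item against a pattern list; 'a EXCEPT b' means a and not b."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return in_list(tokens[:i], item) and not in_list(tokens[i + 1:], item)
    return any(u == "ALL" or u == item.upper() for u in upper)

def decide(allow_text, deny_text, daemon, client):
    """Apply the three-step search order from hosts_access(5)."""
    def hit(text):
        return any(in_list(d, daemon) and in_list(c, client) for d, c in parse(text))
    if hit(allow_text):
        return "granted (hosts.allow)"
    if hit(deny_text):
        return "denied (hosts.deny)"
    return "granted (no match)"

# Constructed sample files: (hosts.allow text, hosts.deny text)
CONFIGS = {
    "allow entry only": ("vsftpd : 192.0.2.10", ""),
    "deny ALL EXCEPT":  ("", "vsftpd : ALL EXCEPT 192.0.2.10"),
    "allow + deny ALL": ("vsftpd : 192.0.2.10", "vsftpd : ALL"),
}

if __name__ == "__main__":
    for name, (allow, deny) in CONFIGS.items():
        for client in ("192.0.2.10", "198.51.100.7"):
            print(f"{name:18} {client:14} {decide(allow, deny, 'vsftpd', client)}")
```

In this model an allow entry with no deny rule leaves every other client at the third step, where access is granted; the other two configurations deny 198.51.100.7.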