[GRLUG] hosts.allow/deny

Matthew Whitaker matthew.whitaker at haworth.com
Thu Apr 13 08:21:58 EDT 2006


It just seems more secure to me, if you want to allow ONLY one host to a
specific service, to explicitly deny all others and allow that one.
Either would work fine; that's the beauty of open source - there are
many ways to solve a problem.  You could also use IPtables like so:

iptables -A INPUT -p tcp --dport ftp -s www.xxx.yyy.zzz -j ACCEPT
iptables -A INPUT -p tcp --dport ftp -j REJECT

Making sure to put in the accept rule with the intended address first.
Whatever you feel most comfortable with.


On Fri, 2006-04-14 at 07:49 -0400, Benjamin Flanders wrote:
> Is there a reason to put the rule in the deny file?  It seems more
> natural to put allows in the allow file, instead of "not deny" in the
> deny file.
> 
> On 4/14/06, Matthew Whitaker <Matthew.Whitaker at haworth.com> wrote:
> > I agree with Raymond, although I would suggest this approach instead.
> > Leave the hosts.allow file empty and put a statement like this in
> > hosts.deny:
> >
> > Vsftpd: ALL EXCEPT www.xxx.yyy.zzz
> >
> > That will allow ONLY the one host that you want to have access.
> >
> > -----Original Message-----
> > From: grlug-bounces at grlug.org [mailto:grlug-bounces at grlug.org] On Behalf
> > Of Raymond McLaughlin
> > Sent: Thursday, April 13, 2006 5:50 PM
> > To: grlug at grlug.org
> > Subject: Re: [GRLUG] hosts.allow/deny
> >
> > Topher wrote:
> > > I hate ftp, so I never run any daemons on my box.  I have one app that
> > > can only export to the web via ftp however, so I'm thinking of putting an
> > > ftpd on one of my boxes.  I only want to allow connections from that one
> > > box however.
> > >
> > > A friend mentioned that I should look into just setting up hosts.allow
> > > and .deny properly, so I'm going to head down that path.
> > >
> > > I thought I'd ask here to see if anyone has these kind of rules
> > > already set up though, or if there are better suggestions.
> >
> > At the risk of coming too close to answering the question you actually
> > asked...
> > Yes, I have used them; it's not complicated. The syntax you may want in
> > /etc/hosts.allow might be something like:
> >
> >      FTP : www.xxx.yyy.zzz : ALLOW
> >
> > Beyond that,
> >      man 5 host_access
> > is your friend. The most significant part might be:
> >      ACCESS CONTROL FILES
> >             The access control software consults two files. The search
> >             stops at the first match:
> >      o      Access will be granted when a (daemon,client) pair matches
> >             an entry in the /etc/hosts.allow file.
> >      o      Otherwise, access will be denied when a (daemon,client) pair
> >             matches an entry in the /etc/hosts.deny file.
> >      o      Otherwise, access will be granted.
> >
> >      A non-existing access control file is treated as if it were an
> >      empty file. Thus, access control can be turned off by providing no
> >      access control files.
> >
> > I hope this helps
> > Raymond McLaughlin
> > _______________________________________________
> > grlug mailing list
> > grlug at grlug.org
> > http://shinobu.grlug.org/cgi-bin/mailman/listinfo/grlug
> >
> 
> 
> --
> Share and Enjoy
> 
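The thread turns on the search order quoted from hosts_access(5): hosts.allow is consulted first, then hosts.deny, and a (daemon, client) pair that matches neither file is granted access. The model below is an added example, not code from the list or from tcp_wrappers; it reproduces that decision order plus the `ALL`, `EXCEPT`, leading-dot and trailing-dot patterns, and the optional `: ALLOW` / `: DENY` third field, so the three configurations discussed in the thread can be compared side by side. The addresses 192.0.2.10 and 198.51.100.7 are constructed stand-ins for www.xxx.yyy.zzz and an arbitrary other host; the daemon field is matched against the server's process name, so it is `vsftpd` here. IPv6 client patterns and the other hosts_options(5) keywords are deliberately left out.

```python
"""Model of the hosts_access(5) decision order, to compare hosts.allow/hosts.deny layouts."""


def parse_rules(text, default):
    """Parse 'daemon_list : client_list [: ALLOW|DENY]' lines into (daemons, clients, verdict)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]  # simplification: no IPv6 literals
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        verdict = default  # a hosts.allow match grants, a hosts.deny match denies ...
        if len(fields) >= 3 and fields[2].upper() in ("ALLOW", "DENY"):
            verdict = fields[2].lower()  # ... unless the third field overrides it
        rules.append((fields[0], fields[1], verdict))
    return rules


def _token_matches(pattern, value):
    """Match one pattern token against a daemon or client name (case-insensitive)."""
    p, v = pattern.lower(), value.lower()
    if p == "all":
        return True
    if p.startswith("."):  # ".example.com" matches every host under that domain
        return v.endswith(p)
    if p.endswith("."):  # "192.0.2." matches every address in that prefix
        return v.startswith(p)
    return p == v


def list_matches(spec, value):
    """'a b EXCEPT c' matches when value matches a or b and does not match c."""
    tokens = spec.split()
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")  # left part EXCEPT right part (right part may nest)
        included = " ".join(tokens[:i])
        excluded = " ".join(tokens[i + 1:])
        return list_matches(included, value) and not list_matches(excluded, value)
    return any(_token_matches(t, value) for t in tokens)


def hosts_access(daemon, client, allow_text="", deny_text=""):
    """Return 'allow' or 'deny' for a (daemon, client) pair; search stops at first match."""
    for daemons, clients, verdict in parse_rules(allow_text, "allow"):
        if list_matches(daemons, daemon) and list_matches(clients, client):
            return verdict
    for daemons, clients, verdict in parse_rules(deny_text, "deny"):
        if list_matches(daemons, daemon) and list_matches(clients, client):
            return verdict
    return "allow"  # no entry in either file matched: access is granted


# Constructed sample hosts: TRUSTED stands in for www.xxx.yyy.zzz from the thread.
TRUSTED = "192.0.2.10"
STRANGER = "198.51.100.7"

# (hosts.allow contents, hosts.deny contents) for each layout discussed in the thread.
SCENARIOS = {
    "deny file only (ALL EXCEPT)": ("", "vsftpd: ALL EXCEPT 192.0.2.10\n"),
    "allow entry + deny ALL": ("vsftpd: 192.0.2.10\n", "vsftpd: ALL\n"),
    "allow entry alone": ("vsftpd: 192.0.2.10 : ALLOW\n", ""),
}


def evaluate(scenario):
    """Map each sample host to the verdict the given layout produces for vsftpd."""
    allow_text, deny_text = SCENARIOS[scenario]
    return {host: hosts_access("vsftpd", host, allow_text, deny_text) for host in (TRUSTED, STRANGER)}


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:30} {evaluate(name)}")
```

The first two layouts are equivalent: only 192.0.2.10 reaches vsftpd. The third shows the check worth making after editing these files: an allow entry with nothing in hosts.deny changes nothing for other clients, because the fall-through verdict is grant. The same first-match property is what makes the order of the two iptables rules above matter.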
