09-10-2007
Moe Trin
 
Default Re: allow and deny ih fedora 7

On Mon, 10 Sep 2007, in the Usenet newsgroup comp.os.linux.security, in article
<pM9Fi.109671$U01.916744@twister1.libero.it>, john toynbee wrote:

>Nico wrote:


>> And what exactly is your question? What does this work for, or not work
>> for?


>Here:
>http://tldp.org/HOWTO/Security-HOWTO...-security.html


-rw-rw-r-- 1 gferg ldp 155096 Jan 23 2004 Security-HOWTO

>it is written:
>"For example, a normal dial-up user can prevent outsiders from connecting
>to his machine, yet still have the ability to retrieve mail, and make
>network connections to the Internet.


As I showed in response to your post in 'comp.security.firewalls' a week
ago, use '/bin/netstat -anptu' to see what is listening. FIX THAT FIRST.

>To do this, you might add the following to your /etc/hosts.allow:
> ALL: 127.
> And of course /etc/hosts.deny would contain:
> ALL: ALL
> which will prevent external connections to your machine, yet still allow
>you from the inside to connect to servers on the Internet.
> Keep in mind that tcp_wrappers only protects services executed from
>inetd, and a select few others."


So, if you are not running the server, there is nothing to protect.

>But in Fedora 7 by default there is neither inetd nor xinetd.


'inetd' was replaced in the Red Hat line in 7.0 - about seven years ago.
I don't use Fedora, so I don't know why xinetd is not included in FC7
(it is part of FC6 and earlier versions, and there is nothing in the
RELEASE-NOTES file).

>Then, is changing /etc/hosts.allow and /etc/hosts.deny always useful?


/bin/netstat -anptu

Is anything listening? Does what-ever application is listening know
about tcp_wrappers or libwrap?

>Moreover, in
>
>ALL: 127.
>
>is the full stop a misprint or not?


[compton ~]$ whatis hosts_access tcpd
hosts_access (3) - access control library
hosts_access (5) - format of host access control files
tcpd (8) - access control facility for internet services
[compton ~]$

man 5 hosts_access

o A string that ends with a `.' character. A host address is
matched if its first numeric fields match the given
string. For example, the pattern `131.155.' matches the
address of (almost) every host on the Eindhoven University
network (131.155.x.x).

Thus, '127.' matches 127.0.0.0 - 127.255.255.255.

Old guy

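The trailing-dot pattern rule quoted from hosts_access(5) above, and the allow-then-deny evaluation order that makes "ALL: 127." in hosts.allow plus "ALL: ALL" in hosts.deny behave as the HOWTO describes, as an added example that is not part of the original post or of the tcp_wrappers project. It is a small Python model of the two rule files, limited to the pattern forms the thread discusses (ALL, a trailing-dot numeric prefix, and an exact address); the rule texts embedded in it are constructed, and real tcp_wrappers also handles hostnames, netmasks, EXCEPT lists and option fields that are left out here.

```python
"""
Model of tcp_wrappers-style hosts.allow / hosts.deny evaluation.

Added example, not the post's or the tcp_wrappers project's code.
Only the pattern forms discussed in the thread are implemented:
  ALL, a trailing-dot numeric prefix such as "127.", and an exact address.
"""

# Constructed rule files mirroring the Security-HOWTO example quoted in the post.
HOSTS_ALLOW = """\
# loopback only
ALL: 127.
"""
HOSTS_DENY = """\
ALL: ALL
"""


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns) tuples.

    Comments and blank lines are dropped; a line without a ':' separator is
    skipped (tcp_wrappers would log a syntax error for it).
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, sep, clients = line.partition(":")
        if not sep or not clients.strip():
            continue
        rules.append((
            [d.strip() for d in daemons.split(",") if d.strip()],
            [c.strip() for c in clients.split(",") if c.strip()],
        ))
    return rules


def pattern_matches(pattern, value):
    """hosts_access(5) string matching for the forms used here.

    A pattern ending in '.' matches when the value's leading numeric fields
    equal it, so "127." matches 127.0.0.1 through 127.255.255.255.  Without
    the trailing dot, "127" is an ordinary string and matches only the exact
    value "127"; this is why the full stop in the HOWTO is not a misprint.
    """
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return value.startswith(pattern)
    return pattern == value


def rules_match(rules, daemon, client_ip):
    """True if any rule matches both the daemon name and the client address."""
    return any(
        any(pattern_matches(d, daemon) for d in daemons)
        and any(pattern_matches(c, client_ip) for c in clients)
        for daemons, clients in rules
    )


def access_allowed(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Evaluation order from hosts_access(5).

    Access is granted on the first match in hosts.allow, denied on the first
    match in hosts.deny, and granted if neither file matches.
    """
    if rules_match(parse_rules(allow_text), daemon, client_ip):
        return True
    if rules_match(parse_rules(deny_text), daemon, client_ip):
        return False
    return True


if __name__ == "__main__":
    for ip in ("127.0.0.1", "127.255.255.255", "12.7.0.1", "192.0.2.10"):
        print(ip, "allowed" if access_allowed("sshd", ip) else "denied")
    # Same query with the dot dropped from the allow pattern: loopback is now denied.
    print("127.0.0.1 with 'ALL: 127':",
          "allowed" if access_allowed("sshd", "127.0.0.1", allow_text="ALL: 127\n") else "denied")
```

As the post stresses, this evaluation only ever runs for daemons that are started through a wrapper-aware inetd/xinetd or linked against libwrap; a listener that knows nothing of tcp_wrappers is unaffected by either file, which is why checking netstat output comes first.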