Comments on: Network Security with tcpwrappers (hosts.allow and hosts.deny) http://ubuntu-tutorials.com/2007/09/02/network-security-with-tcpwrappers-hostsallow-and-hostsdeny/ Enhancing your Ubuntu experience! Fri, 11 May 2012 05:04:26 +0000 hourly 1 http://wordpress.org/?v=3.3.2 By: Christer Edwards http://ubuntu-tutorials.com/2007/09/02/network-security-with-tcpwrappers-hostsallow-and-hostsdeny/#comment-11152 Christer Edwards Tue, 08 Jun 2010 23:53:41 +0000 http://ubuntu-tutorials.com/?p=433#comment-11152 I don't believe the commas are proper syntax. I generally break my lines up, for readability: <code> ALL : 127.0.0.1 : allow ALL : 3.21. : allow ALL : 23.10 : allow </code> The allow appended to the end is not required, but technically the hosts.deny file is deprecated so it is "proper" to define :allow or :deny explicitly for each line. I don’t believe the commas are proper syntax. I generally break my lines up, for readability:


ALL : 127.0.0.1 : allow
ALL : 3.21. : allow
ALL : 23.10 : allow

The allow appended to the end is not required, but technically the hosts.deny file is deprecated so it is “proper” to define :allow or :deny explicitly for each line.

]]> By: sjoshi http://ubuntu-tutorials.com/2007/09/02/network-security-with-tcpwrappers-hostsallow-and-hostsdeny/#comment-11150 sjoshi Tue, 08 Jun 2010 22:13:36 +0000 http://ubuntu-tutorials.com/?p=433#comment-11150 I am troubleshooting a networking problem and i wand to find out if the following line in the hosts.allow is correct or not? ALL:127.0.0.1,3.21.,23.10.:allow One thing I don't understand is why is there ":allow" at the end? What if I remove it? It is a typo? Thanks. I am troubleshooting a networking problem and i wand to find out if the following line in the hosts.allow is correct or not?
ALL:127.0.0.1,3.21.,23.10.:allow

One thing I don’t understand is why is there “:allow” at the end? What if I remove it? It is a typo?
Thanks.

]]> By: texaslabrat http://ubuntu-tutorials.com/2007/09/02/network-security-with-tcpwrappers-hostsallow-and-hostsdeny/#comment-9321 texaslabrat Wed, 29 Jul 2009 15:57:50 +0000 http://ubuntu-tutorials.com/?p=433#comment-9321 @Paul: No, in Ubuntu (at least in 8.04, anyway) the binary is actually called apache2 as noted in the article: texaslabrat@ratnest:~$ which httpd texaslabrat@ratnest:~$ which apache2 /usr/sbin/apache2 texaslabrat@ratnest:~$ ls -asl /usr/sbin/apache2 412 -rwxr-xr-x 1 root root 414016 2009-07-10 13:57 /usr/sbin/apache2 @Gary: Have you tried putting your work IP address in the hosts.allow file? The allow file is searched first, and tcpwrappers stops at the first match. And I don't know about your implementation, but my denyhosts database appears to be in /var/lib/denyhosts: texaslabrat@ratnest:/var/lib/denyhosts$ ls hosts hosts-root offset users-hosts users-valid hosts-restricted hosts-valid suspicious-logins users-invalid texaslabrat@ratnest:/var/lib/denyhosts$ cat hosts-restricted 117.102.90.158:0:Tue Jul 28 21:47:10 2009 149.217.72.19:0:Mon Jul 27 05:32:37 2009 ... @Paul:

No, in Ubuntu (at least in 8.04, anyway) the binary is actually called apache2 as noted in the article:

texaslabrat@ratnest:~$ which httpd
texaslabrat@ratnest:~$ which apache2
/usr/sbin/apache2
texaslabrat@ratnest:~$ ls -asl /usr/sbin/apache2
412 -rwxr-xr-x 1 root root 414016 2009-07-10 13:57 /usr/sbin/apache2

@Gary:
Have you tried putting your work IP address in the hosts.allow file? The allow file is searched first, and tcpwrappers stops at the first match. And I don’t know about your implementation, but my denyhosts database appears to be in /var/lib/denyhosts:
texaslabrat@ratnest:/var/lib/denyhosts$ ls
hosts hosts-root offset users-hosts users-valid
hosts-restricted hosts-valid suspicious-logins users-invalid
texaslabrat@ratnest:/var/lib/denyhosts$ cat hosts-restricted
117.102.90.158:0:Tue Jul 28 21:47:10 2009
149.217.72.19:0:Mon Jul 27 05:32:37 2009

]]> By: vidyadhara http://ubuntu-tutorials.com/2007/09/02/network-security-with-tcpwrappers-hostsallow-and-hostsdeny/#comment-8138 vidyadhara Fri, 13 Mar 2009 06:22:35 +0000 http://ubuntu-tutorials.com/?p=433#comment-8138 I need a script for automatic backup. I want to take a backup different ip address like this is my server ip 192.168.0.2 so i need to put a backup to 192.168.0.71. I need a script for automatic backup. I want to take a backup different ip address like this is my server ip 192.168.0.2 so i need to put a backup to 192.168.0.71.

]]> By: Paul http://ubuntu-tutorials.com/2007/09/02/network-security-with-tcpwrappers-hostsallow-and-hostsdeny/#comment-7973 Paul Mon, 02 Mar 2009 22:54:45 +0000 http://ubuntu-tutorials.com/?p=433#comment-7973 The reason you can't find apache2 in libwrap is because there is no such thing. The executable for Apache 2 is httpd. The reason you can’t find apache2 in libwrap is because there is no such thing. The executable for Apache 2 is httpd.

]]> By: gary http://ubuntu-tutorials.com/2007/09/02/network-security-with-tcpwrappers-hostsallow-and-hostsdeny/#comment-5736 gary Tue, 02 Sep 2008 14:48:29 +0000 http://ubuntu-tutorials.com/?p=433#comment-5736 I installed two packages Rootkit Hunter and Chkrootkit on ubuntu 8.04 ever since that it keeps updating my /etc/hosts.deny file with a valid ip address so I cannot loggin from my work to my home server. I tried the following below but ubuntu 8.04 does not have a /usr/share/denyhosts/data/* directory 1. Stop DH daemon. /etc/init.d/denyhosts stop 2. Remove usr's IP from /etc/hosts.deny 3. Grep DH's data directory for usr's IP. grep 'xxx.xxx.xxx.xxx' /usr/share/denyhosts/data/* 4. Here's the best part... Remove usr's IP from all the files that grep showed in step 3. 5. Start DH daemon. /etc/init.d/denyhosts start 6. Ask usr to log in now. Step 1-5 does not work in ubuntu becuase there is no /usr/share/denyhosts/data/* Please help Thanks gary I installed two packages Rootkit Hunter and Chkrootkit on ubuntu 8.04 ever since that it keeps updating my /etc/hosts.deny file with a valid ip address so I cannot loggin from my work to my home server. I tried the following below but ubuntu 8.04 does not have a /usr/share/denyhosts/data/* directory

1. Stop DH daemon. /etc/init.d/denyhosts stop
2. Remove usr’s IP from /etc/hosts.deny
3. Grep DH’s data directory for usr’s IP. grep ‘xxx.xxx.xxx.xxx’ /usr/share/denyhosts/data/*
4. Here’s the best part… Remove usr’s IP from all the files that grep showed in step 3.
5. Start DH daemon. /etc/init.d/denyhosts start
6. Ask usr to log in now.

Step 1-5 does not work in ubuntu becuase there is no /usr/share/denyhosts/data/*

Please help
Thanks
gary

]]> By: Jeff http://ubuntu-tutorials.com/2007/09/02/network-security-with-tcpwrappers-hostsallow-and-hostsdeny/#comment-2321 Jeff Tue, 04 Sep 2007 22:25:46 +0000 http://ubuntu-tutorials.com/?p=433#comment-2321 You missed the coolest function of tcpwrappers and that is the spawn command. Try something like this: sshd: ALL: spawn (echo "Attempt from %h %a to %d at `date` by %u" | tee -a /var/log/sshd.log) You missed the coolest function of tcpwrappers and that is the spawn command. Try something like this:

sshd: ALL: spawn (echo “Attempt from %h %a to %d at `date` by %u” | tee -a /var/log/sshd.log)

]]> By: ThaddeusQ http://ubuntu-tutorials.com/2007/09/02/network-security-with-tcpwrappers-hostsallow-and-hostsdeny/#comment-2320 ThaddeusQ Tue, 04 Sep 2007 15:05:32 +0000 http://ubuntu-tutorials.com/?p=433#comment-2320 Joe - really good security people always believe in security in layers. Having an additional layer of security doesn't hurt and in many cases can help. Maybe my iptables rules get borked some how. In that case, it's helpful to have tcp wrappers implemented. I think it is worth mentioning the strings command as well. Some versions of portmap use tcpwrappers, but, if you run ldd against them, you won't see that it does. Also nagios is compiled the same way. i.e.: strings /path/to/binary | grep hosts will show that it checks the hosts.allow and hosts.deny files. Joe – really good security people always believe in security in layers. Having an additional layer of security doesn’t hurt and in many cases can help. Maybe my iptables rules get borked some how. In that case, it’s helpful to have tcp wrappers implemented.

I think it is worth mentioning the strings command as well. Some versions of portmap use tcpwrappers, but, if you run ldd against them, you won’t see that it does. Also nagios is compiled the same way.
i.e.:
strings /path/to/binary | grep hosts
will show that it checks the hosts.allow and hosts.deny files.

]]> By: Ubuntu Tutorials http://ubuntu-tutorials.com/2007/09/02/network-security-with-tcpwrappers-hostsallow-and-hostsdeny/#comment-2323 Ubuntu Tutorials Sun, 02 Sep 2007 22:13:01 +0000 http://ubuntu-tutorials.com/?p=433#comment-2323 Joe - yes, iptables is a much more powerful solution. Let's give people something they can walk with before they run with iptables :) Joe – yes, iptables is a much more powerful solution. Let’s give people something they can walk with before they run with iptables :)

]]> By: Joe Terranova http://ubuntu-tutorials.com/2007/09/02/network-security-with-tcpwrappers-hostsallow-and-hostsdeny/#comment-2322 Joe Terranova Sun, 02 Sep 2007 21:02:08 +0000 http://ubuntu-tutorials.com/?p=433#comment-2322 Though not as user-friendly, ip tables is a much more efficient solution; it works at a layer lower, and also doesn't depend on tcp wrappers. Though not as user-friendly, ip tables is a much more efficient solution; it works at a layer lower, and also doesn’t depend on tcp wrappers.

]]>