Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
n this regard, you can think of this tool as a host-based access control list, and not as
the ultimate security measure for your system. By using a firewall and TCP
wrappers, instead of favoring one over the other, you will make sure that your server
is not left with a single point of failure.
Understanding hosts.allow and hosts.deny
When a network request reaches your server, TCP wrappers
uses hosts.allow and hosts.deny (in that order) to determine if the client should
be allowed to use a given service.
By default, these files are empty, all commented out, or do not exist. Thus, everything
is allowed through the TCP wrappers layer and your system is left to rely on the
firewall for full protection. Since this is not desired, due to the reason we stated in the
introduction, make sure both files exist:
# ls -l /etc/hosts.allow /etc/hosts.deny
where,
sshd,vsftpd : ALL
ALL : ALL
#
sshd,vsftpd : ALL
ALL : ALL
TCP Wrappers – hosts.allow File
sshd,vsftpd : 192.168.0.102,LOCAL
These changes take place immediately without the need for a restart.
In the following image you can see the effect of removing the word LOCAL from the
last line: the FTP server will become unavailable for localhost. After we add the
wildcard back, the service becomes available again.
Verify FTP Access
To allow all services to hosts where the name contains example.com , add this line
in hosts.allow :
ALL : .example.com
vsftpd : 10.0.1.
On the last two examples, notice the dot at the beginning and the end of the client list.
It is used to indicate “ALL hosts and / or clients where the name or the IP contains
that string”.
Was this article helpful to you? Do you have any questions or comments? Feel free to
drop us a note using the comment form below.
Where,
Rules to remember
Before using TCP Wrappers, you need to know the following important rules.
Please be mindful that the TCP Wrapper consults only these two files
(hosts.allow and hosts.deny).
The access rules in the /etc/hosts.allow file are applied first. They takes
precedence over rules in /etc/hosts.deny file. Therefore, if access to a
service is allowed in /etc/hosts.allow file, and a rule denying access to
that same service in /etc/hosts.deny is ignored.
Only one rule per service is allowed in both files (hosts.allow and
hosts.deny).
The order of the rules is very important. Only the first matching rule for a
given service will be taken into account. The same applies for both files.
If there are no matching rules for a service in either files or if neither file
exist, then access to the service will be granted to all remote hosts.
Any changes in either files will come to effect immediately without
restarting the network services.
The recommended approach to secure your
server
Generally, the best practice to secure a Linux server is to block all incoming
connections, and allow only a few specific hosts or networks. To do so,
edit /etc/hosts.deny file:
$ sudo vi /etc/hosts.deny
Add the following line. This line refuses connections to ALL services and ALL
networks.
ALL: ALL
$ sudo vi /etc/hosts.allow
Also, you can specify valid hostnames instead of IP address as shown below.
sshd: server1.ostechnix.lan server2.ostechnx.lan
Alternatively, you can do the same by defining all rules (both allow and deny)
in /etc/hosts.allow file itself.
Now, try to SSH to your Linux server from any hosts except the above hosts,
you will get the following error.
You can verify this from your Linux server’s log files as shown below.
$ cat /var/log/secure
Sample output:
vsftpd: 192.168.43.192
Again, you don’t need to define any rules in /etc/hosts.deny file. As per the
above rule, a remote host with IP address 192.168.43.192 is allowed to
access the Linux server via FTP. All other hosts will be denied.
Also, you can define the access rules in different formats in /etc/hosts.allow
file as shown below.
In the above case, you don’t need to add any rules in /etc/hosts.deny file.
$ man tcpd