Fedora Linux Support Community & Resources Center

  #1  
Old 15th February 2006, 03:15 PM
nade Offline
Registered User
 
Join Date: Jul 2004
Location: UK
Posts: 19
Using /etc/hosts.deny to block remote machine (Core4)

Hi,

I've tried to drop myself in the deep end back into Fedora. I've used FC3 in the past and set it up as a DHCP server with success.

But now I'm having a go at setting up a DNS server using bind.

What I'm trying to do at the moment is block any access from a specific hostname/IP by adding it in the /etc/hosts.deny file.

I've used the IP like this "10.10.200.1.deny" and restarted the network services, which didn't work. I then tried using "srv-0220.deny" in the file and that didn't work either. So I then tried using the full DNS name for the server with .deny on the end and that didn't work either.

Anyone able to point me in the right direction?

Thanks for reading.

EDIT: Oh forgot to mention. As the machine I am trying to build is within a private corporate network, I didn't bother enabling the firewall when I did the original install of FC4. I didn't even bother installing gnome/kde, just using the CLI.

Last edited by nade; 15th February 2006 at 03:19 PM.
  #2  
Old 15th February 2006, 03:18 PM
hiberphoptik Offline
Registered User
 
Join Date: Apr 2004
Posts: 1,186
The syntax would be 10.0.0.1:deny

Really, the proper way to do it would be to add ALL:deny to /etc/hosts.deny and then edit /etc/hosts.allow to allow 10.0.0.1 to a service.
  #3  
Old 15th February 2006, 03:21 PM
nade Offline
Registered User
 
Join Date: Jul 2004
Location: UK
Posts: 19
Quote:
Originally Posted by hiberphoptik
The syntax would be 10.0.0.1:deny

Really, the proper way to do it would be to add ALL:deny to /etc/hosts.deny and then edit /etc/hosts.allow to allow 10.0.0.1 to a service.
Ah ok. Thanks for quick reply!

I'll give it a shot.
  #4  
Old 15th February 2006, 03:26 PM
Zigzagcom Offline
Registered User
 
Join Date: Feb 2005
Location: CALIFORNIA, yeah
Age: 86
Posts: 1,657
The /etc/hosts.allow and /etc/hosts.deny files work in tandem.

I have only used them to filter sshd traffic to my machine.

Mine looks like this:
Code:
# /etc/hosts.deny
sshd : ALL
Code:
# /etc/hosts.allow
sshd : 127.0.0.1   192.168.1.0/24   xxx.xxx.xxx.xxx/xx
In your case you want to reverse the order possibly:

Code:
# /etc/hosts.allow
service : ALL
Code:
# /etc/hosts.deny
service : xxx.xxx.xxx.xxx/xx
but I am not sure if it works for all services.
__________________
Ziggy
  #5  
Old 15th February 2006, 03:29 PM
nade Offline
Registered User
 
Join Date: Jul 2004
Location: UK
Posts: 19
Is there a service I need to restart after modifying the .deny and .allow host files?
  #6  
Old 15th February 2006, 03:43 PM
nade Offline
Registered User
 
Join Date: Jul 2004
Location: UK
Posts: 19
Quote:
Originally Posted by Zigzagcom
Code:
# /etc/hosts.allow
sshd : 127.0.0.1   192.168.1.0/24   xxx.xxx.xxx.xxx/xx
That's exactly what I'm after. Just trying to secure it from anyone else trying to ssh onto the machine.

But please forgive my newbie-ness, but I'm guessing the part you have as xxx.xxx.xxx.xxx/xx will be the subnet mask? And the 192 address is your own PC that's connecting to the Linux machine?
  #7  
Old 15th February 2006, 03:54 PM
Zigzagcom Offline
Registered User
 
Join Date: Feb 2005
Location: CALIFORNIA, yeah
Age: 86
Posts: 1,657
Almost correct,
xxx.xxx.xxx.xxx/xx is CIDR notation.
Example: 192.168.1.100 is specific, but 192.168.0.0/16 is a block. (OOPS)
I am allowing connections on the loopback, the LAN, and then select IPs that could be in the form of a defined IP or a subnet. For instance, I have DSL where the IP address might change (it's fairly constant, but yet it's DHCP), so I set a network block on the remote server I administer that is large enough to cover the pool of IPs from my local box.
It is not a guarantee, 'cause the ISP might decide to assign a new IP from a totally different pool, but then I have a backdoor via Webmin. (Or it's a twenty-mile ride out to the server.)

P.S. I try to refrain from using DNS names, 'cause they can be easily spoofed.
__________________
Ziggy

Last edited by Zigzagcom; 15th February 2006 at 04:01 PM.
  #8  
Old 15th February 2006, 04:00 PM
nade Offline
Registered User
 
Join Date: Jul 2004
Location: UK
Posts: 19
OK, cool.

Think I've got it sussed.... I've got this working:
Code:
# /etc/hosts.deny
sshd : ALL
Code:
# /etc/hosts.allow
sshd : 10.10.201.
I've tried PuTTY on a Windows server on the 10.10.200.0 subnet and it ain't getting in, but my laptop on the 10.10.201.0 subnet is fine.

I can't imagine the amount of crap I'd have had to install on a Windows server to do something as simple as this! I'm liking Linux/Fedora more and more.

Thanks Zigzagcom and hiberphoptik for the help.
  #9  
Old 15th February 2006, 04:03 PM
Zigzagcom Offline
Registered User
 
Join Date: Feb 2005
Location: CALIFORNIA, yeah
Age: 86
Posts: 1,657
Cool, nice to see you happy....

The way you have it set up works, because you are defining the network blocks on the byte boundary. If you were to shift some of the host bits around, use CIDR notation then.
__________________
Ziggy

Last edited by Zigzagcom; 15th February 2006 at 04:09 PM.
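
Added example (not part of the original thread and not any poster's own code): a small Python model of the evaluation order the thread arrives at, with hosts.allow checked first, then hosts.deny, and access granted when neither matches. It assumes IPv4 only and just the `ALL`, trailing-dot prefix, single-address and net/mask client patterns; the function names, `ALLOW_WIDE`, the `in.telnetd` daemon name and the sample client addresses are constructed for illustration.

```python
import ipaddress

def client_matches(pattern, ip):
    """Match one client pattern from a rule against a dotted-quad IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # octet prefix such as "10.10.201."
        return ip.startswith(pattern)
    if "/" in pattern:               # net/mask pair (a prefix length also parses here)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip             # single address; "10.10.201" (no dot) matches nothing

def parse_rules(text):
    """Return [(daemons, clients)] from 'daemon_list : client_list' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if ":" not in line:
            continue
        daemons, clients = (part.replace(",", " ").split() for part in line.split(":")[:2])
        rules.append((daemons, clients))
    return rules

def rule_hit(rules, daemon, ip):
    return any(("ALL" in daemons or daemon in daemons)
               and any(client_matches(p, ip) for p in clients)
               for daemons, clients in rules)

def access(allow_text, deny_text, daemon, ip):
    """hosts.allow is checked first, then hosts.deny; no match in either grants access."""
    if rule_hit(parse_rules(allow_text), daemon, ip):
        return "allow"
    if rule_hit(parse_rules(deny_text), daemon, ip):
        return "deny"
    return "allow"

# Constructed sample files mirroring the working setup from the thread.
DENY = "sshd : ALL\n"
ALLOW = "sshd : 10.10.201.\n"
# Constructed variant: one block spanning 10.10.200.0-10.10.201.255 (not on a byte boundary).
ALLOW_WIDE = "sshd : 10.10.200.0/255.255.254.0\n"

if __name__ == "__main__":
    for ip in ("10.10.201.15", "10.10.200.1", "10.10.202.7"):
        print(ip, access(ALLOW, DENY, "sshd", ip), access(ALLOW_WIDE, DENY, "sshd", ip))
    # A daemon with no rule in either file falls through to "allow".
    print("in.telnetd", access(ALLOW, DENY, "in.telnetd", "10.10.200.1"))
```

On the server itself, `tcpdmatch sshd 10.10.200.1` (from the tcp_wrappers package, where installed) answers the same question against the real files. The wrapper library reads both files on each connection, so edits apply to new connections without restarting a service.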