Re: allow and deny in fedora 7



On 10 Sep, 12:20, john toynbee <john.toyn...@xxxxxxxxx> wrote:
> On Mon, 10 Sep 2007 01:55:41 -0700, Nico wrote:
> > On 8 Sep, 16:59, john toynbee <john.toyn...@xxxxxxxxx> wrote:
> > > If I write in /etc/hosts.allow:
> > >
> > > ALL: 127.
> > >
> > > and in /etc/hosts.deny:
> > >
> > > ALL: ALL
> > >
> > > then does that work in Fedora 7, where xinetd is not installed by default?
> > >
> > > John
> >
> > And what exactly is your question? What does this work for, or not work
> > for?
>
> Here: http://tldp.org/HOWTO/Security-HOWTO/network-security.html
> it is written:
> "For example, a normal dial-up user can prevent outsiders from connecting
> to his machine, yet still have the ability to retrieve mail, and make
> network connections to the Internet. To do this, you might add the
> following to your /etc/hosts.allow:
> ALL: 127.
> And of course /etc/hosts.deny would contain:
> ALL: ALL
> which will prevent external connections to your machine, yet still allow
> you from the inside to connect to servers on the Internet.
> Keep in mind that tcp_wrappers only protects services executed from
> inetd, and a select few others."
>
> But in Fedora 7 by default there is neither inetd nor xinetd.
> Then, is changing /etc/hosts.allow and /etc/hosts.deny always useful?
> Moreover, in
>
> ALL: 127.
>
> is the full stop a misprint or not?
>
> John

OK, what that *REALLY* means is "permit all services from IP addresses
127.0.0.0/8." This means that localhost, which is typically on
127.0.0.1, will be allowed to connect to and start inetd or xinetd
services which use the relevant software.

The relevant software is called "tcp_wrappers". xinetd is what
Fedora 7 uses to start services like rsync, and it has been used for many
different services. Xinetd follows these rules in these files. Other
software may, with the right libraries and functions compiled in, but
it's very hard for the authors of tcp_wrappers to guess what may use
these libraries, so they don't try.

Does this make sense? What are you trying to run that you might need
hosts.deny or xinetd?
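As an added illustration (not code from the thread), a small Python model of the decision libwrap makes for those two files under hosts_access(5): the trailing full stop in "127." is the address-prefix form, and hosts.allow is consulted before hosts.deny. The two rule strings are constructed from the lines quoted above; any daemon names and client addresses used with it are assumptions.

```python
import ipaddress

# Constructed sample rule text (assumption: the two files as quoted in the thread).
HOSTS_ALLOW = "ALL: 127.\n"
HOSTS_DENY = "ALL: ALL\n"


def _parse(text):
    """Yield (daemon_tokens, client_tokens) for each 'daemons : clients' line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            yield fields[0].split(), fields[1].split()


def _match(pattern, value, is_addr):
    """One hosts_access(5) token against a daemon name or client address."""
    if pattern == "ALL":
        return True
    if is_addr and pattern.endswith("."):         # "127." = address prefix 127.x.x.x
        return value.startswith(pattern)
    if is_addr and "/" in pattern:                # net/mask (dotted mask or CIDR)
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(value) in ipaddress.ip_network(
            f"{net}/{mask}", strict=False)
    return pattern == value                       # exact daemon name or address


def _list_match(tokens, value, is_addr):
    """A token list may contain EXCEPT: match the left part and not the right."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_list_match(tokens[:i], value, is_addr)
                and not _list_match(tokens[i + 1:], value, is_addr))
    return any(_match(t, value, is_addr) for t in tokens)


def hosts_access(daemon, client_addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """libwrap order: first match in hosts.allow grants, then first match in
    hosts.deny refuses, and with no match at all the connection is granted."""
    def hit(text):
        return any(_list_match(d, daemon, False) and _list_match(c, client_addr, True)
                   for d, c in _parse(text))
    if hit(allow):
        return True
    if hit(deny):
        return False
    return True
```

Only services that are actually linked against libwrap (or started through xinetd) consult these files, so the model says nothing about a daemon that ignores them.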
