
Thread: hosts.allow / hosts.deny question

  1. #1

    hosts.allow / hosts.deny question

    Hey guys.
    I'm running RedHat 7.3 and I am trying to set up the hosts.allow/deny files in /etc. Here's what I have so far...

    hosts.deny:
    -this is blank because it auto blocks everything

    hosts.allow:
    ftpd, sshd: LOCAL, 10.194.30.245

    Now I want to set it so that hosts.allow also includes allowing everyone to access apache, but I don't know the acronym for it. www doesn't work, http-www doesn't work, and so on. Could anyone please enlighten me?

    Thanks.
    To be God is to be Root, if someone is irking you just type: rm -d /home/heathen

  2. #2

  3. #3
    MrLinus

    Re: hosts.allow / hosts.deny question

    Originally posted here by Midridth
    Hey guys.
    I'm running RedHat 7.3 and I am trying to set up the hosts.allow/deny files in /etc. Here's what I have so far...

    hosts.deny:
    -this is blank because it auto blocks everything

    hosts.allow:
    ftpd, sshd: LOCAL, 10.194.30.245

    Now I want to set it so that hosts.allow also includes allowing everyone to access apache, but I don't know the acronym for it. www doesn't work, http-www doesn't work, and so on. Could anyone please enlighten me?

    Thanks.

    Umm. You may want to re-check that. Do a man on hosts.deny and hosts.allow. Your syntax is wrong and it will not work. You need to specify WHO you are allowing and WHO you are blocking. You also need to specify the service by its inetd name or xinetd (in.telnetd, etc.).

    Man pages are wonderful. Use 'em.

    I found this site had a good example for their usage. It might help. http://www.itc.virginia.edu/unixsys/sec/hosts.html
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  4. #4
    MsMittens: I did do a man on it and it did not come up with the information that I need. I agree, though, man pages ARE wonderful. Also I did use the correct syntax (I checked). The syntax is...

    service_name, service_name_2_optional: LOCAL/ALL/ip.addr.ess.here/whatever

    All that I need is the service name that you are supposed to use in the hosts.allow/deny files.

    Sevari: I tried httpd, doesn't work. :-\

  5. #5
    MrLinus

    Re: hosts.allow / hosts.deny question

    Originally posted here by Midridth
    Hey guys.
    I'm running RedHat 7.3 and I am trying to set up the hosts.allow/deny files in /etc. Here's what I have so far...

    hosts.deny:
    -this is blank because it auto blocks everything
    <*snip*>

    You're using RH 7.3 and you stated that you are leaving hosts.deny blank because it auto blocks everything. That's incorrect. You have to specify what it is to block. So, your hosts.deny should be:

    ALL: ALL

    Since it will try to match up hosts.allow first and then try to match up hosts.deny (like a firewall does in the way it reads the rules). Deny all should be your default last rule.

    As for the format that you are using, yes, it is correct in general, but you may not be using identd. 7.3 does use xinetd which means it could be in.httpd. Alternatively, httpd might work. What is apachectl calling (and are you using apache or are you using another web server?)?


    Network Security and Access Control HOWTO: http://www.tldp.org/HOWTO/Net-HOWTO/x810.html

  6. #6
    str34m3r
    Guest
    Apache in its default configuration doesn't use tcp wrappers, so you don't need to do anything to make the web server available to everyone. As for the rest, MsMittens is correct, your hosts.deny should say ALL:ALL so that the default action is to block incoming connections. Your hosts.allow should be something like this. The format you're using may work and be valid, but the recommended format is something like this:

    in.ftpd:LOCAL,10.194.30.245
    sshd:LOCAL,10.194.30.245

    Obviously it doesn't matter that much for two services, but when you get to production servers with larger tcpwrappers files, the recommended format allows for more flexibility and easier maintenance.

    Access to apache is controlled by .htaccess files in the individual directories and access control lists in the /etc/httpd/conf/httpd.conf file.
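
Added example (not part of any post in this thread): a Python model of the lookup order documented in hosts_access(5), run against the hosts.allow from post #6 to show why a blank hosts.deny leaves wrapped services open and `ALL: ALL` closes them. The function names and the sample clients are constructed for illustration, and only the pattern forms named in the first comment are handled.

```python
# Model of the tcp_wrappers lookup order described in hosts_access(5).
# Assumption: only ALL, LOCAL, exact names/addresses, ".domain" suffixes
# and "10.194." address prefixes are handled (no EXCEPT, netmasks, options).

def parse(text):
    """Turn hosts.allow / hosts.deny text into (daemons, clients) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append(tuple(part.replace(",", " ").split()
                           for part in (daemons, clients)))
    return rules

def client_matches(pattern, host, addr):
    p, host = pattern.lower(), host.lower()
    if p == "all":
        return True
    if p == "local":                 # host name that contains no dot
        return bool(host) and "." not in host
    if p.startswith("."):            # domain suffix, e.g. .example.net
        return host.endswith(p)
    if p.endswith("."):              # address prefix, e.g. 10.194.
        return addr.startswith(p)
    return p in (host, addr)

def matches(text, daemon, host, addr):
    return any(
        any(d.lower() in ("all", daemon.lower()) for d in daemons)
        and any(client_matches(c, host, addr) for c in clients)
        for daemons, clients in parse(text))

def decide(daemon, host, addr, allow_text, deny_text):
    if matches(allow_text, daemon, host, addr):
        return "allow"               # 1. a hosts.allow match grants access
    if matches(deny_text, daemon, host, addr):
        return "deny"                # 2. a hosts.deny match refuses it
    return "allow"                   # 3. no match in either file: granted

# hosts.allow as suggested in the thread; the clients below are constructed.
ALLOW = "in.ftpd:LOCAL,10.194.30.245\nsshd:LOCAL,10.194.30.245\n"
OUTSIDER = ("outside.example.net", "203.0.113.7")

if __name__ == "__main__":
    print(decide("sshd", *OUTSIDER, ALLOW, ""))           # blank hosts.deny
    print(decide("sshd", *OUTSIDER, ALLOW, "ALL: ALL"))   # default deny
    print(decide("sshd", "admin.example.net", "10.194.30.245", ALLOW, "ALL: ALL"))
```

On a real host, the `tcpdmatch` utility shipped with tcp_wrappers answers the same question against the installed files.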
