/etc/hosts.allow & /etc/hosts.deny

2017-02-01 Thread Roba

Has anything relating to those files changed between jessie and stretch
to affect cups being blocked?
Would a line in the allow file ALL: localhost:631 help or is the syntax
incorrect?



Re: nfs / hosts.deny & allow

2016-11-06 Thread mj

Hi Paul,


On 11/06/2016 12:07 PM, Paul van der Vlis wrote:

> Not every application supports tcp wrappers; sometimes support for them
> has to be compiled in specifically. I don't know how this is for NFS.
>
> Also, the name "tcp wrappers" makes me think it may only work with TCP,
> and NFS is mostly UDP.

NFS4 is tcp, I believe, and:


root@server:~# ldd /sbin/rpcbind | grep wrap
libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x7f110ca2b000)
root@server:~# ldd /sbin/rpcbind | grep wrap
libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x7f05f8a72000)
root@server:~# ldd /sbin/rpc.statd  | grep wrap
libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x7f8af2fff000)
root@server:~#


I believe that means tcp wrappers should be 'in there'.

> I don't see an error there.

Yes, sorry, I had already shown that error message earlier:

root@client:/srv#  showmount -e server
clnt_create: RPC: Port mapper failure - Authentication error



> See my remark above.
>
> Of course other IPs are also blocked because only your IP is in
> /etc/export on the server. So your setting is redundant. If you
> still want that, I would do it via a firewall.

Yep, that is possible too, of course. But I am mainly curious why this
does not work; almost all HOWTOs recommend locking things down further
by means of hosts.deny/allow.


But Rik's suggestion has explained things, so as far as I am concerned
the case can be closed.


Thanks for thinking along, Paul, Rik, and Geert!

Have a nice Sunday,
MJ



Re: nfs / hosts.deny & allow

2016-11-06 Thread Paul van der Vlis
On 05-11-16 at 20:13, mj wrote:
> Hi all,
> 
> I want to export a directory to another machine over nfs. On the
> server I have configured an export in /etc/exports:
> 
>>  /srv/datashare 192.168.2.5(ro,no_subtree_check)
> 
> After that I started nfs-kernel-server, and I can now mount it
> successfully on the client, even with nfs4. Fine.
> 
> Now I would like to use tcp wrappers to lock things down a bit
> further. 

Not every application supports tcp wrappers; sometimes support for them
has to be compiled in specifically. I don't know how this is for NFS.

Also, the name "tcp wrappers" makes me think it may only work with TCP,
and NFS is mostly UDP.

> So, on the server in hosts.deny:
> 
>> rpcbind : ALL
>> rpc.statd : ALL
>> rpc.idmapd : ALL
>> rpc.mountd : ALL
> 
> And then, on the client, as expected:
> 
>> root@client:/srv#  showmount -e server
>> clnt_create: RPC: Port mapper failure - Authentication error
> 
> Then, allow the specific client in hosts.allow on the server:
> 
>> rpcbind : 192.168.2.5
>> rpc.statd : 192.168.2.5
>> rpc.idmapd : 192.168.2.5
>> rpc.mountd : 192.168.2.5
> 
> And indeed, on the client:
> 
>> root@client:/srv#  showmount -e server
>> Export list for server:
>> /srv/datashare 192.168.2.5
> 
> HOWEVER (and here it comes..!) mounting this nfs share on the client
> consistently DOES work, even WITHOUT the exception in hosts.allow on
> the server.
> 
> So, when I make NO exception in hosts.allow, I can STILL successfully
> mount the nfs export on client 192.168.2.5 and view its (current,
> real-time) contents.
> 
> So showmount does indeed give an error, but:

I don't see an error there.

>> mount /srv/datashare
> 
> just works ANYWAY. The above mount comes from fstab, as:
> 
>> server.company.com:/srv/datashare /srv/datashare nfs4 ro,intr,noexec 0  0
> 
> I don't think I understand why it simply keeps working.
> 
> Does anyone here? What am I overlooking? Why is hosts.deny /
> hosts.allow ignored when actually mounting..??

See my remark above.

Of course other IPs are also blocked because only your IP is in
/etc/export on the server. So your setting is redundant. If you
still want that, I would do it via a firewall.

Regards,
Paul.


-- 
Paul van der Vlis Linux system administration Groningen
https://www.vandervlis.nl/



Re: nfs / hosts.deny & allow

2016-11-06 Thread Rik Theys
Hi,

I believe showmount uses the rpc services and does not work without the
exception.  NFS v4, however, does not need these and uses only port
2049. If you explicitly do an nfs v3 mount, I would expect it not to
work without the exception (or only after a long timeout).

Sorry for top-posting. Typed on my phone.

Rik

On 5 Nov 2016 21:11, "Geert Stappers" <stapp...@stappers.nl> wrote:

> On Sat, Nov 05, 2016 at 08:13:35PM +0100, mj wrote:
> > Hi all,
> >
> > I want to export a directory to another machine over nfs. On the
> > server I have configured an export in /etc/exports:
> >
> > >  /srv/datashare 192.168.2.5(ro,no_subtree_check)
> >
> > After that I started nfs-kernel-server, and I can now mount it
> > successfully on the client, even with nfs4. Fine.
> >
> > Now I would like to use tcp wrappers to lock things down a bit
> > further. So, on the server in hosts.deny:
> >
> > >rpcbind : ALL
> > >rpc.statd : ALL
> > >rpc.idmapd : ALL
> > >rpc.mountd : ALL
> >
> > And then, on the client, as expected:
> >
> > >root@client:/srv#  showmount -e server
> > >clnt_create: RPC: Port mapper failure - Authentication error
> >
> > Then, allow the specific client in hosts.allow on the server:
> >
> > > rpcbind : 192.168.2.5
> > > rpc.statd : 192.168.2.5
> > > rpc.idmapd : 192.168.2.5
> > > rpc.mountd : 192.168.2.5
> >
> > And indeed, on the client:
> >
> > >root@client:/srv#  showmount -e server
> > >Export list for server:
> > >/srv/datashare 192.168.2.5
> >
> > HOWEVER (and here it comes..!) mounting this nfs share on the
> > client consistently DOES work, even WITHOUT the exception in
> > hosts.allow on the server.
> >
> > So, when I make NO exception in hosts.allow, I can STILL
> > successfully mount the nfs export on client 192.168.2.5 and view
> > its (current, real-time) contents.
> >
> > So showmount does indeed give an error, but:
> >
> > > mount /srv/datashare
> >
> > just works ANYWAY. The above mount comes from fstab, as:
> >
> > >server.company.com:/srv/datashare /srv/datashare nfs4 ro,intr,noexec 0  0
> >
> > I don't think I understand why it simply keeps working.
> >
> > Does anyone here? What am I overlooking? Why is hosts.deny
> > / hosts.allow ignored when actually mounting..??
>
> My assessment is that the situation is the same as when the server is
> unreachable. That can happen with "Network File System". The client
> will "simply" do a mount.
>
> And my assessment is that when actually using the remote disk, the
> tcpwrappers (NFS is UDP, by the way) do make a difference.
>
>
>
> Regards
> Geert Stappers
> --
> Live and let live


Re: nfs / hosts.deny & allow

2016-11-05 Thread mj

Hi Geert,

I don't think I fully understand your answer, sorry.

On 11/05/2016 09:11 PM, Geert Stappers wrote:

> My assessment is that the situation is the same as when the server is
> unreachable. That can happen with "Network File System". The client
> will "simply" do a mount.

What do you mean by that last part? If the server is supposed to deny
access, then the client can of course try to mount whatever it wants,
but then the client simply cannot get to the data..?

> And my assessment is that when actually using the remote disk, the
> tcpwrappers (NFS is UDP, by the way) do make a difference.

NFSv4 is actually TCP, I believe. But I CAN use the NFS export on the
client. Read-only, as configured, but I can mount the export and read
the contents of files.


But perhaps I am missing the essence of what you are trying to say?

Regards,
MJ



nfs / hosts.deny & allow

2016-11-05 Thread mj

Hi all,

I want to export a directory to another machine over nfs. On the
server I have configured an export in /etc/exports:


>  /srv/datashare 192.168.2.5(ro,no_subtree_check)

After that I started nfs-kernel-server, and I can now mount it
successfully on the client, even with nfs4. Fine.


Now I would like to use tcp wrappers to lock things down a bit
further. So, on the server in hosts.deny:



rpcbind : ALL
rpc.statd : ALL
rpc.idmapd : ALL
rpc.mountd : ALL


And then, on the client, as expected:


root@client:/srv#  showmount -e server
clnt_create: RPC: Port mapper failure - Authentication error


Then, allow the specific client in hosts.allow on the server:

> rpcbind : 192.168.2.5
> rpc.statd : 192.168.2.5
> rpc.idmapd : 192.168.2.5
> rpc.mountd : 192.168.2.5

And indeed, on the client:


root@client:/srv#  showmount -e server
Export list for server:
/srv/datashare 192.168.2.5


HOWEVER (and here it comes..!) mounting this nfs share on the client
consistently DOES work, even WITHOUT the exception in hosts.allow on
the server.


So, when I make NO exception in hosts.allow, I can STILL successfully
mount the nfs export on client 192.168.2.5 and view its (current,
real-time) contents.


So showmount does indeed give an error, but:

> mount /srv/datashare

just works ANYWAY. The above mount comes from fstab, as:


server.company.com:/srv/datashare /srv/datashare nfs4 ro,intr,noexec 0  0


I don't think I understand why it simply keeps working.

Does anyone here? What am I overlooking? Why is hosts.deny /
hosts.allow ignored when actually mounting..??


Regards and thanks,

MJ



Re: Sendmail compiled with tcpwrappers yet ignores /etc/hosts.deny ?

2015-11-23 Thread jon
On Sun, 2015-11-22 at 23:44 +, jon wrote:
> 
> root@mail:/usr/share/doc# ldd /usr/sbin/sendmail |grep 'libwrap'
> libwrap.so.0 => /lib/i386-linux-gnu/libwrap.so.0 (0xb7525000)
> root@mail:/usr/share/doc# cat /etc/debian_version 
> 8.2
> 
> I want to use sendmail with tcp wrappers but it does not seem to play,
> it looks like it was compiled with support,  can anyone help ?
> 
> 
> Thanks,
> Jon
> 
> 


Anyone ? 

Maybe I was not very clear, this is the default sendmail for Debian
installed via apt. The online docs claim it works with tcpwrappers yet
it seems to ignore /etc/hosts.deny ? 

Thanks,
Jon





Sendmail compiled with tcpwrappers yet ignores /etc/hosts.deny ?

2015-11-22 Thread jon


root@mail:/usr/share/doc# ldd /usr/sbin/sendmail |grep 'libwrap'
libwrap.so.0 => /lib/i386-linux-gnu/libwrap.so.0 (0xb7525000)
root@mail:/usr/share/doc# cat /etc/debian_version 
8.2

I want to use sendmail with tcp wrappers but it does not seem to play,
it looks like it was compiled with support,  can anyone help ?


Thanks,
Jon





Re: telnet and hosts.deny

2015-09-03 Thread Camaleón
On Wed, 02 Sep 2015 13:38:17 -0400, cosme wrote:

> What would be the correct way to deny telnet on Debian 7

Well, that will depend on the filtering/firewall system you use.
 
> For example, so that when someone does a telnet x.x.x.x 25 from any PC
> it is denied

Look, if you have a service listening on port 25 (e-mail server) it
makes no sense to deny the requests that reach it; if you don't need
the service, it is better to stop it and have nothing listening on
that port.

Besides, hosts_access does not allow defining ports, only machines and
services.

What do you want to do, and in what scenario? If you don't give more
details, the question is left somewhat up in the air.

Regards,

-- 
Camaleón



telnet and hosts.deny

2015-09-02 Thread cosme
Hello

What would be the correct way to deny telnet on Debian 7

For example, so that when someone does a telnet x.x.x.x 25 from any PC
it is denied

Regards




Re: telnet and hosts.deny

2015-09-02 Thread Santiago Vila
On Wed, Sep 02, 2015 at 01:38:17PM -0400, co...@crearq.co.cu wrote:
> What would be the correct way to deny telnet on Debian 7

On Debian the correct way to deny telnet is by *not* installing
telnetd.

> For example, so that when someone does a telnet x.x.x.x 25 from any PC
> it is denied

But that is *not* what "telnet" is! If what you want is to deny
connections to port 25, what you have to do is *not* install any MTA,
or configure the one you have so that it only accepts local mail.

For example, if you are using postfix, "dpkg-reconfigure postfix" and
tell it "Local only".



Re: telnet and hosts.deny

2015-09-02 Thread Gonzalo Rivero
On Wed, 02-09-2015 at 13:38 -0400, co...@crearq.co.cu wrote:
> Hello
> 
> What would be the correct way to deny telnet on Debian 7
> 
> For example, so that when someone does a telnet x.x.x.x 25 from any PC
> it is denied
> 
> Regards
> 
> 
iptables -t filter -A INPUT -s ip-denegada -p tcp --dport 25 -j REJECT

or something like that. 
man iptables will give you the correct answer
-- 
(-.(-.(-.(-.(-.(-.-).-).-).-).-).-)




Re: telnet and hosts.deny

2015-09-02 Thread Leonardo Serrano Berdeal

On 02/09/2015 at 2:58, Santiago Vila wrote:

> On Wed, Sep 02, 2015 at 01:38:17PM -0400, co...@crearq.co.cu wrote:
>
> > What would be the correct way to deny telnet on Debian 7
>
> On Debian the correct way to deny telnet is by *not* installing
> telnetd.
>
> > For example, so that when someone does a telnet x.x.x.x 25 from any
> > PC it is denied
>
> But that is *not* what "telnet" is! If what you want is to deny
> connections to port 25, what you have to do is *not* install any MTA,
> or configure the one you have so that it only accepts local mail.
>
> For example, if you are using postfix, "dpkg-reconfigure postfix" and
> tell it "Local only".

I think iptables is what can help you with that...


iptables -A INPUT -p tcp -d $MIIPLAN --dport 25 -j DROP

something like that, for example



hosts.deny

2015-04-21 Thread jan
Today I experienced something strange. While trying to log in with ssh,
my hosts.deny got modified. The timestamp matches when I was at it.

There were some problems with the login and I was running cygwin on a
Win7 machine, if that could possibly be relevant. The IP numbers that
were added match the two routes by which I tried to reach the server.

Has anyone heard of anything like this? I haven't.

/Janne


jan@sloth:~$ cat /etc/hosts.deny.bad 
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#  See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name portmap for the
# daemon name. Remember that you can only use the keyword ALL and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID

sshd: 192.168.30.21
sshd: 81.170.208.93
jan@sloth:~$ 


--
To UNSUBSCRIBE, email to debian-user-swedish-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150421165327.713416d5@igor



Re: hosts.deny

2015-04-21 Thread Michael Kjörling
On 21 Apr 2015 16:53 +0200, from j...@lillahusetiskogen.se:
> Today I experienced something strange. While trying to log in with ssh,
> my hosts.deny got modified. The timestamp matches when I was at it.

Are you perhaps running fail2ban or something similar on the server in question?

-- 
Michael Kjörling • https://michael.kjorling.se • mich...@kjorling.se
OpenPGP B501AC6429EF4514 https://michael.kjorling.se/public-keys/pgp
 “People who think they know everything really annoy
 those of us who know we don’t.” (Bjarne Stroustrup)





Re: hosts.deny

2015-04-21 Thread jan
On Tue, 21 Apr 2015 15:19:36 +
Michael Kjörling mich...@kjorling.se wrote:

> On 21 Apr 2015 16:53 +0200, from j...@lillahusetiskogen.se:
> > Today I experienced something strange. While trying to log in with
> > ssh, my hosts.deny got modified. The timestamp matches when I was
> > at it.
>
> Are you perhaps running fail2ban or something similar on the server in question?
>

Honestly, I don't know. It is the default configuration for
Debian 7.8. I will investigate.

/Janne





Re: hosts.deny

2015-04-21 Thread jan
On Tue, 21 Apr 2015 15:19:36 +
Michael Kjörling mich...@kjorling.se wrote:

> On 21 Apr 2015 16:53 +0200, from j...@lillahusetiskogen.se:
> > Today I experienced something strange. While trying to log in with
> > ssh, my hosts.deny got modified. The timestamp matches when I was
> > at it.
>
> Are you perhaps running fail2ban or something similar on the server in question?
>


Thanks!
It was fail2ban, I saw it in fail2ban.log.

/Janne





Re: hosts.deny: systematically blacklisted

2014-08-12 Thread Nicolas KOWALSKI
On Mon, Aug 11, 2014 at 05:09:00PM +0200, andre_deb...@numericable.fr wrote:
> I connect to my externally hosted server without problems,
> via ssh, with certificates, as root or as a user.
>
> My client IP is systematically put into the /etc/hosts.deny file:
> sshd: mon_IP_client

Have you installed fail2ban on this server?

> and despite that, I connect to the server as described above.

What is the content of the /etc/hosts.allow file?

-- 
Nicolas

-- 
Read the list FAQ before asking a question:
http://wiki.debian.org/fr/FrenchLists

To UNSUBSCRIBE, send a message with the subject unsubscribe
to debian-user-french-requ...@lists.debian.org
In case of trouble, contact listmas...@lists.debian.org IN ENGLISH
Archive: https://lists.debian.org/20140812055932.gc2...@petole.demisel.net



Re: hosts.deny: systematically blacklisted

2014-08-12 Thread Doe John
Hello,

You have rules that bypass certain others.

What is your problem in the end? You manage to connect while being
blacklisted?

Your AllowUsers rule will bypass host.deny. I don't see how your IP can
get added to your host.deny automatically.

A bit more info is needed ;)  (contents of deny/allow/AllowUsers/etc/hosts)


On 12 August 2014 07:59, Nicolas KOWALSKI nicolas.kowal...@gmail.com
wrote:

> On Mon, Aug 11, 2014 at 05:09:00PM +0200, andre_deb...@numericable.fr
> wrote:
> > I connect to my externally hosted server without problems,
> > via ssh, with certificates, as root or as a user.
> >
> > My client IP is systematically put into the /etc/hosts.deny file:
> > sshd: mon_IP_client
>
> Have you installed fail2ban on this server?
>
> > and despite that, I connect to the server as described above.
>
> What is the content of the /etc/hosts.allow file?
>
> --
> Nicolas




Re: hosts.deny: systematically blacklisted

2014-08-12 Thread andre_debian
On Tuesday 12 August 2014 07:59:32 Nicolas KOWALSKI wrote:
> On Mon, Aug 11, 2014 at 05:09:00PM +0200, andre_deb...@numericable.fr wrote:
> > I connect to my externally hosted server without problems,
> > via ssh, with certificates, as root or as a user.
> > My client IP is systematically put into the /etc/hosts.deny file:
> > sshd: mon_IP_client
>
> Have you installed fail2ban on this server? :
Yes, and it is running.
/etc/init.d# ./fail2ban restart
* Restarting authentication failure monitor fail2ban

Could this be coming from fail2ban?

> > and despite that, I connect to the server as described above.
> What is the content of the /etc/hosts.allow file? :
sshd: ALL
ALL: LOCAL
sftp: ALL

On Tuesday 12 August 2014 09:26:21 Doe John wrote:
> You have rules that bypass certain others.
> What is your problem in the end? You manage to connect while being
> blacklisted? :
Exactly.

> Your AllowUsers rule will bypass host.deny. I don't see how your IP can
> get added to your host.deny automatically.
That is nevertheless the case...

> A bit more info is needed ;)  (contents of deny/allow/AllowUsers/etc/hosts) :
/etc/hosts:
127.0.0.1 localhost localhost.localdomain
IP_serveur nom_domaine
IP_serveur   pop.nom_domaine
IP_serveur   imap.nom_domaine

/etc/hosts.deny
sshd: IP
long list...

/etc/hosts.allow
sshd: ALL
ALL: LOCAL
sftp: ALL

/etc/ssh/sshd_config:
AllowUsers users allowed to connect

I have this file:
/etc/fail2ban/action.d/hostsdeny.conf
which points to /etc/hosts.deny

and /etc/init.d/denyhosts (start or stop).

André



Re: hosts.deny: systematically blacklisted

2014-08-12 Thread Belaïd
Hello,
There is the denyhosts package, which modifies hosts.deny by evaluating
the log files
On 12 August 2014 09:26, Doe John frozzensh...@gmail.com wrote:

> Hello,
>
> You have rules that bypass certain others.
>
> What is your problem in the end? You manage to connect while being
> blacklisted?
>
> Your AllowUsers rule will bypass host.deny. I don't see how your IP can
> get added to your host.deny automatically.
>
> A bit more info is needed ;)  (contents of deny/allow/AllowUsers/etc/hosts)
>
>
> On 12 August 2014 07:59, Nicolas KOWALSKI nicolas.kowal...@gmail.com
> wrote:
>
> > On Mon, Aug 11, 2014 at 05:09:00PM +0200, andre_deb...@numericable.fr
> > wrote:
> > > I connect to my externally hosted server without problems,
> > > via ssh, with certificates, as root or as a user.
> > >
> > > My client IP is systematically put into the /etc/hosts.deny file:
> > > sshd: mon_IP_client
> >
> > Have you installed fail2ban on this server?
> >
> > > and despite that, I connect to the server as described above.
> >
> > What is the content of the /etc/hosts.allow file?
> >
> > --
> > Nicolas





Re: hosts.deny: systematically blacklisted

2014-08-12 Thread Nicolas KOWALSKI
On Tue, Aug 12, 2014 at 11:30:46AM +0200, andre_deb...@numericable.fr wrote:
> On Tuesday 12 August 2014 07:59:32 Nicolas KOWALSKI wrote:
> Could this be coming from fail2ban?

Yes, that is how it works.

> > > and despite that, I connect to the server as described above.
> > What is the content of the /etc/hosts.allow file? :
> sshd: ALL

So all SSH connections are allowed, cf. the checking order given in
man 5 hosts_access.

So everything is working normally with your configuration.
-- 
Nicolas
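
The checking order referred to above, as an added example (not code from the thread or from libwrap): a simplified Python model of the hosts_access(5) decision, run on the hosts.allow quoted in this thread and on the rpcbind rules from the NFS thread on this page. The denied address 203.0.113.7 is constructed, and only ALL, LOCAL, literal addresses, dotted prefixes/suffixes and net/mask patterns are modelled (no EXCEPT, no IPv6).

```python
import ipaddress

# hosts.allow as quoted in this thread; the denied address is constructed.
THREAD_ALLOW = "sshd: ALL\nALL: LOCAL\nsftp: ALL\n"
THREAD_DENY = "sshd: 203.0.113.7\n"
# Same files with the catch-all sshd line removed from hosts.allow.
FIXED_ALLOW = "ALL: LOCAL\nsftp: ALL\n"
# rpcbind rules from the NFS thread on this page.
NFS_ALLOW = "rpcbind : 192.168.2.5\n"
NFS_DENY = "rpcbind : ALL\n"


def parse_rules(text):
    """Return [(daemons, clients)] from 'daemon_list : client_list' lines."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(":")
        if len(fields) < 2:
            continue  # blank line, comment, or not a rule
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if daemons and clients:
            rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr, hostname=None):
    """Match one client pattern against an IPv4 address and optional name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":  # host names that contain no dot
        return hostname is not None and "." not in hostname
    if pattern.endswith("."):  # address prefix such as "192.168.2."
        return addr.startswith(pattern)
    if pattern.startswith("."):  # domain suffix such as ".example.org"
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if "/" in pattern:  # net/mask such as 192.168.2.0/255.255.255.0
        try:
            net = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(addr) in net
        except ValueError:
            return False
    return pattern == addr or (
        hostname is not None and pattern.lower() == hostname.lower()
    )


def table_matches(rules, daemon, addr, hostname=None):
    """True when any rule in one file matches the (daemon, client) pair."""
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(client_matches(p, addr, hostname) for p in clients):
                return True
    return False


def decide(allow_text, deny_text, daemon, addr, hostname=None):
    """hosts_access(5) order: hosts.allow, then hosts.deny, else grant."""
    if table_matches(parse_rules(allow_text), daemon, addr, hostname):
        return ("allow", "hosts.allow")
    if table_matches(parse_rules(deny_text), daemon, addr, hostname):
        return ("deny", "hosts.deny")
    return ("allow", "default")


if __name__ == "__main__":
    cases = [
        ("thread config", THREAD_ALLOW, THREAD_DENY, "sshd", "203.0.113.7"),
        ("sshd: ALL removed", FIXED_ALLOW, THREAD_DENY, "sshd", "203.0.113.7"),
        ("nfs client", NFS_ALLOW, NFS_DENY, "rpcbind", "192.168.2.5"),
        ("nfs other host", NFS_ALLOW, NFS_DENY, "rpcbind", "192.168.2.6"),
    ]
    for label, allow, deny, daemon, addr in cases:
        print(label, daemon, addr, decide(allow, deny, daemon, addr))
```

With `sshd: ALL` in hosts.allow, an address appended to hosts.deny by fail2ban or denyhosts is never consulted for sshd, because the search stops at the first matching file.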




Re: hosts.deny: systematically blacklisted

2014-08-12 Thread andre_debian
On Tuesday 12 August 2014 11:39:09 Nicolas KOWALSKI wrote:
> On Tue, Aug 12, 2014 at 11:30:46AM +0200, andre_deb...@numericable.fr wrote:
> > Could this be coming from fail2ban?
>
> Yes, that is how it works.
>
> > > > and despite that, I connect to the server as described above.
> > > What is the content of the /etc/hosts.allow file? :
>
> > sshd: ALL
>
> So all SSH connections are allowed, cf. the checking order given in
> man 5 hosts_access.
>
> So everything is working normally with your configuration.

Why is my client IP systematically put into /etc/hosts.deny?

And logwatch reports:
- Denyhosts Begin  
 new denied hosts: 
my client IP
 

André



Re: hosts.deny: systematically blacklisted

2014-08-12 Thread Nicolas KOWALSKI
On Tue, Aug 12, 2014 at 12:03:20PM +0200, andre_deb...@numericable.fr wrote:
> Why is my client IP systematically put into /etc/hosts.deny?

Let me turn the question around: why would you want to use
denyhosts/fail2ban if you allow *all* SSH connections anyway?

As for the rest, using fail2ban and denyhosts at the same time seems to
me a very bad idea. Make a choice, then check.

-- 
Nicolas



Re: hosts.deny: systematically blacklisted

2014-08-12 Thread Doe John
Hi,

I agree with Nicolas, using tcpwrapper + fail2ban + ssh config rules is
useless.

Moreover, to diagnose your problem you would need to run your tests
case by case.

You have too many configs that conflict with each other


On 12 August 2014 12:17, Nicolas KOWALSKI nicolas.kowal...@gmail.com
wrote:

> On Tue, Aug 12, 2014 at 12:03:20PM +0200, andre_deb...@numericable.fr
> wrote:
> > Why is my client IP systematically put into /etc/hosts.deny?
>
> Let me turn the question around: why would you want to use
> denyhosts/fail2ban if you allow *all* SSH connections anyway?
>
> As for the rest, using fail2ban and denyhosts at the same time seems to
> me a very bad idea. Make a choice, then check.
>
> --
> Nicolas




Re: hosts.deny: systematically blacklisted

2014-08-12 Thread Belaïd
I agree with using either one or the other to manage things better. As
for the fact that he allows all ssh connections and then bans them as
he goes,
On 12 August 2014 12:18, Nicolas KOWALSKI nicolas.kowal...@gmail.com
wrote:

> On Tue, Aug 12, 2014 at 12:03:20PM +0200, andre_deb...@numericable.fr
> wrote:
> > Why is my client IP systematically put into /etc/hosts.deny?
>
> Let me turn the question around: why would you want to use
> denyhosts/fail2ban if you allow *all* SSH connections anyway?
>
> As for the rest, using fail2ban and denyhosts at the same time seems to
> me a very bad idea. Make a choice, then check.
>
> --
> Nicolas




Re: hosts.deny: systematically blacklisted

2014-08-12 Thread Belaïd
I agree with using either one or the other to manage things better. As
for the fact that he allows all ssh connections and then bans them as
connection failures occur, maybe it is because he is not able to list
up front all the machines from which he wants to/can connect via ssh
On 12 August 2014 12:18, Nicolas KOWALSKI nicolas.kowal...@gmail.com
wrote:

> On Tue, Aug 12, 2014 at 12:03:20PM +0200, andre_deb...@numericable.fr
> wrote:
> > Why is my client IP systematically put into /etc/hosts.deny?
>
> Let me turn the question around: why would you want to use
> denyhosts/fail2ban if you allow *all* SSH connections anyway?
>
> As for the rest, using fail2ban and denyhosts at the same time seems to
> me a very bad idea. Make a choice, then check.
>
> --
> Nicolas




Re: hosts.deny: systematically blacklisted

2014-08-12 Thread Doe John
That is why a rigorous diagnostic plan is needed, otherwise the more
you pedal less fast, the less you move forward harder ;)


On 12 August 2014 12:35, Belaïd oblivion.ik...@gmail.com wrote:

> I agree with using either one or the other to manage things better. As
> for the fact that he allows all ssh connections and then bans them as
> connection failures occur, maybe it is because he is not able to list
> up front all the machines from which he wants to/can connect via ssh
> On 12 August 2014 12:18, Nicolas KOWALSKI nicolas.kowal...@gmail.com
> wrote:
>
> > On Tue, Aug 12, 2014 at 12:03:20PM +0200, andre_deb...@numericable.fr
> > wrote:
> >
> > > Why is my client IP systematically put into /etc/hosts.deny?
> >
> > Let me turn the question around: why would you want to use
> > denyhosts/fail2ban if you allow *all* SSH connections anyway?
> >
> > As for the rest, using fail2ban and denyhosts at the same time seems
> > to me a very bad idea. Make a choice, then check.
> >
> > --
> > Nicolas




Re: hosts.deny: systematically blacklisted

2014-08-12 Thread andre_debian
On Tuesday 12 August 2014 14:03:48 Doe John wrote:
> That is why a rigorous diagnostic plan is needed, otherwise the more
> you pedal less fast, the less you move forward harder ;)

I would rather say:
the more you try to pedal with both your legs and your hands, the less you move forward harder.
:-)

André

> > As for the rest, using fail2ban and denyhosts at the same time seems
> > to me a very bad idea. Make a choice, then check.
> > Nicolas



hosts.deny: systematically blacklisted

2014-08-11 Thread andre_debian
Hello everyone,

I connect to my hosted server without problems,
via ssh, with certificates, as root or as a user.

My client IP is systematically put into the /etc/hosts.deny file:
sshd: mon_IP_client
and despite that, I connect to the server as described above.

How is this possible, and why am I blacklisted?

Thanks.

André

--
Archive: https://lists.debian.org/201408111709.00464.andre_deb...@numericable.fr



Re: hosts.deny: systematically blacklisted

2014-08-11 Thread Johnny B

Hi!

My client IP is systematically put into the /etc/hosts.deny file
: sshd: mon_IP_client



- Meaning what? Automatically? That is impossible unless you have
a script that takes care of it.


- Do you have an AllowUsers directive in your sshd_config?

- What is the output of ssh - ip_server?

- If your hostname cannot be verified, the blacklist will be bypassed;
check your /etc/hosts



On 08/11/2014 05:09 PM, andre_deb...@numericable.fr wrote:

Hello everyone,

I connect to my hosted server without problems,
via ssh, with certificates, as root or as a user.

My client IP is systematically put into the /etc/hosts.deny file:
sshd: mon_IP_client
and despite that, I connect to the server as described above.

How is this possible, and why am I blacklisted?

Thanks.

André



--
Archive: https://lists.debian.org/53e92f1a.9080...@gmail.com



Re: hosts.deny: systematically blacklisted

2014-08-11 Thread andre_debian
On Monday 11 August 2014 23:01:14 Johnny B wrote:
 My client IP is systematically put into the /etc/hosts.deny file
 : sshd: mon_IP_client

 - Meaning what? Automatically? That is impossible unless you have
 a script that takes care of it:
Good evening, thanks:
there is no directive blacklisting the client IP;
otherwise, where would it be?

 - Do you have an AllowUsers directive in your sshd_config? :
The users allowed to connect over ssh.

 - What is the output of ssh - ip_server? :
Connection, and a password prompt for the user logging in.

 - If your hostname cannot be verified, the blacklist will be bypassed;
 check your /etc/hosts :
A normal file of IP / domain name / host mappings.

André

 On 08/11/2014 05:09 PM, andre_deb...@numericable.fr wrote:
  I connect to my hosted server without problems,
  via ssh, with certificates, as root or as a user.
  My client IP is systematically put into the /etc/hosts.deny file:
  sshd: mon_IP_client
  and despite that, I connect to the server as described above.
  How is this possible, and why am I blacklisted?


--
Archive: https://lists.debian.org/201408120001.48768.andre_deb...@numericable.fr



Re: about hosts.deny

2012-10-17 Thread Sergio Villalba
An example:

hosts.deny
sshd: ALL
webmin:   ALL
mysqld:   ALL
#ALL: ALL


hosts.allow
sshd: 10.9.234.13
webmin: 10.9.234.13
mysqld: 10.9.234.13, 10.9.234.65

Good luck and regards.


On 16 October 2012 20:54, Gonzalo Rivero
fishfromsa...@gmail.com wrote:
 On Tue, 16-10-2012 at 14:17 -0400, co...@esid.gecgr.co.cu wrote:
 Hello

 if I want to deny telnet access to my PC from my whole network and only
 allow my own and one other:

 that is, my PC is 192.168.71.5 and the other PC is 192.168.71.6, and
 everything else is denied, wouldn't it be done this way:

 in /etc/hosts.allow  put

 in.telnetd: 192.168.71.5, 192.168.71.6



 in /etc/hosts.deny  put

 in.telnetd: ALL

 telnet 192.168.71.5 21
 telnet 192.168.71.5 25

 It doesn't work; I already tested it and everyone can telnet

 What could be missing???

 I use Debian Squeeze

 Regards


 I recommend you replace telnet with ssh, and that they not get access
 with a username/password; instead, generate a key for each computer
 you are going to give permission to
 --
 (-.(-.(-.(-.(-.(-.-).-).-).-).-).-)



 --
 To UNSUBSCRIBE, email to debian-user-spanish-requ...@lists.debian.org
 with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
 Archive: http://lists.debian.org/1350413642.13709.3.ca...@eeepc.ucasal.ar



--
Archive: 
http://lists.debian.org/ca+ylrtdkw17wnvu2hh599bna5ixxo2gzs1rnfio6b5s_ylz...@mail.gmail.com



Re: about hosts.deny

2012-10-17 Thread Lic. Domingo Varela Yahuitl
Hmmm.
hosts.deny
ALL:ALL

hosts.allow
ALL: tu-ip. Or list them per service
 sshd: tu ip


Sent from my android device.
One step ahead.



-Original Message-
From: Sergio Villalba svillal...@gmail.com
To: debian-user-spanish@lists.debian.org
Sent: Wed, 17 Oct 2012 3:03
Subject: Re: about hosts.deny

An example:

hosts.deny
sshd: ALL
webmin:   ALL
mysqld:   ALL
#ALL: ALL


hosts.allow
sshd: 10.9.234.13
webmin: 10.9.234.13
mysqld: 10.9.234.13, 10.9.234.65

Good luck and regards.


On 16 October 2012 20:54, Gonzalo Rivero
fishfromsa...@gmail.com wrote:
 On Tue, 16-10-2012 at 14:17 -0400, co...@esid.gecgr.co.cu wrote:
 Hello

 if I want to deny telnet access to my PC from my whole network and only
 allow my own and one other:

 that is, my PC is 192.168.71.5 and the other PC is 192.168.71.6, and
 everything else is denied, wouldn't it be done this way:

 in /etc/hosts.allow  put

 in.telnetd: 192.168.71.5, 192.168.71.6



 in /etc/hosts.deny  put

 in.telnetd: ALL

 telnet 192.168.71.5 21
 telnet 192.168.71.5 25

 It doesn't work; I already tested it and everyone can telnet

 What could be missing???

 I use Debian Squeeze

 Regards


 I recommend you replace telnet with ssh, and that they not get access
 with a username/password; instead, generate a key for each computer
 you are going to give permission to
 --
 (-.(-.(-.(-.(-.(-.-).-).-).-).-).-)



 --
 Archive: http://lists.debian.org/1350413642.13709.3.ca...@eeepc.ucasal.ar



--
Archive: 
http://lists.debian.org/ca+ylrtdkw17wnvu2hh599bna5ixxo2gzs1rnfio6b5s_ylz...@mail.gmail.com




about hosts.deny

2012-10-16 Thread cosme
Hello

if I want to deny telnet access to my PC from my whole network and only
allow my own and one other:

that is, my PC is 192.168.71.5 and the other PC is 192.168.71.6, and
everything else is denied, wouldn't it be done this way:

in /etc/hosts.allow  put

in.telnetd: 192.168.71.5, 192.168.71.6



in /etc/hosts.deny  put

in.telnetd: ALL

telnet 192.168.71.5 21
telnet 192.168.71.5 25

It doesn't work; I already tested it and everyone can telnet

What could be missing???

I use Debian Squeeze

Regards

-- 
Archive: 
http://lists.debian.org/38d74f04bf27abd919c36cb086603ee9.squirrel@192.168.13.16



Re: about hosts.deny

2012-10-16 Thread Gonzalo Rivero
On Tue, 16-10-2012 at 14:17 -0400, co...@esid.gecgr.co.cu wrote:
 Hello

 if I want to deny telnet access to my PC from my whole network and only
 allow my own and one other:

 that is, my PC is 192.168.71.5 and the other PC is 192.168.71.6, and
 everything else is denied, wouldn't it be done this way:

 in /etc/hosts.allow  put

 in.telnetd: 192.168.71.5, 192.168.71.6



 in /etc/hosts.deny  put

 in.telnetd: ALL

 telnet 192.168.71.5 21
 telnet 192.168.71.5 25

 It doesn't work; I already tested it and everyone can telnet

 What could be missing???

 I use Debian Squeeze

 Regards


I recommend you replace telnet with ssh, and that they not get access
with a username/password; instead, generate a key for each computer
you are going to give permission to
-- 
(-.(-.(-.(-.(-.(-.-).-).-).-).-).-)



-- 
Archive: http://lists.debian.org/1350413642.13709.3.ca...@eeepc.ucasal.ar



Re: Squeeze, MySQL and hosts.allow and hosts.deny ignored

2012-07-11 Thread Camaleón
On Tue, 10 Jul 2012 20:18:07 +0200, Zdenek Herman wrote:

 On 10/07/12 17:29, Camaleón wrote:

(...)

 Ah, how curious... It seems to be documented here:

 4.2.2. Connecting to the MySQL Server
 http://dev.mysql.com/doc/refman/5.6/en/connecting.html

(...)


 Camaleón is correct.

 When you are logged into mysql, you can enter the status command and
 it will show how you are connected.

 Connect via -h localhost:

(...)

 Connect via -h 127.0.0.1:

(...)

 Connection:127.0.0.1 via TCP/IP ...
 TCP port:3306
 ...

 Hope that clears it up a bit.

 It might be possible to disable the socket connection in the MySQL
 config, but I haven't looked into that.


 OK - many thanks, guys, for the replies.
 This explains the first part of the problem - my fault, sorry. I tried setting in my
 hosts.allow
 mysqld: 127.0.0.1 \
  : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a] 
  /var/log/tcp_wrapper/%d.log )  
 This allows connecting from localhost - that's OK. But why, when connecting from a
 remote machine or 127.0.0.1, is there nothing in the log? With sshd the same command
 works great.

I would rather use the IP of the machine where MySQL runs (192.168.1.1)
instead of the loopback device (127.0.0.1), and not only for hosts.allow/deny
but also for the running MySQL daemon, if you want it to be accessible
from clients in your local network.

Greetings,

-- 
Camaleón


-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/jtjv97$4fh$4...@dough.gmane.org



Re: Squeeze, MySQL and hosts.allow and hosts.deny ignored

2012-07-10 Thread Zdenek Herman

I tried from the same host and from another host too (with -h parameters).
In the log I don't see anything about connecting.
Is the tcp wrapper checked first and then the mysql grants, or the reverse?

_
# mysql -h localhost -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 288
Server version: 5.1.63-0+squeeze1 (Debian)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input 
statement.


mysql>


and in hosts.deny is ALL:ALL

Zdenek Herman
zdenek.her...@ille.cz

Dne 10.7.2012 06:46, Kushal Kumaran napsal(a):

On Mon, Jul 9, 2012 at 11:41 PM, Zdenek Herman zdenek.her...@ille.cz wrote:

My hosts.deny
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the
system.
#  See the manual pages hosts_access(5) and
hosts_options(5).
#
# Example:ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name portmap for the
# daemon name. Remember that you can only use the keyword ALL and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from %u@%h
[%a]  /var/log/tcp_wrapper/%d.log ) 

My hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
#   See the manual pages hosts_access(5) and
hosts_options(5).
#
# Example:ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name portmap for the
# daemon name. Remember that you can only use the keyword ALL and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#
sshd: 192.168.1.1 \
 : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a]

/var/log/tcp_wrapper/%d.log ) 



I tested with mysqld: ALL in hosts.deny too.


What was the mysql client command line which failed?  If running on
the same host as the server, the mysql client will use the unix-domain
socket in /var/run/mysqld/mysqld.sock for connecting to the server.
To force it to use an AF_INET socket, pass -h 127.0.0.1 to the mysql
client (-h localhost is not sufficient).

I just tested this on my debian squeeze mysql setup.  With -h
127.0.0.1 and mysqld: ALL in hosts.deny, connections are rejected.
If you do not want to use mysql access control, you should disable the
socket in the mysql server config, if that's possible.





--

Archive: http://lists.debian.org/4ffc44c9.2090...@ille.cz



Re: Squeeze, MySQL and hosts.allow and hosts.deny ignored

2012-07-10 Thread Camaleón
On Mon, 09 Jul 2012 20:11:10 +0200, Zdenek Herman wrote:

(please, reply at the bottom)

 Dne 9.7.2012 16:52, Camaleón napsal(a):
 On Sun, 08 Jul 2012 22:26:11 +0200, Zdenek Herman wrote:

 (...)

 When I set hosts.deny ALL: ALL and hosts.allow is empty. I can allow
 connect to MySQL from anywhere - settings in hosts.allow and
 hosts.deny are ignored.
 (...)

 I wonder if you aren't just missing the daemon to filter (mysqld) :-?

 cat /etc/hosts.deny

 My hosts.deny

(...)

 ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from %u@%h 
 [%a]  /var/log/tcp_wrapper/%d.log ) 

(...)

 My hosts.allow

(...)

 sshd: 192.168.1.1 \
  : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a] 
  /var/log/tcp_wrapper/%d.log ) 

And you said this was working for the sshd service, right?

 I tested with mysqld: ALL in hosts.deny too.

Well, that should prevent connections coming from the same host (localhost)
unless you explicitly allow it from the hosts.allow, that has preference.

I don't know why does not work for you. Take a look into this article that
shows a few samples for using mysql with tcp wrappers:

http://www.unixmen.com/securing-services-with-tcp-wrappers/

And also read the manual (man hosts_options), maybe we are omitting 
something obvious...

Greetings,

-- 
Camaleón


-- 
Archive: http://lists.debian.org/jthi02$cnl$6...@dough.gmane.org



Re: Squeeze, MySQL and hosts.allow and hosts.deny ignored

2012-07-10 Thread Zdenek Herman
On Mon, 09 Jul 2012 20:11:10 +0200, Zdenek Herman wrote: (please, reply 
at the bottom)

Dne 9.7.2012 16:52, Camaleón napsal(a):

On Sun, 08 Jul 2012 22:26:11 +0200, Zdenek Herman wrote:

(...)


When I set hosts.deny ALL: ALL and hosts.allow is empty. I can allow
connect to MySQL from anywhere - settings in hosts.allow and
hosts.deny are ignored.

(...)

I wonder if you aren't just missing the daemon to filter (mysqld) :-?

cat /etc/hosts.deny

My hosts.deny

(...)


ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from %u@%h [%a]  
/var/log/tcp_wrapper/%d.log ) 

(...)


My hosts.allow

(...)


sshd: 192.168.1.1 \
  : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a]  
/var/log/tcp_wrapper/%d.log ) 

And you said this was working for the sshd service, right?


I tested with mysqld: ALL in hosts.deny too.

Well, that should prevent connections coming from the same host (localhost)
unless you explicitly allow it from the hosts.allow, that has preference.

I don't know why does not work for you. Take a look into this article that
shows a few samples for using mysql with tcp wrappers:

http://www.unixmen.com/securing-services-with-tcp-wrappers/

And also read the manual (man hosts_options), maybe we are omitting
something obvious...

Greetings,



I found part of problem. If I use localhost can connect, if 127.0.0.1 
all is ok.
If I connect from remote first is checked client in mysql grant and 
after in tcp wrappers.
Conclusion for me is that mysql doesn't support tcp wrappers correctly 
(first check by wrapper then authentication by service).


-
root@mon:~# mysql -h localhost -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 699
Server version: 5.1.63-0+squeeze1 (Debian)

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input 
statement.


mysql> quit
Bye
-
root@mon:~# mysql -h 127.0.0.1 -p
Enter password:
ERROR 2013 (HY000): Lost connection to MySQL server at 'reading initial 
communication packet', system error: 0

root@mon:~#
-

Thanks for help

Zdenek


--
Archive: http://lists.debian.org/4ffc53c6.5070...@ille.cz



Re: Squeeze, MySQL and hosts.allow and hosts.deny ignored

2012-07-10 Thread Camaleón
On Tue, 10 Jul 2012 18:09:42 +0200, Zdenek Herman wrote:

 On Mon, 09 Jul 2012 20:11:10 +0200, Zdenek Herman wrote: (please, reply
 at the bottom)
 Dne 9.7.2012 16:52, Camaleón napsal(a):

(...)

 I don't know why does not work for you. Take a look into this article
 that shows a few samples for using mysql with tcp wrappers:

 http://www.unixmen.com/securing-services-with-tcp-wrappers/

 And also read the manual (man hosts_options), maybe we are omitting
 something obvious...

 Greetings,


 I found part of problem. If I use localhost can connect, if 127.0.0.1
 all is ok.
 If I connect from remote first is checked client in mysql grant and
 after in tcp wrappers.
 Conclusion for me is that mysql doesn't support tcp wrappers correctly
 (first check by wrapper then authentication by service).

(...)

 root@mon:~# mysql -h localhost -p

(...)

Ah, how curious... It seems to be documented here:

4.2.2. Connecting to the MySQL Server
http://dev.mysql.com/doc/refman/5.6/en/connecting.html

(...) On Unix, MySQL programs treat the host name localhost specially, 
in a way that is likely different from what you expect compared to other 
network-based programs. For connections to localhost, MySQL programs 
attempt to connect to the local server by using a Unix socket file. This 
occurs even if a --port or -P option is given to specify a port number. 
To ensure that the client makes a TCP/IP connection to the local server, 
use --host or -h to specify a host name value of 127.0.0.1, or the IP 
address or name of the local server. You can also specify the connection 
protocol explicitly, even for localhost, by using the --protocol=TCP 
option. For example: 

shell> mysql --host=127.0.0.1
shell> mysql --protocol=TCP

(...)

Greetings,

-- 
Camaleón


-- 
Archive: http://lists.debian.org/jthl8c$cnl$9...@dough.gmane.org



Re: Squeeze, MySQL and hosts.allow and hosts.deny ignored

2012-07-10 Thread Dom

On 10/07/12 17:29, Camaleón wrote:

On Tue, 10 Jul 2012 18:09:42 +0200, Zdenek Herman wrote:


On Mon, 09 Jul 2012 20:11:10 +0200, Zdenek Herman wrote: (please, reply
at the bottom)

Dne 9.7.2012 16:52, Camaleón napsal(a):


(...)


I don't know why does not work for you. Take a look into this article
that shows a few samples for using mysql with tcp wrappers:

http://www.unixmen.com/securing-services-with-tcp-wrappers/

And also read the manual (man hosts_options), maybe we are omitting
something obvious...

Greetings,



I found part of problem. If I use localhost can connect, if 127.0.0.1
all is ok.
If I connect from remote first is checked client in mysql grant and
after in tcp wrappers.
Conclusion for me is that mysql doesn't support tcp wrappers correctly
(first check by wrapper then authentication by service).


(...)


root@mon:~# mysql -h localhost -p


(...)

Ah, how curious... It seems to be documented here:

4.2.2. Connecting to the MySQL Server
http://dev.mysql.com/doc/refman/5.6/en/connecting.html

(...) On Unix, MySQL programs treat the host name localhost specially,
in a way that is likely different from what you expect compared to other
network-based programs. For connections to localhost, MySQL programs
attempt to connect to the local server by using a Unix socket file. This
occurs even if a --port or -P option is given to specify a port number.
To ensure that the client makes a TCP/IP connection to the local server,
use --host or -h to specify a host name value of 127.0.0.1, or the IP
address or name of the local server. You can also specify the connection
protocol explicitly, even for localhost, by using the --protocol=TCP
option. For example:

shell> mysql --host=127.0.0.1
shell> mysql --protocol=TCP

(...)



Camaleón is correct.

When you are logged into mysql, you can enter the status command and 
it will show how you are connected.


Connect via -h localhost:

mysql> status;
--
mysql  Ver 14.14 Distrib 5.5.24, for debian-linux-gnu (i686) using 
readline 6.2


...
Connection: Localhost via UNIX socket
...
UNIX socket:/var/run/mysqld/mysqld.sock
...
--

Connect via -h 127.0.0.1:

mysql> status;
--
mysql  Ver 14.14 Distrib 5.5.24, for debian-linux-gnu (i686) using 
readline 6.2


...
Connection: 127.0.0.1 via TCP/IP
...
TCP port:   3306
...
--

Hope that clears it up a bit.

It might be possible to disable the socket connection in the MySQL 
config, but I haven't looked into that.


--
Dom


--

Archive: http://lists.debian.org/4ffc6945.1060...@rpdom.net



Re: Squeeze, MySQL and hosts.allow and hosts.deny ignored

2012-07-10 Thread Zdenek Herman

On 10/07/12 17:29, Camaleón wrote:

On Tue, 10 Jul 2012 18:09:42 +0200, Zdenek Herman wrote:


On Mon, 09 Jul 2012 20:11:10 +0200, Zdenek Herman wrote: (please, reply
at the bottom)

Dne 9.7.2012 16:52, Camaleón napsal(a):


(...)


I don't know why does not work for you. Take a look into this article
that shows a few samples for using mysql with tcp wrappers:

http://www.unixmen.com/securing-services-with-tcp-wrappers/

And also read the manual (man hosts_options), maybe we are omitting
something obvious...

Greetings,



I found part of problem. If I use localhost can connect, if 127.0.0.1
all is ok.
If I connect from remote first is checked client in mysql grant and
after in tcp wrappers.
Conclusion for me is that mysql doesn't support tcp wrappers correctly
(first check by wrapper then authentication by service).


(...)


root@mon:~# mysql -h localhost -p


(...)

Ah, how curious... It seems to be documented here:

4.2.2. Connecting to the MySQL Server
http://dev.mysql.com/doc/refman/5.6/en/connecting.html

(...) On Unix, MySQL programs treat the host name localhost specially,
in a way that is likely different from what you expect compared to other
network-based programs. For connections to localhost, MySQL programs
attempt to connect to the local server by using a Unix socket file. This
occurs even if a --port or -P option is given to specify a port number.
To ensure that the client makes a TCP/IP connection to the local server,
use --host or -h to specify a host name value of 127.0.0.1, or the IP
address or name of the local server. You can also specify the connection
protocol explicitly, even for localhost, by using the --protocol=TCP
option. For example:

shell> mysql --host=127.0.0.1
shell> mysql --protocol=TCP

(...)



Camaleón is correct.

When you are logged into mysql, you can enter the status command and 
it will show how you are connected.


Connect via -h localhost:

mysql> status;
--
mysql  Ver 14.14 Distrib 5.5.24, for debian-linux-gnu (i686) using 
readline 6.2


...
Connection:Localhost via UNIX socket
...
UNIX socket:/var/run/mysqld/mysqld.sock
...
--

Connect via -h 127.0.0.1:

mysql> status;
--
mysql  Ver 14.14 Distrib 5.5.24, for debian-linux-gnu (i686) using 
readline 6.2


...
Connection:127.0.0.1 via TCP/IP
...
TCP port:3306
...
--

Hope that clears it up a bit.

It might be possible to disable the socket connection in the MySQL 
config, but I haven't looked into that.




OK - many thanks, guys, for the replies.
This explains the first part of the problem - my fault, sorry.
I tried setting in my hosts.allow
mysqld: 127.0.0.1 \
: spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h 
[%a]  /var/log/tcp_wrapper/%d.log ) 
This allows connecting from localhost - that's OK. But why, when connecting from a
remote machine or 127.0.0.1, is there nothing in the log?

With sshd the same command works great.

Thanks Zdenek




--
Archive: http://lists.debian.org/4ffc71df.2010...@ille.cz



Re: Squeeze, MySQL and hosts.allow and hosts.deny ignored

2012-07-09 Thread Camaleón
On Sun, 08 Jul 2012 22:26:11 +0200, Zdenek Herman wrote:

(...)

 When I set hosts.deny ALL: ALL and hosts.allow is empty. I can allow
 connect to MySQL from anywhere - settings in hosts.allow and hosts.deny
 are ignored.

(...)

I wonder if you aren't just missing the daemon to filter (mysqld) :-?

cat /etc/hosts.deny

Greetings,

-- 
Camaleón


-- 
Archive: http://lists.debian.org/jter7u$sc9$1...@dough.gmane.org



Re: Squeeze, MySQL and hosts.allow and hosts.deny ignored

2012-07-09 Thread Zdenek Herman

My hosts.deny
# /etc/hosts.deny: list of hosts that are _not_ allowed to access the 
system.
#  See the manual pages hosts_access(5) and 
hosts_options(5).

#
# Example:ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name portmap for the
# daemon name. Remember that you can only use the keyword ALL and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID
ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from 
%u@%h [%a]  /var/log/tcp_wrapper/%d.log ) 


My hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
#   See the manual pages hosts_access(5) and 
hosts_options(5).

#
# Example:ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name portmap for the
# daemon name. Remember that you can only use the keyword ALL and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#
sshd: 192.168.1.1 \
: spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h 
[%a]  /var/log/tcp_wrapper/%d.log ) 




I tested with mysqld: ALL in hosts.deny too.

Thanks for help

Zdenek Herman
zdenek.her...@ille.cz

Dne 9.7.2012 16:52, Camaleón napsal(a):

On Sun, 08 Jul 2012 22:26:11 +0200, Zdenek Herman wrote:

(...)


When I set hosts.deny ALL: ALL and hosts.allow is empty. I can allow
connect to MySQL from anywhere - settings in hosts.allow and hosts.deny
are ignored.

(...)

I wonder if you aren't just missing the daemon to filter (mysqld) :-?

cat /etc/hosts.deny

Greetings,





--
Archive: http://lists.debian.org/4ffb1ebe.70...@ille.cz



Re: Squeeze, MySQL and hosts.allow and hosts.deny ignored

2012-07-09 Thread Kushal Kumaran
On Mon, Jul 9, 2012 at 11:41 PM, Zdenek Herman zdenek.her...@ille.cz wrote:
 My hosts.deny
 # /etc/hosts.deny: list of hosts that are _not_ allowed to access the
 system.
 #  See the manual pages hosts_access(5) and
 hosts_options(5).
 #
 # Example:ALL: some.host.name, .some.domain
 # ALL EXCEPT in.fingerd: other.host.name, .other.domain
 #
 # If you're going to protect the portmapper use the name portmap for the
 # daemon name. Remember that you can only use the keyword ALL and IP
 # addresses (NOT host or domain names) for the portmapper, as well as for
 # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
 # for further information.
 #
 # The PARANOID wildcard matches any host whose name does not match its
 # address.
 #
 # You may wish to enable this to ensure any programs that don't
 # validate looked up hostnames still leave understandable logs. In past
 # versions of Debian this has been the default.
 # ALL: PARANOID
 ALL: ALL : spawn ( echo $(date '+%%d.%%m.%%y %%T') access DENIED from %u@%h
 [%a]  /var/log/tcp_wrapper/%d.log ) 

 My hosts.allow
 # /etc/hosts.allow: list of hosts that are allowed to access the system.
 #   See the manual pages hosts_access(5) and
 hosts_options(5).
 #
 # Example:ALL: LOCAL @some_netgroup
 # ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
 #
 # If you're going to protect the portmapper use the name portmap for the
 # daemon name. Remember that you can only use the keyword ALL and IP
 # addresses (NOT host or domain names) for the portmapper, as well as for
 # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
 # for further information.
 #
 sshd: 192.168.1.1 \
 : spawn ( echo $(date '+%%d.%%m.%%y %%T') access ALLOWED from %u@%h [%a]
 /var/log/tcp_wrapper/%d.log ) 



 I tested with mysqld: ALL in hosts.deny too.


What was the mysql client command line which failed?  If running on
the same host as the server, the mysql client will use the unix-domain
socket in /var/run/mysqld/mysqld.sock for connecting to the server.
To force it to use an AF_INET socket, pass -h 127.0.0.1 to the mysql
client (-h localhost is not sufficient).

I just tested this on my debian squeeze mysql setup.  With -h
127.0.0.1 and mysqld: ALL in hosts.deny, connections are rejected.
If you do not want to use mysql access control, you should disable the
socket in the mysql server config, if that's possible.

-- 
regards,
kushal





Squeeze, MySQL and hosts.allow and hosts.deny ignored

2012-07-08 Thread Zdenek Herman

Hello,
I have a problem with MySQL and access control by TCP wrappers in Debian 
Squeeze.

MySQL is compiled correctly with the libwrap library:

ldd /usr/sbin/mysqld | grep libwrap
libwrap.so.0 => /lib/libwrap.so.0 (0x7f145d28d000)

When I set hosts.deny to ALL: ALL and hosts.allow is empty,
I can still connect to MySQL from anywhere - the settings in hosts.allow and 
hosts.deny are ignored.


Yes - I can solve this with iptables or directly with MySQL grants, but 
wrappers have more features (logging all connections) and quick configuration.


For example, my sshd works correctly with TCP wrappers.

Where could the problem be?

Thanks

--

Zdenek Herman
zdenek.her...@ille.cz





How /etc/hosts.allow /etc/hosts.deny and smb.conf play along

2012-04-26 Thread Tuxoholic
hi list

Can somebody explain why smbd and nmbd are not affected by the following 
strict ruleset in /etc/hosts* ?

/etc/hosts
127.0.0.1   MYHOSTNAME localhost.localdomain localhost
127.0.1.1   MYHOSTNAME
192.168.2.10    MYSERVER

cat /etc/hosts.allow
#ALL: localhost 127.0.1.1 192.168.2.0/24
ALL: localhost 127.0.1.1 192.168.2.0/32

/etc/hosts.deny
ALL: ALL

With this ruleset in place nmbd broadcasts still pull through and cifs mounts 
are still possible, whereas ssh/rsh access is no longer possible.

To get rid of nmbd/smbd access I have to tweak smb.conf additionally:

/etc/samba/smb.conf

[global]
bind interfaces only = Yes
interfaces = 127.0.0.0/8, eth0
;; hosts allow = 192.168.2.0/24, 127.
hosts allow = 192.168.2.0/32, 127.
hosts deny = ALL

With this smb.conf tweaking it works fine, but why could smbd/nmbd run past 
/etc/hosts.allow and /etc/hosts.deny without those lines in smb.conf?

To my limited CIDR understanding a /32 mask should restrict access to 
192.168.2.0.0 and 192.168.2.1 - this should be fine for testing purposes.

Once this denies all services I'd set it to /24 to have access to the whole 
subnet from 192.168.2.0-192.168.2.255 and 127.0.0.1 127.0.1.1





Re: How /etc/hosts.allow /etc/hosts.deny and smb.conf play along

2012-04-26 Thread Juan Sierra Pons
2012/4/26 Tuxoholic tuxoho...@hotmail.de:
 hi list

 Can somebody explain why smbd and nmbd are not affected by the following
 strict ruleset in /etc/hosts* ?

 /etc/hosts
 127.0.0.1       MYHOSTNAME localhost.localdomain localhost
 127.0.1.1       MYHOSTNAME
 192.168.2.10    MYSERVER

 cat /etc/hosts.allow
 #ALL: localhost 127.0.1.1 192.168.2.0/24
 ALL: localhost 127.0.1.1 192.168.2.0/32

 /etc/hosts.deny
 ALL: ALL

 With this ruleset in place nmbd broadcasts still pull through and cifs mounts
 are still possible, whereas ssh/rsh access is no longer possible.

 To get rid of nmbd/smbd access I have to tweak smb.conf additionally:

 /etc/samba/smb.conf

 [global]
        bind interfaces only = Yes
        interfaces = 127.0.0.0/8, eth0
        ;; hosts allow = 192.168.2.0/24, 127.
        hosts allow = 192.168.2.0/32, 127.
        hosts deny = ALL

 With this smb.conf tweaking it works fine, but why could smbd/nmbd run past
 /etc/hosts.allow and /etc/hosts.deny without those lines in smb.conf?

 To my limited CIDR understandig a /32 mask should restrict access to
 192.168.2.0.0 and 192.168.2.1 - this should be fine for testing purposes.

 Once this denies all services I'd set it to /24 to have access to the whole
 subnet from 192.168.2.0-192.168.2.255 and 127.0.0.1 127.0.1.1



Hi,

My two cents:

I think the problem here is between the tcpwrapper Linux implementation
and the Samba package.
Are you running Samba as a daemon or from inetd?

I think you are running it as a daemon and I believe (check on the
internet) Samba must be compiled in a tcpwrapper-friendly way (I don't
know if this is the default).

Running Samba from inetd must work OK as inetd is tcpwrapper-friendly.

If this doesn't help you, you can try iptables (but your workaround is OK too).

Best regards.

--
Juan Sierra Pons j...@elsotanillo.net
Linux User Registered: #257202   http://www.elsotanillo.net
GPG key = 0xA110F4FE
Key Fingerprint = DF53 7415 0936 244E 9B00  6E66 E934 3406 A110 F4FE
--





Re: How /etc/hosts.allow /etc/hosts.deny and smb.conf play along

2012-04-26 Thread shawn wilson
Juan is correct. However my two cents - don't rely on hosts.allow and
hosts.deny for anything. Just use iptables rules to do this type of thing.

Also, most don't consider samba to be a very secure service (last CVE was
only a few weeks ago) so be very careful with this service.
On Apr 26, 2012 5:37 AM, Juan Sierra Pons j...@elsotanillo.net wrote:

 2012/4/26 Tuxoholic tuxoho...@hotmail.de:
  hi list
 
  Can somebody explain why smbd and nmbd are not affected by the following
  strict ruleset in /etc/hosts* ?
 
  /etc/hosts
  127.0.0.1   MYHOSTNAME localhost.localdomain localhost
  127.0.1.1   MYHOSTNAME
  192.168.2.10MYSERVER
 
  cat /etc/hosts.allow
  #ALL: localhost 127.0.1.1 192.168.2.0/24
  ALL: localhost 127.0.1.1 192.168.2.0/32
 
  /etc/hosts.deny
  ALL: ALL
 
  With this ruleset in place nmbd broadcasts still pull through and cifs
 mounts
  are still possible, whereas ssh/rsh access is no longer possible.
 
  To get rid of nmbd/smbd access I have to tweak smb.conf additionally:
 
  /etc/samba/smb.conf
 
  [global]
 bind interfaces only = Yes
 interfaces = 127.0.0.0/8, eth0
 ;; hosts allow = 192.168.2.0/24, 127.
 hosts allow = 192.168.2.0/32, 127.
 hosts deny = ALL
 
  With this smb.conf tweaking it works fine, but why could smbd/nmbd run
 past
  /etc/hosts.allow and /etc/hosts.deny without those lines in smb.conf?
 
  To my limited CIDR understandig a /32 mask should restrict access to
  192.168.2.0.0 and 192.168.2.1 - this should be fine for testing purposes.
 
  Once this denies all services I'd set it to /24 to have access to the
 whole
  subnet from 192.168.2.0-192.168.2.255 and 127.0.0.1 127.0.1.1
 
 
 
 Hi,

 My two cents:

 I think the problem here is between tcpwrapper linux implementation
 and the the samba package.
 Are you running samba as a daemon or from then inetd?

 I think you are running it as a daemon and I believe (check on the
 internet) samba must be compiled in a tcpwrapper friendly way (I don't
 know if this is the default)

 Running samba from inetd must work OK as inetd is tcpwrapper friendly.

 If this doesn't help you you can try iptables (but your workaround is OK
 too)

 Best regards.


 --
 Juan Sierra Pons j...@elsotanillo.net
 Linux User Registered: #257202   http://www.elsotanillo.net
 GPG key = 0xA110F4FE
 Key Fingerprint = DF53 7415 0936 244E 9B00  6E66 E934 3406 A110 F4FE

 --






Re: How /etc/hosts.allow /etc/hosts.deny and smb.conf play along

2012-04-26 Thread Clive Standbridge
Hi Tuxoholic,

[...]

> With this smb.conf tweaking it works fine, but why could smbd/nmbd run past
> /etc/hosts.allow and /etc/hosts.deny without those lines in smb.conf?

Already answered by Juan Sierra Pons.

> To my limited CIDR understanding a /32 mask should restrict access to
> 192.168.2.0.0 and 192.168.2.1 - this should be fine for testing purposes.

Not sure about that. You can check it with ipcalc (in the ipcalc package):

$ ipcalc 192.168.2.0/32
Address:   192.168.2.0          11000000.10101000.00000010.00000000
Netmask:   255.255.255.255 = 32 11111111.11111111.11111111.11111111
Wildcard:  0.0.0.0              00000000.00000000.00000000.00000000
=>
Hostroute: 192.168.2.0          11000000.10101000.00000010.00000000
Hosts/Net: 1                     Class C, Private Internet

So it looks like you need a 31 bit netmask for that address range:

$ ipcalc 192.168.2.0/31
Address:   192.168.2.0          11000000.10101000.00000010.0000000 0
Netmask:   255.255.255.254 = 31 11111111.11111111.11111111.1111111 0
Wildcard:  0.0.0.1              00000000.00000000.00000000.0000000 1
=>
Network:   192.168.2.0/31       11000000.10101000.00000010.0000000 0
HostMin:   192.168.2.0          11000000.10101000.00000010.0000000 0
HostMax:   192.168.2.1          11000000.10101000.00000010.0000000 1
Hosts/Net: 2                     Class C, Private Internet, PtP Link RFC 3021


> Once this denies all services I'd set it to /24 to have access to the
> whole subnet from 192.168.2.0-192.168.2.255 and 127.0.0.1 127.0.1.1

Well you don't seem to be allowed .0 and .255:

$ ipcalc 192.168.2.0/24
Address:   192.168.2.0          11000000.10101000.00000010. 00000000
Netmask:   255.255.255.0 = 24   11111111.11111111.11111111. 00000000
Wildcard:  0.0.0.255            00000000.00000000.00000000. 11111111
=>
Network:   192.168.2.0/24       11000000.10101000.00000010. 00000000
HostMin:   192.168.2.1          11000000.10101000.00000010. 00000001
HostMax:   192.168.2.254        11000000.10101000.00000010. 11111110
Broadcast: 192.168.2.255        11000000.10101000.00000010. 11111111
Hosts/Net: 254                   Class C, Private Internet


I hope this helps.

-- 
Cheers,
Clive





Re: Re: How /etc/hosts.allow /etc/hosts.deny and smb.conf play along

2012-04-26 Thread Lou

Thanks for clearing this up Juan and Shawn.

I noticed I could change smbd to run in inetd mode if I flip the switch 
in /etc/default/samba, but I don't know how this would improve things, 
eventually create a new drawback in cifs performance ... so I'll keep it 
as it is with additional smb.conf entries + daemon mode.


The server is behind a router/firewall, it should be safe as it is.



On 26.04.2012 12:54, shawn wilson wrote:

> Juan is correct. However my two cents - don't rely on hosts.allow and
> hosts.deny for anything. Just use iptables rules to do this type of thing.
>
> Also, most don't consider samba to be a very secure service (last CVE
> was only a few weeks ago) so be very careful with this service.
>
> On Apr 26, 2012 5:37 AM, Juan Sierra Pons juan@elsotanillo.net wrote:
>
>> I think the problem here is between tcpwrapper linux implementation
>> and the the samba package.
>> Are you running samba as a daemon or from then inetd?
>>
>> I think you are running it as a daemon and I believe (check on the
>> internet) samba must be compiled in a tcpwrapper friendly way (I don't
>> know if this is the default)
>>
>> Running samba from inetd must work OK as inetd is tcpwrapper friendly.
>>
>> If this doesn't help you you can try iptables (but your workaround
>> is OK too)







Re: Re: How /etc/hosts.allow /etc/hosts.deny and smb.conf play along

2012-04-26 Thread Lou

Hello Clive

Thanks for pointing me to ipcalc,

I noticed smb.conf  has a commented entry for 127.0.0.0/8

This would cover the whole local subnet:

HostMin:   127.0.0.1
HostMax:   127.255.255.254

Does it make sense to cover more than 127.0.0.1 and 127.0.1.1 in 
/etc/hosts.allow ?


I don't know of any service using any other than those two addresses. 
First one is localhost, the other one should be there for X-server 
compatibility.


On 26.04.2012 13:34, Clive Standbridge wrote:

> Not sure about that. You can check it with ipcalc (in the ipcalc package):







Re: hosts.deny didn't block ip

2011-12-22 Thread Scott Ferguson
On 15/12/11 20:56, perlj...@gmail.com wrote:
> After a manual entry in  /etc/hosts.deny
>
> ip didn't blocked
>
> ALL: 151.12.xxx.xxx
>
> I wonder why?
>
> I use denyhosts for automatic entries
>
> Thank you in advance
>
> Nikos
>

Check /etc/hosts.allow - it has precedence over /etc/hosts.deny

As Raf (?) suggested - remove the xxx from the entry.
Wildcards (*) are supported by /etc/hosts.deny and tcp wrappers.

You can use:-
151.12.*.*
OR
151.12.???.???
OR
151.12.
to achieve the same match


Cheers

-- 
Iceweasel/Firefox extensions for finding answers to Debian questions:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/





Re: hosts.deny didn't block ip

2011-12-22 Thread Scott Ferguson
On 23/12/11 13:20, Scott Ferguson wrote:
> On 15/12/11 20:56, perlj...@gmail.com wrote:
>> After a manual entry in  /etc/hosts.deny
>>
>> ip didn't blocked
>>
>> ALL: 151.12.xxx.xxx
>>
>> I wonder why?
>>
>> I use denyhosts for automatic entries
>>
>> Thank you in advance
>>
>> Nikos
>>
>
> Check /etc/hosts.allow it has precedence over /etc/hosts.deny
>
> As Raf (?) suggested - remove the xxx from the entry.
> Wildcards (*) are supported by /etc/hosts.deny and tcp wrappers.
>
> You can use:-
> 151.12.*.*
> OR
> 151.12.???.???
> OR
> 151.12.
> to achieve the same match
>
>
> Cheers
>

almost forgot

If it still doesn't work - check that you have a new line at the end of
/etc/hosts.deny (same rule for /etc/hosts.allow) or the last entry is
ignored.

Cheers


-- 
Iceweasel/Firefox extensions for finding answers to Debian questions:-
https://addons.mozilla.org/en-US/firefox/collections/Scott_Ferguson/debian/
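
The lookup order and client patterns discussed in this thread, as an added Python sketch (not libwrap's code and not from any of the posters). It models only IPv4 client addresses, the ALL keyword, literal addresses, trailing-dot prefixes, `*`/`?` wildcards and dotted net/mask pairs; the client addresses and the net/mask rule in the demo are constructed.

```python
"""Simplified model of the hosts_access(5) decision for IPv4 client addresses.

Added illustration, not libwrap code. Not modelled: hostnames, LOCAL/PARANOID,
EXCEPT, netgroups, backslash continuation, and options after the client list.
"""
import fnmatch
import ipaddress


def split_list(field):
    """List items are separated by blanks and/or commas."""
    return field.replace(",", " ").split()


def parse_rules(text):
    """Return [(daemon_list, client_list), ...] for one access-control file."""
    rules = []
    for raw in text.splitlines(keepends=True):
        if not raw.endswith("\n"):
            # A final line without a newline is skipped, so that rule is lost.
            continue
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            rules.append((split_list(fields[0]), split_list(fields[1])))
    return rules


def client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad client address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask: match when (addr AND mask) == net
        net, mask = pattern.split("/", 1)
        try:
            net_i = int(ipaddress.IPv4Address(net))
            mask_i = int(ipaddress.IPv4Address(mask))
        except ValueError:
            return False  # forms this sketch does not model never match
        return (int(ipaddress.IPv4Address(addr)) & mask_i) == net_i
    if "*" in pattern or "?" in pattern:  # shell-style wildcards
        return fnmatch.fnmatchcase(addr, pattern)
    if pattern.endswith("."):  # address prefix such as "151.12."
        return addr.startswith(pattern)
    return pattern == addr  # plain address; "151.12.xxx.xxx" is just a literal


def first_match(rules, daemon, addr):
    """True when any rule lists the daemon (or ALL) and a matching client."""
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, addr) for c in clients)
        for daemons, clients in rules
    )


def check_access(allow_text, deny_text, daemon, addr):
    """hosts.allow is searched first, then hosts.deny; no match grants access."""
    if first_match(parse_rules(allow_text), daemon, addr):
        return "allowed: hosts.allow"
    if first_match(parse_rules(deny_text), daemon, addr):
        return "denied: hosts.deny"
    return "allowed: no rule matched"


# Constructed client addresses inside the 151.12. range quoted in the thread.
SHORT_OCTETS = "151.12.7.9"
LONG_OCTETS = "151.12.100.200"

if __name__ == "__main__":
    deny_variants = [
        "ALL: 151.12.xxx.xxx\n",
        "ALL: 151.12.\n",
        "ALL: 151.12.*.*\n",
        "ALL: 151.12.???.???\n",
        "ALL: 151.12.0.0/255.255.0.0\n",  # constructed net/mask rule
        "ALL: 151.12.",  # same prefix rule, but no trailing newline
    ]
    for deny in deny_variants:
        for addr in (SHORT_OCTETS, LONG_OCTETS):
            print(repr(deny), addr, "->", check_access("", deny, "sshd", addr))
    # An entry in hosts.allow wins over a matching entry in hosts.deny.
    print(check_access("sshd: 151.12.7.9\n", "ALL: 151.12.\n", "sshd", SHORT_OCTETS))
```

In this model `151.12.???.???` matches only addresses whose last two octets have exactly three digits each, while `151.12.` and `151.12.*.*` match the whole range.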





hosts.deny didn't block ip

2011-12-15 Thread perljpes
After a manual entry in  /etc/hosts.deny

the IP didn't get blocked

ALL: 151.12.xxx.xxx

I wonder why?

I use denyhosts for automatic entries

Thank you in advance

Nikos





Re: hosts.deny didn't block ip

2011-12-15 Thread Raf Czlonka
On Thu, Dec 15, 2011 at 09:56:48AM GMT, perlj...@gmail.com wrote:
> After a manual entry in  /etc/hosts.deny
>
> ip didn't blocked
>
> ALL: 151.12.xxx.xxx
>
> I wonder why?

What do you mean by didn't get blocked?
Using what service/port?
Does your service support tcp_wrappers?

> I use denyhosts for automatic entries

I use it too and it works just fine.

Regards,
-- 
Raf





Re: hosts.deny didn't block ip

2011-12-15 Thread Cláudio E. Elicker
On Thu, 15 Dec 2011 11:56:48 +0200
perlj...@gmail.com wrote:

> After a manual entry in  /etc/hosts.deny
>
> ip didn't blocked
>
> ALL: 151.12.xxx.xxx
>
> I wonder why?
>

Do a test without the x's, ending with just a dot

ALL: 151.12.


> I use denyhosts for automatic entries
>
> Thank you in advance
>
> Nikos
>
 





Re: hosts.deny didn't block ip

2011-12-15 Thread perljpes
On 12/15/2011 01:40 PM, Raf Czlonka wrote:
> On Thu, Dec 15, 2011 at 09:56:48AM GMT, perlj...@gmail.com wrote:
>> After a manual entry in  /etc/hosts.deny
>>
>> ip didn't blocked
>>
>> ALL: 151.12.xxx.xxx
>>
>> I wonder why?
>
> What do you mean by didn't get blocked?
> Using what service/port?
> Does your service support tcp_wrappers?
>
>> I use denyhosts for automatic entries
>
> I use it too and it works just fine.
>
> Regards,


I mean blocked by the service.

you are right..

the service doesn't support tcp_wrappers.

Thank you





hosts.deny

2011-06-15 Thread corbie
Hello everyone,

My server's /etc/hosts.deny file is automatically getting my IP address 
written to it.
As a result, I can no longer log in to it via SSH.

How can I prevent this (recent) behaviour?

Thanks.




Re: hosts.deny

2011-06-15 Thread giggzounet
On Wednesday 15 June 2011 at 18:15 +0200, cor...@free.fr wrote:
> Hello everyone,
>
> My server's /etc/hosts.deny file is automatically getting my IP address
> written to it.
> As a result, I can no longer log in to it via SSH.
>
> How can I prevent this (recent) behaviour?
>
> Thanks.
>

Are you running fail2ban?





Re: using hosts.deny correctly on a Debian-based NAS

2010-06-19 Thread giggz
On 18/06/2010 15:26, fabrice régnier wrote:
> Hi,
>
>> I have a NAS
> [zap]
>> connect without any problem... ???!!!??? and now I'm lost... do I need to
>> restart apache? Is there some subtle option to pass to apache
>> to tell it to read the hosts.allow and deny files?
> From memory, I believe Apache doesn't support a TCP wrapper of the
> hosts.allow/hosts.deny kind. Maybe if you add an extension to it?
>

Well, I disabled apache... and set up an ftp server... at least I have the
right permissions now!

For those who are interested and don't already know (basically
novices like me :D ), the only way I found to make
3 PCs running Debian, 2 PCs running Windows and 1 remote PC running Linux
coexist is to set up an ftp server accessible from everywhere (it handles
permissions correctly), cifs locally for Windows (it handles permissions
more or less) and NFS locally for fast reads.

Bye




using hosts.deny correctly on a Debian-based NAS

2010-06-18 Thread giggzounet
Hello,

I have a NAS with a modified Debian on it (the Debian wasn't modified
by me...). On the forums for this NAS I got a script
that goes through the auth.log file and fills /etc/hosts.deny
accordingly.

The script adds lines of this kind to /etc/hosts.deny:
ALL: 205.195.42.63

I'm currently running tests to see whether it works... so I
put the IP of my work PC in /etc/hosts.deny and try to
connect via port 80 or 443 to the apache that is running. And I
connect without any problem... ???!!!??? and now I'm lost... do I need to
restart apache? Is there some subtle option to pass to apache
to tell it to read the hosts.allow and deny files?

Thanks for your help,
Guillaume




Re: using hosts.deny correctly on a Debian-based NAS

2010-06-18 Thread fabrice régnier

Hi,


> I have a NAS

[zap]

> connect without any problem... ???!!!??? and now I'm lost... do I need to
> restart apache? Is there some subtle option to pass to apache
> to tell it to read the hosts.allow and deny files?

From memory, I believe Apache doesn't support a TCP wrapper of the 
hosts.allow/hosts.deny kind. Maybe if you add an extension to it?


See you,

f.




Blocking sites using the /etc/hosts.deny and /etc/hosts.allow files

2008-02-22 Thread Rodrigo Tavares
Folks,

I installed xinetd and configured the files:

# /etc/hosts.allow
ALL: .com EXCEPT orkut.com webmessenger.msn.com

#/etc/hosts.deny
ALL: PARANOID
ALL: ALL

However, it isn't working: when I try to run lynx
from localhost it accesses the sites normally.

Note: these settings were made on a workstation
so that it cannot access the sites above.

Any suggestions?

Regards,

Faria






Re: Blocking sites using the /etc/hosts.deny and /etc/hosts.allow files

2008-02-22 Thread Francisco Aparecido da Silva
Rodrigo, /etc/hosts.allow and /etc/hosts.deny, also known as
tcpwrappers, are settings that concern incoming connections
to your machine/server, not outgoing ones. You can achieve your goal using the
firewall and squid.

See more at
http://www.tldp.org/HOWTO/Security-HOWTO/network-security.html#AEN847

Cheers
Francisco

On 2/22/08, Rodrigo Tavares [EMAIL PROTECTED] wrote:

> Folks,
>
> I installed xinetd and configured the files:
>
> # /etc/hosts.allow
> ALL: .com EXCEPT orkut.com webmessenger.msn.com
>
> #/etc/hosts.deny
> ALL: PARANOID
> ALL: ALL
>
> However, it isn't working: when I try to run lynx
> from localhost it accesses the sites normally.
>
> Note: these settings were made on a workstation
> so that it cannot access the sites above.
>
> Any suggestions?
>
> Regards,
>
> Faria







mysqld in hosts.allow / hosts.deny ?

2007-09-06 Thread Pratchaya Chatuphian
mysqld in hosts.allow / hosts.deny ?
===
Now, can I use tcpwrapper with MySQL on Debian?
If it can be used,
which config is correct?
(If I want to only allow from my LAN (192.168.2.x netmask 255.255.255.0))

1.
hosts.allow
#
mysqld: 192.168.2.0/255.255.255.0


hosts.deny
#
mysqld: ALL



2.
hosts.allow
#
mysql: 192.168.2.0/255.255.255.0


hosts.deny
#
mysql: ALL



Thank you very much in advance.
Pratchaya





Re: mysqld in hosts.allow / hosts.deny ?

2007-09-06 Thread Michael Shuler
On 09/06/2007 05:43 AM, Pratchaya Chatuphian wrote:
> Now, Can i use tcpwrapper with mysql on debian ?

Yes (this is how I do a quick check on a binary w/o going to find
compiled options):

$ ldd /usr/sbin/mysqld | grep wrap
libwrap.so.0 => /lib/libwrap.so.0 (0xb7ec7000)

> If it can be used.
> Which config. that i correct ?
> ( If i want to only allow from my LAN ( 192.168.2.x netmask 255.255.255.0 )

It is the *daemon* that you wish to wrap that is the first argument in
hosts.[allow,deny] - in this case mysqld.  Your network/netmask looks
fine.  'man hosts.allow'

> 1.
> hosts.allow
> #
> mysqld: 192.168.2.0/255.255.255.0
>
>
> hosts.deny
> #
> mysqld: ALL

-- 
Kind Regards,
Michael Shuler





Re: /etc/hosts.deny how to use it?

2006-07-11 Thread Jude DaShiell
Why not uncomment line 19 in /etc/hosts.deny?  Then use /etc/hosts.allow 
specifically to allow certain ips.  The /etc/hosts.allow is checked first 
and anything not found in it that's covered by /etc/hosts.deny is supposed 
to be blocked.  Even so, I'd be looking at the system with last and lastb 
regularly; verify then trust.









Re: /etc/hosts.deny how to use it?

2006-06-02 Thread s. keeling
Chuck Payne [EMAIL PROTECTED]:
>
> I am being hit by some ips that I like to block. I like to know how can
> I use hosts.deny for the ALL statement

Have you looked at the contents of hosts.deny?  I find this in there:

 # Example:    ALL: some.host.name, .some.domain


-- 
Any technology distinguishable from magic is insufficiently advanced.
(*)http://www.spots.ab.ca/~keeling   Linux Counter #80292
- -Spammers! http://www.spots.ab.ca/~keeling/emails.html
   http://www.ietf.org/rfc/rfc1855.txt





Re: /etc/hosts.deny how to use it?

2006-06-02 Thread Brad Sims
On Thursday 01 June 2006 11:59 pm, Chuck Payne wrote:
> Hi,
>
> I am being hit by some ips that I like to block. I like to know how can
> I use hosts.deny for the ALL statement

After all the comments, aka lines that look like this:
# This is a comment, after these put
ALL: EXCEPT LOCAL

-- 
Televangelists: The Pro Wrestlers of Religion





/etc/hosts.deny how to use it?

2006-06-01 Thread Chuck Payne

Hi,

I am being hit by some IPs that I'd like to block. I'd like to know how I can 
use hosts.deny for the ALL statement


Thanks,

Payne






Re: /etc/hosts.deny how to use it?

2006-06-01 Thread Roberto C. Sanchez
Chuck Payne wrote:
> Hi,
>
> I am being hit by some ips that I like to block. I like to know how can
> I use hosts.deny for the ALL statement
 

The hosts.deny file is only used by applications that have been compiled
to work with tcpwrappers.  If you want a surefire way of blocking IPs,
then look at one of the firewall solutions (I prefer shorewall).
Alternatively, you can look at a blacklisting daemon, which monitors for
suspicious activity and then blacklists the offending IP for a specific
length of time.  I am not such a big fan of that approach, but it is
used.  You might also want to consider rate-limiting connections to
certain ports (like I have a rate limit of 1/min for ssh connections to
my machines, which slows them down enough that they lose interest after
the first failed attempt).

-Roberto

-- 
Roberto C. Sanchez
http://familiasanchez.net/~roberto




RE: hosts.deny

2006-05-10 Thread Ken Walker
can't you just do

100.100.100.


Ken



> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Matt Zagrabelny
> Sent: 29 March 2006 5:41pm
> To: debian-user@lists.debian.org
> Subject: Re: hosts.deny
>
>
> On Wed, 2006-03-29 at 09:05 -0600, Jack Hale wrote:
>> I am trying to block a whole subnet. (example
>> 100.100.100.0-100.100.100.255).
>> in my /etc/hosts.deny file I have placed this as
>> 100.100.100.0/100.100.100.255.
>> Is this the correct way to do this? I am using Shorewall for the
>> firewall. I am new to this. Sorry for the stupidity.
>> Jack
>
>
> hosts (allow|deny) are more of a layer7 packet filter. that is, it is at
> the application level.
>
> firewalls filter at layers 2 and 3 of the OSI model.
>
>
> both methods work for restricting access to stuff, but they are
> different, and that is important to understand.
>
> -matt zagrabelny
 
 





Configuring hosts.allow and hosts.deny

2006-05-08 Thread David Rios R.
Greetings.

I have the silliest of problems: I need to configure a machine
so that it can only be accessed via SSH from a certain range of
IPs; so I have the following line in the hosts.allow file:

sshd: 10.20.1.0/255.255.255.0

and in the hosts.deny file:

sshd: ALL

But this way it refuses connection requests even when they were made
from one of the IPs included in hosts.allow; if I remove the line in
hosts.deny it allows access from all IPs. It appears this way on many
websites and tutorials, but I can't find the error.

Thank you for your help.

-- 
David Rios R.
driosr{at}epm{dot}net{dot}co




Re: Configuring hosts.allow and hosts.deny

2006-05-08 Thread Miguel Da Silva
On Mon, 08 May 2006 07:44:41 -0500
David Rios R. [EMAIL PROTECTED] wrote:

> Greetings.
>
> I have the silliest of problems: I need to configure a machine
> so that it can only be accessed via SSH from a certain range of
> IPs; so I have the following line in the hosts.allow file:
>
> sshd: 10.20.1.0/255.255.255.0
>
> and in the hosts.deny file:
>
> sshd: ALL
>
> But this way it refuses connection requests even when they were made
> from one of the IPs included in hosts.allow; if I remove the line in
> hosts.deny it allows access from all IPs. It appears this way on many
> websites and tutorials, but I can't find the error.
>
> Thank you for your help.
>
> --
> David Rios R.
> driosr{at}epm{dot}net{dot}co
>


Why don't you do that using IPTables? I have some machines configured with 
IPTables and they are working very well.

Regards.

-- 
Miguel Da Silva.
Servicio de Informatica.
Facultad de Ciencias.



Re: Configuring hosts.allow and hosts.deny

2006-05-08 Thread David Rios R.
On Mon, May 08, 2006 at 12:14:55PM -0300, Miguel Da Silva wrote:
> From: Miguel Da Silva [EMAIL PROTECTED]
> To: debian-user-spanish@lists.debian.org
> Subject: Re: Configuración de hosts.allow y hosts.deny
> Date: Mon, 08 May 2006 12:14:55 -0300
> Organization: Facultad de Ciencias
> X-Mailer: Sylpheed version 2.2.4 (GTK+ 2.8.12; i386-pc-linux-gnu)
> X-Spam-Status: No, score=-4.9 required=4.0 tests=AWL,LDOSUBSCRIBER,
>   UNWANTED_LANGUAGE_BODY autolearn=no version=3.0.3
>
> On Mon, 08 May 2006 07:44:41 -0500
> David Rios R. [EMAIL PROTECTED] wrote:
>
>> Greetings.
>>
>> I have the silliest of problems: I need to configure a machine
>> so that it can only be accessed via SSH from a certain range of
>> IPs; so I have the following line in the hosts.allow file:
>>
>> sshd: 10.20.1.0/255.255.255.0
>>
>> and in the hosts.deny file:
>>
>> sshd: ALL
>>
>> But this way it refuses connection requests even when they were made
>> from one of the IPs included in hosts.allow; if I remove the line in
>> hosts.deny it allows access from all IPs. It appears this way on many
>> websites and tutorials, but I can't find the error.
>>
>> Thank you for your help.
>>
>> --
>> David Rios R.
>> driosr{at}epm{dot}net{dot}co
>>
>
>
> Why don't you do that using IPTables? I have some machines configured with
> IPTables and they are working very well.

Yes, that is another possible solution. Thanks.

>
> Regards.
>
> --
> Miguel Da Silva.
> Servicio de Informatica.
> Facultad de Ciencias.
>

-- 
David Rios R.
driosr{at}epm{dot}net{dot}co




hosts.deny

2006-03-29 Thread Jack Hale
I am trying to block a whole subnet. (example 
100.100.100.0-100.100.100.255).
in my /etc/hosts.deny file I have placed this as 
100.100.100.0/100.100.100.255.
Is this the correct way to do this? I am using Shorewall for the 
firewall. I am new to this. Sorry for the stupidity.

Jack


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




Re: hosts.deny

2006-03-29 Thread listrcv

Jack Hale wrote:
 I am trying to block a whole subnet. (example 
 100.100.100.0-100.100.100.255).
 in my /etc/hosts.deny file I have placed this as 
 100.100.100.0/100.100.100.255.
 Is this the correct way to do this? I am using Shorewall for the 
 firewall. I am new to this. Sorry for the stupidity.


Check out man hosts.deny. Since you mention using a firewall, it 
probably doesn't do what you want.


You likely will have to define appropriate rules in your firewall to 
drop or to reject all packets originating from and going to that 
particular subnet.



GH






Re: hosts.deny

2006-03-29 Thread Matt Zagrabelny
On Wed, 2006-03-29 at 09:05 -0600, Jack Hale wrote:
 I am trying to block a whole subnet. (example 
 100.100.100.0-100.100.100.255).
 in my /etc/hosts.deny file I have placed this as 
 100.100.100.0/100.100.100.255.
 Is this the correct way to do this? I am using Shorewall for the 
 firewall. I am new to this. Sorry for the stupidity.
 Jack


hosts (allow|deny) are more of a layer7 packet filter. that is, it is at
the application level.

firewalls filter at layers 2 and 3 of the OSI model.


both methods work for restricting access to stuff, but they are
different, and that is important to understand.

-matt zagrabelny





Re: Freenx no longer connects after configuring the hosts.deny and hosts.allow files

2005-10-27 Thread Vinicius Vasconcellos
Good afternoon, how have you been?

You can use iptables to do this; see below (I am writing the commands
from memory, if I'm not mistaken)

# iptables -A INPUT -m iprange --src-range 192.168.1.1-192.168.1.50 -i eth0 -p tcp --dport 22 -j ACCEPT

# iptables -A INPUT -i eth0 -j DROP (You block the connection that may
not pass, or that is not in the rules above)

Note: The important thing to remember is that firewall rules follow a
logical, ordered sequence, that is, the lines are processed from top to
bottom. Be careful with them :D

On 26/10/05, Eder Plansky [EMAIL PROTECTED] wrote:
 Freenx does use ssh, and the machines that use it are allowed in
 hosts.allow.

 But how do I block everyone except a range of IPs through the ssh
 configuration file?

 Fabiano Pires wrote:

 I don't use FreeNx, but the last error line
 (ssh_exchange_identification: Connection closed by remote host) seems
 to show an access-denied error in the ssh protocol. Does FreeNx use ssh?
 Are the machines that use FreeNx allowed in hosts.allow? Try the
 following: revert hosts.deny to the default and block ssh via iptables
 or in the ssh configuration file itself.
 
 Test it and post the results.
 
 Fabiano.
 
 On 25/10/05, Eder Plansky [EMAIL PROTECTED] wrote:
 
 
 hello
 
 I am trying to block ssh access to a machine except for a
 certain range of IPs. I did the following:
 
 in /etc/hosts.deny:
 
 sshd: ALL
 
 in /etc/hosts.allow:
 
 sshd: 10.0.0.,10.1.0.
 
 
 That worked; only the range given above can connect
 to the host via ssh. However, Freenx stopped working: it gets as far as
 authenticating but then gives an error:
 
 NX 103 Welcome to: debian user: debian
 NX 105 listsession --user=debian --status=suspended,running
 --geometry=1024x768x24+render --type=unix-kde
 NX 127 Sessions list of user 'policial' for reconnect:
 
 Display Type Session ID   Options  Depth
 Screen Status  Session Name
 ---    -
 -- --- --
 
 
 NX 148 Server capacity: not reached for user: debian
 NX 105 startsession --session=LINUX --type=unix-kde --cache=8M
 --images=32M --cookie=** --link=lan --kbtype=pc102/br
 --nodelay=1 --backingstore=never --geometry=1024x722 --media=0
 --agent_server= --agent_user= agent_password=**
 --screeninfo=1024x722x24+render
 
 ssh_exchange_identification: Connection closed by remote host
 Killed by signal 15.
 
 
 Does anyone know what might be happening?? Freenx works
 correctly without these settings in hosts.deny and hosts.allow.
 
 
 --
 Regards,
 Fabiano





Re: Freenx no longer connects after configuring the hosts.deny and hosts.allow files

2005-10-26 Thread Eder Plansky
Freenx does use ssh, and the machines that use it are allowed in
hosts.allow.

But how do I block everyone except a range of IPs through the ssh
configuration file?

Fabiano Pires wrote:

 I don't use FreeNx, but the last error line
 (ssh_exchange_identification: Connection closed by remote host) seems
 to show an access-denied error in the ssh protocol. Does FreeNx use ssh?
 Are the machines that use FreeNx allowed in hosts.allow? Try the
 following: revert hosts.deny to the default and block ssh via iptables
 or in the ssh configuration file itself.
 
 Test it and post the results.
 
 Fabiano.
 
 On 25/10/05, Eder Plansky [EMAIL PROTECTED] wrote:
 
  hello
  
  I am trying to block ssh access to a machine except for a
  certain range of IPs. I did the following:
  
  in /etc/hosts.deny:
  
  sshd: ALL
  
  in /etc/hosts.allow:
  
  sshd: 10.0.0.,10.1.0.
  
  
  That worked; only the range given above can connect
  to the host via ssh. However, Freenx stopped working: it gets as far as
  authenticating but then gives an error:
  
  NX 103 Welcome to: debian user: debian
  NX 105 listsession --user=debian --status=suspended,running
  --geometry=1024x768x24+render --type=unix-kde
  NX 127 Sessions list of user 'policial' for reconnect:
  
  Display Type Session ID   Options  Depth
  Screen Status  Session Name
  ---    -
  -- --- --
  
  
  NX 148 Server capacity: not reached for user: debian
  NX 105 startsession --session=LINUX --type=unix-kde --cache=8M
  --images=32M --cookie=** --link=lan --kbtype=pc102/br
  --nodelay=1 --backingstore=never --geometry=1024x722 --media=0
  --agent_server= --agent_user= agent_password=**
  --screeninfo=1024x722x24+render
  
  ssh_exchange_identification: Connection closed by remote host
  Killed by signal 15.
  
  
  Does anyone know what might be happening?? Freenx works
  correctly without these settings in hosts.deny and hosts.allow.
 
 --
 Regards,
 Fabiano



Freenx no longer connects after configuring the hosts.deny and hosts.allow files

2005-10-25 Thread Eder Plansky

hello

I am trying to block ssh access to a machine except for a
certain range of IPs. I did the following:


in /etc/hosts.deny:

sshd: ALL

in /etc/hosts.allow:

sshd: 10.0.0.,10.1.0.


That worked; only the range given above can connect
to the host via ssh. However, Freenx stopped working: it gets as far as
authenticating but then gives an error:


NX 103 Welcome to: debian user: debian
NX 105 listsession --user=debian --status=suspended,running 
--geometry=1024x768x24+render --type=unix-kde

NX 127 Sessions list of user 'policial' for reconnect:

Display Type Session ID   Options  Depth 
Screen Status  Session Name
---    - 
-- --- --



NX 148 Server capacity: not reached for user: debian
NX 105 startsession --session=LINUX --type=unix-kde --cache=8M 
--images=32M --cookie=** --link=lan --kbtype=pc102/br 
--nodelay=1 --backingstore=never --geometry=1024x722 --media=0 
--agent_server= --agent_user= agent_password=**  
--screeninfo=1024x722x24+render


ssh_exchange_identification: Connection closed by remote host
Killed by signal 15.


Does anyone know what might be happening?? Freenx works
correctly without these settings in hosts.deny and hosts.allow.



Re: Freenx no longer connects after configuring the hosts.deny and hosts.allow files

2005-10-25 Thread Fabiano Pires
I don't use FreeNx, but the last error line
(ssh_exchange_identification: Connection closed by remote host) seems
to show an access-denied error in the ssh protocol. Does FreeNx use ssh?
Are the machines that use FreeNx allowed in hosts.allow? Try the
following: revert hosts.deny to the default and block ssh via iptables
or in the ssh configuration file itself.

Test it and post the results.

Fabiano.

On 25/10/05, Eder Plansky [EMAIL PROTECTED] wrote:
 hello

 I am trying to block ssh access to a machine except for a
 certain range of IPs. I did the following:

 in /etc/hosts.deny:

 sshd: ALL

 in /etc/hosts.allow:

 sshd: 10.0.0.,10.1.0.


 That worked; only the range given above can connect
 to the host via ssh. However, Freenx stopped working: it gets as far as
 authenticating but then gives an error:

 NX 103 Welcome to: debian user: debian
 NX 105 listsession --user=debian --status=suspended,running
 --geometry=1024x768x24+render --type=unix-kde
 NX 127 Sessions list of user 'policial' for reconnect:

 Display Type Session ID   Options  Depth
 Screen Status  Session Name
 ---    -
 -- --- --


 NX 148 Server capacity: not reached for user: debian
 NX 105 startsession --session=LINUX --type=unix-kde --cache=8M
 --images=32M --cookie=** --link=lan --kbtype=pc102/br
 --nodelay=1 --backingstore=never --geometry=1024x722 --media=0
 --agent_server= --agent_user= agent_password=**
 --screeninfo=1024x722x24+render

 ssh_exchange_identification: Connection closed by remote host
 Killed by signal 15.


 Does anyone know what might be happening?? Freenx works
 correctly without these settings in hosts.deny and hosts.allow.


--
Regards,
Fabiano



hosts.deny doesn't work for web services

2005-10-17 Thread Nikolai Hlubek
Hi everyone :-)

On one of my machines I'm running a zope server. This server should only
be accessible from my LAN so I set:

hosts.deny
ALL: ALL

The hosts.deny manual states:
This  denies all service to all hosts, unless they are permitted access
by entries in the allow file.


Ping and ssh connects are refused but the web services provided by zope
are still accessible from the outside. Is this a bug or am I missing
something here?

Cheers,
Nikolai

-- 
1984 is not a howto!

Égalité (+ 1848)
Fraternité (+ 1914)
Liberté (+ 2001)





Re: hosts.deny doesn't work for web services

2005-10-17 Thread Andreas Janssen
Hello

Nikolai Hlubek ([EMAIL PROTECTED]) wrote:

 On one of my machines I'm running a zope server. This server should
 only be accessible from my LAN so I set:
 
 hosts.deny
 ALL: ALL
 
 The hosts.deny manual states:
 This  denies all service to all hosts, unless they are permitted
 access by entries in the allow file.
 
 Ping and ssh connects are refused but the web services provided by
 zope are still accessible from the outside. Is this a bug or am I
 missing something here?

hosts_access only works for services that are started through tcpwrapper
or are built against libwrap. Your web server probably isn't. If you
use Apache, configure it to listen to the IP address of your LAN
interface only.

best regards
Andreas Janssen

-- 
Andreas Janssen [EMAIL PROTECTED]
PGP-Key-ID: 0xDC801674 ICQ #17079270
Registered Linux User #267976
http://www.andreas-janssen.de/debian-tipps-sarge.html





Re: hosts.deny doesn't work for web services

2005-10-17 Thread Mariusz Kruk

Nikolai Hlubek wrote:

 On one of my machines I'm running a zope server. This server should only
 be accessible from my LAN so I set:
 
 hosts.deny
 ALL: ALL
 
 The hosts.deny manual states:
 This  denies all service to all hosts, unless they are permitted access
 by entries in the allow file.
 
 
 Ping and ssh connects are refused but the web services provided by zope
 are still accessible from the outside. Is this a bug or am I missing
 something here?


You are missing the fact that only services which use hosts.deny (those 
served by inetd or those using libwrap (IIRC)) will be affected. In your 
case, you'll probably need to search somewhere else.







Re: hosts.deny doesn't work for web services

2005-10-17 Thread Adam Funk
Nikolai Hlubek wrote:

 On one of my machines I'm running a zope server. This server should only
 be accessible from my LAN so I set:
 
 hosts.deny
 ALL: ALL
...
 Ping and ssh connects are refused but the web services provided by zope
 are still accessible from the outside. Is this a bug or am I missing
 something here?

I know that Apache, because it doesn't use the tcpwrappers library, isn't
affected by hosts.allow and hosts.deny.  You have to configure the
equivalent in Apache's own config files.

I've never used zope but perhaps it works the same way.  You could look
through the docs for any mention of tcpwrappers?

HTH,
Adam





Re: hosts.deny doesn't work for web services

2005-10-17 Thread Andrew Nelson
On Mon, 17 Oct 2005 16:32:34 +0200
Nikolai Hlubek [EMAIL PROTECTED] wrote:

 Hi everyone :-)
 
 On one of my machines I'm running a zope server. This server should
 only be accessible from my LAN so I set:
 
 hosts.deny
 ALL: ALL
 
 The hosts.deny manual states:
 This  denies all service to all hosts, unless they are permitted
 access by entries in the allow file.
 
 
 Ping and ssh connects are refused but the web services provided by
 zope are still accessible from the outside. Is this a bug or am I
 missing something here?
 
 Cheers,
 Nikolai
 

I'm pretty sure hosts.allow only works for a small set of services
wrapped by the tcpd daemon.  I think you're gonna need iptables to block
your web server.

You might try shorewall if you dislike writing iptables scripts
as much as I do.

BTW:  I don't think tcpd has anything to do with ping being blocked.
Hopefully someone else on the list will correct me if I'm wrong.

//andy





Re: hosts.allow and hosts.deny

2005-06-16 Thread Paco Gmail
I would do it with iptables, restricting ports 21 and 22 to a single address

On Wed, 15 Jun 2005 14:11:51 -0300
Alejandro Kurchis [EMAIL PROTECTED] wrote:

 Hello:
 
 Yesterday I sat down in front of a Fedora Linux server and was asked how
 to make it allow SSH and FTP connections only from a given external IP,
 and deny the rest.
 
 I thought of editing the hosts.deny file with the lines:
 sshd : ALL
 ftpd : ALL
 
 and hosts.equiv with these other lines:
 sshd : 200.0.0.x
 ftpd : 200.0.0.x
 
 But here are my questions:
 
 1) For this procedure to work, does tcpwrappers need to be running
 (the man pages for hosts.allow and deny don't say) or not ???
 
 2) Do the daemons have to be specified separately (sshd, ftpd, httpd) or
 are they all covered under tcpd ???
 
 Many thanks as always, and sorry if the answer is on Google !!
 
 A.K.
 
-- 




hosts.allow and hosts.deny

2005-06-15 Thread Alejandro Kurchis
Hello:

Yesterday I sat down in front of a Fedora Linux server and was asked how
to make it allow SSH and FTP connections only from a given external IP,
and deny the rest.

I thought of editing the hosts.deny file with the lines:
sshd : ALL
ftpd : ALL

and hosts.equiv with these other lines:
sshd : 200.0.0.x
ftpd : 200.0.0.x

But here are my questions:

1) For this procedure to work, does tcpwrappers need to be running
(the man pages for hosts.allow and deny don't say) or not ???

2) Do the daemons have to be specified separately (sshd, ftpd, httpd) or
are they all covered under tcpd ???

Many thanks as always, and sorry if the answer is on Google !!

A.K.



Re: hosts.allow and hosts.deny

2005-06-15 Thread Santiago Vila
On Wed, 15 Jun 2005, Alejandro Kurchis wrote:

 [ Questions about /etc/hosts.allow on Fedora ]
 
 Many thanks as always, and sorry if the answer is on Google !!

The answer is in the first three lines of the /etc/hosts.allow file
on Debian:

# /etc/hosts.allow: list of hosts that are allowed to access the system.
#   See the manual pages hosts_access(5), hosts_options(5)
#   and /usr/doc/netbase/portmapper.txt.gz

So the manual page you need is hosts_access(5).

If that is not clear to you, please be so kind as to install Debian first,
because this is a Debian list.



Re: hosts.allow and hosts.deny

2005-06-15 Thread Carmen Marcela Alegria C.
Normally an /etc/hosts.deny has a line like

ALL:ALL

This denies any service to any IP. I would suggest you use this line,
since it is a safer way to control which service to give and to whom,
used together with /etc/hosts.allow. And to allow a service to
particular IPs you then use the format

servicio:ip

It is not always necessary to define services separately;
for example, a line:

ALL:mi_ip_de_ejemplo

will allow all services to that IP. This is NOT very advisable;
ideally, for security reasons, use servicio:ip_o_rango explicitly.

For more security I recommend using a firewall
(for example iptables)

Regards :)

Marcela Alegria


 --- Alejandro Kurchis
[EMAIL PROTECTED] wrote:

 Hello:
 
 Yesterday I sat down in front of a Fedora Linux server and was asked how
 to make it allow SSH and FTP connections only from a given external IP,
 and deny the rest.
 
 I thought of editing the hosts.deny file with the lines:
 sshd : ALL
 ftpd : ALL
 
 and hosts.equiv with these other lines:
 sshd : 200.0.0.x
 ftpd : 200.0.0.x
 
 But here are my questions:
 
 1) For this procedure to work, does tcpwrappers need to be running
 (the man pages for hosts.allow and deny don't say) or not ???
 
 2) Do the daemons have to be specified separately (sshd, ftpd, httpd) or
 are they all covered under tcpd ???
 
 Many thanks as always, and sorry if the answer is on Google !!
 
 A.K.



Re: hosts.deny

2005-02-09 Thread !!!Marquinhos!!!
 --- Marcos Vinicius Lazarini
[EMAIL PROTECTED] wrote: 
 !!!Marquinhos!!! wrote:
  Folks, I have a question: I am configuring my
  hosts.deny, but I can't log in with ssh.
  I have only this line in hosts.deny
  
  sshd: ALL EXCEPT [EMAIL PROTECTED]
  
  
  However, when I try to log in over ssh the
  returned message is:
  
  ssh_exchange_identification: Connection closed by remote host
  
  Does anyone know why?
  If I remove it from hosts.deny, ssh works normally.
 
 Could it be because your IP is incomplete? An octet is
 missing (there are only 3 groups of numbers, 1 is missing),
 like 10.0.0.1
 
 Another way out would be to restrict the user in
 /etc/ssh/sshd_config and the IP in an iptables rule.
 
 -- 
 Marcos



Re: RES: hosts.deny

2005-02-08 Thread !!!Marquinhos!!!
 --- Ivan Santos [EMAIL PROTECTED] wrote: 
 Dear colleague,
 
 
 You have to put 
 
 Sshd: ALL EXCEPT 10.0.1.numero de seu ip
 
 If you want to put the name first, add the full name
 of your host !!! 
 
 -----Original message-----
 From: !!!Marquinhos!!! [mailto:[EMAIL PROTECTED] 
 Sent: Monday, 7 February 2005 14:11
 To: Debian-Pt
 Subject: hosts.deny
 
 Folks, I have a question: I am configuring my
 hosts.deny, but I can't log in with ssh.
 I have only this line in hosts.deny
 
 sshd: ALL EXCEPT [EMAIL PROTECTED]
 
 
 However, when I try to log in over ssh the
 returned message is:
 
 ssh_exchange_identification: Connection closed by remote host
 
 Does anyone know why?
 If I remove it from hosts.deny, ssh works normally.



Re: hosts.deny

2005-02-08 Thread Marcos Vinicius Lazarini
!!!Marquinhos!!! wrote:
 Folks, I have a question: I am configuring my
 hosts.deny, but I can't log in with ssh.
 I have only this line in hosts.deny
 sshd: ALL EXCEPT [EMAIL PROTECTED]
 However, when I try to log in over ssh the returned
 message is:
 ssh_exchange_identification: Connection closed by remote host
 Does anyone know why?
 If I remove it from hosts.deny, ssh works normally.

Could it be because your IP is incomplete? An octet is missing (there are
only 3 groups of numbers, 1 is missing), like 10.0.0.1

Another way out would be to restrict the user in /etc/ssh/sshd_config and
the IP in an iptables rule.

--
Marcos


Re: Samba slowdown - hosts.deny responsible?

2004-09-06 Thread Marcos Carneiro da Rocha
Hi Stephen,

what version of samba are you using ???
there is an issue with the latest samba version that slows it down.
take a look at the samba site.

On Sat, 2004-09-04 at 21:45, Stephen Tait wrote:
 I've just been migrating my other Linux boxes over to NFS, instead of 
 samba, for mounting their remote drives from the Debian. Got it all working 
 perfectly after I managed to lock myself out of SSH - d'oh! Thought the 
 machine had died, and ruined my 130 day uptime. Oh well.
 
 But now I'm noticing that transfers from the windows box (lots of movie 
 renders going up) are about half the speed they used to be, and am 
 wondering if some of my entries in hosts.deny and .allow might be 
 responsible. I followed the basics of the NFS Howto here 
 http://nfs.sourceforge.net/nfs-howto/ and ended up with these:
 
 /etc/hosts.allow
 portmap: hostip1 hostip2
 statd: hostip1 hostip2
 moutnd: hostip1 hostip2
 lockd: hostip1 hostip2
 rquotad: hostip1 hostip2
 
 /etc/hosts.deny
 portmap:ALL EXCEPT hostip1 , hostip2 , office
 lockd:ALL EXCEPT hostip1 , hostip2 , office
 mountd:ALL EXCEPT hostip1 , hostip2 , office
 rquotad:ALL EXCEPT hostip1 , hostip2 , office
 statd:ALL EXCEPT hostip1 , hostip2 , office
 ALL:ALL EXCEPT hostip1 , hostip2 , office
 
 Where hostipX corresponds to an IP address of one of my LAN boxes. I was 
 also under the impression that hosts.allow was checked first, but nothing 
 would work unless I used the EXCEPT clause in hosts.deny.
 
 Could this be the cause of my network performance problem? Do I need to add 
 a clause for smbd, nmbd and all the other daemons I have running?
 
 I've tried googling for this, but I got hundreds of results about all 
 manner of networking problems that didn't sound like wot I got. I'm fairly 
 new to the Linux way of networking stuff (I cut my teeth on Linux with 
 Samba, and always used the inbuilt hosts allow/deny options there), so I'm 
 probably asking the wrong questions. Any help or educational flames much 
 appreciated!
 





Samba slowdown - hosts.deny responsible?

2004-09-04 Thread Stephen Tait
I've just been migrating my other Linux boxes over to NFS, instead of 
samba, for mounting their remote drives from the Debian. Got it all working 
perfectly after I managed to lock myself out of SSH - d'oh! Thought the 
machine had died, and ruined my 130 day uptime. Oh well.

But now I'm noticing that transfers from the windows box (lots of movie 
renders going up) are about half the speed they used to be, and am 
wondering if some of my entries in hosts.deny and .allow might be 
responsible. I followed the basics of the NFS Howto here 
http://nfs.sourceforge.net/nfs-howto/ and ended up with these:

/etc/hosts.allow
portmap: hostip1 hostip2
statd: hostip1 hostip2
moutnd: hostip1 hostip2
lockd: hostip1 hostip2
rquotad: hostip1 hostip2

/etc/hosts.deny
portmap:ALL EXCEPT hostip1 , hostip2 , office
lockd:ALL EXCEPT hostip1 , hostip2 , office
mountd:ALL EXCEPT hostip1 , hostip2 , office
rquotad:ALL EXCEPT hostip1 , hostip2 , office
statd:ALL EXCEPT hostip1 , hostip2 , office
ALL:ALL EXCEPT hostip1 , hostip2 , office

Where hostipX corresponds to an IP address of one of my LAN boxes. I was 
also under the impression that hosts.allow was checked first, but nothing 
would work unless I used the EXCEPT clause in hosts.deny.

Could this be the cause of my network performance problem? Do I need to add 
a clause for smbd, nmbd and all the other daemons I have running?

I've tried googling for this, but I got hundreds of results about all 
manner of networking problems that didn't sound like wot I got. I'm fairly 
new to the Linux way of networking stuff (I cut my teeth on Linux with 
Samba, and always used the inbuilt hosts allow/deny options there), so I'm 
probably asking the wrong questions. Any help or educational flames much 
appreciated!



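An added example, not taken from any post in this archive: a simplified Python model of the matching rules documented in hosts_access(5) (allow file first, then deny file, otherwise grant), run over the pattern forms these threads ask about: Jack Hale's net/mask, Eder Plansky's trailing-dot prefixes and the EXCEPT lists above. The function names, the `ALL:` daemon field on the mask lines and the 192.0.2.x/198.51.100.x addresses standing in for hostip1/hostip2 are assumptions; it handles IPv4 only and is not libwrap's code.

```python
"""Simplified model of hosts_access(5) matching: IPv4 only, no options field."""
import ipaddress
import re


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def pattern_matches(pattern, addr, name=None):
    """Match one client pattern against an address and optional host name."""
    if pattern == "ALL":
        return True
    if "/" in pattern:            # net/mask: matches when (addr AND mask) == net
        net, mask = pattern.split("/", 1)
        return (_ip(addr) & _ip(mask)) == _ip(net)
    if pattern.endswith("."):     # "10.0.0." matches every address with that prefix
        return addr.startswith(pattern)
    if pattern.startswith("."):   # ".example.org" matches a host name suffix
        return name is not None and name.lower().endswith(pattern.lower())
    return pattern == addr or (name is not None and pattern.lower() == name.lower())


def list_matches(tokens, test):
    """'a b EXCEPT c d' matches when a or b matches and neither c nor d does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], test) and not list_matches(tokens[i + 1:], test)
    return any(test(tok) for tok in tokens)


def parse_rules(text):
    """Return (daemon_tokens, client_tokens) for each 'daemons : clients' line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append(tuple([t for t in re.split(r"[,\s]+", part) if t]
                           for part in (daemons, clients)))
    return rules


def check_access(daemon, addr, allow_text, deny_text, name=None):
    """Documented order: a match in hosts.allow grants, else a match in
    hosts.deny denies, else access is granted."""
    def hit(text):
        return any(
            list_matches(daemons, lambda d: d in ("ALL", daemon))
            and list_matches(clients, lambda p: pattern_matches(p, addr, name))
            for daemons, clients in parse_rules(text))
    if hit(allow_text):
        return "granted (hosts.allow)"
    if hit(deny_text):
        return "denied (hosts.deny)"
    return "granted (no match)"


# Constructed inputs. The "ALL:" daemon field on the mask lines is an assumption
# (the post shows only the pattern); 192.0.2.x stands in for hostip1/hostip2.
MASK_AS_POSTED = "ALL: 100.100.100.0/100.100.100.255"
MASK_FOR_SUBNET = "ALL: 100.100.100.0/255.255.255.0"
PREFIX_ALLOW, PREFIX_DENY = "sshd: 10.0.0.,10.1.0.", "sshd: ALL"
# Daemon names are compared literally; "moutnd" is spelled as in the posted file.
NFS_ALLOW = "portmap: 192.0.2.10 192.0.2.11\nmoutnd: 192.0.2.10 192.0.2.11"
NFS_DENY = "ALL:ALL EXCEPT 192.0.2.10 , 192.0.2.11 , office"

if __name__ == "__main__":
    cases = [
        ("sshd", "100.100.100.57", "", MASK_AS_POSTED),
        ("sshd", "100.100.100.57", "", MASK_FOR_SUBNET),
        ("sshd", "10.1.0.9", PREFIX_ALLOW, PREFIX_DENY),
        ("sshd", "10.2.0.9", PREFIX_ALLOW, PREFIX_DENY),
        ("portmap", "192.0.2.10", NFS_ALLOW, "ALL: ALL"),
        ("mountd", "192.0.2.10", NFS_ALLOW, "ALL: ALL"),
        ("mountd", "192.0.2.10", NFS_ALLOW, NFS_DENY),
        ("smbd", "198.51.100.4", NFS_ALLOW, NFS_DENY),
    ]
    for daemon, addr, allow, deny in cases:
        print(f"{daemon:8} {addr:15} -> {check_access(daemon, addr, allow, deny)}")
```

This only models the rule files; a daemon that is neither started through tcpd nor linked against libwrap never consults them.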

Re: Blocking Exim via hosts.deny

2003-09-06 Thread Stephan Windmüller
Christian Schmidt [EMAIL PROTECTED] writes:

 Then you can bind exim to the loopback interface via its configuration,
 and you have saved yourself a packet filter rule.

I now have the following in the config:

| local_interfaces = 127.0.0.1

Nevertheless, machines from the local network can still connect.

 [start exim as a daemon]
 The problem here: the box is not exactly blessed with resources,
 so there should not be unnecessarily many services running all the time
 that are not needed at all.
 A service that has nothing to do also only uses, IMO, a
 tolerably small amount of resources.

The thing is already well loaded with MP3s. ;)

-- 
You only have to clean windows now and then so that more light comes in again.
If they are broken, you have to buy new ones. Penguins need looking after, but
in return they can do tricks that a window never manages. Enough herring,
and they even multiply :-)[Arndt Böhm in dcoulh]


-- 
Frequently asked questions and answers (FAQ): 
http://www.de.debian.org/debian-user-german-FAQ/

To UNSUBSCRIBE, send a mail to [EMAIL PROTECTED]
with the subject unsubscribe. Problems? Mail to [EMAIL PROTECTED] (English)



Re: Blocking Exim via hosts.deny

2003-09-06 Thread Stephan Windmüller
Andreas Janssen [EMAIL PROTECTED] writes:

 You could perhaps also take exim out of inetd.conf. You do not need
 the entry to deliver system output, for example from cron jobs, or to
 send email from one local user to another.

That works, thanks.

Just so I understand: port 25 is not needed. But without exim nothing
works all the same, right?

-- 
The Internet is not an impenetrable ocean of data, but rather a
huge data store in which Compuserve stores its data and is
very well able to control it. 
   [Grounds for the judgment, source: http://www.daufaq.de]

