On Tuesday 24 April 2001 04:39, Mark Weaver wrote:
> Charles,
>
> It does deny access to anyone to your machine provided that their
> machine's ip address is entered into the hosts.deny file. OR, if you have
> a line in there such as:
>
>       ALL:ALL
>
> That single line denies access to all services on your machine. 

  Oops, sorry, no it doesn't.  

  The hosts.allow and hosts.deny files are part of the tcpwrappers system 
(/usr/sbin/tcpd). These control access to services on your system that are 
run by the inetd superserver (or the new xinetd superserver) that are enabled 
to use tcpwrappers.

  Some other server daemons that can be run stand-alone (i.e. not by the 
inetd/xinetd superservers) are now also using the hosts.allow/deny files.  
For example, sshd does.  And you indicate that portsentry is manipulating 
those files for other reasons. 

  But they are not specific portsentry files.

  Many other servers are completely indifferent to the hosts.allow/deny 
files: named (i.e. DNS), sendmail, httpd (i.e. Apache), nfs to name but a 
few.  If these servers are running on your system, your statement induces a 
dangerously false sense of security.

  ALL:ALL in /etc/hosts.deny specifically applies *only* to servers being run 
by the inetd/xinetd superserver and any stand-alone servers that have been 
coded & configured to use them.

Cheers,
Rob
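
An added example, not part of the message above: a small shell audit that shows which services a hosts.deny entry can reach at all, by checking whether inetd starts them through tcpd and whether a stand-alone daemon is linked against libwrap. The function names and all sample data are constructed for illustration, and it assumes a classic inetd.conf (an inetd without built-in libwrap).

```shell
#!/bin/sh
# Added example: which services can /etc/hosts.deny actually cover?
# Function names and sample data are constructed, not from the original message.

# Classify inetd.conf entries read from stdin.
# Fields: service socket proto wait user server-path args...
# Assumption: classic inetd, so an entry is covered by hosts.allow/hosts.deny
# only when its server-path is tcpd.
audit_inetd() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }     # skip blank lines and comments
        NF < 6               { next }     # skip malformed entries
        $6 ~ /(^|\/)tcpd$/   { print $1 ": wrapped"; next }
                             { print $1 ": NOT wrapped (" $6 ")" }
    '
}

# Succeed if ldd output on stdin shows a libwrap dependency.
# Real use: ldd "$(command -v sshd)" | links_libwrap
# A statically linked libwrap would not show up here, and a linked daemon
# may still need to be configured to consult the files.
links_libwrap() {
    grep -q 'libwrap\.so'
}

# Constructed sample inetd.conf content.
SAMPLE_INETD='# constructed sample
ftp     stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet  stream tcp nowait root /usr/sbin/tcpd in.telnetd
swat    stream tcp nowait root /usr/sbin/swat swat'

# Constructed sample ldd output for two stand-alone daemons.
SAMPLE_LDD_SSHD='	libwrap.so.0 => /lib/libwrap.so.0 (0x4001c000)
	libc.so.6 => /lib/libc.so.6 (0x40030000)'
SAMPLE_LDD_HTTPD='	libm.so.6 => /lib/libm.so.6 (0x4001c000)
	libc.so.6 => /lib/libc.so.6 (0x40030000)'

printf '%s\n' "$SAMPLE_INETD" | audit_inetd

for pair in "sshd:$SAMPLE_LDD_SSHD" "httpd:$SAMPLE_LDD_HTTPD"; do
    name=${pair%%:*}
    if printf '%s\n' "${pair#*:}" | links_libwrap; then
        echo "$name: linked against libwrap (can consult hosts.deny)"
    else
        echo "$name: no libwrap, hosts.deny has no effect"
    fi
done
```

Anything reported as not wrapped needs its own access control, such as the daemon's own configuration or a packet filter.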
