Re: Sharing hosts.deny
On Mon, Oct 25, 2010 at 5:21 PM, James Gray wrote:
>
> OK - so there's a little gem :) DON'T try to filter services on a guest at the
> hypervisor layer! The hypervisor (VMware) couldn't care less about the
> traffic destined for a guest, its firewall is only concerned about traffic
> destined for the hypervisor. Filter the guests' traffic on the GUEST, and
> only the guest.

Ok

> If you have a virtual switch you might want to do some fancy VLAN tagging
> voodoo to do pseudo-hypervisor filtering, but that's probably heading into
> the "why bother" end of the discussion. Just filter the traffic for the
> guest on the guest's firewall and all will be well with the world :)

Yes, I logged on to the guest machine and did the same as what you are
saying. In fact the reason I started this discussion was the same thing you
mentioned: I saw all network activity on the guest stopping, no
communication with anything whatsoever.

--
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
Re: Sharing hosts.deny
On 25/10/2010, at 10:28 PM, Tapas Mishra wrote:
> On Mon, Oct 25, 2010 at 4:42 PM, Ahmed Kamal wrote:
>> Don't know what the general consensus is, but I've almost never really
>> used hosts.deny in real production. iptables just does everything I
>> need. OP might want to consider this
>>
> Yes I do want to use IPTABLES but I noticed using IPTABLES to deny
> services on Virtual Machines which run on VMware causes the VMs to
> disconnect from the internet. Not sure what port VMware needs to be open so
> that the VM (Virtual Machine) can be accessed from outside.
> I use IPTABLES on host and guest both.

OK - so there's a little gem :) DON'T try to filter services on a guest at the
hypervisor layer! The hypervisor (VMware) couldn't care less about the
traffic destined for a guest, its firewall is only concerned about traffic
destined for the hypervisor. Filter the guests' traffic on the GUEST, and
only the guest.

If you have a virtual switch you might want to do some fancy VLAN tagging
voodoo to do pseudo-hypervisor filtering, but that's probably heading into
the "why bother" end of the discussion. Just filter the traffic for the
guest on the guest's firewall and all will be well with the world :)

Cheers,
James
Re: Sharing hosts.deny
On Mon, Oct 25, 2010 at 4:42 PM, Ahmed Kamal wrote:
> Don't know what the general consensus is, but I've almost never really
> used hosts.deny in real production. iptables just does everything I
> need. OP might want to consider this
>
Yes I do want to use IPTABLES but I noticed using IPTABLES to deny
services on Virtual Machines which run on VMware causes the VMs to
disconnect from the internet. Not sure what port VMware needs to be open so
that the VM (Virtual Machine) can be accessed from outside.
I use IPTABLES on host and guest both.
Re: Sharing hosts.deny
On 10/25/2010 01:05 PM, James Gray wrote:
> On 25/10/2010, at 12:41 PM, Michael wrote:
>
>> On 10/22/2010 01:16 AM, Tapas Mishra wrote:
>>> I wanted to know if there is any place where people have shared these
>>> IPs which need to be blocked. I feel most of the time the entries must
>>> be common, though not always. So if a hosts.deny file is shared somewhere
>>> then give a link. (I do use auth.log to note IPs to block)
>>>
>>>
>> I have a bunch of entries in my hosts file with the 127.0.0.1 line
>> added. I have always seen the hosts.deny and hosts.allow files but
>> never knew how to use them. When I google hosts.deny it says something
>> about blocking a range of IP addresses. Is it safe to assume that using
>> hosts.deny is more effective/better than just adding entries to the
>> hosts file?
> The /etc/hosts.{allow,deny} are part of tcp wrappers (ie, inetd/xinetd) and
> have very little to do with host resolution (which is what /etc/hosts is
> for). Normally, when I need to block an IP address I throw it at iptables
> (the firewall) which is the correct place for it in a lot of (read "most")
> situations.
>
Don't know what the general consensus is, but I've almost never really used
hosts.deny in real production. iptables just does everything I need. OP might
want to consider this
Re: Sharing hosts.deny
On 25/10/2010, at 12:41 PM, Michael wrote:
> On 10/22/2010 01:16 AM, Tapas Mishra wrote:
>> I wanted to know if there is any place where people have shared these
>> IPs which need to be blocked. I feel most of the time the entries must
>> be common, though not always. So if a hosts.deny file is shared somewhere
>> then give a link. (I do use auth.log to note IPs to block)
>>
>>
>
> I have a bunch of entries in my hosts file with the 127.0.0.1 line
> added. I have always seen the hosts.deny and hosts.allow files but
> never knew how to use them. When I google hosts.deny it says something
> about blocking a range of IP addresses. Is it safe to assume that using
> hosts.deny is more effective/better than just adding entries to the
> hosts file?

The /etc/hosts.{allow,deny} are part of tcp wrappers (ie, inetd/xinetd) and
have very little to do with host resolution (which is what /etc/hosts is
for). Normally, when I need to block an IP address I throw it at iptables
(the firewall) which is the correct place for it in a lot of (read "most")
situations.

However, if Tapas Mishra (the OP) is trying to use tcp wrappers to limit
access to certain services, then sharing /etc/hosts.{allow,deny} via NFS etc,
then symlinking /etc/hosts.{allow,deny} to /path/to/NFS/hosts.{allow,deny}
should work. Keep in mind the inetd/xinetd will probably need a SIGHUP (at
least) to pick up any changes in these files - I can't say for certain, I
don't use inetd/xinetd for anything these days, and can't remember its
nuances. HUPing the inetd/xinetd on each host is rather onerous and will
probably lead to service interruptions. YMMV

Cheers,
James
Re: Sharing hosts.deny
On Mon, Oct 25, 2010 at 7:11 AM, Michael wrote:
>
> I have a bunch of entries in my hosts file with the 127.0.0.1 line
> added. I have always seen the hosts.deny and hosts.allow files but
> never knew how to use them. When I google hosts.deny it says something
> about blocking a range of IP addresses. Is it safe to assume that using
> hosts.deny is more effective/better than just adding entries to the
> hosts file?
>
hosts.deny and hosts are different files for different purposes.
Re: Sharing hosts.deny
Deny hosts can be configured to get hosts from a central server that other
users contribute to. That can include hosts your other machines contribute,
if you enable uploading of your deny hosts entries. Check out the man pages
on the deny hosts configuration... or actually, I think you just need to
read the config file itself, it's self documenting.

As for a way to have machines on your network share their deny hosts with
one another, I'd be surprised if there wasn't a tool to do that already,
but it's not something I've ever come across. If anyone else knows of a
tool that does something like that though, I'd be very interested!

I thought there was something I saw at one point that had snort monitor
network traffic, and then snort could tell machines to block IPs based on
stuff it saw... I swear I saw stuff like that out there, but can't think of
anything off the top of my head.

Hope that helps,
Doug

On Fri, Oct 22, 2010 at 12:26 PM, Tapas Mishra wrote:
> On Fri, Oct 22, 2010 at 7:52 PM, Douglas Stanley wrote:
>> check out denyhosts it's in the Ubuntu repositories. They have a service to
>> pull down hosts.deny entries from others.
>>
> Yes, you mean to say pull from the local machine or from some source on
> the internet?
> denyhosts is installed on my machine and I see in WORK_DIR/hosts
> some entries. Your spamhaus link is useful.
>

--
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
Re: Sharing hosts.deny
On Fri, Oct 22, 2010 at 7:52 PM, Douglas Stanley wrote:
> check out denyhosts it's in the Ubuntu repositories. They have a service to
> pull down hosts.deny entries from others.
>
Yes, you mean to say pull from the local machine or from some source on
the internet?
denyhosts is installed on my machine and I see in WORK_DIR/hosts
some entries. Your spamhaus link is useful.
Re: Sharing hosts.deny
On 22 October 2010 07:16, Tapas Mishra wrote:
> I wanted to know if there is any place where people have shared these
> IPs which need to be blocked. I feel most of the time the entries must
> be common, though not always. So if a hosts.deny file is shared somewhere
> then give a link. (I do use auth.log to note IPs to block)

Google for IP block list. Spamhaus is very useful for blocking chopped pork
shoulder meat with ham meat added, salt, water...

http://www.spamhaus.org/sbl/
http://www.iblocklist.com/lists.php

and so on.
Re: Sharing hosts.deny
check out denyhosts it's in the Ubuntu repositories. They have a service to
pull down hosts.deny entries from others.

Hope that helps.
Doug

On Oct 22, 2010 2:17 AM, "Tapas Mishra" wrote:
> I wanted to know if there is any place where people have shared these
> IPs which need to be blocked. I feel most of the time the entries must
> be common, though not always. So if a hosts.deny file is shared somewhere
> then give a link. (I do use auth.log to note IPs to block)
Sharing hosts.deny
I wanted to know if there is any place where people have shared these IPs
which need to be blocked. I feel most of the time the entries must be common,
though not always. So if a hosts.deny file is shared somewhere then give a
link. (I do use auth.log to note IPs to block)
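The original post notes IPs from auth.log and asks about a shared hosts.deny, and James's reply explains that hosts.{allow,deny} are tcp wrappers rules rather than firewall entries. As an added example (not code from the thread or from denyhosts), this Python script counts sshd password failures in a constructed auth.log excerpt and merges the repeat offenders into a constructed shared hosts.deny, using tcp_wrappers-style client matching (exact address or trailing-dot prefix, with ALL covering every daemon) so that addresses already covered are not appended twice. The sample data, threshold and function names are assumptions.

```python
import re
from collections import Counter

# Constructed auth.log excerpt (not from the thread): sshd password failures per source IP
SAMPLE_AUTH_LOG = """\
Oct 22 01:02:03 host1 sshd[1234]: Failed password for root from 198.51.100.7 port 51234 ssh2
Oct 22 01:02:05 host1 sshd[1234]: Failed password for root from 198.51.100.7 port 51235 ssh2
Oct 22 01:03:00 host1 sshd[1240]: Failed password for alice from 203.0.113.9 port 40000 ssh2
Oct 22 01:04:00 host1 sshd[1250]: Failed password for invalid user test from 192.0.2.44 port 33333 ssh2
Oct 22 01:04:01 host1 sshd[1251]: Failed password for invalid user test from 192.0.2.44 port 33334 ssh2
"""
# Constructed shared hosts.deny (the NFS-exported copy James suggests): one exact IP, one prefix
SHARED_HOSTS_DENY = "# shared deny list\nsshd: 192.0.2.44\nALL: 10.99.\n"
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\d+(?:\.\d+){3}) port \d+")

def count_failures(log_text):
    """Count sshd 'Failed password' events per source IP."""
    return Counter(m.group(1) for m in map(FAILED_RE.search, log_text.splitlines()) if m)

def offenders(log_text, threshold=2):
    """Sorted IPs with at least `threshold` failures; a single typo (203.0.113.9) stays out."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)

def parse_hosts_deny(text):
    """Parse 'daemon_list : client_list' lines into {daemon: set(client patterns)}."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        for d in daemons.split(","):
            rules.setdefault(d.strip(), set()).update(c.strip() for c in clients.split(",") if c.strip())
    return rules

def is_denied(rules, daemon, ip):
    """tcp_wrappers client matching: exact IP, or an 'a.b.' prefix pattern; ALL covers every daemon."""
    for pat in rules.get(daemon, set()) | rules.get("ALL", set()):
        if pat == ip or (pat.endswith(".") and ip.startswith(pat)):
            return True
    return False

def merge_hosts_deny(existing_text, new_ips, daemon="sshd"):
    """Append 'daemon: ip' lines for IPs not already covered; returns (new text, list of added IPs)."""
    rules = parse_hosts_deny(existing_text)
    added = [ip for ip in new_ips if not is_denied(rules, daemon, ip)]
    body = existing_text.rstrip("\n")
    lines = ([body] if body else []) + [f"{daemon}: {ip}" for ip in added]
    return "\n".join(lines) + "\n", added
```

Only daemons that consult tcp wrappers (libwrap) honour these lines; as James says, the firewall is a separate mechanism.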