Re: Sharing hosts.deny

2010-10-25 Thread James Gray

On 25/10/2010, at 12:41 PM, Michael wrote:

 On 10/22/2010 01:16 AM, Tapas Mishra wrote:
 I wanted to know if there is any place where people have shared these
 IPs which need to be blocked. I feel most of the time the entries must
 be common, though not always. So if a hosts.deny file is shared somewhere,
 then give a link. (I do use auth.log to note IPs to block.)

 I have a bunch of entries in my hosts file with the 127.0.0.1 line
 added.  I have always seen the hosts.deny and hosts.allow files but
 never knew how to use them.  When I google hosts.deny it says something
 about blocking a range of IP addresses.  Is it safe to assume that using
 hosts.deny is more effective/better than just adding entries to the
 hosts file?

The /etc/hosts.{allow,deny} files are part of tcp wrappers (i.e., inetd/xinetd) and 
have very little to do with host resolution (which is what /etc/hosts is for).  
Normally, when I need to block an IP address I throw it at iptables (the 
firewall), which is the correct place for it in a lot of (read: most) 
situations.

However, if Tapas Mishra (the OP) is trying to use tcp wrappers to limit access 
to certain services, then sharing /etc/hosts.{allow,deny} via NFS etc. and 
symlinking /etc/hosts.{allow,deny} to /path/to/NFS/hosts.{allow,deny} should work.  
Keep in mind the inetd/xinetd will probably need a SIGHUP (at least) to pick up 
any changes in these files - I can't say for certain, I don't use inetd/xinetd 
for anything these days, and can't remember its nuances.  HUPing the 
inetd/xinetd on each host is rather onerous and will probably lead to service 
interruptions.  YMMV.

Cheers,

James
-- 
ubuntu-server mailing list
ubuntu-server@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server
More info: https://wiki.ubuntu.com/ServerTeam
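As an added example (not code from the thread or from any of its posters): the OP wants to consume a block list that other people maintain, and James recommends putting blocks into iptables rather than hosts.deny. A list pulled from NFS or from the internet is untrusted input, so the script below validates every entry before it is turned into a firewall rule, refuses entries that overlap ranges you must never block (loopback and an assumed management network), drops duplicates, and only prints the rules instead of applying them so they can be reviewed first. The list format (one IPv4 address or CIDR per line, `#` comments), the NEVER_BLOCK ranges and the sample entries are all constructed assumptions.

```shell
#!/bin/sh
# Constructed sample of a shared block list (hypothetical data, not from the thread).
SAMPLE_LIST='# shared block list (constructed example)
203.0.113.5
198.51.100.0/24
10.0.0.7              # would knock out our own management network
999.1.1.1             # malformed: must be rejected, not passed to the firewall
203.0.113.9 -j ACCEPT # junk that would flip the rule if fed to iptables unvalidated
203.0.113.5           # duplicate: emitted once
'
# Ranges that must never be blocked (assumed: loopback plus local management net).
NEVER_BLOCK='127.0.0.0/8 10.0.0.0/8'

# valid_ipv4 A.B.C.D -> 0 if exactly four octets, each 0..255, no leading zeros
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1;; esac   # non-numeric or "08"-style octet
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# valid_entry ENTRY -> 0 for A.B.C.D or A.B.C.D/N with 0 <= N <= 32
valid_entry() {
    case $1 in
        */*) ip=${1%/*}; n=${1#*/}
             case $n in ''|*[!0-9]*) return 1;; esac
             [ "$n" -le 32 ] || return 1 ;;
        *)   ip=$1 ;;
    esac
    valid_ipv4 "$ip"
}

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR[/n] NET[/p] -> 0 if ADDR's network address lies inside NET/p (p defaults to 32)
in_net() {
    a=$(ip_to_int "${1%/*}")
    n=$(ip_to_int "${2%/*}")
    case $2 in */*) p=${2#*/};; *) p=32;; esac
    if [ "$p" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - p)) & 4294967295 )); fi
    [ $(( a & mask )) -eq $(( n & mask )) ]
}

# blocklist_to_iptables FILE -> prints one DROP rule per accepted entry (stdout);
# rejected entries are reported on stderr. Returns 1 if anything was rejected.
blocklist_to_iptables() {
    rejected=0; seen=' '
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}                               # strip trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t')     # and all whitespace
        [ -n "$entry" ] || continue
        if ! valid_entry "$entry"; then
            echo "reject (malformed): $entry" >&2; rejected=1; continue
        fi
        for nb in $NEVER_BLOCK; do                      # entry inside a protected range,
            if in_net "$entry" "$nb" || in_net "$nb" "$entry"; then   # or covering one
                echo "reject (protected range $nb): $entry" >&2; rejected=1; continue 2
            fi
        done
        case $seen in *" $entry "*) continue;; esac     # skip duplicates
        seen="$seen$entry "
        printf 'iptables -A INPUT -s %s -j DROP\n' "$entry"
    done < "$1"
    return $rejected
}

# demo -> runs the converter over the constructed sample (rejections silenced)
demo() {
    f=$(mktemp); printf '%s' "$SAMPLE_LIST" > "$f"
    blocklist_to_iptables "$f" 2>/dev/null; rc=$?
    rm -f "$f"; return $rc
}

demo || echo "some entries were rejected; review the list before applying" >&2
```

Run stand-alone it prints two rules (for 203.0.113.5 and 198.51.100.0/24) and warns that the other entries were rejected; pipe the accepted output into `sh` only after reading it, and keep the NEVER_BLOCK list in step with the addresses you administer from.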


Re: Sharing hosts.deny

2010-10-25 Thread Ahmed Kamal
On 10/25/2010 01:05 PM, James Gray wrote:
 On 25/10/2010, at 12:41 PM, Michael wrote:

 On 10/22/2010 01:16 AM, Tapas Mishra wrote:
 I wanted to know if there is any place where people have shared these
 IPs which need to be blocked. I feel most of the time the entries must
 be common, though not always. So if a hosts.deny file is shared somewhere,
 then give a link. (I do use auth.log to note IPs to block.)

 I have a bunch of entries in my hosts file with the 127.0.0.1 line
 added.  I have always seen the hosts.deny and hosts.allow files but
 never knew how to use them.  When I google hosts.deny it says something
 about blocking a range of IP addresses.  Is it safe to assume that using
 hosts.deny is more effective/better than just adding entries to the
 hosts file?
 The /etc/hosts.{allow,deny} files are part of tcp wrappers (i.e., inetd/xinetd) and 
 have very little to do with host resolution (which is what /etc/hosts is 
 for).  Normally, when I need to block an IP address I throw it at iptables 
 (the firewall), which is the correct place for it in a lot of (read: most) 
 situations.

Don't know what the general consensus is, but I've almost never really 
used hosts.deny in real production. iptables just does everything I 
need. The OP might want to consider this.



Re: Sharing hosts.deny

2010-10-25 Thread Tapas Mishra
On Mon, Oct 25, 2010 at 4:42 PM, Ahmed Kamal ahmed.ka...@canonical.com wrote:
 Don't know what the general consensus is, but I've almost never really
 used hosts.deny in real production. iptables just does everything I
 need. The OP might want to consider this.

Yes, I do want to use iptables, but I noticed that using iptables to deny
services on virtual machines which run on VMware causes the VMs to
disconnect from the internet. Not sure what port VMware needs to be open so
that the VM (virtual machine) can be accessed from outside.
I use iptables on both host and guest.



Re: Sharing hosts.deny

2010-10-25 Thread James Gray

On 25/10/2010, at 10:28 PM, Tapas Mishra wrote:

 On Mon, Oct 25, 2010 at 4:42 PM, Ahmed Kamal ahmed.ka...@canonical.com 
 wrote:
 Don't know what the general consensus is, but I've almost never really
 used hosts.deny in real production. iptables just does everything I
 need. The OP might want to consider this.
 
 Yes, I do want to use iptables, but I noticed that using iptables to deny
 services on virtual machines which run on VMware causes the VMs to
 disconnect from the internet. Not sure what port VMware needs to be open so
 that the VM (virtual machine) can be accessed from outside.
 I use iptables on both host and guest.

OK - so there's a little gem :)  DON'T try to filter services on a guest at the 
hypervisor layer!  The hypervisor (VMware) couldn't care less about the traffic 
destined for a guest; its firewall is only concerned with traffic destined for 
the hypervisor.  Filter the guests' traffic on the GUEST, and only the guest.

If you have a virtual switch you might want to do some fancy VLAN tagging 
voodoo to do pseudo-hypervisor filtering, but that's probably heading into the 
"why bother" end of the discussion.  Just filter the traffic for the guest on 
the guest's firewall and all will be well with the world :)

Cheers,

James




Re: Sharing hosts.deny

2010-10-25 Thread Tapas Mishra
On Mon, Oct 25, 2010 at 5:21 PM, James Gray ja...@gray.net.au wrote:

 OK - so there's a little gem :)  DON'T try to filter services on a guest at the 
 hypervisor layer!  The hypervisor (VMware) couldn't care less about the 
 traffic destined for a guest; its firewall is only concerned with traffic 
 destined for the hypervisor.  Filter the guests' traffic on the GUEST, and 
 only the guest.
Ok.
 If you have a virtual switch you might want to do some fancy VLAN tagging 
 voodoo to do pseudo-hypervisor filtering, but that's probably heading into 
 the "why bother" end of the discussion.  Just filter the traffic for the 
 guest on the guest's firewall and all will be well with the world :)
Yes, I logged on to the guest machine and did the same as what you are
saying. In fact, the reason I started this discussion was the same thing
you mentioned: I saw all network activity on the guest stopping, no
communication with anything whatsoever.



Re: Sharing hosts.deny

2010-10-24 Thread Tapas Mishra
On Mon, Oct 25, 2010 at 7:11 AM, Michael mmorse...@gmail.com wrote:

 I have a bunch of entries in my hosts file with the 127.0.0.1 line
 added.  I have always seen the hosts.deny and hosts.allow files but
 never knew how to use them.  When I google hosts.deny it says something
 about blocking a range of IP addresses.  Is it safe to assume that using
 hosts.deny is more effective/better than just adding entries to the
 hosts file?

hosts.deny and hosts are different files, for different purposes.



Re: Sharing hosts.deny

2010-10-22 Thread Douglas Stanley
Check out denyhosts; it's in the Ubuntu repositories. They have a service to
pull down hosts.deny entries from others.

Hope that helps.

Doug

On Oct 22, 2010 2:17 AM, Tapas Mishra mightydre...@gmail.com wrote:

I wanted to know if there is any place where people have shared these
IPs which need to be blocked. I feel most of the time the entries must
be common, though not always. So if a hosts.deny file is shared somewhere,
then give a link. (I do use auth.log to note IPs to block.)

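The OP says he reads auth.log to decide which addresses to block. As an added example (not from the thread or its posters), the script below does that step over a constructed auth.log excerpt: it extracts the source address from sshd "Failed password" lines, counts failures per address, and prints tcp_wrappers lines (`sshd: IP`) only for addresses at or above a threshold, so that a single mistyped password does not end up in hosts.deny. The log lines, the addresses (documentation ranges) and the threshold of 3 are constructed assumptions; the output is meant to be reviewed, not appended to /etc/hosts.deny blindly, and a daemon only honours hosts.deny if it is built against libwrap.

```shell
#!/bin/sh
# Constructed auth.log excerpt in the format Ubuntu's sshd writes; the addresses
# are documentation ranges, not real attackers.
SAMPLE_AUTH_LOG='Oct 22 01:02:03 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Oct 22 01:02:05 host sshd[1002]: Failed password for invalid user oracle from 203.0.113.5 port 4423 ssh2
Oct 22 01:02:09 host sshd[1003]: Failed password for root from 203.0.113.5 port 4424 ssh2
Oct 22 01:03:00 host sshd[1010]: Failed password for bob from 198.51.100.8 port 5100 ssh2
Oct 22 01:03:30 host sshd[1011]: Accepted password for bob from 198.51.100.8 port 5101 ssh2
Oct 22 01:04:00 host sshd[1020]: Failed password for invalid user test from 203.0.113.77 port 6001 ssh2
Oct 22 01:04:01 host sshd[1021]: Failed password for invalid user test from 203.0.113.77 port 6002 ssh2
'
THRESHOLD=3   # failures before an address is proposed for hosts.deny (assumed value)

# failed_logins FILE -> lines of "count ip", most failures first.
# Only sshd "Failed password ... from A.B.C.D port" lines are counted; an
# "Accepted password" line (a legitimate user who mistyped once) is not.
failed_logins() {
    grep -E 'sshd\[[0-9]+\]: Failed password .* from ([0-9]{1,3}\.){3}[0-9]{1,3} port' "$1" \
    | sed -E 's/.* from (([0-9]{1,3}\.){3}[0-9]{1,3}) port .*/\1/' \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# hosts_deny_candidates FILE THRESHOLD -> tcp_wrappers lines "sshd: IP" for every
# address with at least THRESHOLD failures. Review before appending to /etc/hosts.deny.
hosts_deny_candidates() {
    failed_logins "$1" | awk -v t="$2" '$1+0 >= t+0 {print "sshd: " $2}'
}

# demo_candidates -> runs the pipeline over the constructed sample
demo_candidates() {
    f=$(mktemp); printf '%s' "$SAMPLE_AUTH_LOG" > "$f"
    hosts_deny_candidates "$f" "$THRESHOLD"
    rm -f "$f"
}

demo_candidates
```

On the sample only 203.0.113.5 (three failures) is proposed; 203.0.113.77 stays below the threshold and 198.51.100.8, whose single failure was followed by a successful login, is never a candidate. On a real host run it as `hosts_deny_candidates /var/log/auth.log 3`.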

Re: Sharing hosts.deny

2010-10-22 Thread Douglas Stanley
DenyHosts can be configured to get hosts from a central server that
other users contribute to. That can include hosts your other machines
contribute, if you enable uploading of your DenyHosts entries. Check
out the man pages on the DenyHosts configuration... or actually, I
think you just need to read the config file itself; it's self
documenting.

As for a way to have machines on your network share their DenyHosts
entries with one another, I'd be surprised if there wasn't a tool to do that
already, but it's not something I've ever come across. If anyone else
knows of a tool that does something like that though, I'd be very
interested!

I thought there was something I saw at one point that had snort monitor
network traffic, and then snort could tell machines to block IPs
based on stuff it saw... I swear I saw stuff like that out there, but
can't think of anything off the top of my head.

Hope that helps,

Doug


On Fri, Oct 22, 2010 at 12:26 PM, Tapas Mishra mightydre...@gmail.com wrote:
 On Fri, Oct 22, 2010 at 7:52 PM, Douglas Stanley
 douglas.m.stan...@gmail.com wrote:
 Check out denyhosts; it's in the Ubuntu repositories. They have a service to
 pull down hosts.deny entries from others.

 Yes, you mean to say to pull from the local machine or from some source on 
 the internet?
 denyhosts is installed on my machine and I see some entries in WORK_DIR/hosts.
 Your spamhaus link is useful.





-- 
Please avoid sending me Word or PowerPoint attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html
