hosts.allow

Gene Collins collins at gene3.ait.iastate.edu
Tue Jan 15 14:30:39 EST 2002


Hello all.  Hosts.allow and hosts.deny can contain lists of hosts or the
word ALL in upper case to be associated with a particular service.  If you
deny all access in hosts.deny, and then allow specific access in
hosts.allow, the hosts.allow file will override the hosts.deny file.
For example, suppose you want to allow ssh access to ip address
192.168.1.1 and 192.168.1.2 and wanted to block everyone else.  You
could put the following in your hosts.deny file:

sshd: ALL

All ssh access is now blocked.  You can then open access for the two
addresses you want with the following line in your hosts.allow file:

sshd: 192.168.1.1 192.168.1.2

Only these two addresses would now have ssh access.  If you have the
line:

ALL: ALL

in your hosts.deny file, then the line:

sshd: ALL

in your hosts.allow file will open up all ssh access, while leaving
other services like telnet, finger and ftp closed.  When working with
hosts.allow and hosts.deny files, it's best to be specific about which
services you are granting access to.  Renaming your hosts.deny file to
something else will throw your system wide open, which is not what you
want.  In theory, if the hosts.deny file is empty or does not exist, and
you have entries in your hosts.allow file, only those addresses for the
specified services should get access.  I would not count on it, however.
Better to specifically deny all access, and then open up only what you
intend.

Gene Collins
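As an added example (not part of the thread), the evaluation order Gene describes, modelled in Python: the functions, the constructed rule strings and the assumption that matching is case-insensitive are mine, not tcpd's code.

```python
# Model of tcpd's hosts.allow / hosts.deny evaluation order, following the
# order documented in hosts_access(5): a match in hosts.allow grants, otherwise
# a match in hosts.deny refuses, otherwise access is granted. The rule text
# below is constructed sample input, not copied from any real system.

def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into [(daemons, clients), ...].
    Blank lines and '#' comments are skipped; list items may be separated by
    commas or blanks. EXCEPT, shell commands and %-expansions are not modelled."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def token_matches(pattern, value):
    """ALL matches anything; a pattern ending in '.' matches an address prefix
    (e.g. '192.168.1.'); anything else must match the whole token. Matching is
    case-insensitive here (modelling assumption)."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        return value.lower().startswith(pattern.lower())
    return pattern.lower() == value.lower()

def rule_matches(rules, daemon, client):
    return any(any(token_matches(d, daemon) for d in ds)
               and any(token_matches(c, client) for c in cs)
               for ds, cs in rules)

def access_granted(allow_text, deny_text, daemon, client):
    """True if tcpd would let `client` reach `daemon` under these two files."""
    if rule_matches(parse_rules(allow_text), daemon, client):
        return True
    if rule_matches(parse_rules(deny_text), daemon, client):
        return False
    return True  # matched nowhere: tcpd's default is to grant access

# Constructed rule sets mirroring the scenarios discussed in the thread.
DENY_SSHD, ALLOW_TWO = "sshd: ALL\n", "sshd: 192.168.1.1 192.168.1.2\n"
DENY_ALL, ALLOW_SSHD = "ALL: ALL\n", "sshd: ALL\n"

if __name__ == "__main__":
    print(access_granted(ALLOW_TWO, DENY_SSHD, "sshd", "192.168.1.3"))  # False
    print(access_granted(ALLOW_TWO, DENY_SSHD, "in.telnetd", "10.0.0.9"))  # True: telnet never denied
    print(access_granted(ALLOW_TWO, "", "sshd", "10.0.0.9"))  # True: empty hosts.deny blocks nothing
```

The last two lines are the cases Gene warns about: a deny file that only names sshd leaves every other wrapped service open, and an empty hosts.deny denies nothing at all.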

>Hi!
>
>  Try man tcpd or man hosts_access. Sshd will use /etc/hosts_* files
>only if tcpwrapper support is included when compiling. In that case
>hosts_allow line is something like
>sshd : all (or sshd2 : all, try both).
>
>  Normally sshd holds its own access control in sshd_config file
>somewhere under /etc.
>
>  btw: make sure you use the latest version of ssh, earlier versions
>at least 1.2.31 have a severe security problem.
>
>
> Gregory Nowak 05.01.02:
>
>>I've tried typing "man hosts.allow", but no luck, so I have to ask.
>>As Janina mentioned in reply to one of my posts, I'm currently blocking all connections with
>>"ALL: all".
>>However, I want to let ssh in from any ip address. How do I do this?
>>I've tried "ssh: all", but no luck.
>>Greg
>>
>>
>>_______________________________________________
>>Speakup mailing list
>>Speakup at braille.uwo.ca
>>http://speech.braille.uwo.ca/mailman/listinfo/speakup
>>
>
>
>The opinions I express are my own and do not necessarily represent
>the official position of my employer or my internet service provider.
>-- 
>Mr. Ari Moisio, Niittykatu 7, 41160 Tikkakoski, +358-40-5055239
>ari.moisio at iki.fi http://www.iki.fi/arimo PGP-keyID: 0x3FAF0F05