[lug] host.allow host.deny help

D. Stimits stimits at idcomm.com
Tue Oct 9 14:14:05 MDT 2001


Greg Horne wrote:
> 
> So my host.allow would look like this?
> ALL: ALL

You could actually leave this blank. Don't add a hosts.allow entry
unless it is a known need. After all, you don't need to force it to
allow unless something is causing a deny. E.g., you have a good user at
10.1.2.3, someone from the dark side of the force at 10.1.2.4, and a
deny of ALL: 10.1.2.4/255.255.255.0. In this case (a /24 deny),
10.1.2.3 would fall into that address range and get blacklisted...so
you'd want an allow rule specifically for 10.1.2.4/255.255.255.255 (a
/32 allow).

> 
> and my host.deny like this?
> ALL: IP, IP, IP, IP

More like multiple lines; I don't know if the single-line format would work.
Note that I am using a /24 mask in my sample, but if you know an exact
address, you could use a /32, which translates to 255.255.255.255. I
deny /24s or more because many of the attackers have dynamic IPs within
that range, or else their automated attack software will be hitting more
of their local domain and others will be joining from the same /24. So
more like:
ALL: a.b.c.d/255.255.255.0
ALL: b.c.d.e/255.255.255.0

I know, it is a sucky description. Think of adding an allow entry only
for specific people that are blocked out and shouldn't be. In the deny
rules, think of blocking a /24 range because of dynamic IPs from
attackers, and the general ranks of fallen machines on that same
network. In the case that you know an attacker is static, just use a
/32, or a mask of 255.255.255.255. With dynamic IPs you can't just block
one address.

It was also mentioned that you should use ipchains and not just this. I
have a huge list of blacklisted IP ranges in both my hosts.deny and
ipchains files, and nothing in the hosts.allow. Several of the Korean
and other Asian troublemaker sites have made me resort to /16s (mask
255.255.0.0) for blocking...in a few cases, even /11s.

D. Stimits, stimits at idcomm.com

> 
> Thanks for your help,
> Greg
> 
> >From: "D. Stimits" <stimits at idcomm.com>
> >Reply-To: lug at lug.boulder.co.us
> >To: lug at lug.boulder.co.us
> >Subject: Re: [lug] host.allow host.deny help
> >Date: Mon, 08 Oct 2001 19:00:54 -0600
> >
> >Greg Horne wrote:
> > >
> > > Maybe I have not explained what I am trying to do well enough.  Let me try
> > > again.  I want to allow everybody in the world to access my server.  The
> > > only people that should be blocked are those people that I specify.
> > >
> > > Like:
> > > host.allow
> > > ALL: ALL
> > >
> > > host.deny
> > > evil person #1
> > > evil person #2
> >
> >ALL: evil.person.com
> >ALL: microsoft.com
> >(yeah, just having fun there, but you did mention "evil")
> >
> >"ALL" means all xinetd (or inetd) run daemons, like ftp and telnet.
> >
> >D. Stimits, stimits at idcomm.com
> >
> > >
> > > How do I accomplish that?
> > >
> > > Greg
> > >
> > > >From: dan radom <dradom at redback.com>
> > > >Reply-To: lug at lug.boulder.co.us
> > > >To: lug at lug.boulder.co.us
> > > >Subject: Re: [lug] host.allow host.deny help
> > > >Date: Mon, 8 Oct 2001 17:26:59 -0600
> > > >
> > > >ALL : xxx.xxx.xxx.xxx (single host)
> > > >ALL : xxx.xxx.xxx.xxx/255.255.255.0 (entire class c)
> > > >in.ftpd : xxx.xxx.xxx.xxx ftp only
> > > >
> > > >what i do is ALL : ALL in hosts.deny and allow specific access from the
> > > >allow file.
> > > >
> > > >* Greg Horne (jeerygh at hotmail.com) wrote:
> > > > > Well in addition to those IP's are people that try to gain ftp and
> > > >telnet
> > > > > access, so how would I go about blacklisting them?
> > > > >
> > > > > Greg
> > > >_______________________________________________
> > > >Web Page:  http://lug.boulder.co.us
> > > >Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > >
> > >
> 
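The thread above describes the tcp_wrappers lookup order (hosts.allow first, then hosts.deny, otherwise allow) and the net/mask form of deny entries, but never shows the two files side by side or what the wrapper actually decides for the good user and the attacker. The following is an added example, not code from the thread or from tcp_wrappers itself: a small Python emulator of the hosts_access(5) matching rules for IPv4 clients, run over two constructed files for the scenario discussed (good user 10.1.2.3, attacker 10.1.2.4, same /24). Two points from hosts_access(5) that a practitioner should know before copying the thread's lines: a `n.n.n.n/m.m.m.m` pattern matches only when `net` equals the client address ANDed with `mask`, so the network address (10.1.2.0, not 10.1.2.4) must be written before a /24 mask or the entry silently matches nothing; and a client list may be several comma- or space-separated patterns on one line, so `ALL: IP, IP, IP` is valid. Only the syntax used in the thread (ALL, single addresses, dotted net/mask) is implemented; the daemon names, the 10.1.2.0/24 addresses and the RFC 5737 ranges are assumptions chosen for the example.

```python
"""Emulate the tcp_wrappers lookup order from hosts_access(5) for IPv4 clients.

Added example (not from the thread).  Only the syntax used in the thread is
implemented: ALL, a single address, and an n.n.n.n/m.m.m.m net/mask pair.
Hostnames, leading-dot domains, EXCEPT, netgroups, IPv6 and shell commands
are not handled.
"""
import ipaddress


def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into a list of (daemons, clients).

    Each line is 'daemon_list : client_list [: shell_command]'.  Lines that
    begin with '#' and blank lines are ignored.  Both lists are separated by
    commas and/or whitespace, so 'ALL: a, b, c' on one line is equivalent
    to three lines with one client each.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr):
    """Match one client pattern against an IPv4 address, per hosts_access(5)."""
    if pattern == "ALL":
        return True
    ip = int(ipaddress.IPv4Address(addr))
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        net_int = int(ipaddress.IPv4Address(net))
        mask_int = int(ipaddress.IPv4Address(mask))
        # Match iff 'net' equals (address AND mask).  A 'net' with host bits
        # set, such as 10.1.2.4/255.255.255.0, can therefore never match:
        # the AND always clears those bits, so write 10.1.2.0 instead.
        return (ip & mask_int) == net_int
    return ip == int(ipaddress.IPv4Address(pattern))


def daemon_matches(pattern, daemon):
    """Daemon patterns are the process name (e.g. in.ftpd) or ALL."""
    return pattern == "ALL" or pattern == daemon


def rule_matches(rules, daemon, addr):
    """True if any entry matches both the daemon and the client address."""
    return any(
        any(daemon_matches(d, daemon) for d in daemons)
        and any(client_matches(c, addr) for c in clients)
        for daemons, clients in rules
    )


def access_allowed(allow_text, deny_text, daemon, addr):
    """hosts_access(5) order: a hosts.allow match grants; otherwise a
    hosts.deny match denies; otherwise access is granted."""
    if rule_matches(parse_rules(allow_text), daemon, addr):
        return True
    if rule_matches(parse_rules(deny_text), daemon, addr):
        return False
    return True


# Constructed sample files for the thread's scenario: a good user at 10.1.2.3
# shares a /24 with an attacker at 10.1.2.4.  The other ranges are RFC 5737
# documentation addresses chosen for this example.
HOSTS_ALLOW = """
# Punch a /32 hole for the good user; everything else is decided by hosts.deny.
ALL: 10.1.2.3/255.255.255.255
"""

HOSTS_DENY = """
# Deny the attacker's whole /24.  The network address (10.1.2.0, not 10.1.2.4)
# goes before the mask.  One entry per line or a comma-separated list both work.
ALL: 10.1.2.0/255.255.255.0
ALL: 192.0.2.0/255.255.255.0, 203.0.113.0/255.255.255.0
# ftp only, from a whole /16.
in.ftpd: 198.51.0.0/255.255.0.0
"""


def scenario():
    """Decisions for the cases discussed in the thread (True = allowed)."""
    def check(daemon, addr):
        return access_allowed(HOSTS_ALLOW, HOSTS_DENY, daemon, addr)

    return {
        "good_user_telnet": check("in.telnetd", "10.1.2.3"),    # /32 allow wins
        "attacker_telnet": check("in.telnetd", "10.1.2.4"),     # /24 deny
        "neighbor_ftp": check("in.ftpd", "10.1.2.200"),         # same /24, denied
        "ftp_from_16": check("in.ftpd", "198.51.100.7"),        # ftp-only deny
        "telnet_from_16": check("in.telnetd", "198.51.100.7"),  # not covered, allowed
        "unlisted_host": check("in.telnetd", "10.9.9.9"),       # default is allow
        # The literal form from the thread: host bits set in 'net', matches nothing.
        "misaligned_pattern_hits_itself": client_matches("10.1.2.4/255.255.255.0", "10.1.2.4"),
    }


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

On a real box the equivalent check against the live /etc/hosts.allow and /etc/hosts.deny is tcp_wrappers' own `tcpdmatch` utility (for example `tcpdmatch in.telnetd 10.1.2.3`), which reports the matching entry and the decision; the emulator above exists only to make the ordering and the net/mask arithmetic visible offline.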


