[lug] host.allow host.deny help

Greg Horne jeerygh at hotmail.com
Tue Oct 9 16:00:30 MDT 2001


Thanks for the very informative reply!  That answers all of my questions up 
to this point.  IPChains was mentioned; where is a good site that you have 
used with information on setting up a machine to use ipchains to block IP 
addresses?

Thanks again,
Greg Horne

>From: "D. Stimits" <stimits at idcomm.com>
>Reply-To: lug at lug.boulder.co.us
>To: lug at lug.boulder.co.us
>Subject: Re: [lug] host.allow host.deny help
>Date: Tue, 09 Oct 2001 14:14:05 -0600
>
>Greg Horne wrote:
> >
> > So my host.allow would look like this?
> > ALL: ALL
>
>You could actually leave this blank. Don't add a hosts.allow entry
>unless it is a known need. After all, you don't need to force it to
>allow unless something is causing a deny. E.G., you have a good user at
>10.1.2.3, and someone from the dark side of the force at 10.1.2.4, and a
>deny of ALL:10.1.2.4/255.255.255.0. In this case (a /24 deny), the
>10.1.2.3 would fall into that address range and get blacklisted...so
>you'd want an allow rule specifically for 10.1.2.4/255.255.255.255 (a
>/32 allow).
>
> >
> > and my host.deny like this?
> > ALL: IP, IP, IP, IP
>
>More like multiple lines, I don't know if single line format would work.
>Note that I am using a /24 mask in my sample, but if you know an exact
>address, you could use a /32, which translates to 255.255.255.255. I
>deny /24's or more because many of the attackers have dynamic ip within
>that range, or else their automated attack software will be hitting more
>of their local domain and others will be joining from the same /24. So
>more like:
>ALL: a.b.c.d/255.255.255.0
>ALL: b.c.d.e/255.255.255.0
>
>I know, it is a sucky description. Think of adding an allow entry only
>for specific people that are blocked out and shouldn't be. In the deny
>rules, think of blocking a /24 range because of dynamic ip from
>attackers, and the general ranks of fallen machines on that same
>network. In the case that you know an attacker is static, just use a
>/32, or mask of 255.255.255.255. With dynamic ip's you can't just block
>one address.
>
>It was also mentioned that you should use ipchains and not just this. I
>have a huge list of blacklisted ip ranges in both my hosts.deny and
>ipchains files, and nothing in the hosts.allow. Several of the korean
>and other asian troublemaker sites have made me resort to /16's (mask
>255.255.0.0) for blocking...in a few cases, even /11's.
>
>D. Stimits, stimits at idcomm.com
>
> >
> > Thanks for your help,
> > Greg
> >
> > >From: "D. Stimits" <stimits at idcomm.com>
> > >Reply-To: lug at lug.boulder.co.us
> > >To: lug at lug.boulder.co.us
> > >Subject: Re: [lug] host.allow host.deny help
> > >Date: Mon, 08 Oct 2001 19:00:54 -0600
> > >
> > >Greg Horne wrote:
> > > >
> > > > Maybe I have not explained what I am trying to do well enough.  Let 
>me
> > >try
> > > > again.  I want to allow everybody in the world to access my server.  
>The
> > > > only people that should be blocked are those people that I specify.
> > > >
> > > > Like:
> > > > host.allow
> > > > ALL: ALL
> > > >
> > > > host.deny
> > > > evil person #1
> > > > evil person #2
> > >
> > >ALL: evil.person.com
> > >ALL: microsoft.com
> > >(yeah, just having fun there, but you did mention "evil")
> > >
> > >"ALL" means all xinetd (or inetd) run daemons, like ftp and telnet.
> > >
> > >D. Stimits, stimits at idcomm.com
> > >
> > > >
> > > > How do I accomplish that?
> > > >
> > > > Greg
> > > >
> > > > >From: dan radom <dradom at redback.com>
> > > > >Reply-To: lug at lug.boulder.co.us
> > > > >To: lug at lug.boulder.co.us
> > > > >Subject: Re: [lug] host.allow host.deny help
> > > > >Date: Mon, 8 Oct 2001 17:26:59 -0600
> > > > >
> > > > >ALL : xxx.xxx.xxx.xxx (single host)
> > > > >ALL : xxx.xxx.xxx.xxx/255.255.255.0 (entire class c)
> > > > >in.ftpd : xxx.xxx.xxx.xxx ftp only
> > > > >
> > > > >what i do is ALL : ALL in hosts.deny and allow specific access 
>from the
> > > > >allow file.
> > > > >
> > > > >* Greg Horne (jeerygh at hotmail.com) wrote:
> > > > > > Well in addition to those IP's are people that try to gain ftp 
>and
> > > > >telnet
> > > > > > access, so how would I go about blacklisting them?
> > > > > >
> > > > > > Greg
> > > > >_______________________________________________
> > > > >Web Page:  http://lug.boulder.co.us
> > > > >Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > > >
> >
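
The thread's examples (a /24 deny with a /32 allow for the good user at 10.1.2.3, "ALL: ALL" in hosts.allow, dan radom's default-deny layout, and his per-daemon in.ftpd line) can be checked against the order tcp_wrappers actually uses. The following is an added example, not code from the list or from tcp_wrappers itself: it reproduces the hosts_access(5) decision order (hosts.allow is consulted first, then hosts.deny, and a client matching neither is allowed) over constructed rule text. It goes slightly beyond the thread in accepting comma-separated client lists on one line, which hosts_access(5) permits alongside one-entry-per-line, and in accepting both n.n.n.n/m.m.m.m mask and n.n.n.n/nn prefix forms. The file contents, daemon names and addresses are made up for the demonstration.

```python
"""Simulate the hosts_access(5) decision order for hosts.allow / hosts.deny.

Added example, not part of the mailing-list thread or of tcp_wrappers.
Rule text below is constructed: a good user at 10.1.2.3 shares a /24 with
an attacker at 10.1.2.4, so the /24 deny needs a /32 allow for the good user.
"""
import ipaddress

# Constructed hosts.allow: only the exception lives here. A client that
# matches hosts.allow never reaches hosts.deny, so this /32 rescues 10.1.2.3.
HOSTS_ALLOW = """
ALL: 10.1.2.3/255.255.255.255
"""

# Constructed hosts.deny: one entry per line in mask form as in the thread;
# the in.ftpd line shows a per-daemon entry with a comma-separated client list.
HOSTS_DENY = """
ALL: 10.1.2.0/255.255.255.0
in.ftpd: 192.0.2.7, 192.0.2.8
"""


def parse_rules(text):
    """Return a list of (daemons, networks) tuples from hosts.allow/deny text.

    Only the daemon_list : client_list form is handled; shell commands,
    EXCEPT clauses and hostname patterns are out of scope for this example.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        daemon_part, client_part = line.split(":", 1)
        daemons = [d.strip() for d in daemon_part.replace(",", " ").split()]
        networks = []
        for token in client_part.replace(",", " ").split():
            if token == "ALL":
                networks.append(ipaddress.ip_network("0.0.0.0/0"))
            else:
                # Accepts n.n.n.n/m.m.m.m (mask) and n.n.n.n/nn (prefix);
                # strict=False lets a host address stand in for its network.
                networks.append(ipaddress.ip_network(token, strict=False))
        rules.append((daemons, networks))
    return rules


def matches(rules, daemon, client_ip):
    """True if any rule names this daemon (or ALL) and covers client_ip."""
    ip = ipaddress.ip_address(client_ip)
    for daemons, networks in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(ip in net for net in networks):
                return True
    return False


def hosts_access(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the hosts_access(5) order: allow file, then deny file, else allow."""
    if matches(parse_rules(allow_text), daemon, client_ip):
        return "allow"
    if matches(parse_rules(deny_text), daemon, client_ip):
        return "deny"
    return "allow"


if __name__ == "__main__":
    for daemon, ip in [("in.telnetd", "10.1.2.3"), ("in.telnetd", "10.1.2.4"),
                       ("in.ftpd", "192.0.2.8"), ("in.telnetd", "192.0.2.8")]:
        print(f"{daemon:<11} {ip:<12} -> {hosts_access(daemon, ip)}")
    # Why the reply says to leave hosts.allow empty: ALL: ALL there means
    # hosts.deny is never consulted, so the attacker gets in.
    print("ALL: ALL in hosts.allow, attacker ->",
          hosts_access("in.telnetd", "10.1.2.4", allow_text="ALL: ALL"))
    # dan radom's layout: ALL: ALL in hosts.deny, exceptions in hosts.allow.
    print("default deny, unlisted client ->",
          hosts_access("in.telnetd", "203.0.113.9",
                       allow_text="ALL: 198.51.100.0/24", deny_text="ALL: ALL"))
```

The two extra calls at the end make the thread's advice concrete: with "ALL: ALL" in hosts.allow the /24 deny is dead code, while the default-deny layout blocks anything not explicitly listed in hosts.allow. Note that TCP wrappers only govern services started through inetd/xinetd or linked against libwrap; anything else needs the packet-filter rules the reply mentions.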

