HomeНовости › Protect your server using hosts.allow and hosts.deny.

Protect your server using hosts.allow and hosts.deny.

Professionals responsible for the safety nets used by the various tools to help them protect their networks and servers from malicious intrusions. They write great length chain filter iptables firewall and install the latest ..

You may also use them in their work and also write a long chain of rules, forgetting that help provide extra security can two files present on your system — /etc/hosts.allow and /etc/hosts.deny.

Once the TCP-packets have been transferred to a computer with Linux, among other actions, the process two files — /etc/hosts.allow and /etc/hosts.deny. These two files work as well as the standard firewall. Originally daemon tcpd handles packets passing through the contents of the file hosts.allow, and then through file hosts.deny.

Remember this, because if you make a mess of things in their contents, you may lose access to your server (if you configure them remotely). If the daemon does not find anything relevant in hosts.allow, it goes to the processing of the file hosts.deny.

The syntax of these files is very simple:

Service: IP-address or hostname

For example, if we want to block all smtp-packets coming to our server from mail.test.com, we need to put in hosts.deny file the following line:

smtp: mail.test.com

We can also choose to replace the host name and its IP-address (the best physical, thus avoiding the problems of security in DNS-server):

smtp: 192.168.2.10

With success, you can use and an excellent opportunity to use the mark «.» In the address bar to indicate the network. For example, if we want to allow access to our server on http from the entire network 192.168.2.0/24, we should write in the hosts.allow as follows:

http:192.168.2.

We can also use this sign if we want to allow access to any service of all the computers of our domain, pointing to hosts.allow as follows:

http:.test.com

Then all computers domain test.ru will have access to the web service on our server.

Well, the easiest way (which is typically used by beginners and administrators) — specify:

mysqld: ALL

This record is made available for all your service mysql. I hope you have guessed what file do I put this line?

Certainly in the /etc/hosts.deny! But in /etc/hosts.allow to make a record type:

mysqld: LOCAL

And then your mysql is available for local applications!

Please note — the contents of the files /etc/hosts.allow and /etc/hosts.deny depends on your needs to protect your server. Try, if needed opening or closing access to services for one reason or the other. But do not forget that the writing after the «:» the words «ALL» (in the file /etc/hosts.allow) does not give you guarantees of security of your server!

Good luck!

Leave a Comment