4.14. Prohibiting and Permitting Hosts

You may find working with ipchains and iptables (see Sections 4.11 and 4.12) difficult because you need to know the ports involved, but this is the most reliable way of giving your server real security. For simple security goals (for example, temporary protection) there is an easier method: the /etc/hosts.allow and /etc/hosts.deny files. The former contains a list of hosts allowed access to the system; the latter lists those denied access.

When a connection attempt to the server is made, the files are checked as follows:

  1. If the requesting computer is in neither file, access is permitted by default.

  2. If the computer's address is on the list in the hosts.allow file, it is granted access and the hosts.deny file is not checked.

  3. If the computer's address is on the list in the hosts.deny file, it is denied access.

The convenience of these files is that the services to which access is to be limited can be listed in them for specific hosts. This is done by adding an entry of the following form to the file:

 service: host 

The service parameter specifies the name of the service to which access is to be restricted; several services can be listed, delimited by commas. The host parameter lists addresses delimited by commas (allowed addresses in the /etc/hosts.allow file, prohibited addresses in the /etc/hosts.deny file). In place of either field, the ALL keyword can be specified, meaning any service or any address.

Consider an example of configuring these files. To start, deny all computers access to all services by adding the entry ALL: ALL to the /etc/hosts.deny file. The resulting file looks as follows:

 #
 # hosts.deny   This file describes the names of the hosts
 #              not allowed to use the local INET
 #              services, as decided by the
 #              /usr/sbin/tcpd server.
 #
 # The portmap line is redundant, but it is left to remind
 # you that the new secure portmap uses hosts.deny and
 # hosts.allow. In particular, you should know that NFS
 # uses portmap!
 ALL: ALL

Now specify the following permissions:

  • The computer with the address 192.168.1.1 can connect to any services.

  • Only computers with the addresses 192.168.1.2 and 192.168.1.3 can have access to the FTP service. The corresponding file follows:

     #
     # hosts.allow  This file describes the names of the hosts
     #              allowed to use the local INET services,
     #              as decided by the /usr/sbin/tcpd server.
     #
     ALL: 192.168.1.1
     ftpd: 192.168.1.2, 192.168.1.3

If you need to allow the entire network to access a service, this can be done as follows:

 ftpd: 192.168.1. 

This entry allows all computers in the 192.168.1.x network to access the ftpd service, where x stands for any value of the last octet.
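To make the evaluation order and the matching rules concrete, here is a small evaluator for hosts.allow/hosts.deny entries written for this section; it is an added example, not code from the book or from the tcp_wrappers package. It takes the two files' contents as strings (the book's deny-all file and its two-rule allow file are embedded below as constructed sample input), consults hosts.allow first, then hosts.deny, and permits a client listed in neither, and it handles the ALL keyword, comma-separated lists and the trailing-dot network form ("192.168.1.") described above. Extended tcpd syntax such as EXCEPT, netmasks and hostnames is deliberately not modelled.

```python
"""Added example (not from the book): evaluate 'service: host, host'
entries the way the section describes tcpd consulting hosts.allow
and hosts.deny.  Assumptions: file contents arrive as strings; only
the ALL keyword, exact addresses and dotted network prefixes ending
in '.' are supported (no EXCEPT, netmasks or hostnames)."""

from typing import List, Tuple

Rule = Tuple[List[str], List[str]]  # (services, hosts)


def parse_access_file(text: str) -> List[Rule]:
    """Parse lines of the form 'service[,service]: host[,host]'.
    Comments introduced by '#' and blank lines are skipped."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        services, hosts = line.split(":", 1)
        rules.append((
            [s.strip() for s in services.split(",") if s.strip()],
            [h.strip() for h in hosts.split(",") if h.strip()],
        ))
    return rules


def host_matches(pattern: str, address: str) -> bool:
    """ALL matches any client; a pattern ending in '.' is a network
    prefix (the book's 192.168.1. form); anything else must match the
    address exactly.  The trailing dot matters: '192.168.1.' does not
    match hosts in 192.168.10.x."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return address.startswith(pattern)
    return address == pattern


def rule_matches(rule: Rule, service: str, address: str) -> bool:
    services, hosts = rule
    return (any(s == "ALL" or s == service for s in services)
            and any(host_matches(h, address) for h in hosts))


def access_decision(allow_text: str, deny_text: str,
                    service: str, address: str) -> str:
    """Return 'allow' or 'deny' in tcpd's order of evaluation: a
    hosts.allow match grants access and stops the search, otherwise a
    hosts.deny match denies, and a client listed in neither is let in."""
    if any(rule_matches(r, service, address)
           for r in parse_access_file(allow_text)):
        return "allow"
    if any(rule_matches(r, service, address)
           for r in parse_access_file(deny_text)):
        return "deny"
    return "allow"


# Constructed sample input: the book's deny-all file and its allow file.
HOSTS_DENY = "# deny everything not explicitly allowed\nALL: ALL\n"
HOSTS_ALLOW = "ALL: 192.168.1.1\nftpd: 192.168.1.2, 192.168.1.3\n"
# The whole-network form from the text, as a second allow file.
HOSTS_ALLOW_NET = "ftpd: 192.168.1.\n"


if __name__ == "__main__":
    for service, client in [("sshd", "192.168.1.1"), ("ftpd", "192.168.1.2"),
                            ("sshd", "192.168.1.2"), ("ftpd", "10.0.0.7")]:
        print(service, client, access_decision(HOSTS_ALLOW, HOSTS_DENY,
                                               service, client))
    for client in ("192.168.1.77", "192.168.10.77"):
        print("ftpd", client, access_decision(HOSTS_ALLOW_NET, HOSTS_DENY,
                                              "ftpd", client))
```

Two things the run makes visible that the prose only implies: because hosts.allow is consulted first, an ALL: ALL line in hosts.deny never overrides an allow entry, and a network prefix must keep its trailing dot, otherwise "192.168.1" would also admit 192.168.10.x and 192.168.100.x. For checking the real files on a system, the tcp_wrappers package ships tcpdmatch, which reports the decision for a given daemon and client; note that real tcpd matches on the daemon's process name (e.g. in.ftpd) rather than a generic service name.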

As you can see, it is much easier to use the /etc/hosts.allow and /etc/hosts.deny files than to specify rule chains: you do not have to create rules for incoming and outgoing packets. But the filtering capabilities of these files are very limited, far fewer than those of any firewall.

I recommend using the /etc/hosts.allow and /etc/hosts.deny files to address temporary security concerns. For example, a vulnerable service can be easily disabled by making a corresponding entry in the /etc/hosts.deny file. If you notice an attack from some IP address, you can prohibit all connections from that address for a few hours with an appropriate entry in the same /etc/hosts.deny file.

You may ask why this can't be done using the firewall rule chains. It is because, should you delete or add a wrong rule, the server's operation may be disrupted or its security lowered. This is why I do not recommend creating temporary firewall rules.

Hacker Linux Uncovered
ISBN: 1931769508
Year: 2004
Pages: 141