Sharing hosts.deny

James Gray james at gray.net.au
Mon Oct 25 11:05:17 UTC 2010


On 25/10/2010, at 12:41 PM, Michael wrote:

> On 10/22/2010 01:16 AM, Tapas Mishra wrote:
>> I wanted to know if there is any place where people have shared these
>> IPs which needs to be blocked I feel most of the time the entries must
>> be common though not always.So if hosts.deny file is shared some where
>> then give a link.(I do use auth.log to note IPs to block)
>> 
>> 
> 
> I have a bunch of entries in my hosts file with the 127.0.0.1 line
> added.  I have always seen the hosts.deny and hosts.allow files  but
> never know how to use them.  When I google hosts.deny it says something
> about blocking a range of IP addresses.  Is it safe to assume that using
> hosts.deny is more effective/better than just adding entries to the
> hosts file?

The /etc/hosts.{allow,deny} are part of tcp wrappers (ie, inetd/xinetd) and have very little to do with host resolution (which is what /etc/hosts is for).  Normally, when I need to block an IP address I throw it at iptables (the firewall) which is the correct place for it in a lot of (read "most") situations.

However, if Tapas Mishra (the OP) is trying to use tcp wrappers to limit access to certain services, then sharing /etc/hosts.{allow,deny} via NFS etc, then symlink /etc/hosts{allow,deny} to /path/to/NFS/hosts.{allow,deny} should work.  Keep in mind the inetd/xinetd will probably need a SIGHUP (at least) to pick up any changes in these files - I can't say for certain, I don't use inetd/xinetd for anything these days, and can't remember its nuances.  HUPing the inetd/xinetd on each host is rather onerous and will probably lead to service interuptions.  YMMV

Cheers,

James



More information about the ubuntu-server mailing list