Sharing hosts.deny
James Gray
james at gray.net.au
Mon Oct 25 11:05:17 UTC 2010
On 25/10/2010, at 12:41 PM, Michael wrote:
> On 10/22/2010 01:16 AM, Tapas Mishra wrote:
>> I wanted to know if there is any place where people have shared these
>> IPs which needs to be blocked I feel most of the time the entries must
>> be common though not always.So if hosts.deny file is shared some where
>> then give a link.(I do use auth.log to note IPs to block)
>>
>>
>
> I have a bunch of entries in my hosts file with the 127.0.0.1 line
> added. I have always seen the hosts.deny and hosts.allow files but
> never know how to use them. When I google hosts.deny it says something
> about blocking a range of IP addresses. Is it safe to assume that using
> hosts.deny is more effective/better than just adding entries to the
> hosts file?
The /etc/hosts.{allow,deny} are part of tcp wrappers (ie, inetd/xinetd) and have very little to do with host resolution (which is what /etc/hosts is for). Normally, when I need to block an IP address I throw it at iptables (the firewall) which is the correct place for it in a lot of (read "most") situations.
However, if Tapas Mishra (the OP) is trying to use tcp wrappers to limit access to certain services, then sharing /etc/hosts.{allow,deny} via NFS etc, then symlink /etc/hosts{allow,deny} to /path/to/NFS/hosts.{allow,deny} should work. Keep in mind the inetd/xinetd will probably need a SIGHUP (at least) to pick up any changes in these files - I can't say for certain, I don't use inetd/xinetd for anything these days, and can't remember its nuances. HUPing the inetd/xinetd on each host is rather onerous and will probably lead to service interuptions. YMMV
Cheers,
James
More information about the ubuntu-server
mailing list