Are my hosts.allow and hosts.deny correct?


Donovan
11-09-2000, 11:04 PM
Ok, I don't want to mess with those files, so please confirm it's correct before I load them!

These files are for a web server.
I want to be the only person able to get in the server to administer it from my 2 ISPs, but I still want all the web visitors able to visit the site through their browsers!


hosts.deny:

ALL: ALL

hosts.allow:

ALL: xxx.xxx.*.*
ALL: yyy.yyy.*.*
(should I also put the local host IP here to let the server administer itself?)

(xxx and yyy being my ISP's IPs that I connect from).

Does it sound good? Will it still let me administer the server, but deny it to anyone trying to administer it from another ISP than mine? Will it still let web visitors surf my site, and use the forums, forms...?

Thanks,
Donov

[This message has been edited by Donovan (edited 09 November 2000).]

winnotgoneyet
11-10-2000, 12:59 AM
Check out the latest MaximumLinux Magazine, it has an article re this!!

larryliberty
11-10-2000, 07:50 AM
I forgot to mention that if you have Apache, it normally runs as a standalone, so access is determined by the httpd.conf file and not by hosts.allow and hosts.deny. The default for your webserver is to allow everyone access.

You also should get SSH. If you use Telnet to connect to your machine remotely, anyone who's in your traceroute path can set up a sniffer and get your passwords.

Donovan
11-10-2000, 07:56 AM
Thanks.
But I don't get what exactly those files allow / disallow?!

Do they just decide who will be able to get in from the outside? Will a hosts.deny ALL: ALL prevent the server itself from working? Or will it just prevent foreign people from trying to get in?

Can I safely deny all, but only allow my IP?

Thanks, Donov

posterboy
11-10-2000, 08:35 AM
/etc/hosts.allow and .deny only affect those services that you start from inetd. These are things like telnet, ftp, etc. Apache CAN be started from inetd, but rarely is, as there is a pretty good overhead in the machine having to crank it up from ground zero on each request from the outside. Yes, you can do deny all then in the allow, let one IP into the machine. Doing this will have no effect on your stand-alone Apache, it will be open to the public, anyway. It's believed widely that SSH allows "public" ftp and telnet access in a secure manner. Nobody ever really knows, until after a disaster.
Ray


------------------
ray@raymondjones.net
HTTP://www.raymondjones.net
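To make the deny-all / allow-my-ISP rules discussed in this thread checkable offline, here is a small Python re-implementation of the hosts_access(5) decision that tcpd makes for inetd-started services. This is an added example, not code from the thread or from tcp_wrappers itself; the addresses and rule files in it are constructed, and it ignores EXCEPT, hostname patterns and shell commands.

```python
# Added example: the hosts_access(5) allow/deny decision for IPv4 clients.
# Rule files and client addresses below are constructed for illustration.
import ipaddress

def _client_matches(pattern, addr):
    """One client_list token against a dotted IPv4 address (hosts_access(5) syntax)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":          # matches names without a dot; an IP always has dots
        return False
    if pattern.endswith("."):       # "203.0.113." is a leading-octet prefix
        return addr.startswith(pattern)
    if "/" in pattern:              # "203.0.113.0/255.255.255.0" is net/mask
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == addr          # anything else is compared literally; '*' is NOT a wildcard

def _file_matches(text, daemon, addr):
    """True if any rule in one file (hosts.allow or hosts.deny) matches daemon and client."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                # malformed rule: tcpd logs an error and skips it
        daemons, clients = fields[0].split(), fields[1].split()
        if ("ALL" in daemons or daemon in daemons) and any(_client_matches(c, addr) for c in clients):
            return True
    return False

def hosts_access(allow_text, deny_text, daemon, addr):
    """tcpd order: first match in hosts.allow grants, then first match in hosts.deny
    refuses, and a client matching neither file is let through."""
    if _file_matches(allow_text, daemon, addr):
        return True
    if _file_matches(deny_text, daemon, addr):
        return False
    return True

HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW_OK = "ALL: 203.0.113.\nALL: 198.51.100.0/255.255.255.0\nALL: 127.0.0.1\n"
HOSTS_ALLOW_BAD = "ALL: 203.0.113.*.*\n"   # glob-style pattern: never matches, admin is locked out

if __name__ == "__main__":
    for admin in ("203.0.113.7", "198.51.100.9", "127.0.0.1"):
        print(admin, hosts_access(HOSTS_ALLOW_OK, HOSTS_DENY, "in.telnetd", admin))  # True
    print("192.0.2.1", hosts_access(HOSTS_ALLOW_OK, HOSTS_DENY, "in.telnetd", "192.0.2.1"))  # False
    print("203.0.113.7", hosts_access(HOSTS_ALLOW_BAD, HOSTS_DENY, "sshd", "203.0.113.7"))  # False
```

The last case is the one to watch for: with ALL: ALL in hosts.deny, a client pattern that tcpd cannot match (such as one written with '*') silently locks the administrator out of every wrapped service, while a stand-alone Apache is unaffected either way.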

larryliberty
11-10-2000, 08:42 AM
O'Reilly's Apache book is really good. One of the things it does is have you create your httpd.conf file from scratch. That way, you know exactly what's in it and why, and how it works.