
hosts.allow, hosts.deny

These two files in /etc are the usual place to store the rules that decide which hosts may connect to which services on your machine.

Where a firewall can be thought of as hiding a door, these files control who is allowed to open the door.

Used together, these two files let you create either:

  • open by default, with exceptions (a deny list)
  • closed by default, with exceptions (a guest list)

By default Slackware ships with both files empty, which means the door is unlocked and nobody is barred.

This document will help you change that default into a more secure configuration.

Contents

  1. Making sure you have a key yourself
  2. Locking the door
  3. Writing the guest list
    1. Adding a second host
    2. Adding lots of hosts
    3. Adding other services
    4. Talking to yourself
  4. Notes
  5. See also

Making sure you have a key yourself

If you are connecting to the machine by ssh, make sure that your own subsequent connections will still be allowed before you lock anything down. If the machine you are sitting in front of is 192.168.0.10, edit /etc/hosts.allow and add

sshd:	192.168.0.10

If you are using DNS you may also refer to your machine by name, e.g.

sshd:	wibble.mynet.invalid

Locking the door

This is simply done by editing /etc/hosts.deny and adding the line

ALL:	ALL

Connections that are already established remain usable; from now on, only new ssh connections from 192.168.0.10 will be accepted.

Writing the guest list

Adding a second host

So far we have allowed connections to the sshd server only from 192.168.0.10. If we want to allow a second host to connect, it is as simple as

sshd:	192.168.0.10 192.168.0.11

or

sshd:	wibble.mynet.invalid wobble.mynet.invalid

You may separate them with just a space, or add a comma for clarity.

Adding lots of hosts

It is possible to allow blocks of addresses to connect, either by shortening the address or by giving a netmask.

sshd:	192.168.0.
sshd:	192.168.0.0/255.255.255.0

Both have the same effect.

You can allow every host within a domain to connect, e.g.

sshd:	.mynet.invalid

Adding other services

In the main, the name of the service you are connecting TO (e.g. sshd, in.telnetd, vsftpd, proftpd) is what goes in hosts.allow, but as with all things there are exceptions… NFS. With NFS we are writing rules for the services we are allowing connections FROM.

If, for example, the machine we are locking down is an NFS server and you want to mount it on 192.168.0.10, we would put in /etc/hosts.allow

portmap:	192.168.0.10
mountd:		192.168.0.10

Likewise, but back to front: if you want this machine to mount an NFS export, we would put in the address of the nfsd we want to mount from

portmap:	192.168.0.10
nfsd:		192.168.0.10

Talking to yourself

Sometimes it is not a bad idea. For example, the rndc process used to reload bind might be on the same machine that runs named; in this case we want to allow connections from the machine we are on.

rndc:	127.0.0.1

Again, note that it is the name of the process we want to talk to, not the name of the listening process.
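To see how the rules from the sections above combine, here is an added example (not part of this howto and not the tcpd code itself) in Python that implements the tcp_wrappers decision for the client patterns shown on this page: hosts.allow is consulted first, then hosts.deny, and access is granted when neither file matches. The file contents are constructed for the example; the 192.168.1. and 10.0.0.0 ranges are made up for illustration.

```python
import ipaddress

# Constructed sample files; the rules mirror the ones built up in this howto.
HOSTS_ALLOW = """
sshd:    192.168.0.10, 192.168.0.11
sshd:    192.168.1.
sshd:    10.0.0.0/255.255.255.0
sshd:    .mynet.invalid
portmap: 192.168.0.10
mountd:  192.168.0.10
rndc:    127.0.0.1
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Return a list of (daemons, clients); list items may be separated by spaces or commas."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(), clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, addr, hostname):
    """Client patterns used on this page only; see hosts_access(5) for the full grammar."""
    if pattern.upper() == "ALL":
        return True
    if "/" in pattern:                                # net/mask, e.g. 192.168.0.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                         # leading fields of a dotted address
        return addr.startswith(pattern)
    if pattern.startswith("."):                       # domain suffix; needs a resolved name
        return hostname is not None and hostname.endswith(pattern)
    return pattern in (addr, hostname)                # exact address or exact host name


def hosts_access(daemon, addr, hostname=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Decide as tcpd does: hosts.allow first, then hosts.deny, allow if nothing matches."""
    for verdict, text in ((True, allow), (False, deny)):
        for daemons, clients in parse_rules(text):
            if any(d.upper() == "ALL" or d == daemon for d in daemons) and \
               any(client_matches(c, addr, hostname) for c in clients):
                return verdict
    return True
```

Passing empty strings for both files reproduces the Slackware default, where every (daemon, client) pair is allowed.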

Notes

This does not cover every variation in the grammar of these two files, nor will it secure every service that opens a port, but it should give you a taste of what can be done.

See also

man 5 hosts_access
