/etc/hosts.allow /etc/hosts.deny confusion

kbmaniac
Level 1
Posts: 32
Joined: Thu Feb 17, 2011 3:25 pm

/etc/hosts.allow /etc/hosts.deny confusion

Post by kbmaniac »

Hi All,

I am trying to get a LAN NFS server configured but am stumped by /etc/hosts.allow /etc/hosts.deny. I have ...

/etc/hosts.allow
rpcbind : 192.168.0.

/etc/hosts.deny
ALL: ALL

When I try and link via NFS I get
Jul 29 11:53:14 dave-desktop rpc.mountd[1308]: connect from 192.168.0.7 denied: request from unauthorized host

If I remove /etc/hosts.deny it works, so I am thinking 192.168.0. is not matching 192.168.0.7 and it's dropping to the global deny?

Can anyone shed any light ?

Cheers

Dave
PatH57

Re: /etc/hosts.allow /etc/hosts.deny confusion

Post by PatH57 »

Hi Dave,

your deny should be empty
ALL: PARANOID
mode or just have an ip of a machine you don't want to give access

and your allow should have the ip addresses of the machines allowed access in your case 192.168.0.7 (if it is a fixed ip)

if the ip is not in allowed it won't be able to access anyway, so no need to have a specific entry in deny except if they have the same ip but a different subnet, which on a home lan is very rare.
kbmaniac

Re: /etc/hosts.allow /etc/hosts.deny confusion

Post by kbmaniac »

Thanks for replying :)

I was looking at http://jamalahmed.wordpress.com/2010/03 ... cure-unix/

Which seems to say if no rule matches in allow or deny they allow it. I want to allow access to all machines on my LAN 192.168.0.x and block any other services.

Cheers

Dave
PatH57

Re: /etc/hosts.allow /etc/hosts.deny confusion

Post by PatH57 »

machines trying from the outside would have to pass through your router (already difficult to hack this)

http://static.closedsrc.org/articles/dn ... allow.html

in your case local would be enough so only local units can access (192.168.x.x)
eanfrid

Re: /etc/hosts.allow /etc/hosts.deny confusion

Post by eanfrid »

Hi,
Is your /etc/hosts.allow correctly formatted ?

Code:
grep -e warn /var/log/auth.log
A common mistake is the missing last newline :)
Which seems to say if no rule matches in allow, or deny they allow it
Yes. If there is no matching deny rule, all non-matching will skip to the next and then be allowed. Hence to deny all incoming connections by default, you need the single line "ALL: ALL" in /etc/hosts.deny.
kbmaniac

Re: /etc/hosts.allow /etc/hosts.deny confusion

Post by kbmaniac »

Hi All,

Thanks for replying. Well, have had some fun. Am using the NFS server to pick up Clonezilla images and no matter what I do I cannot get it to link if ALL:ALL is in hosts.deny. Tried all sorts in hosts.allow but it appears that whatever I try it just fails. Yep, checked for a couple of newlines after the config (nasty gotcha!).

Then rather than keep booting Clonezilla and trying it, I tried manually mounting the NFS server from my laptop. Worked a treat, even if I had ALL:ALL in hosts.deny and zip in hosts.allow, which by my reckoning should have blocked everything. In fact as a manual mount I could not block it ... at this point I considered what you guys had said: it is on a secure LAN behind a NAT router - that is good enough.

It's all very odd ... been tinkering with Linux for a long time but have to confess am confused by this one.

Thanks again

Dave
PatH57

Re: /etc/hosts.allow /etc/hosts.deny confusion

Post by PatH57 »

Hi Dave,

I think you confused us also:
the deny all:all means nobody no machine nada can access the shares, how did you expect clonezilla to do so if you denied everybody to do so?

Now you mounted locally (thank god you didn't play with hosts settings there) and it works as it should
:wink:
kbmaniac

Re: /etc/hosts.allow /etc/hosts.deny confusion

Post by kbmaniac »

Sorry am terrible at explaining myself :)

When I was trying to get clonezilla to link I had ALL:ALL in hosts.deny but rpchost:192.168.0. in hosts.allow ... did not work :(

Trouble was I had to keep booting Clonezilla every time I wanted to see if it worked, which took a long time, so I hatched the plan to try mounting manually from my laptop on the LAN. Experimenting with that I found that no matter what I put in allow / deny, including zip in allow and ALL:ALL in deny, I could not block the NFS mounting.

Now heading for the bar :)

Dave
PatH57

Re: /etc/hosts.allow /etc/hosts.deny confusion

Post by PatH57 »

ALL:ALL in hosts.deny but rpchost:192.168.0. in hosts.allow ... did not work :(

normal deny overrides allow that's why I told you not to put anything in deny see what I mean :lol:
kbmaniac

Re: /etc/hosts.allow /etc/hosts.deny confusion

Post by kbmaniac »

Doh !!! ... when I get to the bar will now order a double !!!

Cheers

Dave
eanfrid

Re: /etc/hosts.allow /etc/hosts.deny confusion

Post by eanfrid »

Sorry but this was good:
kbmaniac wrote: /etc/hosts.allow
rpcbind : 192.168.0.

/etc/hosts.deny
ALL: ALL
where does your "rpchost" daemon name come from ? :?
PatH57

Re: /etc/hosts.allow /etc/hosts.deny confusion

Post by PatH57 »

eanfrid

I stand corrected, thanks for the explanation
ACCESS CONTROL FILES
The access control software consults two files. The search stops at the first match:

* Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file.
* Otherwise, access will be denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file.
* Otherwise, access will be granted.
kbmaniac

Re: /etc/hosts.allow /etc/hosts.deny confusion

Post by kbmaniac »

dave-desktop dave # cat /etc/hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#

Was using it to try and lock down the portmapper and thus any other services ...

Cheers

Dave
eanfrid

Re: /etc/hosts.allow /etc/hosts.deny confusion

Post by eanfrid »

We all know this from the beginning. What I tell you is that rpcbind is the correct daemon name and that rpchost is not :mrgreen:
kbmaniac wrote:rpchost:192.168.0. in hosts.allow ... did not work :(
:roll:
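An added example, not code from the thread or from TCP Wrappers itself: a small Python model of the hosts_access(5) decision order quoted by PatH57, run against the mistyped daemon name eanfrid spotted and against the missing-last-newline gotcha. It assumes only the pattern subset named in the comments (ALL, a trailing-dot network prefix, a leading-dot domain suffix, an exact name); real libwrap supports much more (netgroups, masks, EXCEPT, options).

```python
import re

def _split_list(text):
    return [t for t in re.split(r"[\s,]+", text.strip()) if t]  # blanks and/or commas

def parse_rules(text, name):
    """Parse one access-control file (given as a string, constructed inline below).
    Returns (rules, warnings); each rule is (line_no, daemon_patterns, client_patterns).
    A final line without its trailing newline is skipped with a warning (the gotcha)."""
    rules, warnings = [], []
    for n, raw in enumerate(text.splitlines(keepends=True), 1):
        if not raw.endswith("\n"):
            warnings.append(f"{name} line {n}: missing newline or line too long")
            continue
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        rules.append((n, _split_list(daemons), _split_list(clients)))
    return rules, warnings

def _matches(pattern, value):
    """Modelled subset: ALL, a trailing-dot prefix such as '192.168.0.' (any host
    in 192.168.0.x), a leading-dot domain suffix, or an exact daemon/host name."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return value.startswith(pattern)
    if pattern.startswith("."):
        return value.endswith(pattern)
    return pattern == value

def hosts_access(allow_text, deny_text, daemon, client):
    """Decide a (daemon, client) pair in hosts_access(5) order: an allow match grants,
    else a deny match denies, else access is granted. Returns (verdict, reason, warnings)."""
    all_warnings = []
    for verdict, text, name in (("granted", allow_text, "hosts.allow"),
                                ("denied", deny_text, "hosts.deny")):
        rules, warnings = parse_rules(text, name)
        all_warnings += warnings
        for n, daemons, clients in rules:
            if any(_matches(p, daemon) for p in daemons) and \
               any(_matches(p, client) for p in clients):
                return verdict, f"{name} line {n}", all_warnings
    return "granted", "no rule matched", all_warnings

if __name__ == "__main__":
    # Constructed sample: the thread's deny file, checked for client 192.168.0.7 by rpcbind
    for allow in ("rpchost : 192.168.0.\n", "rpcbind : 192.168.0.\n", "rpcbind : 192.168.0."):
        print(repr(allow), "->", hosts_access(allow, "ALL: ALL\n", "rpcbind", "192.168.0.7"))
```

The first run reproduces the thread's "denied: request from unauthorized host" (the mistyped daemon name never matches in hosts.allow, so ALL: ALL in hosts.deny wins), the second grants, and the third is denied again because the rule without a trailing newline is skipped with a warning.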
kbmaniac

Re: /etc/hosts.allow /etc/hosts.deny confusion

Post by kbmaniac »

OK, so going to find a small room, softly close the door, and scream for a little while ... will feel much better afterwards :)

Many Thanks

Dave