/etc/hosts.allow /etc/hosts.deny confusion
Hi All,
I am trying to get a LAN NFS server configured but am stumped by /etc/hosts.allow /etc/hosts.deny, I have ...
/etc/hosts.allow
rpcbind : 192.168.0.
/etc/hosts.deny
ALL: ALL
When I try and link via NFS I get
Jul 29 11:53:14 dave-desktop rpc.mountd[1308]: connect from 192.168.0.7 denied: request from unauthorized host
If I remove /etc/hosts.deny it works, so I am thinking 192.168.0. is not matching 192.168.0.7 and it's dropping to the global deny?
Can anyone shed any light ?
Cheers
Dave
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: /etc/hosts.allow /etc/hosts.deny confusion
Hi Dave,
your deny should be empty
mode or just have an ip of a machine you don't want to give access
ALL: PARANOID
and your allow should have the ip addresses of the machines allowed access, in your case 192.168.0.7 (if it is a fixed ip)
if the ip is not in allowed it won't be able to access anyway, so no need to have a specific entry in deny except if they have the same ip but a different subnet, which on a home lan is very rare.
Re: /etc/hosts.allow /etc/hosts.deny confusion
Thanks for replying
I was looking at http://jamalahmed.wordpress.com/2010/03 ... cure-unix/
Which seems to say if no rule matches in allow, or deny they allow it, I want to allow access to all machines on my lan 192.168.0.x but block any other services.
Cheers
Dave
Re: /etc/hosts.allow /etc/hosts.deny confusion
machines trying from the outside would have to pass through your router (already difficult to hack this)
http://static.closedsrc.org/articles/dn ... allow.html
in your case local would be enough so only local units can access (192.168.x.x)
Re: /etc/hosts.allow /etc/hosts.deny confusion
Hi,
Is your /etc/hosts.allow correctly formatted?
Code:
grep -e warn /var/log/auth.log
A common mistake is the missing last newline
"Which seems to say if no rule matches in allow, or deny they allow it"
Yes. If there is no matching deny rule, all non matching will skip to next and then be allowed. Hence to deny all incoming connections by default, you need the single line "ALL: ALL" in /etc/hosts.deny.
Re: /etc/hosts.allow /etc/hosts.deny confusion
Hi All,
Thanks for replying, well have had some fun, am using the NFS server to pick up clonezilla images and no matter what I do I cannot get it to link if ALL:ALL is in hosts.deny, tried all sorts in hosts.allow but appears that whatever I try it just failed, yep checked for a couple of newlines after the config (nasty gotcha!)
Then rather than keep booting clonezilla and trying it I tried manually mounting the NFS server from my laptop, worked a treat, even if I had ALL:ALL in hosts.deny and zip in hosts.allow which by my reckoning should have blocked everything. In fact as a manual mount I could not block it ... at this point I considered what you guys had said, it is on a secure LAN behind a NAT router - that is good enough.
It's all very odd ... been tinkering with Linux for a long time but have to confess am confused by this one
Thanks again
Dave
Re: /etc/hosts.allow /etc/hosts.deny confusion
Hi Dave,
I think you confused us also:
the deny all:all means nobody no machine nada can access the shares, how did you expect clonezilla to do so if you denied everybody to do so?
Now you mounted locally (thank god you didn't play with hosts settings there) and it works as it should
Re: /etc/hosts.allow /etc/hosts.deny confusion
Sorry am terrible at explaining myself
When I was trying to get clonezilla to link I had ALL:ALL in hosts.deny but rpchost:192.168.0. in hosts.allow ... did not work
Trouble was I had to keep booting clonezilla every time I wanted to see if it worked, took a long time, so I hatched the plan to try mounting manually from my laptop on the LAN, experimenting with that I found that no matter what I put in allow / deny including zip in allow and ALL:ALL in deny I could not block the NFS mounting.
Now heading for the bar
Dave
Re: /etc/hosts.allow /etc/hosts.deny confusion
ALL:ALL in hosts.deny but rpchost:192.168.0. in hosts.allow ... did not work
normal deny overrides allow that's why I told you not to put anything in deny see what I mean
Re: /etc/hosts.allow /etc/hosts.deny confusion
Doh !!! ... when I get to the bar will now order a double !!!
Cheers
Dave
Re: /etc/hosts.allow /etc/hosts.deny confusion
Sorry but this was good:
kbmaniac wrote:
/etc/hosts.allow
rpcbind : 192.168.0.
/etc/hosts.deny
ALL: ALL
where does your "rpchost" daemon name come from?
Re: /etc/hosts.allow /etc/hosts.deny confusion
eanfrid
I stay corrected, thanks for the explanation
ACCESS CONTROL FILES
The access control software consults two files. The search stops at the first match:
* Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file.
* Otherwise, access will be denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file.
* Otherwise, access will be granted.
Re: /etc/hosts.allow /etc/hosts.deny confusion
dave-desktop dave # cat /etc/hosts.allow
# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5) and hosts_options(5).
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "rpcbind" for the
# daemon name. See rpcbind(8) and rpc.mountd(8) for further information.
#
Was using it to try and lock down the portmapper and thus any other services ...
Cheers
Dave
Re: /etc/hosts.allow /etc/hosts.deny confusion
We all know this from the beginning. What I tell you is that rpcbind is the correct daemon name and that rpchost is not
kbmaniac wrote: rpchost:192.168.0. in hosts.allow ... did not work
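The lookup order quoted from hosts_access(5) and the daemon-name point above, worked through as an added example that is not part of the original thread: a simplified Python model of the allow/deny decision, run against the two files from the first post. The `decide` helper and the `mountd` daemon name are assumptions made for illustration; only `ALL`, exact addresses and trailing-dot prefixes are modelled.

```python
# Added example: simplified model of the hosts_access(5) lookup order.
# Supports only ALL, exact client addresses and trailing-dot prefixes such as
# "192.168.0." (no EXCEPT, netmasks, hostnames, LOCAL/PARANOID or options).

def parse_rules(text):
    """Return [(daemon_list, client_list)] from an access control file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, _, rest = line.partition(":")
        clients = rest.split(":", 1)[0]      # drop any trailing options field
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                # "192.168.0." matches 192.168.0.7
        return addr.startswith(pattern)
    return pattern == addr

def file_matches(text, daemon, addr):
    """True if any rule in the file matches the (daemon, client) pair."""
    for daemons, clients in parse_rules(text):
        if any(d in ("ALL", daemon) for d in daemons) and \
           any(client_matches(c, addr) for c in clients):
            return True
    return False

def decide(allow_text, deny_text, daemon, addr):
    """hosts.allow match grants; else hosts.deny match denies; else grant."""
    if file_matches(allow_text, daemon, addr):
        return "granted by hosts.allow"
    if file_matches(deny_text, daemon, addr):
        return "denied by hosts.deny"
    return "granted (no rule matched)"

# The two files from the first post.
ALLOW = "rpcbind : 192.168.0.\n"
DENY = "ALL: ALL\n"

if __name__ == "__main__":
    # "mountd" is an assumed daemon name, used to show a second service.
    for daemon in ("rpcbind", "mountd"):
        for addr in ("192.168.0.7", "10.0.0.5"):
            print(daemon, addr, "->", decide(ALLOW, DENY, daemon, addr))
    print(decide("rpchost : 192.168.0.\n", DENY, "rpcbind", "192.168.0.7"))
```

A rule keyed on one daemon name covers only that name: any other wrapped daemon, or a misspelt name such as `rpchost`, falls through to `ALL: ALL` in hosts.deny.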
Re: /etc/hosts.allow /etc/hosts.deny confusion
OK so going to find a small room, softly close the door, and scream for a little while ... will feel much better afterwards
Many Thanks
Dave