RE: Hosts.all/Hosts.deny vs. a firewall?
Andrew,
I also have proftpd running but it was _not_ called from inetd.conf. I added the line like you suggested. I also confirmed I have TCP wrappers installed. After that I nmap'd myself and I see several listings that are not in the inetd.conf. Where can I turn these off?
111/tcp open Sunrpc
113/tcp open auth <--- need that one?
515/tcp open printer
6000/tcp open X11
Additionally, I noticed that smtp is not called like ftp is, with /usr/sbin/tcpd first; it's just called as /usr/sbin/exim. Does this mean that hosts.deny would not protect that port? (Getting a little confused here.)
Bill
----- Forwarded message from Pollywog <pollywog@shadypond.com> -----
Envelope-to: jensenb@localhost
Date: Sun, 27 Aug 2000 01:58:25 +0000 (UTC)
From: Pollywog <pollywog@shadypond.com>
Subject: RE: Hosts.all/Hosts.deny vs. a firewall?
In-reply-to: <20000826204727.A16612@charter.net>
To: William Jensen <jensenb@charter.net>
Reply-to: Pollywog <pollywog@shadypond.com>
Organization: The Pond
X-Mailer: XFMail 1.4.6 on Linux
X-Priority: 3 (Normal)
On 27-Aug-2000 William Jensen wrote:
> So far I have the following setup:
>
> hosts.deny:
>
> ALL:ALL
>
> hosts.allow:
>
> ALL: my_work.domain
>
> My intention is to prevent everyone from the 'outside' from reaching my box.
> I do realize that anyone in my_work.domain would also be able to get at it.
>
> It is my understanding that this will prevent anyone not in my_work.domain
> from getting to my box with telnet, ftp, etc. Is this correct? Is this
> secure? If this is indeed correct could someone tell me why I would
> need/want a firewall and/or what benefit it would provide me over what I
> already have setup? More specifically how does a firewall differ from using
> the hosts.allow/hosts.deny files as I described above.
/etc/hosts.deny will only prevent access to FTP, telnetd, etc. if you are using
TCP Wrappers:
First make sure you have tcpd installed; it is TCP Wrappers.
Make sure your ftpd is called from /etc/inetd.conf something like this:
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/proftpd
That should all be on one line in /etc/inetd.conf. I am using proftpd but if
you are using some other ftp daemon, such as in.telnetd, then put "in.telnetd"
where I have "proftpd".
Any services that do not run from inetd must be protected by a firewall or
turned off.
BTW if you are using apt-get, you can install tcpd with 'apt-get install tcpd'
--
Andrew
----- End forwarded message -----
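The point Andrew makes (hosts.allow/hosts.deny only cover inetd entries whose server field is tcpd) and Bill's exim question can be checked mechanically. The script below is an added example, not code from either poster: it reads an inetd.conf and reports which active entries are wrapped; the sample file it writes is constructed to mirror the thread (ftp wrapped, smtp started directly as exim).

```shell
#!/bin/sh
# Report which inetd.conf services go through tcpd (and so honour
# /etc/hosts.allow and /etc/hosts.deny) and which do not.
# Note: daemons started outside inetd (portmap, lpd, X, a standalone exim)
# never appear here; whether they honour hosts.deny depends on whether they
# were built with libwrap, so they need a firewall or to be switched off.

# Write a constructed sample inetd.conf to the path given as $1.
make_sample() {
  cat > "$1" <<'EOF'
# constructed sample /etc/inetd.conf (not a real host's file)
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/proftpd
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.telnetd
smtp    stream  tcp  nowait  mail  /usr/sbin/exim  exim -bs
#finger stream  tcp  nowait  nobody /usr/sbin/tcpd /usr/sbin/in.fingerd
EOF
}

# Print "<service> wrapped" or "<service> UNWRAPPED" per active entry.
# inetd.conf fields: name type proto wait user server-path server-args;
# an entry is wrapped when the server path (field 6) is tcpd.
wrapper_report() {
  awk '
    /^[[:space:]]*#/ || NF < 6 { next }   # skip comments and short lines
    { status = ($6 ~ /(^|\/)tcpd$/) ? "wrapped" : "UNWRAPPED"
      print $1, status }
  ' "$1"
}

# Number of active entries that bypass tcpd.
unwrapped_count() {
  wrapper_report "$1" | grep -c UNWRAPPED
}

# Usage: sh wrapcheck.sh /etc/inetd.conf ; with no argument the sample is used.
if [ $# -eq 0 ]; then
  make_sample "${TMPDIR:-/tmp}/inetd.conf.sample"
  set -- "${TMPDIR:-/tmp}/inetd.conf.sample"
fi
wrapper_report "$1"
echo "inetd services not protected by hosts.deny: $(unwrapped_count "$1")"
```

On the sample this lists smtp as UNWRAPPED, which is exactly the situation Bill describes: hosts.deny has no say over that entry until exim is invoked via tcpd.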