filtering access via hosts.allow

I am trying to prevent access from half the world's idiots through
hosts.allow using:

sendmail: ALL
sshd: 192.168.1., 68.155. : allow
httpd: .us, .com, .net, .gov, .org, .nz, .nl, .mx, .lu, .gb, .de, .ca,
..bs, .at, .au : allow
vsftpd: 192.168.1., 68.155. : allow

I was led to believe I could filter requests by countries via this
format of TLDs from some FAQ I read. I am still getting pounded
through ssh and http by sources in Asia. My hosts.deny was
alternatively empty and ALL: ALL.

I know I have other issues from sources that I am allowing access, but
I feel I can deal with that on a piecemeal basis. What is the correct
format for this filter (and hosts.deny).

thanks
ed

On 4 Jan 2006 07:08:56 -0800, (E-Mail Removed) wrote:
> I am trying to prevent access from half the world's idiots through
> hosts.allow using:
>
> sendmail: ALL
> sshd: 192.168.1., 68.155. : allow
> httpd: .us, .com, .net, .gov, .org, .nz, .nl, .mx, .lu, .gb, .de, .ca,

Hmmm, .net, looking at my ip I get
$ host 24.1.202.185
domain name pointer c-24-1-202-185.hsd1.tx.comcast.net

Looks like that would let anyone from comcast.net or covad.net


> .bs, .at, .au : allow
> vsftpd: 192.168.1., 68.155. : allow

Instead of the 192.168.1. I use LOCAL and anyone on my local lan .home.invalid
ALL: LOCAL,.home.invalid

As for your : allow; by defintion, anyone in hosts.allow is allowed.

> I was led to believe I could filter requests by countries via this
> format of TLDs from some FAQ I read. I am still getting pounded
> through ssh and http by sources in Asia.

You will get pounded regardless of what is in your allow/deny.
Your hosts.allow/deny will be used when someone tries to connedt to a
wrapped service.

Put up a firewall, and poke holes in it for what you want.
I am running Mandriva Linux and use webmin to manage the config rules.
You can use blacklist to manage ip ranges, ports, protocol...


> My hosts.deny was
> alternatively empty and ALL: ALL.

hosts.deny needs the
ALL: ALL <=== followed by a carriage return

>You will get pounded regardless of what is in your allow/deny.
>Your hosts.allow/deny will be used when someone tries to connedt to a
>wrapped service.

These rules should not allow an attempt to login correct?

Entry from /var/log/secure:
sshd[24121]: Failed password for invalid user mwe from 222.233.123.198
port 45256 ssh2
sshd[24121]: Invalid user mwe from 222.233.123.198

On 4 Jan 2006 08:17:28 -0800, (E-Mail Removed) wrote:
>>You will get pounded regardless of what is in your allow/deny.
>>Your hosts.allow/deny will be used when someone tries to connedt to a
>>wrapped service.
>
> These rules should not allow an attempt to login correct?

No idea, my firewall stops attempts from connecting.
Is the tpcd service/daemon running?

> Entry from /var/log/secure:

My logs only has entries from my lan box.

(E-Mail Removed) wrote:
>>You will get pounded regardless of what is in your allow/deny.
>>Your hosts.allow/deny will be used when someone tries to connedt to a
>>wrapped service.

> These rules should not allow an attempt to login correct?

They cannot prevent the attempt but do prevent the login. You'll need
a firewall to prevent the attempt.

> Entry from /var/log/secure:
> sshd[24121]: Failed password for invalid user mwe from 222.233.123.198
> port 45256 ssh2
> sshd[24121]: Invalid user mwe from 222.233.123.198

--
Clifford Kite Email: "echo xvgr_yvahk-(E-Mail Removed)|rot13"

In comp.os.linux.networking (E-Mail Removed):
>>You will get pounded regardless of what is in your allow/deny.
>>Your hosts.allow/deny will be used when someone tries to connedt to a
>>wrapped service.
^^^^^^^

> These rules should not allow an attempt to login correct?

> Entry from /var/log/secure:
> sshd[24121]: Failed password for invalid user mwe from 222.233.123.198
> port 45256 ssh2

Is your sshd compiled to support tcp_wrapper at all?

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 62: need to wrap system in aluminum foil to
fix problem

On 01/04/06 16:08, (E-Mail Removed) wrote:
> I am trying to prevent access from half the world's idiots through
> hosts.allow using:
>
> sendmail: ALL
> sshd: 192.168.1., 68.155. : allow
> httpd: .us, .com, .net, .gov, .org, .nz, .nl, .mx, .lu, .gb, .de, .ca,
> .bs, .at, .au : allow
> vsftpd: 192.168.1., 68.155. : allow
>
> I was led to believe I could filter requests by countries via this
> format of TLDs from some FAQ I read. I am still getting pounded
> through ssh and http by sources in Asia. My hosts.deny was
> alternatively empty and ALL: ALL.
>
> I know I have other issues from sources that I am allowing access, but
> I feel I can deal with that on a piecemeal basis. What is the correct
> format for this filter (and hosts.deny).
>
> thanks
> ed
>

Maybe your httpd and sshd daemons do not use "Tcp Wrappers".

AFAIK they are standalone daemons and do not get wakened via inetd.

Ciao
Giovanni
--
A computer is like an air conditioner,
it stops working when you open Windows.
Registered Linux user #337974 <http://counter.li.org/>

In comp.os.linux.networking Giovanni <(E-Mail Removed)>:
> On 01/04/06 16:08, (E-Mail Removed) wrote:
>> I am trying to prevent access from half the world's idiots through
>> hosts.allow using:
>>
>> sendmail: ALL
>> sshd: 192.168.1., 68.155. : allow
>> httpd: .us, .com, .net, .gov, .org, .nz, .nl, .mx, .lu, .gb, .de, .ca,
>> .bs, .at, .au : allow
>> vsftpd: 192.168.1., 68.155. : allow
[..]

> Maybe your httpd and sshd daemons do not use "Tcp Wrappers".

> AFAIK they are standalone daemons and do not get wakened via inetd.

Sshd can use tcp_wrapper if compiled to do so, no matter if
started from (x)inetd or not, though many distro default sshd
aren't compiled to do so.

Httpd certainly doesn't.

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 119: evil hackers from Serbia.

On 01/05/06 15:50, Michael Heiming wrote:
> In comp.os.linux.networking Giovanni <(E-Mail Removed)>:
>
>>On 01/04/06 16:08, (E-Mail Removed) wrote:
>>
>>>I am trying to prevent access from half the world's idiots through
>>>hosts.allow using:
>>>
>>>sendmail: ALL
>>>sshd: 192.168.1., 68.155. : allow
>>>httpd: .us, .com, .net, .gov, .org, .nz, .nl, .mx, .lu, .gb, .de, .ca,
>>>.bs, .at, .au : allow
>>>vsftpd: 192.168.1., 68.155. : allow
>
> [..]
>
>
>>Maybe your httpd and sshd daemons do not use "Tcp Wrappers".
>
>
>>AFAIK they are standalone daemons and do not get wakened via inetd.
>
>
> Sshd can use tcp_wrapper if compiled to do so, no matter if
> started from (x)inetd or not, though many distro default sshd
> aren't compiled to do so.
>
> Httpd certainly doesn't.
>

You can start apache from your inetd daemon, as long as you set
ServerType inetd

I can't say anything about performances ;-)

Ciao
Giovanni
--
A computer is like an air conditioner,
it stops working when you open Windows.
Registered Linux user #337974 <http://counter.li.org/>

In comp.os.linux.networking Giovanni <(E-Mail Removed)>:
> On 01/05/06 15:50, Michael Heiming wrote:
>> In comp.os.linux.networking Giovanni <(E-Mail Removed)>:
>>
>>>On 01/04/06 16:08, (E-Mail Removed) wrote:
>>>
>>>>I am trying to prevent access from half the world's idiots through
>>>>hosts.allow using:
[..]

>>>Maybe your httpd and sshd daemons do not use "Tcp Wrappers".
>>
>>
>>>AFAIK they are standalone daemons and do not get wakened via inetd.
>>
>>
>> Sshd can use tcp_wrapper if compiled to do so, no matter if
>> started from (x)inetd or not, though many distro default sshd
>> aren't compiled to do so.
>>
>> Httpd certainly doesn't.
>>

> You can start apache from your inetd daemon, as long as you set
> ServerType inetd

> I can't say anything about performances ;-)

For the record, it is possible though you need to reconfigure it
and I'm not aware of anyone serious doing so, since apache has
built in access control that easily allows this. Running https
defeats this unless someone is brainless not to use a passphrase
on the servers cert.

Dunno about anyone serious doing this, so it escaped from my
mind. ;-)

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 28: CPU radiator broken