#1 2011-07-18 17:11:16

Mr. Alex
Member
Registered: 2010-08-26
Posts: 623

Question about hosts.allow/hosts.deny

Hello!

I have

ALL: ALL

in /etc/hosts.deny
and some services in /etc/hosts.allow excluding httpd. However, I can get access to my sites which are hosted by Apache (locally). I don't have httpd in my /etc/hosts.allow at all. So why does Apache give me access to my sites? Thinking it through, it should be denied by /etc/hosts.deny...


#2 2011-07-18 17:23:27

oliver
Member
Registered: 2007-12-12
Posts: 448

Re: Question about hosts.allow/hosts.deny

Not sure if you have a config error somewhere, but /etc/hosts.allow and /etc/hosts.deny are being deprecated

http://www.archlinux.org/news/dropping- … s-support/

2011-07-16 - Dan McGee

tcp_wrappers support is being dropped from all packages and the package removed from [core]. This is due to upstream not having released a new version since April 1997. Additionally, newer daemons and applications are inconsistent in their support for libwrap, leading to confusion as to whether an application supports the library.

If you currently use /etc/hosts.allow or /etc/hosts.deny for security or logging purposes, you will need to adjust accordingly and use another tool such as iptables, or other firewall helper programs.

Additionally, the denyhosts package will be dropped as it depends on tcp_wrappers to enforce the banned hosts list. A useful alternative is fail2ban.


#3 2011-07-18 17:37:16

Mr. Alex
Member
Registered: 2010-08-26
Posts: 623

Re: Question about hosts.allow/hosts.deny

Thanks, this explains the situation.
Will these files (hosts.{allow,deny}) be deleted from Arch in the near future? Just curious.


#4 2011-07-18 17:51:48

Army
Member
Registered: 2007-12-07
Posts: 1,784

Re: Question about hosts.allow/hosts.deny

Well, they belong to the package tcp_wrappers, which still is in the repo, but I guess it will be deleted soon. I already removed it. Now we all have to learn how iptables works. Take a look into the wiki, there are good starting guides.


#5 2011-07-18 18:15:31

toofishes
Developer
From: Chicago, IL
Registered: 2006-06-06
Posts: 602
Website

Re: Question about hosts.allow/hosts.deny

httpd has never been built with tcp_wrappers support, so your config in the files had no effect whatsoever for Apache. Another reason why we're dumping tcp_wrappers - it is hard to know whether a piece of software is even built with support for it.


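One way to check the point made in post #5, whether a given daemon is linked against libwrap at all, is to look for the library in its `ldd` output. This is an added example, not part of the thread; the sample `ldd` output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `ldd` output whether a
# daemon is linked against libwrap, i.e. whether /etc/hosts.allow and
# /etc/hosts.deny can affect it at all.

# Return 0 if the ldd-style text on stdin lists libwrap as a shared library.
uses_libwrap() {
    grep -q 'libwrap\.so'
}

# Print "wrapped" or "ignored" for the ldd-style text on stdin.
# "ignored" refers to the binary alone: a service started through the tcpd
# wrapper program is still filtered without linking libwrap itself.
verdict() {
    if uses_libwrap; then echo wrapped; else echo ignored; fi
}

# Constructed sample: ldd output of a daemon built with tcp_wrappers support.
sample_with_libwrap() {
    printf '\tlinux-vdso.so.1 (0x00007fff00000000)\n'
    printf '\tlibwrap.so.0 => /usr/lib/libwrap.so.0 (0x00007f0000200000)\n'
    printf '\tlibc.so.6 => /lib/libc.so.6 (0x00007f0000000000)\n'
}

# Constructed sample: ldd output of a daemon built without it (the httpd case).
sample_without_libwrap() {
    printf '\tlinux-vdso.so.1 (0x00007fff00000000)\n'
    printf '\tlibpcre.so.0 => /usr/lib/libpcre.so.0 (0x00007f0000400000)\n'
    printf '\tlibc.so.6 => /lib/libc.so.6 (0x00007f0000000000)\n'
}

# Check real binaries on a live system; pass their paths as arguments.
audit() {
    for bin in "$@"; do
        if [ -x "$bin" ]; then
            printf '%s: %s\n' "$bin" "$(ldd "$bin" 2>/dev/null | verdict)"
        else
            printf '%s: not found\n' "$bin"
        fi
    done
}

printf 'sample with libwrap: %s\n' "$(sample_with_libwrap | verdict)"
printf 'sample without libwrap: %s\n' "$(sample_without_libwrap | verdict)"
audit "$@"
```

Run it with the paths of the daemons you care about as arguments; any binary reported as "ignored" needs a packet filter rule or its own access controls rather than hosts.deny.
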
#6 2011-07-18 18:27:22

Mektub
Member
From: Lisbon /Portugal
Registered: 2008-01-02
Posts: 647

Re: Question about hosts.allow/hosts.deny

Army wrote:

Well, they belong to the package tcp_wrappers, which still is in the repo, but I guess it will be deleted soon. I already removed it. Now we all have to learn how iptables works. Take a look into the wiki, there are good starting guides.

Army,

pacman -R tcp_wrappers
checking dependencies...
error: failed to prepare transaction (could not satisfy dependencies)
:: esound: requires tcp_wrappers
:: inetutils: requires tcp_wrappers
:: libmysqlclient: requires tcp_wrappers
:: nfs-utils: requires tcp_wrappers
:: openssh: requires tcp_wrappers
:: rrdtool: requires tcp_wrappers
:: syslog-ng: requires tcp_wrappers
:: xinetd: requires tcp_wrappers

Did you force the removal of tcp_wrappers?

Mektub


Follow me on twitter: https://twitter.com/johnbina


#7 2011-07-18 20:53:04

bluepumpkin
Member
Registered: 2009-08-28
Posts: 58

Re: Question about hosts.allow/hosts.deny

Mektub,
Perhaps your system is out of date? Nothing on my system depends on tcp_wrappers, and I have esound, inetutils, openssh, and syslog-ng installed.


#8 2011-07-18 21:18:18

student975
Member
From: Russian Federation
Registered: 2011-03-05
Posts: 613

Re: Question about hosts.allow/hosts.deny

I also have this with an up-to-date Arch:

$ sudo pacman -R tcp_wrappers
checking dependencies...
error: failed to prepare transaction (could not satisfy dependencies)
:: esound: requires tcp_wrappers
:: inetutils: requires tcp_wrappers
:: libmysqlclient: requires tcp_wrappers
:: openssh: requires tcp_wrappers
:: syslog-ng: requires tcp_wrappers

"I exist" is the best myth I know..


#9 2011-07-18 21:19:22

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Question about hosts.allow/hosts.deny

bluepumpkin wrote:

Mektub,
Perhaps your system is out of date? Nothing on my system depends on tcp_wrappers, and I have esound, inetutils, openssh, and syslog-ng installed.

http://www.archlinux.org/packages/core/ … _wrappers/


#10 2011-07-18 21:24:53

Mektub
Member
From: Lisbon /Portugal
Registered: 2008-01-02
Posts: 647

Re: Question about hosts.allow/hosts.deny

bluepumpkin wrote:

Mektub,
Perhaps your system is out of date? Nothing on my system depends on tcp_wrappers, and I have esound, inetutils, openssh, and syslog-ng installed.

Just checked, and all my packages are the latest stable (x86-64) version.

esound 0.2.41-1
inetutils 1.8-2
openssh 5.8p2-8
syslog-ng 3.2.4-2

I even checked with the mirror list status on the ARCH homepage and put the freshest one on top of the mirrorlist file.

But I also noticed that all these files have an upgraded version on testing.
Perhaps you have "testing" enabled.

Anyhow, no hurry, I can wait.

Mektub


Follow me on twitter: https://twitter.com/johnbina


#11 2011-07-18 21:47:58

bluepumpkin
Member
Registered: 2009-08-28
Posts: 58

Re: Question about hosts.allow/hosts.deny

D'oh, I am running [testing]. Ignore me.
