#1 2005-01-08 06:51:44

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Installation doc FAQ clarification.

http://www.archlinux.org/docs/en/guide/ … guide.html

I can't ssh into my machine!

Edit your /etc/hosts.deny file. The default configuration will reject all incoming connections.

Shouldn't people just add

sshd:ALL

to /etc/hosts.allow ?
Allow rules supersede deny rules, so ssh would be allowed. Then all the other connections are still by default denied.
I think that would be better.

Comments?


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍

Offline

#2 2005-01-08 15:19:52

scottro
Member
From: NYC
Registered: 2002-10-11
Posts: 466
Website

Re: Installation doc FAQ clarification.

I agree. There should be a few examples, that one, or, for example, allowing it from your network, such as

ALL: ALL EXCEPT 192.168.1.0/255.255.255.0

I find that Arch is one of the few distributions still using that instead of iptables, so I constantly forget the syntax.

Offline

#3 2005-01-08 20:35:32

oscar
Member
From: Kiruna, Sweden
Registered: 2004-08-13
Posts: 457

Re: Installation doc FAQ clarification.

I think this sounds like a good idea - but a stupid one, at the same time.
Surely, they have sshd access after a default install - but what if they are hosting a webpage on the computer, and haven't even noticed the hosts.deny-file, and can't make the httpd work properly?

A short message after installing ssh that you should check out /etc/hosts.deny before getting any help would suffice, IMHO.


To err is human... to really foul up requires the root password.

Offline

#4 2005-01-08 20:47:09

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Installation doc FAQ clarification.

httpd doesn't listen to hosts.allow or deny. Only programs that use tcp_wrappers care about what is in those files.

my hosts.deny

ALL: ALL: DENY

my hosts.allow

sshd:ALL

I run web, mail, ssh, and more on that box. I, of course, use a firewall to control what I let in, and out. I don't know exactly which programs actually use tcp_wrappers, but off the top of my head I am pretty sure that nfs and sshd use it.



Offline
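Added example, not part of any post in this thread: a simplified Python model of the tcp_wrappers lookup order discussed above (hosts.allow first, then hosts.deny, access granted if neither matches), run against the files cactus posted and a hosts.deny rule using EXCEPT. The function names, the client addresses and the LAN-only rule are constructed for illustration; only `ALL`, numeric address/netmask patterns, `EXCEPT` in the client list and a trailing `ALLOW`/`DENY` option are modelled.

```python
import ipaddress

def _clients_match(spec, addr):
    """Client list: ALL, numeric addr or net/mask, optional 'x EXCEPT y'."""
    def hit(tokens):
        return any(
            tok == "ALL"
            or ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
            for tok in tokens.replace(",", " ").split()
        )
    left, _, right = spec.partition(" EXCEPT ")
    return hit(left) and not hit(right)

def _first_match(rules, daemon, addr, default):
    """Verdict of the first rule matching (daemon, addr), or None."""
    for line in rules.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) < 2:
            continue
        if not {"ALL", daemon} & set(fields[0].replace(",", " ").split()):
            continue
        if _clients_match(fields[1], addr):
            option = fields[2].upper() if len(fields) > 2 else ""
            return option if option in ("ALLOW", "DENY") else default
    return None

def tcpd_decision(daemon, addr, hosts_allow, hosts_deny):
    """Only wrapped daemons get here: hosts.allow first, then hosts.deny,
    and no match in either file grants access."""
    for rules, default in ((hosts_allow, "ALLOW"), (hosts_deny, "DENY")):
        verdict = _first_match(rules, daemon, addr, default)
        if verdict:
            return verdict
    return "ALLOW"

# Files as posted in the thread.
HOSTS_ALLOW = "sshd:ALL"
HOSTS_DENY = "ALL: ALL: DENY"
# Constructed variant: deny everyone outside the local network.
LAN_ONLY_DENY = "ALL: ALL EXCEPT 192.168.1.0/255.255.255.0"

if __name__ == "__main__":
    outside, inside = "203.0.113.7", "192.168.1.20"  # constructed client addresses
    print(tcpd_decision("sshd", outside, "", HOSTS_DENY))             # FAQ symptom
    print(tcpd_decision("sshd", outside, HOSTS_ALLOW, HOSTS_DENY))
    print(tcpd_decision("portmap", outside, HOSTS_ALLOW, HOSTS_DENY))
    print(tcpd_decision("sshd", inside, "", LAN_ONLY_DENY))
    print(tcpd_decision("sshd", outside, "", LAN_ONLY_DENY))
```

A daemon that is not built against tcp_wrappers never performs this lookup, so its exposure has to be controlled at the firewall instead.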

#5 2005-01-08 22:10:17

oscar
Member
From: Kiruna, Sweden
Registered: 2004-08-13
Posts: 457

Re: Installation doc FAQ clarification.

cactus wrote:

httpd doesn't listen to hosts.allow or deny. Only programs that use tcp_wrappers care about what is in those files.

my hosts.deny

ALL: ALL: DENY

my hosts.allow

sshd:ALL

I run web, mail, ssh, and more on that box. I, of course, use a firewall to control what I let in, and out. I don't know exactly which programs actually use tcp_wrappers, but off the top of my head I am pretty sure that nfs and sshd use it.

Ah - in that case, it sounds like a great idea!
nfs isn't installed nor enabled per default, so it shouldn't pose a threat either.



Offline

#6 2005-01-09 03:33:11

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622
Website

Re: Installation doc FAQ clarification.

oh, and portmap usually.



Offline
