http://www.archlinux.org/docs/en/guide/ … guide.html
I can't ssh into my machine!
Edit your /etc/hosts.deny file. The default configuration will reject all incoming connections.
Shouldn't people just add
sshd:ALL
to /etc/hosts.allow ?
Allow rules supersede deny rules, so ssh would be allowed. Then all the other connections are still by default denied.
I think that would be better.
Comments?
"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍
I agree. There should be a few examples: that one, or, for example, allowing it from your network, such as
ALL: ALL EXCEPT 192.168.1.0/255.255.255.0
I find that Arch is one of the few distributions still using that instead of iptables, so I constantly forget the syntax.
I think this sounds like a good idea - but a stupid one, at the same time.
Surely, they have sshd access after a default install - but what if they are hosting a webpage on the computer, and haven't even noticed the hosts.deny-file, and can't make the httpd work properly?
A short message after installing ssh that you should check out /etc/hosts.deny before getting any help would suffice, IMHO
To err is human... to really foul up requires the root password.
httpd doesn't listen to hosts.allow or deny. Only programs that use tcp_wrappers care about what is in those files.
my hosts.deny
ALL: ALL: DENY
my hosts.allow
sshd:ALL
I run web, mail, ssh, and more on that box. I, of course, use a firewall to control what I let in, and out. I don't know exactly which programs actually use tcp_wrappers, but off the top of my head I am pretty sure that nfs and sshd use it.
Ah - in that case, it sounds like a great idea!
nfs isn't installed or enabled by default, so it shouldn't pose a threat either.
oh, and portmap usually.
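Added example, not from the thread: a small Python model of the hosts_access(5) lookup the posts above rely on (hosts.allow is searched first, then hosts.deny, and no match at all means the connection is allowed), run over constructed copies of the rules quoted here. Daemon names and client addresses are assumed sample values; a program not built with tcp_wrappers, such as httpd, never performs this lookup at all.

```python
import ipaddress


def _match_daemon(pattern, daemon):
    # Daemon field: ALL or the wrapped program's name (e.g. sshd, rpc.mountd).
    return pattern == "ALL" or pattern == daemon


def _match_client(pattern, client_ip):
    # Client field: ALL, a bare address, or net/mask as in 192.168.1.0/255.255.255.0.
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip


def _match_list(field, item, matcher):
    # 'A EXCEPT B' matches when A matches and B does not; otherwise any listed pattern.
    if " EXCEPT " in field:
        left, right = field.split(" EXCEPT ", 1)
        return _match_list(left, item, matcher) and not _match_list(right, item, matcher)
    return any(matcher(p, item) for p in field.replace(",", " ").split())


def _parse_rules(text):
    # Each rule: daemon_list : client_list [: option]; comments and blank lines are ignored.
    rules = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("#", 1)[0].split(":")]
        if len(parts) < 2 or not parts[0]:
            continue
        option = parts[2].upper() if len(parts) > 2 else ""
        rules.append((parts[0], parts[1], option if option in ("ALLOW", "DENY") else None))
    return rules


def hosts_access(hosts_allow, hosts_deny, daemon, client_ip):
    """Decide as hosts_access(5) does: the first match in hosts.allow wins, then the
    first match in hosts.deny; with no match anywhere the connection is permitted."""
    for default, text in (("ALLOW", hosts_allow), ("DENY", hosts_deny)):
        for daemons, clients, option in _parse_rules(text):
            if _match_list(daemons, daemon, _match_daemon) and _match_list(clients, client_ip, _match_client):
                return (option or default) == "ALLOW"
    return True


# Constructed sample files mirroring the rules quoted in the thread.
HOSTS_ALLOW = "sshd: ALL\n"
HOSTS_DENY = "ALL: ALL: DENY\n"
LAN_ONLY_DENY = "ALL: ALL EXCEPT 192.168.1.0/255.255.255.0\n"

if __name__ == "__main__":
    for daemon, ip in (("sshd", "203.0.113.5"), ("rpc.mountd", "203.0.113.5")):
        print(daemon, ip, "allowed" if hosts_access(HOSTS_ALLOW, HOSTS_DENY, daemon, ip) else "denied")
```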