Re: hosts.deny vs iptables

jdow wrote:
From: "Bruno Wolff III" <bruno@xxxxxxxx>
 CodeHeads <codeheads@xxxxxxxxx> wrote:

Hello all,
I searched the archives and Google and did not find what I was looking for.

This is my setup:
Web Server with virtual hosts; FC4; IPTables and SELinux Running

My question is which is better, IPTables or hosts.deny???

You want to use iptables. There may be some benefit to using hosts.deny/allow in that you can do DNS look-ups at the time of connection rather than when the rules are set up. While you don't want to depend on DNS for access, it is reasonable to use it to deny access in most situations.

I read somewhere, cannot remember where, that hosts.deny does not read httpd
requests??

For apache, you can configure allowed and denied hosts in httpd.conf and you
don't need hosts.deny/allow.


I am mostly concerned in blocking IP ranges with either.

For this case it is probably best to build these restrictions into your
iptables rules.

Please, may I be obnoxious and introduce Belt and Suspenders to Mr.
Elastic Band, who is expected to work with them?

In-depth defense is worthwhile. It also allows for interesting
fine-tuning potentials.

{^_-}


There is a significant difference between hosts.deny and iptables.
Iptables is a firewall, therefore it is the first line of defense between your computer and the outside world. If you want to make sure something or someone doesn't get into your computer, use Iptables.

Hosts.deny is another layer of protection, but it only works with TCP-wrapped applications. Some examples of TCP-wrapped apps are sshd, xinetd, and sendmail... you can tell if an application uses TCP wrappers by the command
strings -f /usr/sbin/sshd | grep hosts_access
Because Apache does not use TCP wrappers, hosts.deny would be ineffective for http requests.

HTH,
Ed

----
Ed Kim, RHCE
ed.kim AT rhatbox.com
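As an added example (not part of this thread or from any of its authors), the following POSIX shell script applies the strings | grep hosts_access check Ed describes across several daemon binaries and reports which of them hosts.allow/hosts.deny actually governs, so you can see where iptables or the application's own ACLs are the only option. The default paths are assumed typical Fedora locations and may differ on your system.

```sh
#!/bin/sh
# Added example: which local daemons honour hosts.allow/hosts.deny?
# A binary is TCP-wrapped when it references libwrap's hosts_access()
# entry point, which shows up in its strings output (Ed's check above).

# Return 0 if the binary references hosts_access (TCP-wrapped),
# 1 if it does not, 2 if the path is missing or unreadable.
is_tcp_wrapped() {
    f=$1
    [ -r "$f" ] || return 2
    if command -v strings >/dev/null 2>&1; then
        strings "$f" | grep -q 'hosts_access'
    else
        # Fallback when binutils is not installed: grep the raw bytes.
        grep -a -q 'hosts_access' "$f"
    fi
}

# Print one line per binary: WRAPPED, NOT WRAPPED or MISSING, with the
# practical consequence for hosts.deny. Always returns 0 so it can be
# used under "set -e".
wrapper_report() {
    for bin in "$@"; do
        rc=0
        is_tcp_wrapped "$bin" || rc=$?
        case $rc in
            0) printf 'WRAPPED      %s  (hosts.allow/hosts.deny apply)\n' "$bin" ;;
            2) printf 'MISSING      %s  (not found or not readable)\n' "$bin" ;;
            *) printf 'NOT WRAPPED  %s  (block with iptables or the app config)\n' "$bin" ;;
        esac
    done
    return 0
}

# Usage: sh wrapcheck.sh /usr/sbin/sshd /usr/sbin/httpd
# With no arguments, check the daemons named in the thread (assumed
# Fedora paths); httpd is expected to come out NOT WRAPPED.
if [ "$#" -eq 0 ]; then
    set -- /usr/sbin/sshd /usr/sbin/xinetd /usr/sbin/sendmail /usr/sbin/httpd
fi
wrapper_report "$@"
```

Note that libwrap.so itself contains hosts_access, so run the check against daemon binaries, not against the library.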

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list