On 07/28/2021 10:01 AM, Leon Fauster via CentOS wrote:
> On 28.07.21 14:44, Jonathan Billings wrote:
>> On Jul 27, 2021, at 16:43, H <agents@xxxxxxxxxxxxxx> wrote:
>>>
>>> |Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, ie before fail2ban would (eventually) ban connection attempts.
>>>
>>> This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
>>>
>>> Is it necessary to run:
>>>
>>> iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
>>>
>>> to drop incoming connection attempts from that subnet?
>>
>> Upstream openssh dropped support for tcp wrappers (hosts.deny) a while ago but RHEL had patched support back in for a while, but I believe it isn’t supported anymore.
>>
>> For what it’s worth, if you use the fail2ban-firewalld package, it uses ipset rather than iptables, which is more efficient.
>>
>>
>
> TCP wrappers (hosts.allow/deny) are deprecated now.
>
> Its still supported in EL7 (sshd example)
>
> ldd /usr/sbin/sshd |grep wrap
> libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fcc483ee000)
>
> but not in EL8 anymore. EL8 is based on F28/29 ->
> https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers
>
> For the question above (for EL7):
> only services that are compiled against libwrap uses hosts.deny
> everything else will be reachable (if iptables does not drop it).
>
> For EL8, as depicted in the above URI:
> systemd provide a similar functionality ...
>
> --
> Leon
>
>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
Got it, will utilize iptables. I guess my previous experience was with C6.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
