
Re: AW: [cobalt-users] dip.t-dialin.net IP Range



"Wayne Sagar" <wsagar@xxxxxxxx> wrote:
> Question for the gurus of the list... If we add IPs to the hosts.deny
> file.. does it deny them at the website page level?

It does not.  And it's easy enough to test.  Log in to the shell using ssh,
then type 'env'.  Your IP address will be listed as
SSH_CLIENT=[IP_ADDRESS_HERE].  Open /etc/hosts.deny and add:

ALL: IP_ADDRESS_HERE

*DO NOT* close the SSH connection.  Host access control through hosts.deny
and hosts.allow only affects new connections, not currently open connections,
so this is safe to do.  Try opening another SSH connection, accessing a POP
or IMAP mailbox and FTPing into the server and you should be denied access.
However, try accessing a webpage and you should be able to view it.  When
you are satisfied, remove the line from hosts.deny.

The hosts.deny file should have no effect on webserver access.  hosts.deny
and hosts.allow are used together to determine whether to grant access to a
host.  It only controls access to services listed in /etc/inetd.conf (the
services that aren't commented out).  Apache is not one of these services.
If you're using the 'ALL' wildcard in hosts.deny you're blocking all
services for the matched hosts.  You can specify individual hosts, partial
hosts, IP addresses, partial IP addresses and net/masks.  And you can
specify specific services.  Here are a few examples.

// Block IMAP access to the IP below and all hosts ending in irs.gov.
/etc/hosts.deny:
imapd: 123.123.123.123, .irs.gov

// Allow telnet access to everyone except the 1st IP below, IPs beginning
// with the following string (222.222.222) and hosts ending in microsoft.com.
/etc/hosts.allow:
in.telnetd: ALL EXCEPT 192.168.1.2, 222.222.222., .microsoft.com : ALLOW

> If all it does is deny them all other access.. what's the harm?

I have not tried this particular strategy yet, but I came across a document
on Apache URL rewriting (powerful stuff, I use it and recommend everyone get
familiar with it) that uses the hosts.deny file to block access to Apache.
Take a look at http://www.engelschall.com/pw/apache/rewriteguide/ and scroll
down to the "Host Deny" section which is about 85% of the way down.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
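
An added example, not part of the original message: a small Python model of how tcpd evaluates the client patterns described above (exact IP, leading-dot hostname suffix, trailing-dot address prefix, net/mask, EXCEPT) and the hosts.allow-then-hosts.deny order. The rule sets are constructed from the two examples in the message; the daemon name in.telnetd, the DENY_STRICT list and the sample client addresses are assumptions, and the model covers IPv4 only.

```python
import ipaddress

def client_matches(pattern, ip, host):
    """Match one hosts_access(5) client pattern (IPv4 and hostname forms only)."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                 # ".irs.gov": hostname suffix
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                   # "222.222.222.": address prefix
        return ip.startswith(pattern)
    if "/" in pattern:                          # net/mask, e.g. 10.0.0.0/255.0.0.0
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip or pattern.lower() == host.lower()

def list_matches(tokens, ip, host):
    """Client list; 'a EXCEPT b' matches a but not b."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], ip, host) and not list_matches(tokens[i + 1:], ip, host)
    return any(client_matches(t, ip, host) for t in tokens)

def rule_matches(rule, daemon, ip, host):
    # "daemons : clients [: option]"; the option field is ignored in this sketch.
    fields = [f.replace(",", " ").split() for f in rule.split(":")]
    daemons, clients = fields[0], fields[1]
    return ("ALL" in daemons or daemon in daemons) and list_matches(clients, ip, host)

def decide(allow, deny, daemon, ip, host=""):
    """tcpd order: hosts.allow match grants, else hosts.deny match refuses, else grant."""
    if any(rule_matches(r, daemon, ip, host) for r in allow):
        return "allow"
    if any(rule_matches(r, daemon, ip, host) for r in deny):
        return "deny"
    return "allow"

# Constructed rule sets based on the two examples in the message.
ALLOW = ["in.telnetd: ALL EXCEPT 192.168.1.2, 222.222.222., .microsoft.com : ALLOW"]
DENY = ["imapd: 123.123.123.123, .irs.gov"]
DENY_STRICT = DENY + ["in.telnetd: ALL"]        # assumed extra rule, not from the message

if __name__ == "__main__":
    for d, ip, h in [("imapd", "123.123.123.123", ""), ("imapd", "10.0.0.5", "mail.irs.gov"),
                     ("in.telnetd", "222.222.222.9", ""), ("in.telnetd", "198.51.100.7", "")]:
        print(d, ip, h or "-", decide(ALLOW, DENY, d, ip, h), decide(ALLOW, DENY_STRICT, d, ip, h))
```

In this model a client excluded by EXCEPT in hosts.allow is only refused once a hosts.deny rule also matches it (the DENY_STRICT column); with the original DENY list it falls through to the default grant.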