Posts Tagged ‘vsftp’

How to filter an IP, and IP range or domain to access to access service with /etc/hosts.allow /etc/hosts.deny , filtering Network range to sshd tcp port 22 through sshd service

Tuesday, June 4th, 2024

how-to-allow-and-deny-services-without-firewall-on-linux-logo-picture-tux

If you want to filter a range of IPs to be able to or unable to access a TCP port service because someone is trying to brute force you from the network or just because you don't want a connected LAN IPs to have access to your server for whatever security reasons. The simplest way you can do IP and IP range restrictions to allow or disable access towards a Linux server via defining allow or prohibition rules in  /etc/hosts.allow and /etc/hosts.deny.

This files are there and useful since the beginning of UNIX OS-es and has been widely used on Linux in the past and rarely known by people nowadays.

 

The hosts.allow and hosts.deny files could be used on a Linux system to deny connection attempts from one or more IP addresses, hostnames, or domains. 
/etc/hosts.allow and /etc/hosts.deny are just a plain text configuration file with a rather simple syntax, that can be used for decades to allow or filter IPs without applying a special firewall rules like iptables locally.
It can work with any TCP wrapped service on your system. The hosts.deny file is used in conjunction with hosts.allow to determine whether a connection attempt gets accepted or denied.

In this small tutorial, you will see an example of the hosts.allow file and how to use it to allow or deny connections to IPs or networks, as well as how a simple prohibition to access SSH service only via specific IP network can be done.

For full understanding of hosts.allow / hosts.deny file, check the manuals man hosts.allow , man hosts.deny, man hosts_options, man hosts_options.

root@pcfreak:~# apropos hosts|grep -iE '^hosts.*'
hosts.equiv (5)      – list of hosts and users that are granted "trusted" r command access to your system
hosts (5)            – static table lookup for hostnames
hosts.allow (5)      – format of host access control files
hosts.deny (5)       – format of host access control files
hosts_access (5)     – format of host access control files
hosts_options (5)    – host access control language extensions

General hosts.allow / hosts.deny syntax

The /etc/hosts.allow and /etc/hosts.deny understood syntax form is: 

service : host/network

Each value is separated by a colon :

You can also supply an option, but this is not as common. We will cover some other niche choices below. More options can be added if necessary, with each one separated by another colon.

service : host/network [:

The following line would allow all traffic to the sshd service. ALL is used as a wildcard.

sshd : ALL

Few examples to allow access to SSH Daemon from IPv4 and IPv6
This line would allow connections from all hosts on the 10.11 network. Connections from all other hosts can then be denied by the hosts.deny file. This type of configuration would work as intended since the allow line precedes our corresponding deny line in the other file, thus will be triggered first.

sshd : 10.11


Accept connections from a particular IPv4 and IPv6 address
 

sshd : 10.10.136.241
sshd : [2a02:2143:88f1:5c00:9991:9daa:b580:aee2]

 

Rather than using IPs, you can also specify hostnames to accept or deny connections from.

sshd : some.host

 

Accept connections from all hosts using the main domain .pc-freak.net domain name.

sshd : .pc-freak.net

You can also use a wildcard for both the service and the host/network field. This will accept all connections to any service. This would make all other rules (including those in hosts.deny) irrelevant, as all connections will be accepted by this rule before they have a chance to be denied.

ALL : ALL

The EXCEPT operator can be used to create an exception in an otherwise all allowing rule. 
For example, this rule would allow all connections from the .pc-freak.net domain name, except for one sub-domain org.pc-freak.net

sshd : .pc-freak.net EXCEPT org.pc-freak.net


Allow connectivity towards SSH TCP port 22 for all IP / hosts except for certain IPs and domains
 

To control connectivity towards sshd service via allow hosts  /etc/hosts.allow for all except a bad.host and a certain IP range:

 

sshd : ALL : allow
sshd : bad.host : deny
sshd : 85.5.1. : deny (1)

 

Disable access to all remote services to the network

Lets say if you're running the Linux as  desktop station and you want to disable access to any local services running on TCP ports

If you want to be paranoid and disable all remote access to server to any IP network, you can do it with:

# echo "ALL: ALL" >/etc/hosts.deny


Completely allow access to a certain running TCP port service on server
 

To allow completely access to a service
 

service_name : ALL : allow

Allow access for a a range of IPs subnet

You can also specifcy the IP netmask range to allow, like this:

ALL : 192.168.0.0/255.255.254.0

 

Allow access to all server network services for a domain except for a certain domain
 

Enable access to ALL running server services listening on TCP port except for domain

ALL : .example.com EXCEPT skiddie-attacker.example-domain.com


Allow access to al services except to a service for a local port range via hosts.allow

Here is example onw how to use hosts.allow file to allow connections all running server services except access to VSFTP, coming from Local LAN IPs with netmask /24 (e.g. from the 192.168.0.x.):

ALL EXCEPT vsftpd : 192.168.0

 


Filtering IPs and IP Ranges from within /usr/sbin/sshd openssh service via /etc/ssh/sshd_config (allow and disable access to concrete IPs trying to brute force you)
 


Lets say however, you don't want to do the filtering of openssh connections via hosts.allow / hosts.deny but rather on a SSH Service level, this can be done with the following /etc/ssh/sshd_config configuration.

# vim /etc/ssh/sshd_config

Match Address *,!192.168.1.0/24
    ForceCommand /bin/false

For more on the use of Match Address check documentation with man 5 sshd_config


To re-load the opensshd config

# systemctl restart sshd

 

Of course manually filtering villains is a tedious task and ultimately to save yourself time and inconvenience to regullary look up within /var/log/security or /var/log/messages (depending on the Linux distribution) and the configuration for SSHD to login imposters you would prefer to use fail2ban (if you're not familiar with fail2ban check out my previous article on how to easily Stop ssh bruteforce authentication attempt Attacks with fail2ban or if you want to use the Linux native way check out the article how to prevent SSH and FTP bruteforce attacks with IPtables.

No Title

Tuesday, February 26th, 2008

Today I helped my cousing to fix his internet connection on a laptop.
The laptop was running Vista. A real nightmare, this OS is really heavy and even messier than Windows XP.
What else I’m trying to cope with life. Life is tough. What I can say….

Also I started a vsftp server on a FreeBSD box it took me some time because of configuration issues.

Right now I’mtrying to run a snort server still unsuccessfully for some reason the snort daemon does not start.

In the college everything is going in the old manner, except we have started studying Marketing II and another subject I forgot the name it is supposed to be something like statistics. The day was quiet with a bit of work.

END—–