Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, i.e. before fail2ban would (eventually) ban connection attempts.

This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?

Is it necessary to run:

iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP

to drop incoming connection attempts from that subnet?

Thank you!
On Tue, 2021-07-27 at 16:43 -0400, H wrote:
> Running CentOS 7. I was under the impression - seemingly mistaken -
> that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.*
> would ban all attempts from that network segment to connect to the
> server, i.e. before fail2ban would (eventually) ban connection
> attempts.
>
> This, however, does not seem correct and I could use a pointer to
> correct my misunderstanding. How is hosts.deny used and what have I
> missed?

hosts.deny is only used by specific programs that use TCP wrappers. It
is not a general "deny this host access".

Also note that fail2ban operates on individual hosts, not subnets.

> Is it necessary to run:
>
> iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
>
> to drop incoming connection attempts from that subnet?

If you use iptables yes, probably. Firewalld has a specific drop zone
that you can use:

firewall-cmd --zone=drop --add-source=aaa.bbb.ccc.0/24

(with suitable --permanent flag if you want it permanent).

P.
On Tue, 27 Jul 2021 at 16:43, H <agents at meddatainc.com> wrote:
> Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, i.e. before fail2ban would (eventually) ban connection attempts.
>
> This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
>
> Is it necessary to run:
>
> iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP

Yes. iptables is one of the first things which will see the packets
coming to the server as it is implemented in kernel space. hosts.deny
only comes in for specific services which are compiled to use it.

[Internet] <-> [iptables] <-> [systemd if used] <-> [xinetd w/tcp-wrappers]

In the above example, a packet coming from the internet gets
interpreted and dealt with by multiple tools, and hosts.deny is only used
in the last section, where xinetd and similar programs compiled with
tcp-wrappers look at the hosts.deny file.

> to drop incoming connection attempts from that subnet?
>
> Thank you!
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos

-- 
Stephen J Smoogen.
I've seen things you people wouldn't believe. Flame wars in sci.astro.orion. I have seen SPAM filters overload because of Godwin's Law. All those moments will be lost in time... like posts on BBS... time to reboot.
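An added example, not from this thread: a small POSIX sh helper that applies the subnet block the two replies above describe, either through firewalld's drop zone or with an iptables DROP rule, and does so idempotently and persistently. The function names (valid_cidr, run, block_subnet) and the DRY_RUN switch are my own; it assumes the CentOS 7 tools named in the thread (firewall-cmd, iptables) and the iptables-services package for `service iptables save`.

```shell
#!/bin/sh
# Block an IPv4 subnet at the packet filter, where it is seen before any
# TCP-wrappers check. Set DRY_RUN=1 to print the commands instead of running
# them (useful for review, and for running this without root).

# Return 0 if $1 is a dotted-quad IPv4 CIDR with a /0-32 prefix and octets <= 255.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq \
        '^(([0-9]{1,3})\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    ip=${1%/*}
    old_ifs=$IFS; IFS=.
    set -- $ip               # split the address into its four octets
    IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Execute the given command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# block_subnet CIDR BACKEND   (BACKEND is "firewalld" or "iptables")
block_subnet() {
    cidr=$1; backend=$2
    valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 2; }
    case $backend in
    firewalld)
        # Runtime change takes effect now; the --permanent copy survives a
        # reboot or a firewalld reload. Re-adding an existing source is harmless.
        run firewall-cmd --zone=drop --add-source="$cidr"
        run firewall-cmd --permanent --zone=drop --add-source="$cidr"
        ;;
    iptables)
        # -C tests for an identical rule so repeated runs don't stack
        # duplicate DROP rules at the top of INPUT.
        if [ "${DRY_RUN:-0}" = 1 ] || ! iptables -C INPUT -s "$cidr" -j DROP 2>/dev/null; then
            run iptables -I INPUT -s "$cidr" -j DROP
        fi
        run service iptables save   # persist via iptables-services
        ;;
    *) echo "unknown backend: $backend" >&2; return 2 ;;
    esac
}
# Usage: . ./block_subnet.sh; block_subnet 192.0.2.0/24 iptables
```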
On Jul 27, 2021, at 16:43, H <agents at meddatainc.com> wrote:
> Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, i.e. before fail2ban would (eventually) ban connection attempts.
>
> This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
>
> Is it necessary to run:
>
> iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
>
> to drop incoming connection attempts from that subnet?

Upstream openssh dropped support for tcp wrappers (hosts.deny) a while ago, and RHEL had patched support back in for a while, but I believe it isn't supported anymore.

For what it's worth, if you use the fail2ban-firewalld package, it uses ipset rather than iptables, which is more efficient.

-- 
Jonathan Billings
On 07/28/2021 05:12 AM, Stephen John Smoogen wrote:
> On Tue, 27 Jul 2021 at 16:43, H <agents at meddatainc.com> wrote:
>> Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, i.e. before fail2ban would (eventually) ban connection attempts.
>>
>> This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
>>
>> Is it necessary to run:
>>
>> iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
>>
> Yes. iptables is one of the first things which will see the packets
> coming to the server as it is implemented in kernel space. hosts.deny
> only comes in for specific services which are compiled to use it.
>
> [Internet] <-> [iptables] <-> [systemd if used] <-> [xinetd w/tcp-wrappers]
>
> In the above example, a packet coming from the internet gets
> interpreted and dealt with by multiple tools, and hosts.deny is only used
> in the last section, where xinetd and similar programs compiled with
> tcp-wrappers look at the hosts.deny file.
>
>> to drop incoming connection attempts from that subnet?
>>
>> Thank you!

Thank you, I will utilize iptables (I am running C7).
On 07/28/2021 08:44 AM, Jonathan Billings wrote:
> On Jul 27, 2021, at 16:43, H <agents at meddatainc.com> wrote:
>> Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, i.e. before fail2ban would (eventually) ban connection attempts.
>>
>> This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
>>
>> Is it necessary to run:
>>
>> iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
>>
>> to drop incoming connection attempts from that subnet?
> Upstream openssh dropped support for tcp wrappers (hosts.deny) a while ago, and RHEL had patched support back in for a while, but I believe it isn't supported anymore.
>
> For what it's worth, if you use the fail2ban-firewalld package, it uses ipset rather than iptables, which is more efficient.
>
> --
> Jonathan Billings

Noted, thank you.
On 07/27/2021 05:17 PM, Pete Biggs wrote:
> On Tue, 2021-07-27 at 16:43 -0400, H wrote:
>> Running CentOS 7. I was under the impression - seemingly mistaken -
>> that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.*
>> would ban all attempts from that network segment to connect to the
>> server, i.e. before fail2ban would (eventually) ban connection
>> attempts.
>>
>> This, however, does not seem correct and I could use a pointer to
>> correct my misunderstanding. How is hosts.deny used and what have I
>> missed?
> hosts.deny is only used by specific programs that use TCP wrappers. It
> is not a general "deny this host access".
>
> Also note that fail2ban operates on individual hosts, not subnets.
>
>> Is it necessary to run:
>>
>> iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
>>
>> to drop incoming connection attempts from that subnet?
>>
> If you use iptables yes, probably. Firewalld has a specific drop zone
> that you can use:
>
> firewall-cmd --zone=drop --add-source=aaa.bbb.ccc.0/24
>
> (with suitable --permanent flag if you want it permanent).
>
> P.

Noted, I am using iptables.