On Jul 27, 2021, at 16:43, H <agents at meddatainc.com> wrote:
>
> Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, i.e. before fail2ban would (eventually) ban connection attempts.
>
> This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
>
> Is it necessary to run:
>
>     iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
>
> to drop incoming connection attempts from that subnet?

Upstream openssh dropped support for tcp wrappers (hosts.deny) a while ago, but RHEL had patched support back in for a while; I believe it isn't supported anymore.

For what it's worth, if you use the fail2ban-firewalld package, it uses ipset rather than iptables, which is more efficient.

--
Jonathan Billings
On Jul 28, 2021, at 08:44, Jonathan Billings <billings at negate.org> wrote:
>
> For what it's worth, if you use the fail2ban-firewalld package, it uses ipset rather than iptables, which is more efficient.

That's in CentOS 7 though. CentOS 8 firewalld uses nft instead of the older netfilter (iptables/ipset) code.

--
Jonathan Billings
On 28.07.21 14:44, Jonathan Billings wrote:
> On Jul 27, 2021, at 16:43, H <agents at meddatainc.com> wrote:
>>
>> Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, i.e. before fail2ban would (eventually) ban connection attempts.
>>
>> This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
>>
>> Is it necessary to run:
>>
>>     iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
>>
>> to drop incoming connection attempts from that subnet?
>
> Upstream openssh dropped support for tcp wrappers (hosts.deny) a while ago, but RHEL had patched support back in for a while; I believe it isn't supported anymore.
>
> For what it's worth, if you use the fail2ban-firewalld package, it uses ipset rather than iptables, which is more efficient.
>

TCP wrappers (hosts.allow/deny) are deprecated now.

It's still supported in EL7 (sshd example):

    ldd /usr/sbin/sshd | grep wrap
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fcc483ee000)

but not in EL8 anymore. EL8 is based on F28/29 ->
  https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers

For the question above (for EL7):
only services that are compiled against libwrap use hosts.deny;
everything else will be reachable (if iptables does not drop it).

For EL8, as depicted in the above URI:
systemd provides similar functionality ...

--
Leon
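As an added example (not part of the thread, and not anyone's posted code), the following POSIX sh script turns the two points above into something you can run on an EL7/EL8 box: it checks whether a daemon is linked against libwrap at all (the ldd test from the message above), and it converts a hosts_access(5)-style IPv4 prefix such as "aaa.bbb.ccc.*" into the CIDR that iptables, ipset, firewalld, nft and systemd's IPAddressDeny= expect, printing the equivalent rule for each backend instead of executing it. The ipset name "blocknet", the nft table "inet filter" / chain "input", the unit name "sshd.service" and every address are constructed for illustration. One practitioner caveat the rules make visible: all of the netfilter and systemd variants drop packets before the TCP handshake completes, whereas hosts.deny (and fail2ban's bans) only take effect after the daemon has already accepted the connection.

```shell
#!/bin/sh
# Added example, not from the thread: triage the hosts.deny question on EL7/EL8.
#  - hosts.deny is consulted only by daemons linked against libwrap, so check the
#    binary's linkage rather than assuming the file is honoured.
#  - Translate a hosts_access(5)-style IPv4 prefix ("aaa.bbb.ccc.*", "aaa.bbb.")
#    into CIDR and print the equivalent drop rule for each backend.
# The set name "blocknet", nft table "inet filter"/chain "input", the unit
# "sshd.service" and all addresses are constructed for illustration.

# honors_hosts_deny LDD_OUTPUT
#   Returns 0 if libwrap appears in the given ldd output, 1 otherwise.
#   On a real host: honors_hosts_deny "$(ldd /usr/sbin/sshd)"
honors_hosts_deny() {
    printf '%s\n' "$1" | grep -q 'libwrap\.so'
}

# pattern_to_cidr PATTERN
#   "192.0.2.*", "192.0.2." or "192.0." -> "192.0.2.0/24", "192.0.0.0/16".
#   Prints nothing and returns 1 for anything that is not a 1..3 octet prefix
#   (a full host address or a hostname needs different handling).
pattern_to_cidr() {
    p=${1%.\*}          # drop a trailing ".*"
    p=${p%.}            # drop a trailing "."
    case "$p" in
        ''|.*|*..*|*[!0-9.]*) return 1 ;;   # only digits and dots remain
    esac
    set -- $(printf '%s\n' "$p" | tr '.' ' ')   # one positional param per octet
    for o in "$@"; do
        case "$o" in '') return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    case $# in
        1) printf '%s.0.0.0/8\n' "$1" ;;
        2) printf '%s.%s.0.0/16\n' "$1" "$2" ;;
        3) printf '%s.%s.%s.0/24\n' "$1" "$2" "$3" ;;
        *) return 1 ;;
    esac
}

# emit_block_rules CIDR
#   Print the network-level equivalents of "ALL: prefix" in hosts.deny. These
#   drop packets before the TCP handshake completes; hosts.deny and fail2ban
#   only act after the daemon has accepted the connection.
emit_block_rules() {
    cidr=$1
    cat <<EOF
# EL7, plain iptables (what the original question proposed):
iptables -I INPUT -s $cidr -j DROP

# EL7, ipset + one iptables rule (the approach the thread says
# fail2ban-firewalld uses; adding more networks later only touches the set):
ipset create blocknet hash:net
ipset add blocknet $cidr
iptables -I INPUT -m set --match-set blocknet src -j DROP

# EL7/EL8, via firewalld (on EL8 firewalld drives nftables underneath):
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="$cidr" drop'
firewall-cmd --reload

# EL8, nft directly (assumes you manage table inet filter / chain input yourself):
nft add rule inet filter input ip saddr $cidr drop

# EL8, per-service with systemd (the replacement the Fedora change page points
# to; needs cgroup BPF support, see systemd.resource-control(5)).
# systemctl edit sshd.service, then add:
[Service]
IPAddressDeny=$cidr
EOF
}

# Usage: sh hostsdeny_triage.sh 'aaa.bbb.ccc.*'
if [ $# -eq 1 ]; then
    cidr=$(pattern_to_cidr "$1") || { echo "not a hosts.deny network prefix: $1" >&2; exit 2; }
    emit_block_rules "$cidr"
fi
```

Run it with a single prefix argument to get the rule set; with no argument it only defines the functions, so it can be sourced into another script. The IPAddressDeny= variant is the one to reach for on EL8 when you want the old per-service semantics of hosts.deny rather than a host-wide firewall rule.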
On 07/28/2021 10:01 AM, Leon Fauster via CentOS wrote:
> On 28.07.21 14:44, Jonathan Billings wrote:
>> On Jul 27, 2021, at 16:43, H <agents at meddatainc.com> wrote:
>>>
>>> Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, i.e. before fail2ban would (eventually) ban connection attempts.
>>>
>>> This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
>>>
>>> Is it necessary to run:
>>>
>>>     iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
>>>
>>> to drop incoming connection attempts from that subnet?
>>
>> Upstream openssh dropped support for tcp wrappers (hosts.deny) a while ago, but RHEL had patched support back in for a while; I believe it isn't supported anymore.
>>
>> For what it's worth, if you use the fail2ban-firewalld package, it uses ipset rather than iptables, which is more efficient.
>>
>
> TCP wrappers (hosts.allow/deny) are deprecated now.
>
> It's still supported in EL7 (sshd example):
>
>     ldd /usr/sbin/sshd | grep wrap
>         libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fcc483ee000)
>
> but not in EL8 anymore. EL8 is based on F28/29 ->
>   https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers
>
> For the question above (for EL7):
> only services that are compiled against libwrap use hosts.deny;
> everything else will be reachable (if iptables does not drop it).
>
> For EL8, as depicted in the above URI:
> systemd provides similar functionality ...
>
> --
> Leon

Got it, will utilize iptables. I guess my previous experience was with C6.