Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, ie before fail2ban would (eventually) ban connection attempts.
This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
Is it necessary to run:
iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
to drop incoming connection attempts from that subnet?
Thank you!
On Tue, 2021-07-27 at 16:43 -0400, H wrote:
Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, ie before fail2ban would (eventually) ban connection attempts.
This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
hosts.deny is only used by specific programs that use TCP wrappers. It is not a general "deny this host access".
Also note that fail2ban operates on individual hosts, not subnets.
Is it necessary to run:
iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
to drop incoming connection attempts from that subnet?
If you use iptables, yes, probably. Firewalld has a specific drop zone that you can use:
firewall-cmd --zone=drop --add-source=aaa.bbb.ccc.0/24
(with suitable --permanent flag if you want it permanent).
P.
On Tue, 27 Jul 2021 at 17:17, Pete Biggs pete@biggs.org.uk wrote:
On Tue, 2021-07-27 at 16:43 -0400, H wrote:
Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, ie before fail2ban would (eventually) ban connection attempts.
This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
hosts.deny is only used by specific programs that use TCP wrappers. It is not a general "deny this host access".
Also note that fail2ban operates on individual hosts, not subnets.
[I should have waited and read all my email before responding. Peter covered parts I did not.]
On 07/27/2021 05:17 PM, Pete Biggs wrote:
On Tue, 2021-07-27 at 16:43 -0400, H wrote:
Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, ie before fail2ban would (eventually) ban connection attempts.
This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
hosts.deny is only used by specific programs that use TCP wrappers. It is not a general "deny this host access".
Also note that fail2ban operates on individual hosts, not subnets.
Is it necessary to run:
iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
to drop incoming connection attempts from that subnet?
If you use iptables, yes, probably. Firewalld has a specific drop zone that you can use:
firewall-cmd --zone=drop --add-source=aaa.bbb.ccc.0/24
(with suitable --permanent flag if you want it permanent).
P.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Noted, I am using iptables.
On Tue, 27 Jul 2021 at 16:43, H agents@meddatainc.com wrote:
Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, ie before fail2ban would (eventually) ban connection attempts.
This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
Is it necessary to run:
iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
Yes. iptables is one of the first things which will see the packets coming to the server, as it is implemented in kernel space. hosts.deny only comes in for specific services which are compiled to use it.
[Internet] <-> [iptables] <-> [systemd if used] <-> [xinetd w/tcp-wrappers]
In the above example, a packet coming from the internet gets interpreted and dealt with by multiple tools, and hosts.deny is only used in the last section, where xinetd and similar programs compiled with tcp-wrappers look at the hosts.deny file.
to drop incoming connection attempts from that subnet?
Thank you!
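Pete's and Stephen's answers above make the same point: hosts.deny only reaches services linked against libwrap, so a subnet ban has to live in iptables (or firewalld). The script below is an added worked example written for this thread, not code posted by anyone in it. It converts a hosts.deny-style wildcard such as aaa.bbb.ccc.* into the CIDR form iptables expects and inserts the DROP rule only if an identical one is not already present, so it can be re-run from cron or a config tool without stacking duplicates. The 203.0.113.0/24 address in the usage comment is a documentation range used as a placeholder, and the persistence comment assumes the CentOS 7 iptables-services package is what keeps the ruleset across reboots.

```shell
#!/bin/sh
# Added example (not from the thread): turn a hosts.deny-style wildcard such as
# "aaa.bbb.ccc.*" into the CIDR that iptables needs, and insert the DROP rule
# idempotently so the script can be re-run without stacking duplicate rules.

# True if $1 is a decimal octet in 0..255.
octet_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -le 255 ]
}

# Convert "10.1.2.*" -> 10.1.2.0/24, "10.1.*" -> 10.1.0.0/16, "10.*" -> 10.0.0.0/8.
# Anything else (no trailing ".*", bad octet, hostname pattern) fails with
# status 1: a hostname wildcard like ".example.com" has no firewall equivalent.
wildcard_to_cidr() {
    prefix=${1%.\*}
    [ "$prefix" != "$1" ] || return 1
    rest=$prefix
    n=0
    while :; do
        o=${rest%%.*}                 # leading octet, no globbing involved
        octet_ok "$o" || return 1
        n=$((n + 1))
        [ "$rest" != "$o" ] || break  # that was the last octet
        rest=${rest#*.}
    done
    case $n in
        1) printf '%s.0.0.0/8\n' "$prefix" ;;
        2) printf '%s.0.0/16\n' "$prefix" ;;
        3) printf '%s.0/24\n' "$prefix" ;;
        *) return 1 ;;
    esac
}

# Insert a DROP at the top of INPUT unless an identical rule is already there.
# "iptables -C" exits 0 when the rule exists and non-zero otherwise.
ensure_drop_rule() {
    cidr=$1
    if iptables -C INPUT -s "$cidr" -j DROP 2>/dev/null; then
        echo "DROP rule for $cidr already present"
    else
        iptables -I INPUT -s "$cidr" -j DROP
        echo "inserted DROP rule for $cidr"
    fi
}

# Only act when a pattern is given on the command line, e.g.
#   sh block_subnet.sh '203.0.113.*'
# (203.0.113.0/24 is a documentation range, used here as a placeholder).
if [ $# -gt 0 ]; then
    case $1 in
        */*) cidr=$1 ;;   # already CIDR, use as-is
        *)   cidr=$(wildcard_to_cidr "$1") || { echo "unsupported pattern: $1" >&2; exit 2; } ;;
    esac
    ensure_drop_rule "$cidr"
    # To survive a reboot on CentOS 7 with the iptables-services package
    # installed (assumption for this example), follow up with:
    #   service iptables save
fi
```

Two caveats worth knowing before using this. If firewalld is the thing managing the firewall, use Pete's `firewall-cmd --zone=drop --add-source=... --permanent` followed by `firewall-cmd --reload` instead; rules inserted directly with iptables on a firewalld host are discarded the next time firewalld reloads. And `-I INPUT` puts the rule at position 1, ahead of any rule accepting ESTABLISHED traffic, so sessions already open from that subnet are cut off as well, which is what a ban should do.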
On 07/28/2021 05:12 AM, Stephen John Smoogen wrote:
On Tue, 27 Jul 2021 at 16:43, H agents@meddatainc.com wrote:
Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, ie before fail2ban would (eventually) ban connection attempts.
This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
Is it necessary to run:
iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
Yes. iptables is one of the first things which will see the packets coming to the server, as it is implemented in kernel space. hosts.deny only comes in for specific services which are compiled to use it.
[Internet] <-> [iptables] <-> [systemd if used] <-> [xinetd w/tcp-wrappers]
In the above example, a packet coming from the internet gets interpreted and dealt with by multiple tools, and hosts.deny is only used in the last section, where xinetd and similar programs compiled with tcp-wrappers look at the hosts.deny file.
to drop incoming connection attempts from that subnet?
Thank you!
Thank you, I will utilize iptables (I am running C7).
On Jul 27, 2021, at 16:43, H agents@meddatainc.com wrote:
Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, ie before fail2ban would (eventually) ban connection attempts.
This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
Is it necessary to run:
iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
to drop incoming connection attempts from that subnet?
Upstream openssh dropped support for tcp wrappers (hosts.deny) a while ago but RHEL had patched support back in for a while, but I believe it isn’t supported anymore.
For what it’s worth, if you use the fail2ban-firewalld package, it uses ipset rather than iptables, which is more efficient.
-- Jonathan Billings
On Jul 28, 2021, at 08:44, Jonathan Billings billings@negate.org wrote:
For what it’s worth, if you use the fail2ban-firewalld package, it uses ipset rather than iptables, which is more efficient.
That’s in CentOS 7 though. CentOS 8 firewalld uses nft instead of the older netfilter (iptables/ipset) code.
-- Jonathan Billings
Anyone using or working with VzLinux, seems to be an upstream distro of CentOS/RHEL and no vendors involved.... Would love to hear experiences..... thanks! :-)
On Wed, 2021-07-28 at 08:49 -0400, Jonathan Billings wrote:
On Jul 28, 2021, at 08:44, Jonathan Billings billings@negate.org wrote:
For what it’s worth, if you use the fail2ban-firewalld package, it uses ipset rather than iptables, which is more efficient.
That’s in CentOS 7 though. CentOS 8 firewalld uses nft instead of the older netfilter (iptables/ipset) code.
-- Jonathan Billings
On Wed, Jul 28, 2021 at 7:56 AM mario juliano grande-balletta < mario.balletta@gmail.com> wrote:
Anyone using or working with VzLinux, seems to be an upstream distro of CentOS/RHEL and no vendors involved.... Would love to hear experiences..... thanks! :-)
No vendors? It's the product of a single vendor, the long running Linux hypervisor platform creator Virtuozzo. They made it to run on their OpenVZ hypervisor platform.
https://www.virtuozzo.com/product-updates/virtuozzo-vzlinux-8-4-now-availabl...
Thanks John! Appreciate it..... a co-worker uploaded an appliance into customer vCenter and it was VzLinux, never saw it or heard of it before, didn't have time to research, just thought I would ask the group here for a quick answer, thanks!
On Wed, 2021-07-28 at 09:16 -0500, Jon Pruente wrote:
On Wed, Jul 28, 2021 at 7:56 AM mario juliano grande-balletta < mario.balletta@gmail.com> wrote: Anyone using or working with VzLinux, seems to be an upstream distro of CentOS/RHEL and no vendors involved.... Would love to hear experiences..... thanks! :-)
No vendors? It's the product of a single vendor, the long running Linux hypervisor platform creator Virtuozzo. They made it to run on their OpenVZ hypervisor platform.
https://www.virtuozzo.com/product-updates/virtuozzo-vzlinux-8-4-now-availabl...
On Wed, Jul 28, 2021 at 09:16:48AM -0500, Jon Pruente wrote:
No vendors? It's the product of a single vendor, the long running Linux hypervisor platform creator Virtuozzo. They made it to run on their OpenVZ hypervisor platform.
https://www.virtuozzo.com/product-updates/virtuozzo-vzlinux-8-4-now-availabl...
And it does appear to be downstream from RHEL, another rebuild like Alma, Rocky, Springdale, etc.
On Wed, Jul 28, 2021 at 08:56:29AM -0400, mario juliano grande-balletta wrote:
Anyone using or working with VzLinux, seems to be an upstream distro of CentOS/RHEL and no vendors involved.... Would love to hear experiences..... thanks!
Please start a new thread rather than replying to an existing thread, thanks!
For what its worth, I'm not sure what you mean in your subject about Microsoft involvement/contamination. What does that have to do with anything?
For what it’s worth, if you use the fail2ban-firewalld package, it uses ipset rather than iptables, which is more efficient.
That’s in CentOS 7 though.
CentOS 8 firewalld uses nft instead of the older netfilter (iptables/ipset) code.
Is that an improvement? I'm still running Centos7 so I'm not familiar with it.
On 7/28/2021 1:57 PM, Scott Techlist wrote:
Is that an improvement? I'm still running Centos7 so I'm not familiar with it.
https://ungleich.ch/en-us/cms/blog/2018/08/18/iptables-vs-nftables/
On 28.07.21 14:44, Jonathan Billings wrote:
On Jul 27, 2021, at 16:43, H agents@meddatainc.com wrote:
Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, ie before fail2ban would (eventually) ban connection attempts.
This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
Is it necessary to run:
iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
to drop incoming connection attempts from that subnet?
Upstream openssh dropped support for tcp wrappers (hosts.deny) a while ago but RHEL had patched support back in for a while, but I believe it isn’t supported anymore.
For what it’s worth, if you use the fail2ban-firewalld package, it uses ipset rather than iptables, which is more efficient.
TCP wrappers (hosts.allow/deny) are deprecated now.
It's still supported in EL7 (sshd example):
ldd /usr/sbin/sshd | grep wrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fcc483ee000)
but not in EL8 anymore. EL8 is based on F28/29 -> https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers
For the question above (for EL7): only services that are compiled against libwrap use hosts.deny; everything else will be reachable (if iptables does not drop it).
For EL8, as depicted in the above URI: systemd provide a similar functionality ...
-- Leon
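Leon's ldd check above answers the question for one binary. The script below is an added example, not code from the thread, that extends the same check to every listening TCP service on the host: it pulls the owning PIDs out of `ss -tlnp`, resolves each to its executable through /proc, and reports whether that executable is linked against libwrap, i.e. whether /etc/hosts.allow and /etc/hosts.deny apply to it at all. The sample `ss` output embedded in the script is constructed for a self-check, and the `audit` argument and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): list which listening TCP daemons are
# actually linked against libwrap, i.e. which ones will ever consult
# /etc/hosts.allow and /etc/hosts.deny. Everything else ignores those files.

# True if the binary at $1 has libwrap as a direct NEEDED dependency.
# readelf only reads the ELF headers; ldd may run the program's dynamic
# loader, so readelf is preferred when the binary itself might be untrusted.
uses_tcp_wrappers() {
    [ -f "$1" ] || return 1
    if command -v readelf >/dev/null 2>&1; then
        readelf -d "$1" 2>/dev/null | grep -q 'NEEDED.*libwrap'
    else
        ldd "$1" 2>/dev/null | grep -q 'libwrap'
    fi
}

# Pull the unique process IDs out of "ss -tlnp" output, whose process column
# looks like: users:(("sshd",pid=1234,fd=3))
pids_from_ss() {
    printf '%s\n' "$1" | grep -o 'pid=[0-9]*' | cut -d= -f2 | sort -un
}

# Walk every listening TCP socket and report whether its owner honours
# hosts.deny. Needs root so /proc/PID/exe is readable for every process.
audit_listeners() {
    listeners=$(ss -tlnp 2>/dev/null) || { echo "ss failed (is iproute installed?)" >&2; return 1; }
    for pid in $(pids_from_ss "$listeners"); do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || continue
        if uses_tcp_wrappers "$exe"; then
            echo "pid $pid $exe: linked with libwrap, hosts.deny applies"
        else
            echo "pid $pid $exe: NOT linked with libwrap, hosts.deny is ignored"
        fi
    done
}

# Constructed sample of "ss -tlnp" output, used only for a quick self-check.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1234,fd=3))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=2222,fd=4),("httpd",pid=2223,fd=4))'

# Run the live audit only when asked, so the file can also be sourced:
#   sh audit_wrappers.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_listeners
fi
```

Run it as root (`sh audit_wrappers.sh audit`) so /proc/PID/exe resolves for processes owned by other users. Any daemon the report flags as "NOT linked with libwrap" is exactly the case the thread describes: it is reachable regardless of what hosts.deny says, and only iptables or firewalld can keep a subnet away from it. On EL8, where libwrap is gone, the per-service control Leon alludes to is systemd's IPAddressDeny= / IPAddressAllow= settings in the unit file, which work for any service systemd starts rather than only for those compiled against a library.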
On 07/28/2021 10:01 AM, Leon Fauster via CentOS wrote:
On 28.07.21 14:44, Jonathan Billings wrote:
On Jul 27, 2021, at 16:43, H agents@meddatainc.com wrote:
Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, ie before fail2ban would (eventually) ban connection attempts.
This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
Is it necessary to run:
iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
to drop incoming connection attempts from that subnet?
Upstream openssh dropped support for tcp wrappers (hosts.deny) a while ago but RHEL had patched support back in for a while, but I believe it isn’t supported anymore.
For what it’s worth, if you use the fail2ban-firewalld package, it uses ipset rather than iptables, which is more efficient.
TCP wrappers (hosts.allow/deny) are deprecated now.
It's still supported in EL7 (sshd example):
ldd /usr/sbin/sshd | grep wrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fcc483ee000)
but not in EL8 anymore. EL8 is based on F28/29 -> https://fedoraproject.org/wiki/Changes/Deprecate_TCP_wrappers
For the question above (for EL7): only services that are compiled against libwrap use hosts.deny; everything else will be reachable (if iptables does not drop it).
For EL8, as depicted in the above URI: systemd provide a similar functionality ...
-- Leon
Got it, will utilize iptables. I guess my previous experience was with C6.
On 07/28/2021 08:44 AM, Jonathan Billings wrote:
On Jul 27, 2021, at 16:43, H agents@meddatainc.com wrote:
Running CentOS 7. I was under the impression - seemingly mistaken - that by adding a rule to /etc/hosts.deny such as ALL: aaa.bbb.ccc.* would ban all attempts from that network segment to connect to the server, ie before fail2ban would (eventually) ban connection attempts.
This, however, does not seem correct and I could use a pointer to correct my misunderstanding. How is hosts.deny used and what have I missed?
Is it necessary to run:
iptables -I INPUT -s aaa.bbb.ccc.0/24 -j DROP
to drop incoming connection attempts from that subnet?
Upstream openssh dropped support for tcp wrappers (hosts.deny) a while ago but RHEL had patched support back in for a while, but I believe it isn’t supported anymore.
For what it’s worth, if you use the fail2ban-firewalld package, it uses ipset rather than iptables, which is more efficient.
-- Jonathan Billings
Noted, thank you.