hosts.deny vs iptables

jdow jdow at earthlink.net
Wed May 24 19:29:01 UTC 2006


From: "Ed Kim" <ed.kim at rhatbox.com>
> jdow wrote:
>> From: "Bruno Wolff III" <bruno at wolff.to>
>>>  CodeHeads <codeheads at gmail.com> wrote:
>>>> Hello all,
>>>> I searched the archives and Google and did not find what I was
>>>> looking for.
>>>>
>>>> This is my setup:
>>>> Web Server with virtual hosts; FC4; IPTables and SELinux Running
>>>>
>>>> My question is which is better, IPTables or hosts.deny???
>>>
>>> You want to use iptables. There may be some benefit to using
>>> hosts.deny/allow in that you can do DNS lookups at the time of
>>> connection rather than when the rules are set up. While you don't
>>> want to depend on DNS for access, it is reasonable to use it to
>>> deny access in most situations.
>>>
>>>> I read somewhere, cannot remember, that hosts.deny does not read httpd
>>>> requests??
>>>
>>> For Apache, you can configure allowed and denied hosts in httpd.conf
>>> and you don't need hosts.deny/allow.
>>>
>>>>
>>>> I am mostly concerned in blocking IP ranges with either.
>>>
>>> For this case it is probably best to build these restrictions into your
>>> iptables rules.
>> 
>> Please, may I be obnoxious and introduce Belt and Suspenders to Mr.
>> Elastic Band, who is expected to work with them?
>> 
>> In-depth defense is worthwhile. It also allows for interesting
>> fine-tuning potentials.
>> 
>> {^_-}
>> 
> 
> There is a significant difference between hosts.deny and iptables.
> Iptables is a firewall, therefore it is the first line of defense
> between your computer and the outside world.  If you want to make sure
> something or someone doesn't get into your computer, use Iptables.
> 
> Hosts.deny is another layer of protection but it only works with TCP
> wrapped applications.  Some examples of TCP-wrapped apps are sshd,
> xinetd, and sendmail...  you can tell if an application uses TCP
> wrappers by the command
> strings -f /usr/sbin/sshd | grep hosts_access
> Because Apache does not use TCP wrappers, hosts.deny would be
> ineffective for http requests.

As was pointed out, Apache has its own built-in version of hosts.deny
etc. Firewalls are still a fine first layer of defense. If you do not
care if people from, say, parts of China and Korea, for example, use your
system you can block them at the firewall rather than wait until they
are inside and tickling Apache. If you ALSO place them on the Apache
access denial list you have to remember this, hey - log your change
activities - good practice anyway, but you get a second level of
protection from locations that are troublesome. If you can find an
elastic band level of security, use it too.

(And unless it has changed since I last played with Apache you CAN
run it as an xinetd toy. But it's not recommended for rather obvious
reasons. {^_-})

{^_^}
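The TCP-wrappers check and the three blocking layers discussed in this thread (firewall, hosts.deny, Apache's own access list), as an added example that is not part of any message above. It assumes IPv4 CIDR input, uses grep in place of strings(1) for the hosts_access check, and only prints rules rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for the layers the thread
# discusses: the TCP-wrappers check (grep used in place of strings(1) so
# it runs without binutils; same hosts_access() test), and a generator
# that turns one IPv4 CIDR range into the matching iptables rule,
# hosts.deny line (net/mask form per hosts_access(5)) and Apache
# "Deny from" directive. Rules are printed, never applied.
# Usage after sourcing: block_rules 192.0.2.0/24 sshd

# uses_tcp_wrappers FILE -> exit 0 if the binary references hosts_access()
uses_tcp_wrappers() {
    grep -q hosts_access "$1"
}

# prefix_to_mask LEN -> dotted netmask for an IPv4 prefix length (0-32)
prefix_to_mask() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    p=$1 mask=
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then
            o=255; p=$((p - 8))
        else
            o=$(( (255 << (8 - p)) & 255 )); p=0
        fi
        mask="$mask${mask:+.}$o"
    done
    echo "$mask"
}

# block_rules CIDR SERVICE -> one line per layer: firewall, wrappers, Apache
block_rules() {
    case "$1" in
        */*) ;;
        *) echo "block_rules: expected a.b.c.d/len, got '$1'" >&2; return 1 ;;
    esac
    net=${1%/*}
    mask=$(prefix_to_mask "${1#*/}") || return 1
    echo "iptables -A INPUT -s $1 -j DROP"   # belt: dropped before any daemon sees it
    echo "$2: $net/$mask"                    # suspenders: hosts.deny, wrapped services only
    echo "Deny from $1"                      # elastic band: Apache's own access control
}
```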




More information about the fedora-list mailing list