
simple question about /etc/hosts.deny

Discussion in 'General Discussion' started by jols, Dec 3, 2005.

  1. jols (Well-Known Member)
    Does anyone know if the /etc/hosts.deny file is used by cPanel servers, i.e. if you pop an IP address in there, is it blocked from further access?

    We do have apf installed too, and it has its own deny file. I am just wondering if /etc/hosts.deny works as well.

    I am trying to use PortSentry to block port 80 attacks, and PortSentry likes to use the hosts.deny file. I have not figured out how to get PortSentry to add IPs to /etc/apf/deny_hosts.rules
     
  2. chirpy (Well-Known Member)
    You have overkill if you're using APF and hosts.deny. You also should not use portsentry with APF as they can conflict in their tasks. hosts.deny is used by applications that use TCP Wrappers, so adding IP addresses to it will not block all services.

    I'd recommend disabling portsentry. Make sure you have ingress and egress filtering correctly configured in APF and use the /etc/apf/deny_hosts.rules file to block any IP that you want. However, you should keep a check on the number of IP addresses listed in there and keep it down to a sensible level (i.e. only ones that are actively attacking you, not leaving them in there so that it builds too large).
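To make the per-service scope of hosts.deny concrete, here is a small added example (not code from the thread or from cPanel/APF) that parses hosts.deny-style rules and evaluates them the way TCP Wrappers does, for a given daemon name and client IP. The sample rules are constructed; hosts.allow precedence and hostname patterns are left out, and only daemons actually linked against libwrap would ever consult this file in the first place.

```python
"""Simplified TCP Wrappers style evaluation of /etc/hosts.deny rules.

Each rule is "daemon_list : client_list". A rule only applies to the daemons
named in its first field (or ALL), which is why a deny entry meant for httpd
does nothing when httpd is not a libwrap client.
"""
import ipaddress

# Constructed sample hosts.deny content (not a real server's file).
SAMPLE_HOSTS_DENY = """
# deny one attacking host for every wrapped service
ALL: 203.0.113.7
# deny a whole /24 for sshd and vsftpd only
sshd, vsftpd: 198.51.100.0/255.255.255.0
# classic trailing-dot network prefix form
in.telnetd: 192.0.2.
"""


def parse_rules(text):
    """Return a list of (daemons, clients) tuples; comments and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((
            [d.strip() for d in daemons.split(",") if d.strip()],
            [c.strip() for c in clients.split(",") if c.strip()],
        ))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern: ALL, addr/netmask, trailing-dot prefix, or exact IP."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return ip == pattern


def is_denied(rules, daemon, ip):
    """True if hosts.deny would refuse `ip` for `daemon` (assuming hosts.allow is empty)."""
    for daemons, clients in rules:
        if ("ALL" in daemons or daemon in daemons) and any(client_matches(c, ip) for c in clients):
            return True
    return False
```

Running `is_denied(parse_rules(SAMPLE_HOSTS_DENY), "httpd", "198.51.100.9")` returns False while the same query for "sshd" returns True, which is exactly the gap a host-wide firewall rule in APF closes.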
     
  3. jols (Well-Known Member)
    What PortSentry vs. APF conflict?

    Thanks much for your post/reply.

    I am aware that I should keep the deny files down to logical lengths, and of course not put on a hair trigger with any automated security system. However, I am not sure that I agree that PortSentry with APF is overkill, although I do understand that this is the general consensus.

    How exactly would PortSentry and APF conflict? I really don't get it. A blocked IP of someone attacking the server is still a blocked IP of someone attacking the server. Yes? No? So how can two different defence systems, each using their own parameters for detection and enforcement, be in conflict with one another? They certainly do not look at one another! They do not interfere with each other's capacity for detection and enforcement, or do they?

    I am not a firewall and security expert, so bear with me, but we used PortSentry successfully for years fending off attacks from a bunch of Cobalt servers. I think PortSentry is quite effective, particularly in stealth mode to watch certain ports for unusual activity. Apparently so does Oracle, who I believe bought all the licensing for the software at one point and tried to take it completely off the market in order to use the core program in their own proprietary system. Okay, this could be a rumor, but when I was finally ready to employ a sister product, HostSentry, any access to the official PortSentry site took me to Oracle... But I digress.

    I am just now getting into switching on, and working with, the anti-DoS features of APF, but please just look at the two config files of APF and PortSentry. PortSentry appears to be the clear winner in terms of being more configurable, and in terms of being much more of a dedicated application for fending off attacks. To bring the APF anti-DoS feature up to this level of control I believe we would need to install and use Snort with APF (which is something else we may look at in the near future).
     
    #3 jols, Dec 4, 2005
    Last edited: Dec 4, 2005