Different ways to block a hostname or IP address in Linux?

Today we will look at an interesting topic: the various ways to block a specific hostname or IP address on a Linux machine.

1. TCP Wrappers: /etc/hosts.allow and /etc/hosts.deny

The beauty of TCP wrappers is that we can block any specific service, or all services, from any IP address on our Linux system.
The syntax of the files is also simple. Sample files are shown below.

a. To deny SSH from one IP address.

# cat /etc/hosts.deny
sshd : 192.168.0.134

### /etc/hosts.allow file remains empty

b. To allow SSH from only one IP address.

# cat /etc/hosts.deny
sshd : ALL
ALL : ALL

# cat /etc/hosts.allow
sshd : 192.168.0.134,LOCAL
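To see how tcpd actually applies these two files, here is an added evaluator (written for this post, not code from tcp_wrappers) covering the client patterns used above: ALL, LOCAL, a literal address, net/mask, a trailing-dot address prefix and a leading-dot domain suffix. It follows tcpd's order, hosts.allow first and then hosts.deny, with anything matching neither file let in; the sample files are constructed to reproduce scenario (b).

```python
import ipaddress

# Constructed hosts.allow / hosts.deny pair reproducing scenario (b) above:
# hosts.deny closes everything, hosts.allow re-opens sshd for one address and local hosts.
HOSTS_ALLOW_B = "sshd : 192.168.0.134,LOCAL\n"
HOSTS_DENY_B = "sshd : ALL\nALL : ALL\n"

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; an optional third (shell command) field is ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = (field.strip() for field in line.split(":", 2)[:2])
        rules.append((daemons.replace(",", " ").split(), clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, client):
    """Subset of tcpd client patterns; `client` is the address or name tcpd resolved."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":               # LOCAL: a name without a dot, i.e. a host in the local domain
        return "." not in client
    if "/" in pattern:                   # 10.0.0.0/255.0.0.0 or CIDR: compared as addresses
        try:
            return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.endswith("."):            # 192.168.0. matches every 192.168.0.x (string prefix)
        return client.startswith(pattern)
    if pattern.startswith("."):          # .example.org matches any host below it (string suffix)
        return client.endswith(pattern)
    return pattern == client

def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return ("ALL" in daemons or daemon in daemons) and any(client_matches(p, client) for p in clients)

def tcpd_allows(daemon, client, allow_text, deny_text):
    """Mirror tcpd's decision order: hosts.allow is consulted first and wins on a match,
    then hosts.deny; a client that matches neither file is granted access."""
    if any(rule_matches(r, daemon, client) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, client) for r in parse_rules(deny_text)):
        return False
    return True
```

Note that in scenario (b) every other service is closed to every client by the `ALL : ALL` line, not only sshd.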


2. Login Access Control Table: /etc/security/access.conf
The /etc/security/access.conf file can accept or refuse a login based on a group of directives of the form:
(user/group, host),
(user/group, network/netmask) or
(user/group, tty).

To understand this, let's look at the file syntax.
The syntax is documented in the comments of /etc/security/access.conf itself.

[root@nglinux ~]# cat /etc/security/access.conf

# User "root" should get access from network 192.168.201.
# This term will be evaluated by string matching.
# comment: It might be better to use network/netmask instead.
#          The same is 192.168.201.0/24 or 192.168.201.0/255.255.255.0
#+ : root : 192.168.201.
#
# User "root" should be able to have access from domain.
# Uses string matching also.
#+ : root : .foo.bar.org
#
# User "root" should be denied to get access from all other sources.
#- : root : ALL
#
# User "foo" and members of netgroup "nis_group" should be
# allowed to get access from all sources.
# This will only work if netgroup service is available.
#+ : @nis_group foo : ALL
#
# User "john" should get access from ipv4 net/mask
#+ : john : 127.0.0.0/24
#
# User "john" should get access from ipv4 as ipv6 net/mask
#+ : john : ::ffff:127.0.0.0/127
#
# User "john" should get access from ipv6 host address
#+ : john : 2001:4ca0:0:101::1
#
# User "john" should get access from ipv6 host address (same as above)
#+ : john : 2001:4ca0:0:101:0:0:0:1
#
# User "john" should get access from ipv6 net/mask
#+ : john : 2001:4ca0:0:101::/64
#
# All other users should be denied to get access from all sources.
#- : ALL : ALL
[root@nglinux ~]# 
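An added evaluator for the rule format quoted above (written for this post, not pam_access code; it implements a subset of the syntax and assumes no netgroup service, so `@nis_group` never matches). It applies the first matching rule the way pam_access does and shows the distinction the file comments on: a net/mask origin is compared as an address, while a trailing-dot origin such as `192.168.201.` is only a string prefix match against the origin text.

```python
import ipaddress

# Constructed access.conf using the same rules as the commented examples above.
ACCESS_CONF = """\
+ : root : 192.168.201.
+ : root : .foo.bar.org
- : root : ALL
+ : john : 127.0.0.0/24
+ : john : 2001:4ca0:0:101::/64
- : ALL : ALL
"""

def parse_access_conf(text):
    """Parse 'permission : users : origins' lines (lists are space separated)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.count(":") < 2:
            continue
        perm, users, origins = (field.strip() for field in line.split(":", 2))
        rules.append((perm == "+", users.split(), origins.split()))
    return rules

def origin_matches(pattern, origin):
    """Origin forms used in the file: ALL, net/mask or CIDR, 'a.b.c.' prefix, '.domain' suffix, literal."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                   # network/netmask: compared as addresses
        try:
            return ipaddress.ip_address(origin) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    if pattern.endswith("."):            # 192.168.201. : plain string prefix on the origin text
        return origin.startswith(pattern)
    if pattern.startswith("."):          # .foo.bar.org : plain string suffix
        return origin.endswith(pattern)
    return pattern == origin

def user_matches(pattern, user):
    if pattern == "ALL":
        return True
    if pattern.startswith("@"):          # @netgroup: assumed unavailable here, so it never matches
        return False
    return pattern == user

def access_allowed(user, origin, conf_text):
    """First matching rule decides, as in pam_access; with no matching rule access is granted."""
    for permit, users, origins in parse_access_conf(conf_text):
        if any(user_matches(u, user) for u in users) and any(origin_matches(o, origin) for o in origins):
            return permit
    return True
```

Because the default with no matching rule is to grant access, a file without the final `- : ALL : ALL` line restricts only the users it names.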


3. iptables or firewalld
iptables and firewalld work with the netfilter kernel module to filter IPv4 packets and perform NAT.
These programs filter the selected packets and take the action defined in the matching rule.

Let us look at an example below:
a. To block a specific IP address.

# the syntax is as follows:
iptables -A INPUT -s IP-ADDRESS -j DROP

b. How to add a rule and verify it?

### Let's block all packets from the 192.168.0.5 IP address.
### Hence we will match all such packets and drop them.
[root@nglinux ~]# iptables -nvL
Chain INPUT (policy ACCEPT 696 packets, 76555 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 279 packets, 67982 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@nglinux ~]# 

[root@nglinux ~]# iptables -A INPUT -s 192.168.0.5 -j DROP
[root@nglinux ~]# 

[root@nglinux ~]# iptables -nvL
Chain INPUT (policy ACCEPT 9 packets, 628 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       192.168.0.5          0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 5 packets, 636 bytes)
 pkts bytes target     prot opt in     out     source               destination         
[root@nglinux ~]# 

### We also need to save the iptables rules, else they will disappear after a service restart.
[root@nglinux ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@nglinux ~]# 

Similarly, we can use the firewalld command instead of iptables.
Both work on the same module, i.e. netfilter, hence only one of them can be in use at a time (both services can't be started at the same time).
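To verify the effect of such a rule from the `iptables -nvL` listing, here is an added checker (written for this post, not part of iptables) that parses the listing and walks the INPUT chain the way netfilter does, first match wins. Both listings are constructed: in the first the DROP was appended with -A behind an existing ACCEPT for the whole 192.168.0.0/24 subnet and is therefore never reached; in the second it was inserted at the top with `iptables -I INPUT 1 -s 192.168.0.5 -j DROP`. Only the source column is compared; protocol, interface and extra match conditions are ignored.

```python
import ipaddress
import re

# Constructed `iptables -nvL` listings in the layout shown above. First: the DROP was
# appended with -A to a chain that already ACCEPTs the whole 192.168.0.0/24 subnet.
SAMPLE_APPENDED = """\
Chain INPUT (policy ACCEPT 9 packets, 628 bytes)
 pkts bytes target     prot opt in     out     source               destination
   42  3100 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
    0     0 DROP       all  --  *      *       192.168.0.5          0.0.0.0/0
"""
# Second: the same block added with `iptables -I INPUT 1 -s 192.168.0.5 -j DROP`.
SAMPLE_INSERTED = """\
Chain INPUT (policy ACCEPT 9 packets, 628 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       192.168.0.5          0.0.0.0/0
   42  3100 ACCEPT     all  --  *      *       192.168.0.0/24       0.0.0.0/0
"""

def parse_nvl(text):
    """Return {chain: {"policy": str or None, "rules": [...]}} from iptables -nvL output."""
    chains, current = {}, None
    for line in text.splitlines():
        header = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if header:
            current = header.group(1)
            chains[current] = {"policy": header.group(2), "rules": []}
            continue
        fields = line.split()
        if current and len(fields) >= 9 and fields[0][:1].isdigit():
            # column order: pkts bytes target prot opt in out source destination [match extras]
            chains[current]["rules"].append({"target": fields[2], "source": fields[7]})
    return chains

def verdict(chains, chain, src_ip):
    """Walk the chain top to bottom as netfilter does: the first rule whose source column
    covers src_ip decides and its 1-based rule number is returned; otherwise the chain
    policy applies (rule number None). Only the source column is evaluated."""
    addr = ipaddress.ip_address(src_ip)
    for number, rule in enumerate(chains[chain]["rules"], start=1):
        if addr in ipaddress.ip_network(rule["source"], strict=False):
            return rule["target"], number
    return chains[chain]["policy"], None
```

On a host that already carries ACCEPT rules, `-I` (insert at the top) rather than `-A` (append) is what makes the DROP take effect.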


4. PAM
PAM (Pluggable Authentication Modules) is an authentication framework that can run several checks before authenticating users and granting them access to any system service or module.

With PAM too, we can block specific users and can also add a filter based on IP addresses or hostnames.

However, for this we need to use some third-party PAM modules or shared objects.

For example, there is a module called PAM ABL (PAM Auto Black List) available to protect the system from brute-force attacks.
The official documentation is available here.


5. Workaround: Entry in the /etc/hosts file.
Another workaround is to make a dangling entry in the /etc/hosts file so that your server can't actually reach the real hostname.
Let's look at an example:

[root@nglinux ~]# ping google.com
PING google.com (172.217.31.206) 56(84) bytes of data.

[root@nglinux ~]# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 nglinux
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
10.23.22.1 google.com

[root@nglinux ~]# ping google.com
PING google.com (10.23.22.1) 56(84) bytes of data.
