In my opinion the correct strategy for pretty well any system manager is to put # Deny everything not explicitly allowed in hosts.allow ALL: ALL in /etc/hosts.deny, then figure out what you need in hosts.allow to make services work. This way you may lose a service for an hour or so while you experiment with different service names; the other way you can very easily end up running an unprotected service for ever because you have made a mistake. This certainly applies to workstation managers who are unlikely to want to run services anyway, and it applies to managers of important servers who are very serious about security. So, a request to SuSE: how about changing the default? You could distribute a well-documented hosts.allow which made it pretty well impossible to choose the wrong service name. Regards, Bob ============================================================== Bob Vickers R.Vickers@cs.rhul.ac.uk Dept of Computer Science, Royal Holloway, University of London WWW: http://www.cs.rhul.ac.uk/home/bobv Phone: +44 1784 443691

Togan Muftuoglu schrieb am Wed, 14 Nov 2001 um 19:16:

* Nigel Cox; on 14 Nov, 2001 wrote:

...

it is as if tcpd is not reading the /etc/hosts.* files

Have you restarted inet.d

You don't have to. the tcp wrapper is started with every connection attempt, re-reading /etc/hosts.[allow|deny]. Even programs "directly" linked against libwrap (such as syslogd or sshd) don't have to be restarted; libwrap reads it's configuration files on each new connection. Regards, Bastian -- Bastian Friedrich bastian@bastian-friedrich.de Adress & Fon available on my HP http://www.bastian-friedrich.de/ \~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\ \ A mainframe: The biggest PC peripheral available.