Using TCP_WRAPPERS makes securing your servers against outside intrusion a lot simpler and less painful. TCP_WRAPPERS is controlled from two files:
/etc/hosts.allow
hosts.allow is checked first, and the rules are checked from first to last. If it finds a rule that explicitly allows you in (i.e., a rule allowing your host, domain, subnet mask, etc.) it lets you connect to the service. If it fails to find any rules that pertain to you in hosts.allow, it then goes to check hosts.deny for a rule denying you entry.
/etc/hosts.deny
Again it checks the rules in hosts.deny from first to last, and the first rule it finds that denies you access (i.e., a rule disallowing your host, domain, subnet mask, etc.) means it doesn't let you in. If it fails to find a rule denying you entry, it then lets you in by default. If you are really paranoid about security (or if you want a default policy of non-optimistic security, in which case this should be the only rule), the rule in hosts.deny should be:
ALL: 0.0.0.0/0.0.0.0
which means all services, all locations, so any service not explicitly allowed is then blocked (remember the default is to allow). You might also want to just default deny access to, say, telnet and leave ftp wide open to the world. To do this you would have in hosts.allow:
in.telnetd: 10.0.0.0/255.255.255.0 # allow access from my internal network of 10.0.0.*
in.ftpd: 0.0.0.0/0.0.0.0 # allow access from anywhere in the world
in hosts.deny:
in.telnetd: 0.0.0.0/0.0.0.0 # deny access to telnetd from anywhere
or if you wish to be really safe:
ALL: 0.0.0.0/0.0.0.0 # deny access to everything from everywhere
This may affect services such as ssh and nfs, so be careful!
Check man hosts.deny and man hosts.allow for more details.
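To make the evaluation order concrete (first match in hosts.allow grants, then first match in hosts.deny refuses, then the default of allow), here is a small evaluator added for this page. It is not the post's own code nor the tcp_wrappers library; the two sample files are constructed to mirror the telnet/ftp example above, and the evaluator only understands the "daemon list : client list" form with ALL, single IPv4 addresses and address/mask clients (no hostname patterns, EXCEPT or shell commands).

```python
"""Added example (not from the original post or the TCP wrappers source):
a small evaluator that walks hosts.allow and hosts.deny in tcpd's order,
so the rules described above can be tried on sample files."""

import ipaddress

# Constructed sample files mirroring the telnet/ftp example on the page.
HOSTS_ALLOW = """
in.telnetd: 10.0.0.0/255.255.255.0   # allow access from the internal network
in.ftpd: 0.0.0.0/0.0.0.0             # ftp open to the world
"""

HOSTS_DENY = """
in.telnetd: 0.0.0.0/0.0.0.0          # telnet refused from everywhere else
"""

# The "really safe" variant: anything not explicitly allowed is refused.
HOSTS_DENY_ALL = "ALL: 0.0.0.0/0.0.0.0   # deny access to everything from everywhere"


def parse_rules(text):
    """Turn a hosts.allow/hosts.deny file into (daemons, clients) tuples,
    skipping blank lines and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, addr):
    """ALL matches anything; 'net/mask' matches by subnet; else exact IP."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # ipaddress accepts dotted-decimal masks such as 255.255.255.0
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def rule_matches(rule, daemon, addr):
    """A rule applies when both its daemon list and its client list match."""
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, addr) for c in clients))


def access_decision(daemon, client_ip, allow_text, deny_text):
    """tcpd order: first match in hosts.allow grants; otherwise first match
    in hosts.deny refuses; otherwise access is granted (the default is allow)."""
    addr = ipaddress.ip_address(client_ip)
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, addr):
            return "allow"
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, addr):
            return "deny"
    return "allow"


if __name__ == "__main__":
    cases = [("in.telnetd", "10.0.0.5", HOSTS_DENY),      # internal: allow
             ("in.telnetd", "192.0.2.9", HOSTS_DENY),     # outside: deny
             ("in.ftpd", "192.0.2.9", HOSTS_DENY),        # ftp open: allow
             ("sshd", "192.0.2.9", HOSTS_DENY),           # unmentioned: default allow
             ("sshd", "192.0.2.9", HOSTS_DENY_ALL)]       # caught by ALL: deny
    for daemon, ip, deny in cases:
        print(daemon, ip, access_decision(daemon, ip, HOSTS_ALLOW, deny))
```

The sshd cases are the point of the exercise: with only the telnet rule in hosts.deny, a daemon nobody mentioned is let in because the default is to allow, and with ALL: 0.0.0.0/0.0.0.0 it is refused, which is exactly why the page warns that the catch-all rule may cut off ssh and nfs. For your real files, the tcp_wrappers package ships tcpdmatch(8), which asks the actual library the same question.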