
Securing-Optimizing-RH-Linux-1_2_44
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®

[root@deep /]# chattr -i /etc/inetd.conf

11. TCP_WRAPPERS

By default Red Hat Linux allows all service requests. Using TCP_WRAPPERS makes securing your servers against outside intrusion a lot simpler and less painful than you would expect. The safest and best configuration is to deny all hosts by putting "ALL: ALL@ALL, PARANOID" in "/etc/hosts.deny" and to explicitly list the trusted hosts that are allowed to reach your machine in the "/etc/hosts.allow" file. Keep in mind that only services started through tcpd from inetd, or linked against libwrap (sshd, for example), consult these two files at all.

TCP_WRAPPERS is controlled from two files, and the search stops at the first match:

/etc/hosts.allow
/etc/hosts.deny

· Access will be granted when a (daemon, client) pair matches an entry in the /etc/hosts.allow file.
· Otherwise, access will be denied when a (daemon, client) pair matches an entry in the /etc/hosts.deny file.
· Otherwise, access will be granted.

Step 1
Edit the hosts.deny file (vi /etc/hosts.deny) and add the following line, so that access is denied by default:

# Deny access to everyone.
ALL: ALL@ALL, PARANOID   # Matches any host whose name does not match its address, see below.

This means all services, all locations: any service not explicitly allowed is blocked, unless the client is permitted access by an entry in the allow file.

NOTE: With the PARANOID parameter, if you intend to run telnet or ftp services on your server, don't forget to add the client machine's name and IP address to the "/etc/hosts" file on the server, or you can expect to wait several minutes for the DNS lookup to time out before you get a login: prompt.

Step 2
Edit the hosts.allow file (vi /etc/hosts.allow) and add, for example, the following line. The explicitly authorized hosts are listed in the allow file.
As an example:

sshd: 208.164.186.1 gate.openarch.com

For your client machine: 208.164.186.1 is the IP address and gate.openarch.com the host name of one of your clients allowed to use sshd.

Step 3
The tcpdchk program is the tcpd wrapper configuration checker. It examines your tcp wrapper configuration and reports all potential and real problems it can find.

· After your configuration is done, run the program tcpdchk.

[root@deep /]# tcpdchk
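To make the search order of Steps 1 and 2 concrete, here is an added example that is not part of the book: a small POSIX shell model of the decision tcpd makes (hosts.allow first, then hosts.deny, otherwise allow). It is not libwrap and it only understands the syntax used in this section (daemon lists, ALL, ALL@ALL, PARANOID, exact names and addresses, ".domain" suffixes and "1.2.3." prefixes); the optional third field of a rule (a shell command) is ignored, and the PARANOID condition is simulated by passing "-" as the client name, standing in for tcpd's own reverse-lookup check. The two sample files it writes are constructed from the lines in Steps 1 and 2; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the book: a simplified model of how tcpd walks
# /etc/hosts.allow and then /etc/hosts.deny.  Not libwrap; it understands
# only the rule syntax used in this section.

# $1 = daemon list ("ALL" or comma/space separated names), $2 = daemon name.
_daemon_match() {
    for tok in $(printf '%s\n' "$1" | tr ',' ' '); do
        case $tok in
            ALL|"$2") return 0 ;;
        esac
    done
    return 1
}

# $1 = client list, $2 = client address, $3 = client host name.
# Pass "-" as $3 when the reverse lookup does not resolve back to $2; that is
# the condition PARANOID matches (a stand-in for tcpd's own check).
_client_match() {
    for tok in $(printf '%s\n' "$1" | tr ',' ' '); do
        tok=${tok#*@}                  # drop a user@ prefix (tcpd would ask identd)
        case $tok in
            ALL)      return 0 ;;
            PARANOID) [ "$3" = "-" ] && return 0 ;;
            .*)       case $3 in *"$tok") return 0 ;; esac ;;   # domain suffix
            *.)       case $2 in "$tok"*) return 0 ;; esac ;;   # network prefix
            *)        [ "$tok" = "$2" ] && return 0
                      [ "$tok" = "$3" ] && return 0 ;;
        esac
    done
    return 1
}

# Return 0 if some "daemon_list : client_list" line in file $4 matches
# daemon $1 and client ($2, $3).  Comments after '#' are stripped.
_wrap_match() {
    [ -r "$4" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case $line in *:*) ;; *) continue ;; esac
        dlist=${line%%:*}
        clist=${line#*:}; clist=${clist%%:*}     # a third field (shell command) is ignored
        _daemon_match "$dlist" "$1" && _client_match "$clist" "$2" "$3" && return 0
    done < "$4"
    return 1
}

# tcpd's decision for daemon $1, client address $2, client name $3, using
# hosts.allow $4 and hosts.deny $5.  Prints "allow" or "deny".
tcpd_decide() {
    if _wrap_match "$1" "$2" "$3" "$4"; then echo allow      # 1. a hosts.allow match wins
    elif _wrap_match "$1" "$2" "$3" "$5"; then echo deny     # 2. then hosts.deny is consulted
    else echo allow                                          # 3. no match anywhere: granted
    fi
}

# Write the two files from Step 1 and Step 2 into directory $1 (constructed sample).
write_demo_files() {
    printf '%s\n' '# Deny access to everyone.' \
        'ALL: ALL@ALL, PARANOID   # any host whose name does not match its address' \
        > "$1/hosts.deny"
    printf '%s\n' 'sshd: 208.164.186.1 gate.openarch.com' > "$1/hosts.allow"
}

# Stand-alone demo: only the trusted client gets sshd; nothing else gets through.
dir=$(mktemp -d)
write_demo_files "$dir"
A=$dir/hosts.allow; D=$dir/hosts.deny
printf 'sshd from gate:                  %s\n' "$(tcpd_decide sshd 208.164.186.1 gate.openarch.com "$A" "$D")"
printf 'in.telnetd from gate:            %s\n' "$(tcpd_decide in.telnetd 208.164.186.1 gate.openarch.com "$A" "$D")"
printf 'sshd from an unlisted host:      %s\n' "$(tcpd_decide sshd 10.1.2.3 - "$A" "$D")"
printf 'sshd from gate, name mismatch:   %s\n' "$(tcpd_decide sshd 208.164.186.1 - "$A" "$D")"
printf 'sshd, unlisted, empty deny file: %s\n' "$(tcpd_decide sshd 10.1.2.3 - "$A" /dev/null)"
rm -rf "$dir"
```

Two of the cases are the ones worth remembering. An address listed in hosts.allow is accepted even when the client's name does not match its address, because the allow file is searched first and PARANOID only lives in the deny file; if you want forward-confirmed names for trusted clients too, put PARANOID in front of them in hosts.allow as well. And with an empty hosts.deny every unlisted client is let in, which is exactly the Red Hat default this section tells you to close. On a real system, tcpdmatch(8) from the same tcp_wrappers package answers these questions against the live files.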