Securing-Optimizing-RH-Linux-1_2_44
Comments and suggestions concerning this book should be mailed to gmourani@videotron.ca
© Copyright 1999-2000 Gerhard Mourani and Open Network Architecture ®
[root@deep /]# chattr -i /etc/inetd.conf
11. TCP_WRAPPERS
By default Red Hat Linux allows all service requests. Using TCP_WRAPPERS makes securing
your servers against outside intrusion a lot simpler and more painless than you would expect. Denying
all hosts by putting ALL: ALL@ALL, PARANOID in /etc/hosts.deny and explicitly listing the trusted
hosts that are allowed to reach your machine in the /etc/hosts.allow file is the safest and best
configuration.
TCP_WRAPPERS is controlled from two files and the search stops at the first match.
/etc/hosts.allow
/etc/hosts.deny
· Access will be granted when a (daemon, client) pair matches an entry in the /etc/hosts.allow file.
· Otherwise, access will be denied when a (daemon, client) pair matches an entry in the /etc/hosts.deny file.
· Otherwise, access will be granted.
Step 1
Edit the hosts.deny file (vi /etc/hosts.deny) and add the following line:
Access is denied by default.
# Deny access to everyone.
ALL: ALL@ALL, PARANOID #Matches any host whose name does not match its address, see below.
This means all services from all locations, so any service not explicitly allowed is blocked
unless it is permitted access by entries in the allow file.
NOTE: With the PARANOID parameter, if you intend to run telnet or ftp services on your
server, don't forget to add the client machine's name and IP address to the /etc/hosts file on
the server, or you can expect to wait several minutes for the DNS lookup to time out before you
get a login: prompt.
Step 2
Edit the hosts.allow file (vi /etc/hosts.allow) and add, for example, the following line:
The explicitly authorized hosts are listed in the allow file.
As an example:
sshd: 208.164.186.1 gate.openarch.com
For your client machine: 208.164.186.1 is the IP address and gate.openarch.com the host name
of one of your clients allowed to use sshd.
Step 3
The tcpdchk program is the tcpd wrapper configuration checker. It examines your tcp wrapper
configuration and reports all potential and real problems it can find.
· After your configuration is done, run the program tcpdchk.
[root@deep /]# tcpdchk
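To make the search order described above concrete (hosts.allow first, then hosts.deny, otherwise grant), here is an added model of the tcpd decision written for this page; it is not code from the book or from the tcp_wrappers package. The two configuration strings mirror the Step 1 and Step 2 entries, the DNS table is a constructed stand-in for the resolver used to emulate PARANOID, and only the ALL@host form of user@host patterns is modelled (no identd query).

```python
# Constructed sample files mirroring Steps 1 and 2 (not a real server's config).
HOSTS_ALLOW = "sshd: 208.164.186.1 gate.openarch.com\n"
HOSTS_DENY = "# Deny access to everyone.\nALL: ALL@ALL, PARANOID\n"
# Constructed forward-DNS table standing in for the resolver (used for PARANOID).
DNS = {"gate.openarch.com": "208.164.186.1"}

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def host_matches(pattern, addr, name):
    """Host patterns: ALL, '.domain' suffix, 'net.' prefix, or exact address/name."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return name.endswith(pattern)
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern in (addr, name)

def client_matches(pattern, addr, name):
    if pattern == "PARANOID":  # client name does not resolve back to its address
        return DNS.get(name) != addr
    if "@" in pattern:  # user@host form; only ALL@host is modelled (no identd query)
        user, host = pattern.split("@", 1)
        return user == "ALL" and host_matches(host, addr, name)
    return host_matches(pattern, addr, name)

def rule_matches(rules, daemon, addr, name):
    return any(("ALL" in ds or daemon in ds)
               and any(client_matches(c, addr, name) for c in cs)
               for ds, cs in rules)

def access_granted(daemon, addr, name, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd search order: hosts.allow, then hosts.deny, otherwise grant."""
    if rule_matches(parse_rules(allow), daemon, addr, name):
        return True
    if rule_matches(parse_rules(deny), daemon, addr, name):
        return False
    return True
```

With the sample files, sshd from gate.openarch.com is granted while any other daemon or host falls through to the ALL: ALL@ALL line; passing an empty deny string shows the default grant when neither file matches.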