Securing and Optimizing Linux: RedHat Edition - A Hands on Guide
Chapter 5. General System Security
By default Red Hat Linux allows all service requests. Using TCP_WRAPPERS makes securing your servers against outside intrusion a lot simpler and less painful than you would expect. Deny all hosts by putting ALL: ALL@ALL, PARANOID in the /etc/hosts.deny file and explicitly list the trusted hosts that are allowed to reach your machine in the /etc/hosts.allow file. This is the safest and best configuration. TCP_WRAPPERS is controlled from these two files, and the search stops at the first match.
Access will be granted when a daemon, client pair matches an entry in the /etc/hosts.allow file. Otherwise, access will be denied when a daemon, client pair matches an entry in the /etc/hosts.deny file. Otherwise, access will be granted.
Edit the hosts.deny file (vi /etc/hosts.deny) and add the following lines. Access is denied by default:

    # Deny access to everyone.
    # PARANOID matches any host whose name does not match its address, see below.
    ALL: ALL@ALL, PARANOID

Note: With the parameter PARANOID, if you intend to run telnet or ftp services on your server, don't forget to add the client's machine name and IP address in your /etc/hosts file on the server, or you can expect to wait several minutes for the DNS lookup to time out before you get a login: prompt.
Edit the hosts.allow file (vi /etc/hosts.allow) and add, for example, the following line. The explicitly authorized hosts are listed in the allow file:

    sshd: 184.108.40.206 gate.openna.com

For your client machine, 220.127.116.11 is the IP address and gate.openna.com the host name of one of your clients allowed to use sshd.
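To make the search order concrete, here is a small Python model of the tcpd decision rule (allow file first, then deny file, otherwise grant), added here as an illustration and not taken from the book or from the tcp_wrappers code. The supported rule subset, the sample hosts.allow and hosts.deny contents, and the forward-DNS table standing in for gethostbyname() are constructed assumptions.

```python
# Added example (not from the book): a model of tcpd's hosts_access decision order.
# Rule subset understood: ALL, PARANOID, user@host, literal host names and addresses,
# '#' comment lines. Real libwrap does live DNS/ident lookups and supports more syntax.

HOSTS_ALLOW = """\
# The explicitly authorized hosts.
sshd: 184.108.40.206 gate.openna.com
"""
HOSTS_DENY = """\
# Deny access to everyone.
ALL: ALL@ALL, PARANOID
"""
# Constructed forward-DNS table standing in for gethostbyname().
FORWARD_DNS = {"gate.openna.com": "184.108.40.206"}

def parse_rules(text):
    """Return [(daemon_patterns, client_patterns)]; blank and '#' lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            daemons, clients = line.split(":", 1)
            rules.append((daemons.split(), clients.replace(",", " ").split()))
    return rules

def make_client(addr, reverse_name, user="unknown"):
    """Build (addr, name, user). Like tcpd, a reverse name whose forward lookup does
    not give the address back is replaced by 'paranoid', so host patterns cannot match it."""
    name = reverse_name if FORWARD_DNS.get(reverse_name) == addr else "paranoid"
    return addr, name, user

def match_client(pattern, client):
    """Match one client pattern from a rule against a client tuple."""
    addr, name, user = client
    if pattern == "PARANOID":
        return name == "paranoid"
    if "@" in pattern:                     # user@host form
        user_pat, pattern = pattern.split("@", 1)
        if user_pat not in ("ALL", user):
            return False
    return pattern == "ALL" or pattern in (addr, name)

def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """True if access is granted: first match in allow grants, first match in deny refuses."""
    for text, verdict in ((allow, True), (deny, False)):
        for daemons, clients in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and \
                    any(match_client(p, client) for p in clients):
                return verdict
    return True                            # matched neither file: access is granted

if __name__ == "__main__":
    trusted = make_client("184.108.40.206", "gate.openna.com")
    print(hosts_access("sshd", trusted), hosts_access("in.telnetd", trusted))
```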
The tcpdchk program is the tcpd wrapper configuration checker. It examines your tcp wrapper configuration and reports all potential and real problems it can find. After your configuration is done, run the program tcpdchk.
[root@deep] /# tcpdchk
Note: Error messages may look like this:

    warning: /etc/hosts.allow, line 6: can't verify hostname: gethostbyname(win.openna.com) failed.

If you receive this kind of error message, check in your DNS configuration file for the existence of this hostname.
If you don't want your system's issue file to be displayed when people log in remotely, you can change the telnet option in your /etc/inetd.conf file to look like:

    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h