The FreeBSD Diary

FreeBSD Support
 RE: tcp wrapper
Author: el_kab0ng 
Date:   11-08-00 17:48

The hosts.allow file is in fact a tcp wrappers file...

A decent example is as follows:

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
sshd : .domain.com : allow
sshd : some IP : allow
sshd : 123.somehost.net : allow
sshd : some other IP : allow

# Prevent those with no reverse DNS from connecting.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost
ALL : localhost : allow
ALL : .mydomain.com : allow

# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree - I comment this since I don't use it in the first place...and I do believe by default it's already commented out.

# exim : localhost : allow
# exim : .nice.guy.example.com : allow
# exim : .evil.cracker.example.com : deny
# exim : ALL : allow

# Portmapper is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
portmap : localhost : allow
# portmap : .nice.guy.example.com : allow
# portmap : .evil.cracker.example.com : deny
portmap : ALL : deny

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : someip : allow
ftpd : .somedomain.com : allow
ftpd : 123.somehost.net : allow
ftpd : someotherIP : allow
ftpd : ALL : deny

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
    : spawn (echo Finger. | \
      /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
    : deny

# The rest of the daemons are protected.
ALL : ALL \
    : severity auth.info \
    : twist /bin/echo "You are not welcome to use %d from %h."

# Portsentry Entries
ALL: 209.10.218.250 : DENY
ALL: 207.55.203.141 : DENY
ALL: 207.55.203.141 : DENY
ALL: 209.24.64.4 : DENY

The Portsentry entries are auto-generated by Portsentry to block folks who get cute and try to scan my box, or connect to a port not running a service...

Hope this sample helps...

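tcpd reads a file like the one above top to bottom and stops at the first line whose daemon list and client list both match; on FreeBSD, where everything lives in hosts.allow, a matching line grants access unless it carries the deny option, and twist hands the connection to another command instead of the service. The multi-line spawn and twist rules also only work if each continued line ends in a backslash and any colon inside the command is escaped as "\:", since ":" is the field separator. The simulator below is an added example, not code from this post or from FreeBSD; it parses a constructed file in the same layout (RFC 5737 documentation addresses, chosen for the example) and reports which rule a given daemon/client pair hits. It goes beyond the post by also exercising the net/mask and EXCEPT forms from hosts_access(5) on an assumed extra sshd rule, and it models how tcp_wrappers treats a client whose reverse name does not resolve back to its address: that client is recorded under the name "paranoid", so a forged reverse name never satisfies a ".domain.com" pattern and falls through to the PARANOID line.

```python
import ipaddress
import re

# Constructed sample in the layout of the post's file (RFC 5737 documentation
# addresses). The net/mask EXCEPT rule is an added assumption, not from the post.
SAMPLE_HOSTS_ALLOW = r"""
sshd : .domain.com : allow
sshd : 192.0.2.0/255.255.255.0 EXCEPT 192.0.2.66 : allow
# Prevent those with no reverse DNS from connecting.
ALL : PARANOID : RFC931 20 : deny
ALL : localhost : allow
portmap : ALL : deny
ftpd : 192.0.2. : allow
ftpd : ALL : deny
fingerd : ALL \
    : spawn (echo Finger. | \
      /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
    : deny
ALL : ALL \
    : severity auth.info \
    : twist /bin/echo "You are not welcome to use %d from %h."
"""

def parse_rules(text):
    """[(daemon_list, client_list, [option, ...]), ...] in file order. Backslash-
    newline joins lines, '#' lines are comments, ':' splits fields unless escaped."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip().replace("\\:", ":") for f in re.split(r"(?<!\\):", line)]
        if len(fields) < 2:
            raise ValueError("malformed hosts.allow line: %r" % line)
        rules.append((fields[0], fields[1], fields[2:]))
    return rules

def peer(addr, name=None, name_verified=True):
    """(addr, name) as tcpd sees it: no reverse DNS gives the name 'unknown', a
    name that does not resolve back to addr gives 'paranoid', so a forged
    reverse name never matches a '.domain.com' pattern."""
    return addr, "unknown" if name is None else ("paranoid" if not name_verified else name.lower())

def match_token(tok, who):
    """One client-list token, following the pattern rules in hosts_access(5)."""
    (addr, name), t = who, tok.lower()
    if t == "all":
        return True
    if t in ("unknown", "paranoid"):
        return name == t
    if t in ("known", "local"):
        return name not in ("unknown", "paranoid") and (t == "known" or "." not in name)
    if t.startswith("."):                   # '.domain.com': host name suffix
        return name.endswith(t)
    if t.endswith("."):                     # '192.0.2.': address prefix
        return addr.startswith(t)
    if "/" in t:                            # 'net/mask'
        return ipaddress.ip_address(addr) in ipaddress.ip_network(t, strict=False)
    return t == name or t == addr           # exact host name or address

def match_list(pattern_list, pred):
    """'a b EXCEPT c' matches when a or b matches and c does not; EXCEPT nests
    to the right, so 'a EXCEPT b EXCEPT c' reads as a EXCEPT (b EXCEPT c)."""
    parts = re.split(r"\s+EXCEPT\s+", pattern_list.strip(), maxsplit=1, flags=re.IGNORECASE)
    hit = any(pred(tok) for tok in re.split(r"[\s,]+", parts[0]) if tok)
    if hit and len(parts) == 2:
        return not match_list(parts[1], pred)
    return hit

def evaluate(rules, daemon, who):
    """First rule whose daemon and client lists both match decides: access is
    granted unless it says 'deny'; 'twist' hands the connection to the given
    command instead. With no hosts.deny, a connection matching nothing is allowed."""
    for rule in rules:
        daemons, clients, options = rule
        if not match_list(daemons, lambda t: t.lower() == "all" or t.split("@")[0] == daemon):
            continue
        if not match_list(clients, lambda t: match_token(t, who)):
            continue
        keywords = {opt.split(None, 1)[0].lower() for opt in options if opt}
        if "deny" in keywords:
            return "deny", rule
        if "twist" in keywords:
            return "twist", rule
        return "allow", rule
    return "allow", None

RULES = parse_rules(SAMPLE_HOSTS_ALLOW)

def decide(daemon, addr, name=None, name_verified=True):
    """Verdict for one daemon/client pair against the sample file."""
    return evaluate(RULES, daemon, peer(addr, name, name_verified))[0]

if __name__ == "__main__":
    for args in [("sshd", "198.51.100.7", "box.domain.com"),         # allow: .domain.com
                 ("sshd", "198.51.100.7", "box.domain.com", False),  # deny: forged reverse DNS
                 ("sshd", "192.0.2.66", "x.example.net"),            # twist: cut out by EXCEPT
                 ("ftpd", "203.0.113.9", None)]:                     # deny: no reverse DNS
        print(args, "->", decide(*args))
```

Two things worth noticing when you run it: a localhost connection to portmap is allowed by the earlier "ALL : localhost : allow" line before the "portmap : ALL : deny" line is ever consulted, which is why rule order matters more than the per-daemon sections suggest, and anything not covered by an explicit line ends at the "ALL : ALL" twist rather than being silently allowed. On a real box the equivalent check against the live /etc/hosts.allow is tcpdmatch(8), e.g. tcpdmatch sshd 192.0.2.66, and tcpdchk(8) will flag the missing-backslash kind of error that breaks multi-line rules.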

Topics in this thread:
tcp wrapper - Peter, 10-08-00 13:02
RE: tcp wrapper - el_kab0ng, 11-08-00 17:48