Controlling Access to Servers

As delivered by most vendors, Unix is a friendly and trusting operating system. By default, network services are offered to every other computer on the network. Unfortunately, this practice is not an advisable policy in today’s networked world. While you may want to configure your network server to offer a wide variety of network services to computers on your organization’s internal network, you probably want to restrict the services that your computer offers to the outside world.

A few Unix servers have built-in facilities for limiting access based on the IP address or hostname of the computer making the service request.[137] For example, NFS allows you to specify which hosts can mount a particular filesystem, and nntp allows you to specify which hosts can read Netnews. Unfortunately, these services are in the minority: most Unix servers have no facility for controlling access on a host-by-host or network-by-network basis.

There are several techniques that you can use to control access to servers that do not provide their own systems for access control. These include:

Use TCP Wrapperss

You can use the TCP Wrapperss program (developed by Wietse Venema) to control access to specific services according to rules located in the /etc/hosts.allow and /etc/hosts.deny files.[138] The TCP Wrappers program can log incoming connections via syslog—whether or not the actual Internet daemon provides logging. TCP Wrappers also allows different server executables ...

Get Practical UNIX and Internet Security, 3rd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.