Putting It All Together: An Example
The following examples use DNS hostnames for clarity. However, in general, it is more secure to use TCP Wrappers with explicit IP addresses.
Suppose that you want to allow all connections to your computer, except those from the computers in the domain pirate.net, with a simple /etc/hosts.allow file. Specify:
# # /etc/hosts.allow: # # Allow anybody to connect to our machine except people from pirate.net. # all : .pirate.net : deny all : all : allow
Suppose that you want to modify your rules to allow the use of finger from any of your internal machines, but you want to have external finger requests met with a canned message. You might try this configuration file:
# # /etc/hosts.allow: # # Allow finger from internal machines; give banner to others. # Otherwise, allow anybody to connect except people from pirate.net. # # in.fingerd : LOCAL : allow in.fingerd : all : twist /usr/local/bin/external_fingerd_message all : .pirate.net : deny all : all : allow
If you don’t want to allow pirate.net hosts to finger at all, reverse the order of the second and third rule so that the rules denying pirate.net hosts would match first.
If you discover repeated break-in attempts through telnet and rlogin from all over the world, but you have a particular user who needs to telnet into your computer from the host sleepy.com, you could accomplish this somewhat more complex security requirement with the following configuration file:
# # /etc/hosts.allow: # # Allow email from ...
Get Practical UNIX and Internet Security, 3rd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.