Chapter 8. TCP Wrappers and xinetd
Caution
The KNOWN, UNKNOWN, and PARANOID wildcards should be used very carefully, as a disruption in name resolution may prevent legitimate users from gaining access to a service.
The access control language also contains a powerful operator, EXCEPT, which allows separate lists to be combined within the same rule line. When EXCEPT is used between two lists, the first list applies unless an entry from the second list matches an entity covered by the first list. EXCEPT can be used with daemon or client lists. Consider the following hosts.allow example:
# all domain.com hosts are allowed to connect
# to all services except cracker.domain.com
ALL: .domain.com EXCEPT cracker.domain.com
# 123.123.123.* addresses can use all services except FTP
ALL EXCEPT in.ftpd: 123.123.123.
Note
Organizationally, it usually makes more sense to use EXCEPT operators sparingly, choosing instead
to place the exceptions to the rule in the other access control file. This allows all administrators to
quickly scan the appropriate files to see what hosts should be allowed or denied access to which
services, without having to sort through the various EXCEPT operators.
The best way to manage access control with hosts.allow and hosts.deny is to use the two files together to achieve the desired results.
Users who wish to prevent any hosts other than specific ones from accessing services usually place ALL: ALL in hosts.deny. Then, they place lines in hosts.allow, such as:
in.telnetd: 10.0.1.24
in.ftpd: 10.0.1. EXCEPT 10.0.1.1
Alternatively, if you wish to allow anyone to use network services except for specific hosts, leave hosts.allow blank and add any necessary restrictions to hosts.deny, such as:
in.fingerd: 192.168.0.2
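As an added illustration of how the daemon and client lists, the EXCEPT operator, and the hosts.allow / hosts.deny ordering described above fit together, here is a small Python model of the access decision (a constructed example, not the guide's code or the tcp_wrappers implementation). It assumes the lookup order the chapter describes, hosts.allow first and then hosts.deny with access granted when neither file matches, and covers only the pattern forms used in the examples above.

```python
"""Constructed model of the TCP wrappers access decision. Added example,
not code from the guide or from tcp_wrappers. Handles only the forms used
in this chapter: ALL, EXCEPT, leading-dot domain suffixes, trailing-dot
address prefixes and exact daemon/host/address names."""


def _item_matches(pattern, value):
    """Match one list entry against a daemon name, hostname or address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):       # ".domain.com" -> hostname suffix
        return value.endswith(pattern)
    if pattern.endswith("."):         # "123.123.123." -> address prefix
        return value.startswith(pattern)
    return pattern == value


def _list_matches(spec, values):
    """Evaluate "list EXCEPT list"; a second EXCEPT binds to the right,
    so "a EXCEPT b EXCEPT c" reads as "a EXCEPT (b EXCEPT c)"."""
    head, _, rest = spec.partition(" EXCEPT ")
    hit = any(_item_matches(p, v) for p in head.split() for v in values)
    return hit and not (rest and _list_matches(rest, values))


def _file_matches(rules, daemon, host, addr):
    """First matching 'daemon_list : client_list' line wins; an optional
    third field (shell command) is ignored by this model."""
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments, blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if _list_matches(fields[0], [daemon]) and \
                _list_matches(fields[1], [host, addr]):
            return True
    return False


def access_allowed(hosts_allow, hosts_deny, daemon, host, addr):
    """hosts.allow is consulted first, then hosts.deny; if neither file
    matches, access is granted."""
    if _file_matches(hosts_allow, daemon, host, addr):
        return True
    return not _file_matches(hosts_deny, daemon, host, addr)


# The deny-by-default pair from the text, as constructed sample files.
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "in.telnetd: 10.0.1.24\nin.ftpd: 10.0.1. EXCEPT 10.0.1.1\n"
```

Note that EXCEPT entries match exactly, so with the rules above 10.0.1.10 is still allowed to use in.ftpd even though 10.0.1.1 is excluded.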
Warning
Be very careful about using hostnames and domain names in both access control files, especially
hosts.deny. Various tricks could be used by an attacker to circumvent rules specifying a hostname or
domain name. In addition, if your system selectively allows access based on hostname and domain
name information, any disruption in DNS service would prevent even authorized users from using
network services.
Using IP addresses whenever possible can prevent many problems when constructing access control
rules, especially those that deny access.
Beyond simply allowing or denying access to services for certain hosts, TCP wrappers also supports the use of shell commands. These shell commands are most commonly used with deny rules to set up booby traps, which usually trigger actions that log information about failed attempts to a