Chapter 8. TCP Wrappers and xinetd
special file or email an administrator. Below is an example of a booby trap in the hosts.deny file
which writes a log line containing the date and client information every time a host in the
IP range 10.0.1.0 to 10.0.1.255 attempts to connect via Telnet:
in.telnetd: 10.0.1.: spawn (/bin/echo `date` %c >> /var/log/telnet.log) &
Another feature of using shell commands is support for expansions. Expansions provide the command
with information about the client, server, and process involved. Below is a list of supported
expansions:
%a    The client's IP address.
%A    The server's IP address.
%c    Supplies a variety of client information, such as the username and hostname, or the username
      and IP address, depending on how much is available.
%d    The daemon process name.
%h    The client's hostname (or IP address, if the hostname is unavailable).
%H    The server's hostname (or IP address, if the hostname is unavailable).
%n    The client's hostname. If unavailable, unknown is printed. If the client's hostname and host
      address do not match, paranoid is printed.
%N    The server's hostname. If unavailable, unknown is printed. If the server's hostname and host
      address do not match, paranoid is printed.
%p    The daemon process ID.
%s    Various types of server information, such as the daemon process and the host or IP address
      of the server.
%u    The client's username. If unavailable, unknown is printed.
For a full explanation of available shell commands, as well as some additional access control
examples, see the hosts_access man page.
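The script below is an added example, not part of the original guide, and serves both the booby trap shown above and the expansion list: it replaces the one-line `/bin/echo` trap with a helper that receives the %d, %a, %h and %u expansions as arguments. The path /usr/local/sbin/wrap-trap.sh, the WRAP_TRAP_LOG variable and the log line layout are assumptions. tcp_wrappers already replaces characters that could confuse the shell inside % expansions with underscores; the script additionally restricts each field to a conservative character set, so a hostile reverse DNS name or IDENT reply cannot break the log format, and it mirrors each line to syslog via logger(1) where available, so a copy survives if the local file is later tampered with.

```sh
#!/bin/sh
# wrap-trap.sh: logging helper for a tcp_wrappers "spawn" booby trap.
# Added example (not from the Red Hat Linux Security Guide); the script path
# and the WRAP_TRAP_LOG variable are assumptions.
#
# Intended hosts.deny rule; tcp_wrappers expands the % sequences before the
# shell sees them and replaces shell-special characters with underscores:
#
#   in.telnetd: 10.0.1.: spawn (/usr/local/sbin/wrap-trap.sh %d %a %h %u) &

LOGFILE=${WRAP_TRAP_LOG:-/var/log/telnet.log}

# Timestamp in a sortable, timezone-free form (the guide's example uses plain
# `date`, whose output is locale dependent and harder to grep).
utc_now() {
    date -u +%Y-%m-%dT%H:%M:%SZ
}

# Replace anything outside a conservative character set with "_", so a field
# can never contain newlines, control bytes or shell metacharacters even if
# the caller bypassed tcp_wrappers' own sanitising.
sanitise() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._@:-' '_'
}

# format_trap_line TIMESTAMP DAEMON CLIENT_IP CLIENT_HOST CLIENT_USER
# Builds one log line from already-expanded values; pure function, no I/O.
format_trap_line() {
    printf '%s daemon=%s client=%s host=%s user=%s\n' \
        "$1" "$(sanitise "${2:-unknown}")" "$(sanitise "${3:-unknown}")" \
        "$(sanitise "${4:-unknown}")" "$(sanitise "${5:-unknown}")"
}

# record_trap DAEMON CLIENT_IP CLIENT_HOST CLIENT_USER
# Appends the line to LOGFILE (O_APPEND keeps short concurrent writes whole),
# mirrors it to syslog when logger(1) exists, and echoes it for the caller.
record_trap() {
    line=$(format_trap_line "$(utc_now)" "$@")
    printf '%s\n' "$line" >> "$LOGFILE"
    if command -v logger >/dev/null 2>&1; then
        logger -p authpriv.warning -t wrap-trap -- "$line" 2>/dev/null || :
    fi
    printf '%s\n' "$line"
}

# When invoked by tcp_wrappers the four expansions arrive as arguments; when
# sourced for testing nothing runs.
if [ $# -ge 4 ]; then
    record_trap "$@"
fi
```

Install the script mode 0755 and owned by root, and keep the trailing `&` in the rule so the connection is not delayed while the log line is written.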
Note
Special attention must be given to portmap when using host access control lists. Only IP addresses or
the ALL option should be used when specifying hosts to allow or deny, as host names are not
supported. In addition, changes to the host access control lists that concern portmap may not take
effect immediately.
As widely used services, such as NIS and NFS, depend on portmap to operate, be aware of these
limitations before depending on hosts.allow and hosts.deny to control access.
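The entries below are an added example, not from the guide, showing the form the note requires for portmap: hosts.deny blocks everyone, and hosts.allow admits only a numeric network (192.168.1.0/24 is an assumed internal network). A hostname pattern such as .example.com never matches for portmap, so placing one in hosts.allow locks those clients out instead of admitting them; it is shown commented out as the setting to avoid.

```text
# /etc/hosts.allow   (added example; 192.168.1.0/24 is an assumed internal network)
portmap: 192.168.1.0/255.255.255.0
# portmap: .example.com        <- does not work: portmap matches IP addresses only, never hostnames

# /etc/hosts.deny
portmap: ALL
```

Verify rather than assume, since the note warns that the change may not apply immediately: `rpcinfo -p <server>` from a client outside the allowed network should fail, while NFS and NIS clients inside the network should still be able to list the registered programs.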
8.3. Access Control Using xinetd
The benefits offered by TCP wrappers are enhanced when the libwrap.a library is used in conjunction
with xinetd, a super daemon that provides additional access, logging, binding, redirection and
resource utilization control.
Red Hat Linux configures a variety of popular network services to be used with xinetd, including
FTP, IMAP, POP, and Telnet. When any of these services are accessed via their port numbers in
/etc/services, the xinetd daemon handles the request. Before bringing up the requested network
service, xinetd ensures that the client host information meets the access control rules, the number of