Fedora TCP Wrappers
2007-10-17 12:37
Fedora ships with TCP Wrappers, and every application that supports TCP Wrappers is shipped with libwrap enabled.
Less thrillingly, the default configuration disables TCP Wrappers. Let's fix that. Edit /etc/hosts.deny to deny access by default:
ALL: ALL
Obviously the local machine should be able to access itself using IPv4 and IPv6, so edit /etc/hosts.allow to read:
ALL: 127.
ALL: [::1]/128
Now for every application that needs access, add a line to /etc/hosts.allow. For example, Fedora runs sshd:
sshd: ALL
As another example, an e-mail server might have:
sendmail: ALL
imapd: ALL
The scanner used on the local NATed network might be:
saned: 192.168.1.0/255.255.255.0
One thing to watch for is the xinetd meta-daemon. The name used in hosts.allow is the basename of the program on the "server =" line, not the name on the "service" line.
For example, a TFTP daemon could have a /etc/xinetd.d/tftp of:
service tftp
{
    socket_type = dgram
    protocol    = udp
    wait        = yes
    user        = root
    server      = /usr/sbin/in.tftpd
    server_args = -U 117 -c -s /tftpboot -vvv
    disable     = no
    per_source  = 11
    cps         = 100 2
    flags       = IPv4
}
would have a hosts.allow of:
in.tftpd: 192.168.1.0/255.255.255.0