TCP Wrappers
Access to services started by inetd can be controlled through the
tcpd daemon; it reads its access rules from the files /etc/hosts.allow and /etc/hosts.deny. Access to other services, such as portmap,
can be controlled the same way if they have been compiled against
the libwrap library.
Format of /etc/hosts.allow and /etc/hosts.deny:
/etc/hosts.allow -- is checked first by tcpd:
if an entry matches, the host is allowed to access the service;
otherwise /etc/hosts.deny is checked -- if an entry matches,
access is denied. If none of the entries match, or both
files are empty, access is allowed.
Keywords: ALL (matches all requests), EXCEPT (excludes the hosts listed
after it from the list before it), LOCAL (hosts in the local domain - a
name without a dot), KNOWN (resolvable hosts), PARANOID (hostname does not
resolve back to the client's IP), UNKNOWN (unresolvable hosts).
Example:
/etc/hosts.allow
/etc/hosts.deny
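The evaluation order and the keywords described above, modelled in Python as an added illustration (this is not libwrap's code; the rule files, hostnames and addresses are constructed for the example, and only one-level ':'-separated rules without the optional shell-command field are handled):

```python
from collections import namedtuple
# A client as tcpd sees it: ip, reverse-lookup name (None if it fails), forward-lookup ok?
Client = namedtuple("Client", "ip host forward_ok")

# Constructed sample rule files, not copied from any real system.
HOSTS_ALLOW = """
sshd: 10.0.0. EXCEPT 10.0.0.99
portmap: LOCAL
"""
HOSTS_DENY = "ALL: ALL\n"

def parse_rules(text):
    """Split 'daemon_list : client_list' lines into two token lists each."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]           # strip comments
        if ":" in line:
            daemons, clients = line.split(":", 1)
            rules.append((daemons.split(), clients.split()))
    return rules

def client_token_matches(tok, c):
    """One client pattern: keyword, '.domain' suffix, 'net.' prefix or exact."""
    if tok == "ALL":
        return True
    if tok in ("KNOWN", "UNKNOWN"):        # did the reverse lookup succeed?
        return (c.host is not None) == (tok == "KNOWN")
    if tok == "LOCAL":                     # a name without a dot (no domain)
        return c.host is not None and "." not in c.host
    if tok == "PARANOID":                  # name resolves, but not to this address
        return c.host is not None and not c.forward_ok
    if tok.startswith("."):
        return c.host is not None and c.host.endswith(tok)
    if tok.endswith("."):
        return c.ip.startswith(tok)
    return tok in (c.ip, c.host)

def list_matches(tokens, one):
    """'a EXCEPT b EXCEPT c' means a and not (b and not c), as in libwrap."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], one) and not list_matches(tokens[i + 1:], one)
    return any(one(t) for t in tokens)

def access_allowed(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: allow match grants, else deny match refuses, else allowed."""
    def hit(text):
        return any(list_matches(d, lambda t: t in ("ALL", daemon))
                   and list_matches(c, lambda t: client_token_matches(t, client))
                   for d, c in parse_rules(text))
    return hit(allow_text) or not hit(deny_text)
```

With both sample files in place, sshd is reachable only from the 10.0.0.0/24 network minus 10.0.0.99, while an empty pair of files lets everything through, which is the "fail open" default worth remembering when auditing a host.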
Exercise
Log in to the console of the smbhost VM:
Become root
Edit file /etc/hosts.deny and add the following entry:
Try to SSH to smbhost from your desktop.
The SSH attempt should fail.
Edit file /etc/hosts.allow and add the following entry:
Try to SSH to smbhost from the desktop again.