5.9. TCP_WRAPPERS

By default Red Hat Linux allows all service requests. Using TCP_WRAPPERS makes securing your servers against outside intrusion a lot simpler and less painful than you would expect. Deny all hosts by putting ALL: ALL@ALL, PARANOID in the /etc/hosts.deny file and explicitly list the trusted hosts that are allowed to connect to your machine in the /etc/hosts.allow file. This is the safest and best configuration. TCP_WRAPPERS is controlled from two files, and the search stops at the first match.

/etc/hosts.allow
/etc/hosts.deny

Access will be granted when a daemon, client pair matches an entry in the /etc/hosts.allow file. Otherwise, access will be denied when a daemon, client pair matches an entry in the /etc/hosts.deny file. Otherwise, access will be granted.

  1. Edit the hosts.deny file (vi /etc/hosts.deny) and add the following lines, so that access is denied by default:

             # Deny access to everyone.
             ALL: ALL@ALL, PARANOID # Matches any host whose name does not match its address, see below.

    This means all services from all locations: any service not explicitly allowed is blocked, unless entries in the allow file permit access.

    Note: With the PARANOID parameter, if you intend to run telnet or ftp services on your server, don't forget to add the client machine's name and IP address to the /etc/hosts file on the server, or you can expect to wait several minutes for the DNS lookup to time out before you get a login: prompt.

  2. Edit the hosts.allow file (vi /etc/hosts.allow) and add, for example, the following line. The explicitly authorized hosts are listed in the allow file:

             sshd: 208.164.186.1 gate.openna.com

    Here 208.164.186.1 is the IP address and gate.openna.com the host name of one of your client machines that is allowed to use sshd.

  3. The tcpdchk program is the tcpd wrapper configuration checker. It examines your tcp wrapper configuration and reports all potential and real problems it can find. After your configuration is done, run the program tcpdchk.

             [root@deep] /# tcpdchk

Note: Error messages may look like this:

             warning: /etc/hosts.allow, line 6: can't verify hostname: gethostbyname(win.openna.com) failed.

If you receive this kind of error message, check your DNS configuration for the existence of this hostname.
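The access decision described above (hosts.allow is searched first, then hosts.deny, the first match wins, and a client that matches neither file is let in) is easy to get wrong when reading two files side by side. The following simulator is an added example, not part of the original text and not code from the tcp_wrappers package: it re-implements the matching rules of hosts_access(5) for the pattern forms used in this section (ALL, PARANOID, KNOWN/UNKNOWN, exact host or address, leading-dot domain suffix, trailing-dot network prefix, and the user@host client form) and evaluates the two files from steps 1 and 2 against sample connections. The DNS forward and reverse records are a constructed lookup table standing in for real resolution; EXCEPT lists and shell commands are not implemented.

```python
"""Simulate the tcpd access decision from /etc/hosts.allow and /etc/hosts.deny.

Added example; the lookup tables below are constructed and stand in for DNS.
"""

# Constructed name<->address records. 208.164.186.9 has a reverse record that
# claims to be gate.openna.com, but the forward lookup of that name does not
# contain .9, which is exactly the situation PARANOID is meant to catch.
FORWARD = {"gate.openna.com": {"208.164.186.1"},
           "win.openna.com": {"208.164.186.2"}}
REVERSE = {"208.164.186.1": "gate.openna.com",
           "208.164.186.2": "win.openna.com",
           "208.164.186.9": "gate.openna.com"}

def resolve_client(addr):
    """Return the client name tcpd would work with: the reverse name when its
    forward lookup confirms the address, the literal string PARANOID when the
    name and address disagree, and "unknown" when there is no reverse record."""
    name = REVERSE.get(addr)
    if name is None:
        return "unknown"
    if addr not in FORWARD.get(name, set()):
        return "PARANOID"
    return name

def match_host(pattern, name, addr):
    """Match one host pattern against the resolved client name and address."""
    if pattern == "ALL":
        return True
    if pattern == "PARANOID":
        return name == "PARANOID"
    if pattern == "KNOWN":
        return name not in ("unknown", "PARANOID")
    if pattern == "UNKNOWN":
        return name == "unknown"
    if pattern.startswith("."):          # ".openna.com": domain suffix
        return name.endswith(pattern)
    if pattern.endswith("."):            # "208.164.186.": network prefix
        return addr.startswith(pattern)
    return pattern in (name, addr)       # exact host name or address

def match_client(pattern, name, addr, user):
    """Handle the optional user@host form (user comes from ident, if any)."""
    if "@" in pattern:
        user_pat, pattern = pattern.split("@", 1)
        if user_pat not in ("ALL", user):
            return False
    return match_host(pattern, name, addr)

def parse(text):
    """Parse 'daemon_list : client_list' lines; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def table_matches(rules, daemon, name, addr, user):
    """True if any rule matches both the daemon and the client."""
    for daemons, clients in rules:
        if not any(d in ("ALL", daemon) for d in daemons):
            continue
        if any(match_client(c, name, addr, user) for c in clients):
            return True
    return False

def decide(allow_text, deny_text, daemon, addr, user="unknown"):
    """Apply the search order from the section: allow, then deny, else grant."""
    name = resolve_client(addr)
    if table_matches(parse(allow_text), daemon, name, addr, user):
        return "granted"
    if table_matches(parse(deny_text), daemon, name, addr, user):
        return "denied"
    return "granted"

# The two files exactly as configured in steps 1 and 2.
HOSTS_DENY = "# Deny access to everyone.\nALL: ALL@ALL, PARANOID\n"
HOSTS_ALLOW = "sshd: 208.164.186.1 gate.openna.com\n"

if __name__ == "__main__":
    for daemon, addr in [("sshd", "208.164.186.1"), ("sshd", "208.164.186.2"),
                         ("in.telnetd", "208.164.186.1"), ("sshd", "208.164.186.9")]:
        print(f"{daemon:<11} from {addr:<14} -> {decide(HOSTS_ALLOW, HOSTS_DENY, daemon, addr)}")
```

Run with the files from the section, only sshd from 208.164.186.1 is granted; every other daemon/client pair falls through to the ALL: ALL@ALL line in hosts.deny. Swapping in a looser allow file such as `sshd: .openna.com` shows why PARANOID is still worth listing: the spoofed client 208.164.186.9 resolves to the name PARANOID rather than gate.openna.com, so the domain-suffix rule never matches it.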

5.9.1. Don't display system issue file

If you don't want your system's issue file to be displayed when people log in remotely, you can change the telnet entry in your /etc/inetd.conf file to look like:

               telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd -h

Adding the -h flag at the end causes the daemon to display no system information and simply present the user with a login: prompt. This hack is only necessary if you are using a telnet daemon on your server; I recommend that you use SSH instead.