Chapter 8. TCP Wrappers and


xinetd


121


Caution


The KNOWN, UNKNOWN, and PARANOID wildcards should be used very carefully, as a disruption in name


resolution may make prevent legitimate users from gaining access to a service.


The access control language also contains a powerful operator,


EXCEPT


, which allows separate lists to


be combined within the same rule line. When


EXCEPT


is used between two lists, the first list applies


unless an entry from the second list matches an entity covered by the first list.


EXCEPT


can be used


with daemon or client lists. Consider the following


hosts.allow


example:


# all domain.com hosts are allowed to connect


# to all services except cracker.domain.com


ALL: .domain.com EXCEPT cracker.domain.com


# 123.123.123.* addresses can use all services except FTP


ALL EXCEPT in.ftpd: 123.123.123.


Note


Organizationally, it usually makes more sense to use EXCEPT operators sparingly, choosing instead


to place the exceptions to the rule in the other access control file. This allows all administrators to


quickly scan the appropriate files to see what hosts should be allowed or denied access to which


services, without having to sort through the various EXCEPT operators.


The best way to manage access control with


hosts.allow


and


hosts.deny


is to use the two files


together to achieve the desired results.


Users that wish to prevent any hosts other than specific ones from accessing services usually place


ALL: ALL


in


hosts.deny


. Then, they place lines in


hosts.allow


, such as:


in.telnetd: 10.0.1.24


in.ftpd: 10.0.1. EXCEPT 10.0.1.1


Alternatively, if you wish to allow anyone to use network services except for specific hosts, leave


hosts.allow


blank and add any necessary restrictions to


hosts.deny


such as:


in.fingerd: 192.168.0.2


Warning


Be very careful about using hostnames and domain names in both access control files, especially


hosts.deny. Various tricks could be used by an attacker to circumvent rules specifying a hostname or


domain name. In addition, if your system selectively allows access based on hostname and domain


name information, any disruption in DNS service would prevent even authorized users from using


network services.


Using IP addresses whenever possible can prevent many problems when constructing access control


rules, especially those that deny access.


Beyond simply allowing or denying access to services for certain hosts, the TCP wrappers also sup 


ports the use of shell commands. These shell commands are most commonly used with deny rules


to set up booby traps, which usually trigger actions that log information about failed attempts to a








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      tomcat hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved