The following example entries in hosts.allow would allow access to all services by all hosts in the local domain (mynet.com):
    ALL: .mynet.com : ALLOW
    ALL: ALL: DENY

Alternatively, to prevent access only by hosts in the domain acme.com, the following entries would be needed in hosts.deny:
    ALL: .acme.com: DENY
    ALL: ALL: ALLOW

It is also possible to configure "booby traps". These warn you if an attacker may be using a service such as TFTP to try to gain access to files on your system. An example of a booby trap is the following entry from the hosts.deny file:
    in.tftpd: ALL: spawn (/usr/sbin/safe_finger -l @%h | \
        /usr/bin/mail -s tftp-%d-%h root) &

Instead of the requested file, tcpd uses the safe_finger program to send a finger probe to the attacking host. It then mails the result to root. Obviously, if the attacker is blocking finger or does not run the finger daemon, the probe will fail, but the event will still be logged.
Attempts to hack into a system are sometimes initiated via finger and telnet. The following booby traps will warn you of such events:
    in.fingerd: ALL: spawn (/usr/sbin/safe_finger -l @%h | \
        /usr/bin/mail -s finger-%d-%h root) &
    in.telnetd: ALL: spawn (/usr/sbin/safe_finger -l @%h | \
        /usr/bin/mail -s telnet-%d-%h root) &
The following entries in hosts.allow would allow normal TFTP, finger and telnet access from hosts in the local domain (mynet.com) without invoking the booby traps:
    in.tftpd: .mynet.com
    in.fingerd: .mynet.com
    in.telnetd: .mynet.com

The following entries in hosts.allow would allow access to the above services from the domain mynet.com and subdomains such as rivers.mynet.com but block access from seas.mynet.com:
    in.tftpd: .mynet.com EXCEPT .seas.mynet.com
    in.fingerd: .mynet.com EXCEPT .seas.mynet.com
    in.telnetd: .mynet.com EXCEPT .seas.mynet.com

For more information about using TCP Wrappers to configure access control, please consult the manual pages.
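The matching rules that all of the entries above rely on (ALL, a leading-dot pattern covering a whole domain, EXCEPT, the ALLOW/DENY options, hosts.allow consulted before hosts.deny with the first match deciding, and %d/%h expansion in a spawn command) can be traced with the following Python script. It is an added example written for this page, not tcpd's own code; the function names are my own, the HOSTS_ALLOW and HOSTS_DENY samples are constructed from the entries above (the hosts.deny sample puts the TFTP booby trap ahead of the acme.com entries so that first-match ordering is visible), and a spawn command is only expanded to text, never executed.

```python
"""Trace tcpd-style access decisions for hosts.allow / hosts.deny entries.

Added example: a small re-implementation of the matching rules the entries
use, written to show which rule fires for a given daemon and client host.
Not tcpd's code; spawn commands are expanded to text and never run.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    daemons: str            # daemon_list, e.g. "in.tftpd" or "ALL"
    clients: str            # client_list, e.g. ".mynet.com EXCEPT .seas.mynet.com"
    action: Optional[str]   # explicit "ALLOW" / "DENY" option, if given
    spawn: Optional[str]    # command given to a "spawn" option, if given


def parse_rules(text: str) -> List[Rule]:
    """Parse one access-control file. '#' comments, blank lines and
    backslash-newline continuations are handled as in hosts.allow/hosts.deny."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        action = spawn = None
        for opt in fields[2:]:
            if opt.upper() in ("ALLOW", "DENY"):
                action = opt.upper()
            elif opt.lower().startswith("spawn"):
                spawn = opt[len("spawn"):].strip()
        rules.append(Rule(fields[0], fields[1], action, spawn))
    return rules


def match_pattern(pattern: str, value: str) -> bool:
    """ALL matches anything; a leading dot matches every name ending in that
    domain; anything else must match exactly (case-insensitive)."""
    pattern, value = pattern.lower(), value.lower()
    if pattern == "all":
        return True
    if pattern.startswith("."):
        return value.endswith(pattern)
    return value == pattern


def match_list(pattern_list: str, value: str) -> bool:
    """'a b EXCEPT c d' matches when value matches a or b but neither c nor d.
    Simplification (assumption): one EXCEPT per list, no nesting."""
    parts = re.split(r"\bEXCEPT\b", pattern_list, maxsplit=1, flags=re.IGNORECASE)
    included = parts[0].split()
    excluded = parts[1].split() if len(parts) > 1 else []
    if not any(match_pattern(p, value) for p in included):
        return False
    return not any(match_pattern(p, value) for p in excluded)


def expand(command: Optional[str], daemon: str, client: str) -> Optional[str]:
    """Substitute %d (daemon name) and %h (client host) in a spawn command."""
    if command is None:
        return None
    command = command.replace("%d", daemon).replace("%h", client)
    return " ".join(command.split())   # collapse whitespace left by continuations


def check_access(daemon: str, client: str, allow_text: str,
                 deny_text: str) -> Tuple[str, Optional[str]]:
    """hosts.allow is searched first, then hosts.deny; the first matching rule
    decides. An explicit ALLOW/DENY option overrides the file's default action.
    No match in either file means access is granted."""
    for default_action, text in (("ALLOW", allow_text), ("DENY", deny_text)):
        for rule in parse_rules(text):
            if match_list(rule.daemons, daemon) and match_list(rule.clients, client):
                return rule.action or default_action, expand(rule.spawn, daemon, client)
    return "ALLOW", None


# Constructed sample files built from the entries discussed above.
HOSTS_ALLOW = """\
# local domain may use the services; seas.mynet.com is carved out
in.tftpd:   .mynet.com EXCEPT .seas.mynet.com
in.fingerd: .mynet.com EXCEPT .seas.mynet.com
in.telnetd: .mynet.com EXCEPT .seas.mynet.com
"""

HOSTS_DENY = """\
# booby trap: any TFTP request reaching this line is reported to root
in.tftpd: ALL: spawn (/usr/sbin/safe_finger -l @%h | \\
    /usr/bin/mail -s tftp-%d-%h root) &
ALL: .acme.com: DENY
ALL: ALL: ALLOW
"""

if __name__ == "__main__":
    for daemon, client in [("in.tftpd", "trout.rivers.mynet.com"),
                           ("in.tftpd", "fish.seas.mynet.com"),
                           ("in.telnetd", "host.acme.com"),
                           ("in.telnetd", "host.example.org")]:
        action, spawn = check_access(daemon, client, HOSTS_ALLOW, HOSTS_DENY)
        print(f"{daemon:<11} {client:<24} -> {action}" + (f"  spawn: {spawn}" if spawn else ""))
```

Running the script shows the two sides of the EXCEPT entry: trout.rivers.mynet.com is granted TFTP by hosts.allow, while fish.seas.mynet.com falls through to hosts.deny, where the booby trap fires with %d and %h already substituted. The last two cases show that an explicit ALLOW or DENY option decides a rule regardless of which file it sits in, which is why the order of entries within hosts.deny matters.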
See also: