authormarkm <markm@FreeBSD.org>1999-03-28 10:47:26 +0000
committermarkm <markm@FreeBSD.org>1999-03-28 10:47:26 +0000
commit6cbcd29274c7498622010b1c966062387aad552f (patch)
tree27a000210ef33c976a68b0c5bd13f0fecbbacd5a /etc/hosts.allow
parent6ba2a35d6e7cece362b7cf6760c0fdeb473937de (diff)
Add an example hosts.allow for the (base system) tcp_wrappers.
Anyone with good ideas for this is welcome to contribute.
Diffstat (limited to 'etc/hosts.allow')
-rw-r--r--etc/hosts.allow48
1 files changed, 48 insertions, 0 deletions
diff --git a/etc/hosts.allow b/etc/hosts.allow
new file mode 100644
index 0000000..b421ab1
--- /dev/null
+++ b/etc/hosts.allow
@@ -0,0 +1,48 @@
+#
+# hosts.allow access control file for "tcp wrapped" apps.
+# $Id$
+#
+# NOTE: The hosts.deny file is not longer used. Instead, put both 'allow'
+# and 'deny' rules in the hosts.allow file.
+# see hosts_options(5) for the format of this file.
+# hosts_access(5) no longer fully applies.
+
+# This is an example! You will need to modify it for your specific
+# requirements!
+
+# Start by allowing everything (this prevents the rest of the file
+# from working, so remove it when you need protection).
+ALL : ALL : allow
+
+# Wrapping sshd(8) is not normally a good idea, but if you
+# need to do it, here's how
+#sshd : .evil.hacker.org : deny
+
+# Prevent those with no reverse DNS from connecting.
+ALL : PARANOID : RFC931 20 : deny
+
+# Allow anything from localhost
+ALL : localhost : allow
+
+# Sendmail can help protect you against spammers and relay-rapers
+sendmail : localhost : allow
+sendmail : .mydomain.com : allow
+sendmail : .evil.spamnest.org : deny
+sendmail : ALL : allow
+
+# Provide a small amount of protection for ftpd
+ftpd : .warez.d00d.org : deny
+ftpd : ALL : allow
+
+# You need to be clever with finger; do _not_ backfinger!! You can easily
+# start a "finger war".
+fingerd : ALL \
+ : spawn (echo Finger. | \
+ /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
+ : deny
+
+# The rest of the daemons are protected. Backfinger and log by email.
+ALL : ALL \
+ : severity auth.info : spawn (/usr/bin/safe_finger -l @%h | \
+ /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \
+ : twist /bin/echo "You are not welcome to use %d from %h."
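Review bot: The comment above `ALL : PARANOID : RFC931 20 : deny` says the rule blocks hosts with no reverse DNS, but PARANOID matches hosts whose name and address disagree; a host with no name at all falls under UNKNOWN. I would reword the comment to `# Prevent those whose hostname does not match their address from connecting.` and drop `RFC931 20`, because the rule never uses `%u`, so the ident lookup and its 20-second timeout only add delay and an outbound connection before a deny that happens anyway. Separately, the `fingerd` rule and the final catch-all each spawn a mail to root for every denied connection, so the volume of mail and forked processes is set by whoever is connecting; keeping only `severity auth.info` would be a safer default for a shipped example. Because matching stops at the first rule that applies, the opening `ALL : ALL : allow` leaves every later rule inactive until an admin removes it, as its own comment says.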