From 6cbcd29274c7498622010b1c966062387aad552f Mon Sep 17 00:00:00 2001
From: markm
Date: Sun, 28 Mar 1999 10:47:26 +0000
Subject: Add an example hosts.allow for the (base system) tcp_wrappers. Anyone with good ideas for this is welcome to contribute.
---
etc/hosts.allow | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
create mode 100644 etc/hosts.allow
(limited to 'etc/hosts.allow')
diff --git a/etc/hosts.allow b/etc/hosts.allow
new file mode 100644
index 0000000..b421ab1
--- /dev/null
+++ b/etc/hosts.allow
@@ -0,0 +1,48 @@
+#
+# hosts.allow access control file for "tcp wrapped" apps.
+# $Id$
+#
+# NOTE: The hosts.deny file is not longer used. Instead, put both 'allow'
+# and 'deny' rules in the hosts.allow file.
+# see hosts_options(5) for the format of this file.
+# hosts_access(5) no longer fully applies.
+
+# This is an example! You will need to modify it for your specific
+# requirements!
+
+# Start by allowing everything (this prevents the rest of the file
+# from working, so remove it when you need protection).
+ALL : ALL : allow
+
+# Wrapping sshd(8) is not normally a good idea, but if you
+# need to do it, here's how
+#sshd : .evil.hacker.org : deny
+
+# Prevent those with no reverse DNS from connecting.
+ALL : PARANOID : RFC931 20 : deny
+
+# Allow anything from localhost
+ALL : localhost : allow
+
+# Sendmail can help protect you against spammers and relay-rapers
+sendmail : localhost : allow
+sendmail : .mydomain.com : allow
+sendmail : .evil.spamnest.org : deny
+sendmail : ALL : allow
+
+# Provide a small amount of protection for ftpd
+ftpd : .warez.d00d.org : deny
+ftpd : ALL : allow
+
+# You need to be clever with finger; do _not_ backfinger!! You can easily
+# start a "finger war".
+fingerd : ALL \
+ : spawn (echo Finger. | \
+ /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
+ : deny
+
+# The rest of the daemons are protected. Backfinger and log by email.
+ALL : ALL \
+ : severity auth.info : spawn (/usr/bin/safe_finger -l @%h | \
+ /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \
+ : twist /bin/echo "You are not welcome to use %d from %h."
-- cgit v1.1
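Review bot: The comment above `ALL : PARANOID : RFC931 20 : deny` says the rule blocks clients with no reverse DNS, but per hosts_access(5) PARANOID matches hosts whose name does not match their address; clients with no resolvable name are matched by UNKNOWN. I would reword it to `# Deny hosts whose name and address disagree (use UNKNOWN for hosts with no reverse DNS).` so an admin does not assume no-PTR hosts are covered. The `RFC931 20` on the same rule can make tcpd wait up to 20 seconds on an ident lookup for a connection it is about to refuse, which seems to gain only the user name in the log. Separately, the final `ALL : ALL` rule starts a finger and a mail to root for every refused connection with no rate limit, so a burst of connections can fill root's mailbox and the process table; the example could keep `severity auth.info` and ship the `spawn` part commented out. The opening note also has a typo, `is not longer used` should read `is no longer used`.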