By Kurt Seifried Rev 0.1
Network basics - Using tcp_wrappers to secure services called from inetd. (S02.C01)
By default in Red Hat 5.x, inetd is configured to start its services through tcp_wrappers (tcpd), so all you have to do is edit the two access-control files. tcpd reads them on every incoming connection, so changes take effect at once; you only need to restart inetd (or send it a SIGHUP) after editing inetd.conf itself. Note that this only covers services started from inetd via tcpd (or daemons built against libwrap); a standalone daemon that is not wrapped will ignore these files entirely. The two files that control access via tcp_wrappers are:
/etc/hosts.allow
/etc/hosts.deny
Each line has the form "daemon_list : client_list". hosts.allow is checked first, and its rules are tried from first to last; the first rule that explicitly allows you in (i.e. a rule matching your host, domain, network/netmask, etc. for that service) lets you connect, and no further checking is done. If no rule in hosts.allow pertains to you, hosts.deny is checked the same way, from first to last, and the first rule that denies you access means you are not let in. If no rule in either file matches, tcp_wrappers lets you in by default. Prefer numeric addresses or network/netmask pairs in client lists where you can: hostname patterns depend on reverse DNS, which an attacker may control. If you are paranoid like me, the last rule (or the only rule, if you are going to a default policy of non-optimistic security) in hosts.deny should be:
ALL: ALL
which means all services, all locations, i.e. a default deny policy. You might also want to default deny access to just telnet and leave ftp wide open to the world. To do this you would put in hosts.allow:
in.telnetd: 10.0.0.0/255.255.255.0
in.ftpd: ALL
which allows all ftp connections in and telnet connections only from 10.0.0.*, and then in hosts.deny:
in.telnetd: ALL
or, if you wish to be really safe:
ALL: ALL
If you leave a service on that you shouldn't have in inetd.conf, and DO NOT have a default deny policy, you could be up the creek. It is safer (and a bit more work, but in the long run less work) to have default deny rules for both firewalling and tcp_wrappers; then, if you leave something on by default, by default there will be no access to it. If, on the other hand, you install something that users need access to and forget to add allow rules, they will quickly complain that they can't get in and you will be able to rectify the problem quickly. Better safe than sorry.
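To make the decision order above concrete, here is a small model of how tcp_wrappers evaluates the two files, written as an added example for this page (it is not code from the page or from the tcp_wrappers package). It parses "daemon_list : client_list" lines, applies first-match-in-hosts.allow, then first-match-in-hosts.deny, then default allow, and runs the page's telnet/ftp policy against a forgotten service (in.fingerd, an assumed name) with and without the ALL: ALL catch-all. Only the client forms the page uses are supported: ALL, a single IPv4 address, a net/mask pair, and a trailing-dot prefix; hostname matching, EXCEPT lists and the option field are left out.

```python
"""Model of tcp_wrappers hosts.allow / hosts.deny evaluation (added example,
not the real tcpd code).  Decision order: first match in hosts.allow grants,
else first match in hosts.deny refuses, else access is granted."""
import ipaddress


def parse_rules(text):
    """Return a list of (daemon_list, client_list) from hosts.allow/hosts.deny text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        daemons = fields[0].split()
        clients = fields[1].split()
        rules.append((daemons, clients))         # a third (option) field is ignored here
    return rules


def client_matches(pattern, client_ip):
    """Match one client pattern: ALL, net/mask, trailing-dot prefix, or exact address."""
    ip = ipaddress.IPv4Address(client_ip)
    if pattern == "ALL":
        return True
    if "/" in pattern:                           # e.g. 10.0.0.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.IPv4Network((net, mask), strict=False)
    if pattern.endswith("."):                    # e.g. 10.0.0. matches 10.0.0.*
        return client_ip.startswith(pattern)
    return ip == ipaddress.IPv4Address(pattern)  # exact address


def rule_matches(rule, daemon, client_ip):
    daemons, clients = rule
    return (any(d == "ALL" or d == daemon for d in daemons)
            and any(client_matches(c, client_ip) for c in clients))


def hosts_access(daemon, client_ip, allow_text, deny_text):
    """True if tcp_wrappers would accept a connection to daemon from client_ip."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, client_ip):
            return True                          # first hosts.allow match wins
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, client_ip):
            return False                         # first hosts.deny match wins
    return True                                  # no match anywhere: default allow


# Constructed configuration: the page's own example policy, telnet only from
# 10.0.0.*, ftp from anywhere, everything else refused by the catch-all.
HOSTS_ALLOW = """
# /etc/hosts.allow
in.telnetd: 10.0.0.0/255.255.255.0
in.ftpd: ALL
"""
HOSTS_DENY = "ALL: ALL\n"          # /etc/hosts.deny with the default-deny rule
HOSTS_DENY_EMPTY = ""              # what you get if you forgot hosts.deny


def demo():
    """Evaluate a few requests, including a service accidentally left on in inetd.conf."""
    return {
        "telnet from 10.0.0.5":         hosts_access("in.telnetd", "10.0.0.5", HOSTS_ALLOW, HOSTS_DENY),
        "telnet from 192.0.2.10":       hosts_access("in.telnetd", "192.0.2.10", HOSTS_ALLOW, HOSTS_DENY),
        "ftp from 192.0.2.10":          hosts_access("in.ftpd", "192.0.2.10", HOSTS_ALLOW, HOSTS_DENY),
        "finger, default deny":         hosts_access("in.fingerd", "192.0.2.10", HOSTS_ALLOW, HOSTS_DENY),
        "finger, no hosts.deny":        hosts_access("in.fingerd", "192.0.2.10", HOSTS_ALLOW, HOSTS_DENY_EMPTY),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print("%-28s %s" % (request, "ALLOW" if allowed else "DENY"))
```

The last two lines of the demo are the point of the paragraph above: with ALL: ALL in hosts.deny the forgotten finger service is refused, and with no hosts.deny it is reachable from anywhere.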
man hosts.allow and/or man hosts.deny (the canonical pages are hosts_access(5) for the rule syntax and hosts_options(5) for the optional third field). The package also ships two checking tools worth running after every edit: tcpdchk, which reports syntax errors and rules that can never match, and tcpdmatch, which predicts how a given daemon/client pair would be handled without waiting for a real connection.
Contact Kurt Seifried, All rights reserved Kurt Seifried 1998, content and information may not be reposted physically or electronically without the express permission of the author, this includes but is not limited to www mirror sites, email, usenet news, etc.