1999-03-28 10:47:26 +00:00
|
|
|
#
|
|
|
|
# hosts.allow access control file for "tcp wrapped" apps.
|
1999-08-03 14:52:46 +00:00
|
|
|
# $Id: hosts.allow,v 1.3 1999/05/08 02:19:25 obrien Exp $
|
1999-03-28 10:47:26 +00:00
|
|
|
#
|
|
|
|
# NOTE: The hosts.deny file is not longer used. Instead, put both 'allow'
|
|
|
|
# and 'deny' rules in the hosts.allow file.
|
|
|
|
# see hosts_options(5) for the format of this file.
|
|
|
|
# hosts_access(5) no longer fully applies.
|
|
|
|
|
|
|
|
# This is an example! You will need to modify it for your specific
|
|
|
|
# requirements!
|
|
|
|
|
|
|
|
# Start by allowing everything (this prevents the rest of the file
|
|
|
|
# from working, so remove it when you need protection).
|
1999-04-08 19:08:53 +00:00
|
|
|
# The rules here work on a "First match wins" basis.
|
1999-03-28 10:47:26 +00:00
|
|
|
ALL : ALL : allow
|
|
|
|
|
|
|
|
# Wrapping sshd(8) is not normally a good idea, but if you
|
|
|
|
# need to do it, here's how
|
1999-04-08 19:08:53 +00:00
|
|
|
#sshd : .evil.cracker.example.com : deny
|
1999-03-28 10:47:26 +00:00
|
|
|
|
|
|
|
# Prevent those with no reverse DNS from connecting.
|
|
|
|
ALL : PARANOID : RFC931 20 : deny
|
|
|
|
|
|
|
|
# Allow anything from localhost
|
|
|
|
ALL : localhost : allow
|
1999-04-08 19:08:53 +00:00
|
|
|
ALL : my.machine.example.com : allow
|
1999-03-28 10:47:26 +00:00
|
|
|
|
|
|
|
# Sendmail can help protect you against spammers and relay-rapers
|
|
|
|
sendmail : localhost : allow
|
1999-04-08 19:08:53 +00:00
|
|
|
sendmail : .nice.guy.example.com : allow
|
|
|
|
sendmail : .evil.cracker.example.com : deny
|
1999-03-28 10:47:26 +00:00
|
|
|
sendmail : ALL : allow
|
|
|
|
|
1999-08-03 14:52:46 +00:00
|
|
|
# Exim is an alternative to sendmail, available in the ports tree
|
|
|
|
exim : localhost : allow
|
|
|
|
exim : .nice.guy.example.com : allow
|
|
|
|
exim : .evil.cracker.example.com : deny
|
|
|
|
exim : ALL : allow
|
|
|
|
|
1999-04-08 19:08:53 +00:00
|
|
|
# Portmapper is used for all RPC services; protect your NFS!
|
|
|
|
portmap : localhost : allow
|
|
|
|
portmap : .nice.guy.example.com : allow
|
|
|
|
portmap : .evil.cracker.example.com : deny
|
|
|
|
portmap : ALL : allow
|
|
|
|
|
1999-03-28 10:47:26 +00:00
|
|
|
# Provide a small amount of protection for ftpd
|
1999-04-08 19:08:53 +00:00
|
|
|
ftpd : localhost : allow
|
|
|
|
ftpd : .nice.guy.example.com : allow
|
|
|
|
ftpd : .evil.cracker.example.com : deny
|
1999-03-28 10:47:26 +00:00
|
|
|
ftpd : ALL : allow
|
|
|
|
|
|
|
|
# You need to be clever with finger; do _not_ backfinger!! You can easily
|
|
|
|
# start a "finger war".
|
|
|
|
fingerd : ALL \
|
|
|
|
: spawn (echo Finger. | \
|
|
|
|
/usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
|
|
|
|
: deny
|
|
|
|
|
|
|
|
# The rest of the daemons are protected. Backfinger and log by email.
|
|
|
|
ALL : ALL \
|
1999-05-08 02:19:25 +00:00
|
|
|
: severity auth.info : spawn (/usr/bin/finger -l @%h | \
|
1999-03-28 10:47:26 +00:00
|
|
|
/usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \
|
|
|
|
: twist /bin/echo "You are not welcome to use %d from %h."
|