Using TCP_wrappers to limit access to networked machines.

[email protected]
Mon, 23 Nov 1998 11:38:02 -0600

Problem:

The Fermi Red Hat Linux v5.0.2 distribution allows telnet, ftp, gopher,
rlogin, etc. from off-site machines (for a complete list of services see the
/etc/inetd.conf file).

Background:

TCP_wrappers can be used to limit access to a machine on a machine-to-machine
or domain basis. TCP_wrappers will also log any attempt to gain access to a
machine in the /var/log/messages file. TCP_wrappers is installed by default
on all Fermi Red Hat Linux distributions (type 'rpm -q tcp_wrappers' to verify
this).

Solution:

To limit access to on-site nodes and to specific off-site IP addresses or
domains, edit the following files:

Add to /etc/hosts.deny

ALL: ALL

This will deny all services listed in /etc/inetd.conf to all nodes. This file
is parsed *first* by tcp_wrappers.

Add to /etc/hosts.allow

ALL: .fnal.gov

This will allow all services to all nodes within the fnal.gov domain. The
leading dot (.) is required. This file is parsed *second* by tcp_wrappers.

To allow access to other nodes off-site, specify them one by one or by domain.
For example, add something like the following lines to the /etc/hosts.allow:

ALL: .anl.gov
ftp: claret.kpno.noao.edu
telnet: [email protected]

- The first entry will allow all services listed in /etc/inetd.conf to all
  nodes in the anl.gov domain.
- The second entry will allow ftp access to anyone from claret.kpno.noao.edu.
- The third entry will allow telnet access to [email protected].
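As an added example (not code from the original post or from the tcp_wrappers package), the script below evaluates rule files like the ones above the way hosts_access(5) describes: hosts.allow is consulted, then hosts.deny, and a client matching neither file is permitted, which is why the catch-all ALL: ALL in hosts.deny matters. The user@host client in the sample hosts.allow is a constructed placeholder.

```python
"""Toy evaluator for tcp_wrappers hosts.allow / hosts.deny rules.
Added example, not code from the original post or the tcp_wrappers package.
Tokens: ALL, a host name, a '.domain' suffix, or user@host (clients only).
Lookup order per hosts_access(5): hosts.allow, then hosts.deny, else permit.
"""
HOSTS_DENY = "ALL: ALL\n"          # catch-all from the post
HOSTS_ALLOW = """\
ALL: .fnal.gov
ALL: .anl.gov
ftp: claret.kpno.noao.edu
telnet: joe@joes-box.example.edu   # constructed placeholder for user@host
"""

def parse(text):
    """Return [(daemon_tokens, client_tokens), ...]; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = (part.split() for part in line.split(":", 1))
        rules.append((daemons, clients))
    return rules

def match_host(pattern, name):
    """ALL matches anything; a leading dot matches a domain suffix."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return name.endswith(pattern)
    return pattern == name

def match_client(pattern, host, user):
    """user@host only matches when the client's user name is known (identd)."""
    if "@" in pattern:
        pat_user, pat_host = pattern.split("@", 1)
        return (user is not None and match_host(pat_user, user)
                and match_host(pat_host, host))
    return match_host(pattern, host)

def access_granted(daemon, host, user=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """daemon is the server's process name as tcpd sees it (post uses ftp/telnet)."""
    def matched(rules):
        return any(any(match_host(d, daemon) for d in daemons)
                   and any(match_client(c, host, user) for c in clients)
                   for daemons, clients in rules)
    if matched(parse(allow)):
        return True                 # hosts.allow wins
    return not matched(parse(deny)) # hosts.deny blocks; otherwise permitted
```

Every attempt that reaches tcpd is also logged via syslog to /var/log/messages, so the denied cases below are the lines to watch for there.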

_________________________________________________________________________
Dan Yocum | Phone: (630) 840-8525
Computing Division OSS/FSS | Fax: (630) 840-6345
Fermi National Accelerator Laboratory | email: [email protected]
P.O. Box 500 | WWW: www-oss.fnal.gov/~yocum/
Batavia, IL 60510 | "TANSTAAFL"
_______________________________________|_________________________________