1#
2# hosts.allow access control file for "tcp wrapped" apps.
| 1#
2# hosts.allow access control file for "tcp wrapped" apps.
|
3# $Id$
| 3# $Id: hosts.allow,v 1.1 1999/03/28 10:47:26 markm Exp $
|
4#
5# NOTE: The hosts.deny file is not longer used. Instead, put both 'allow'
6# and 'deny' rules in the hosts.allow file.
7# see hosts_options(5) for the format of this file.
8# hosts_access(5) no longer fully applies.
9
10# This is an example! You will need to modify it for your specific
11# requirements!
12
13# Start by allowing everything (this prevents the rest of the file
14# from working, so remove it when you need protection).
| 4#
5# NOTE: The hosts.deny file is not longer used. Instead, put both 'allow'
6# and 'deny' rules in the hosts.allow file.
7# see hosts_options(5) for the format of this file.
8# hosts_access(5) no longer fully applies.
9
10# This is an example! You will need to modify it for your specific
11# requirements!
12
13# Start by allowing everything (this prevents the rest of the file
14# from working, so remove it when you need protection).
|
| 15# The rules here work on a "First match wins" basis.
|
15ALL : ALL : allow
16
17# Wrapping sshd(8) is not normally a good idea, but if you
18# need to do it, here's how
| 16ALL : ALL : allow
17
18# Wrapping sshd(8) is not normally a good idea, but if you
19# need to do it, here's how
|
19#sshd : .evil.hacker.org : deny
| 20#sshd : .evil.cracker.example.com : deny
|
20
21# Prevent those with no reverse DNS from connecting.
22ALL : PARANOID : RFC931 20 : deny
23
24# Allow anything from localhost
25ALL : localhost : allow
| 21
22# Prevent those with no reverse DNS from connecting.
23ALL : PARANOID : RFC931 20 : deny
24
25# Allow anything from localhost
26ALL : localhost : allow
|
| 27ALL : my.machine.example.com : allow
|
26
27# Sendmail can help protect you against spammers and relay-rapers
28sendmail : localhost : allow
| 28
29# Sendmail can help protect you against spammers and relay-rapers
30sendmail : localhost : allow
|
29sendmail : .mydomain.com : allow
30sendmail : .evil.spamnest.org : deny
| 31sendmail : .nice.guy.example.com : allow
32sendmail : .evil.cracker.example.com : deny
|
31sendmail : ALL : allow
32
| 33sendmail : ALL : allow
34
|
| 35# Portmapper is used for all RPC services; protect your NFS!
36portmap : localhost : allow
37portmap : .nice.guy.example.com : allow
38portmap : .evil.cracker.example.com : deny
39portmap : ALL : allow
40
|
33# Provide a small amount of protection for ftpd
| 41# Provide a small amount of protection for ftpd
|
34ftpd : .warez.d00d.org : deny
| 42ftpd : localhost : allow
43ftpd : .nice.guy.example.com : allow
44ftpd : .evil.cracker.example.com : deny
|
35ftpd : ALL : allow
36
37# You need to be clever with finger; do _not_ backfinger!! You can easily
38# start a "finger war".
39fingerd : ALL \
40 : spawn (echo Finger. | \
41 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
42 : deny
43
44# The rest of the daemons are protected. Backfinger and log by email.
45ALL : ALL \
46 : severity auth.info : spawn (/usr/bin/safe_finger -l @%h | \
47 /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \
48 : twist /bin/echo "You are not welcome to use %d from %h."
| 45ftpd : ALL : allow
46
47# You need to be clever with finger; do _not_ backfinger!! You can easily
48# start a "finger war".
49fingerd : ALL \
50 : spawn (echo Finger. | \
51 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
52 : deny
53
54# The rest of the daemons are protected. Backfinger and log by email.
55ALL : ALL \
56 : severity auth.info : spawn (/usr/bin/safe_finger -l @%h | \
57 /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \
58 : twist /bin/echo "You are not welcome to use %d from %h."
|