1# 2# hosts.allow access control file for "tcp wrapped" apps.
| 1# 2# hosts.allow access control file for "tcp wrapped" apps.
|
3# $Id$
| 3# $Id: hosts.allow,v 1.1 1999/03/28 10:47:26 markm Exp $
|
4# 5# NOTE: The hosts.deny file is not longer used. Instead, put both 'allow' 6# and 'deny' rules in the hosts.allow file. 7# see hosts_options(5) for the format of this file. 8# hosts_access(5) no longer fully applies. 9 10# This is an example! You will need to modify it for your specific 11# requirements! 12 13# Start by allowing everything (this prevents the rest of the file 14# from working, so remove it when you need protection).
| 4# 5# NOTE: The hosts.deny file is not longer used. Instead, put both 'allow' 6# and 'deny' rules in the hosts.allow file. 7# see hosts_options(5) for the format of this file. 8# hosts_access(5) no longer fully applies. 9 10# This is an example! You will need to modify it for your specific 11# requirements! 12 13# Start by allowing everything (this prevents the rest of the file 14# from working, so remove it when you need protection).
|
| 15# The rules here work on a "First match wins" basis.
|
15ALL : ALL : allow 16 17# Wrapping sshd(8) is not normally a good idea, but if you 18# need to do it, here's how
| 16ALL : ALL : allow 17 18# Wrapping sshd(8) is not normally a good idea, but if you 19# need to do it, here's how
|
19#sshd : .evil.hacker.org : deny
| 20#sshd : .evil.cracker.example.com : deny
|
20 21# Prevent those with no reverse DNS from connecting. 22ALL : PARANOID : RFC931 20 : deny 23 24# Allow anything from localhost 25ALL : localhost : allow
| 21 22# Prevent those with no reverse DNS from connecting. 23ALL : PARANOID : RFC931 20 : deny 24 25# Allow anything from localhost 26ALL : localhost : allow
|
| 27ALL : my.machine.example.com : allow
|
26 27# Sendmail can help protect you against spammers and relay-rapers 28sendmail : localhost : allow
| 28 29# Sendmail can help protect you against spammers and relay-rapers 30sendmail : localhost : allow
|
29sendmail : .mydomain.com : allow 30sendmail : .evil.spamnest.org : deny
| 31sendmail : .nice.guy.example.com : allow 32sendmail : .evil.cracker.example.com : deny
|
31sendmail : ALL : allow 32
| 33sendmail : ALL : allow 34
|
| 35# Portmapper is used for all RPC services; protect your NFS! 36portmap : localhost : allow 37portmap : .nice.guy.example.com : allow 38portmap : .evil.cracker.example.com : deny 39portmap : ALL : allow 40
|
33# Provide a small amount of protection for ftpd
| 41# Provide a small amount of protection for ftpd
|
34ftpd : .warez.d00d.org : deny
| 42ftpd : localhost : allow 43ftpd : .nice.guy.example.com : allow 44ftpd : .evil.cracker.example.com : deny
|
35ftpd : ALL : allow 36 37# You need to be clever with finger; do _not_ backfinger!! You can easily 38# start a "finger war". 39fingerd : ALL \ 40 : spawn (echo Finger. | \ 41 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ 42 : deny 43 44# The rest of the daemons are protected. Backfinger and log by email. 45ALL : ALL \ 46 : severity auth.info : spawn (/usr/bin/safe_finger -l @%h | \ 47 /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \ 48 : twist /bin/echo "You are not welcome to use %d from %h."
| 45ftpd : ALL : allow 46 47# You need to be clever with finger; do _not_ backfinger!! You can easily 48# start a "finger war". 49fingerd : ALL \ 50 : spawn (echo Finger. | \ 51 /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ 52 : deny 53 54# The rest of the daemons are protected. Backfinger and log by email. 55ALL : ALL \ 56 : severity auth.info : spawn (/usr/bin/safe_finger -l @%h | \ 57 /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \ 58 : twist /bin/echo "You are not welcome to use %d from %h."
|