hosts.allow revision 46667
145088Smarkm# 245088Smarkm# hosts.allow access control file for "tcp wrapped" apps. 346667Sobrien# $Id: hosts.allow,v 1.2 1999/04/08 19:08:53 markm Exp $ 445088Smarkm# 545088Smarkm# NOTE: The hosts.deny file is not longer used. Instead, put both 'allow' 645088Smarkm# and 'deny' rules in the hosts.allow file. 745088Smarkm# see hosts_options(5) for the format of this file. 845088Smarkm# hosts_access(5) no longer fully applies. 945088Smarkm 1045088Smarkm# This is an example! You will need to modify it for your specific 1145088Smarkm# requirements! 1245088Smarkm 1345088Smarkm# Start by allowing everything (this prevents the rest of the file 1445088Smarkm# from working, so remove it when you need protection). 1545488Smarkm# The rules here work on a "First match wins" basis. 1645088SmarkmALL : ALL : allow 1745088Smarkm 1845088Smarkm# Wrapping sshd(8) is not normally a good idea, but if you 1945088Smarkm# need to do it, here's how 2045488Smarkm#sshd : .evil.cracker.example.com : deny 2145088Smarkm 2245088Smarkm# Prevent those with no reverse DNS from connecting. 2345088SmarkmALL : PARANOID : RFC931 20 : deny 2445088Smarkm 2545088Smarkm# Allow anything from localhost 2645088SmarkmALL : localhost : allow 2745488SmarkmALL : my.machine.example.com : allow 2845088Smarkm 2945088Smarkm# Sendmail can help protect you against spammers and relay-rapers 3045088Smarkmsendmail : localhost : allow 3145488Smarkmsendmail : .nice.guy.example.com : allow 3245488Smarkmsendmail : .evil.cracker.example.com : deny 3345088Smarkmsendmail : ALL : allow 3445088Smarkm 3545488Smarkm# Portmapper is used for all RPC services; protect your NFS! 3645488Smarkmportmap : localhost : allow 3745488Smarkmportmap : .nice.guy.example.com : allow 3845488Smarkmportmap : .evil.cracker.example.com : deny 3945488Smarkmportmap : ALL : allow 4045488Smarkm 4145088Smarkm# Provide a small amount of protection for ftpd 4245488Smarkmftpd : localhost : allow 4345488Smarkmftpd : .nice.guy.example.com : allow 4445488Smarkmftpd : .evil.cracker.example.com : deny 4545088Smarkmftpd : ALL : allow 4645088Smarkm 4745088Smarkm# You need to be clever with finger; do _not_ backfinger!! You can easily 4845088Smarkm# start a "finger war". 4945088Smarkmfingerd : ALL \ 5045088Smarkm : spawn (echo Finger. | \ 5145088Smarkm /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ 5245088Smarkm : deny 5345088Smarkm 5445088Smarkm# The rest of the daemons are protected. Backfinger and log by email. 5545088SmarkmALL : ALL \ 5646667Sobrien : severity auth.info : spawn (/usr/bin/finger -l @%h | \ 5745088Smarkm /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \ 5845088Smarkm : twist /bin/echo "You are not welcome to use %d from %h." 59