Installation guide

122 Chapter 8. TCP Wrappers and xinetd
special file or email an administrator. Below is an example of a booby trap in the hosts.deny file
which will write a log line containing the date and client information every time a host from the
IP range 10.0.1.0 to 10.0.1.255 attempts to connect via Telnet:
in.telnetd: 10.0.1.: spawn (/bin/echo `date` %c >> /var/log/telnet.log) &
Another feature of using shell commands is support for expansions. Expansions provide the command with information about the client, server, and process involved. Below is a list of supported expansions:
%a — The client’s IP address.
%A — The server’s IP address.
%c — Supplies a variety of client information, such as the username and hostname, or the username and IP address.
%d — The daemon process name.
%h — The client’s hostname (or IP address, if the hostname is unavailable).
%H — The server’s hostname (or IP address, if the hostname is unavailable).
%n — The client’s hostname. If unavailable, unknown is printed. If the client’s hostname and host address do not match, paranoid is printed.
%N — The server’s hostname. If unavailable, unknown is printed. If the server’s hostname and host address do not match, paranoid is printed.
%p — The daemon process ID.
%s — Various types of server information, such as the daemon process and the host or IP address of the server.
%u — The client’s username. If unavailable, unknown is printed.
For a full explanation of available shell commands, as well as some additional access control examples, see the man page for hosts_access.
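To make the expansion list concrete, the following is an added Python simulation (not part of this guide or of tcp_wrappers) that expands the %-sequences of a spawn command for a constructed Telnet request. The replacement of shell-special characters in expanded values with underscores models tcpd's own sanitizing of client-supplied hostnames and ident usernames before the command reaches the shell; treat that detail as an assumption about tcpd's behaviour.

```python
import re

# Anything outside this set is replaced by "_" before the command reaches sh.
# Assumption: modelled on tcpd's percent_x.c. Hostnames (reverse DNS) and
# ident usernames are supplied by the client side, so this is the defensive step.
SHELL_SAFE = re.compile(r"[^A-Za-z0-9._:@/-]")

# Constructed sample request: a Telnet client with no reverse DNS and no ident.
SAMPLE_REQUEST = {
    "daemon": "in.telnetd", "pid": 4242,
    "client_addr": "10.0.1.23", "client_host": None, "client_user": None,
    "server_addr": "10.0.1.1", "server_host": "gw.example.test",
    "client_mismatch": False, "server_mismatch": False,
}

def _checked_name(info, host_key, mismatch_key):
    """%n / %N: 'unknown' without a name, 'paranoid' on forward/reverse mismatch."""
    name = info.get(host_key)
    if not name:
        return "unknown"
    return "paranoid" if info.get(mismatch_key) else name

def build_expansions(info):
    """Map each %-letter from the list above to its value for this request."""
    client_host = info.get("client_host") or info["client_addr"]
    server_host = info.get("server_host") or info["server_addr"]
    user = info.get("client_user")
    return {
        "a": info["client_addr"], "A": info["server_addr"],
        "c": f"{user}@{client_host}" if user else client_host,
        "d": info["daemon"], "h": client_host, "H": server_host,
        "n": _checked_name(info, "client_host", "client_mismatch"),
        "N": _checked_name(info, "server_host", "server_mismatch"),
        "p": str(info["pid"]),
        "s": f"{info['daemon']}@{server_host}",
        "u": user or "unknown",
    }

def expand_spawn(command, info):
    """Expand a spawn/twist command string the way tcpd would before running it."""
    table = build_expansions(info)
    def repl(match):
        key = match.group(1)
        if key == "%":                     # "%%" is a literal percent sign
            return "%"
        if key not in table:               # unknown sequence is left untouched
            return match.group(0)
        return SHELL_SAFE.sub("_", table[key])
    return re.sub(r"%(.)", repl, command)
```

Running `expand_spawn("/bin/echo `date` %c >> /var/log/telnet.log", SAMPLE_REQUEST)` yields the booby-trap command from above with %c replaced by the bare client address, since neither a hostname nor a username is available for the sample request.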
Note
Special attention must be given to portmap when using host access control lists. Only IP addresses or the ALL option should be used when specifying hosts to allow or deny, as host names are not supported. In addition, changes to the host access control lists that concern portmap may not take effect immediately.
As widely used services, such as NIS and NFS, depend on portmap to operate, be aware of these limitations before depending on hosts.allow and hosts.deny to control access.
8.3. Access Control Using xinetd
The benefits offered by TCP wrappers are enhanced when the libwrap.a library is used in conjunction with xinetd, a super-daemon that provides additional access, logging, binding, redirection and resource utilization control.
Red Hat Linux configures a variety of popular network services to be used with xinetd, including
FTP, IMAP, POP, and Telnet. When any of these services are accessed via their port numbers in
/etc/services, the xinetd daemon handles the request. Before bringing up the requested network
service, xinetd ensures that the client host information meets the access control rules, the number of