User guide
Securing Services With TCP Wrappers and xinetd
• Serve only one type of network service per machine whenever possible.
• Monitor all servers carefully for suspicious activity.
2.2.1. Securing Services With TCP Wrappers and xinetd
TCP Wrappers provide access control to a variety of services. Most modern network services, such as
SSH, Telnet, and FTP, make use of TCP Wrappers, which stand guard between an incoming request
and the requested service.
The benefits offered by TCP Wrappers are enhanced when used in conjunction with xinetd, a super
server that provides additional access, logging, binding, redirection, and resource utilization control.
Note
It is a good idea to use iptables firewall rules in conjunction with TCP Wrappers and xinetd
to create redundancy within service access controls. Refer to Section 2.5, “Firewalls” for more
information about implementing firewalls with iptables commands.
The following subsections assume a basic knowledge of each topic and focus on specific security
options.
2.2.1.1. Enhancing Security With TCP Wrappers
TCP Wrappers are capable of much more than denying access to services. This section illustrates
how they can be used to send connection banners, warn of attacks from particular hosts, and enhance
logging functionality. Refer to the hosts_options man page for information about the TCP Wrapper
functionality and control language. Refer to the xinetd.conf man page available online at http://linux.die.net/man/5/xinetd.conf for available flags, which act as options you can apply to a service.
2.2.1.1.1. TCP Wrappers and Connection Banners
Displaying a suitable banner when users connect to a service is a good way to let potential attackers
know that the system administrator is being vigilant. You can also control what information about the
system is presented to users. To implement a TCP Wrappers banner for a service, use the banner
option.
This example implements a banner for vsftpd. To begin, create a banner file. It can be anywhere on
the system, but it must have the same name as the daemon. For this example, the file is called
/etc/banners/vsftpd and contains the following lines:
220-Hello, %c
220-All activity on ftp.example.com is logged.
220-Inappropriate use will result in your access privileges being removed.
The %c token expands to client information, such as the username and hostname or the username and
IP address, which makes the banner more pointed by showing the client what the server already knows about it.
For this banner to be displayed to incoming connections, add the following line to the
/etc/hosts.allow file:
vsftpd : ALL : banners /etc/banners/
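The following script is an added example, not part of the guide or of the TCP Wrappers package: it emulates how tcpd turns a hosts.allow "banners" option into the banner file path and expands the %-tokens (as listed in hosts_access(5)) so an administrator can preview a banner before deploying it. The client and server values it uses are constructed sample data.

```python
"""Preview a TCP Wrappers banner: derive the file tcpd would read from a
hosts.allow line, then expand the %-tokens the way tcpd does.
Token meanings follow hosts_access(5); %p (server pid) is omitted."""
import re
from pathlib import PurePosixPath

# Constructed sample banner, mirroring the /etc/banners/vsftpd file above.
BANNER = ("220-Hello, %c\n"
          "220-All activity on ftp.example.com is logged.\n"
          "220-Inappropriate use will result in your access privileges being removed.\n")

def client_info(addr, host=None, user=None):
    """%c: user@host, user@address, host, or bare address, whichever is known."""
    where = host or addr
    return f"{user}@{where}" if user else where

def expand_banner(template, daemon, client_addr, client_host=None, client_user=None,
                  server_host="ftp.example.com", server_addr="192.0.2.10"):
    """Expand the banner %-tokens tcpd supports (server values are sample defaults)."""
    tokens = {
        "c": client_info(client_addr, client_host, client_user),
        "a": client_addr,                 # client address
        "h": client_host or client_addr,  # client host name, or address if unknown
        "n": client_host or "unknown",    # client host name, or "unknown"
        "u": client_user or "unknown",    # client user name (needs identd)
        "d": daemon,                      # daemon process name
        "s": f"{daemon}@{server_host}",   # server information
        "A": server_addr,                 # server address
        "H": server_host,                 # server host name
        "N": server_host,                 # server host name (or "unknown")
        "%": "%",                         # literal percent sign
    }
    # Unknown tokens are left untouched, so a typo shows up in the preview.
    return re.sub(r"%(.)", lambda m: tokens.get(m.group(1), m.group(0)), template)

def banner_path(hosts_allow_line):
    """From 'vsftpd : ALL : banners /etc/banners/' derive the banner file tcpd reads:
    the directory given after 'banners' plus a file named after the daemon."""
    daemon, _clients, option = [f.strip() for f in hosts_allow_line.split(":", 2)]
    keyword, directory = option.split(None, 1)
    if keyword != "banners":
        raise ValueError("not a banners option: " + option)
    return str(PurePosixPath(directory) / daemon)

if __name__ == "__main__":
    print(banner_path("vsftpd : ALL : banners /etc/banners/"))
    print(expand_banner(BANNER, "vsftpd", "198.51.100.7", "host.example.net", "alice"))
```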