User guide
Chapter 2. Securing Your Network
: spawn /bin/echo `/bin/date` access denied to %h>>/var/log/sshd.log \
: deny
Similarly, expansions can be used to personalize messages back to the client. In the following
example, clients attempting to access FTP services from the example.com domain are informed that
they have been banned from the server:
vsftpd : .example.com \
: twist /bin/echo "421 %h has been banned from this server!"
For a full explanation of available expansions, as well as additional access control options, refer to
section 5 of the man pages for hosts_access (man 5 hosts_access) and the man page for
hosts_options.
Refer to Section 2.3.5, “Additional Resources” for more information about TCP Wrappers.
2.3.3. xinetd
The xinetd daemon is a TCP-wrapped super service which controls access to a subset of popular
network services, including FTP, IMAP, and Telnet. It also provides service-specific configuration
options for access control, enhanced logging, binding, redirection, and resource utilization control.
When a client attempts to connect to a network service controlled by xinetd, the super service
receives the request and checks for any TCP Wrappers access control rules.
If access is allowed, xinetd verifies that the connection is allowed under its own access rules for that
service. It also checks that the service is able to have more resources assigned to it and that it is not in
breach of any defined rules.
If all these conditions are met (that is, access is allowed to the service; the service has not reached
its resource limit; and the service is not in breach of any defined rule), xinetd then starts an instance
of the requested service and passes control of the connection to it. After the connection has been
established, xinetd takes no further part in the communication between the client and the server.
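The admission sequence just described, as an added Python model that is not code from this guide or from xinetd: each connection is checked against TCP Wrappers (a callback standing in for libwrap), then against the service's own access rule, then against the resource limits xinetd enforces through its instances and cps attributes, and only then is a server instance "spawned". The Service class, the only_from stand-in, the callback names and the timestamps are constructed for the example; the rate-limit accounting is an approximation of xinetd's, not its actual implementation.

```python
"""Added example, not from the guide or from xinetd: a model of the admission
sequence described above. Each connection passes TCP Wrappers (a callback
standing in for libwrap), then the service's own access rule, then the
resource limits xinetd enforces through its instances and cps attributes,
before a server instance is "spawned". Timestamps are passed in explicitly
so the rate limiting can be exercised deterministically."""
from collections import Counter, deque

class Service:
    """Per-service state. instances and cps follow xinetd's meaning:
    instances = maximum simultaneous servers, cps = (connections per second,
    seconds to stay disabled after the rate is exceeded). only_from is a
    simplified stand-in for xinetd's only_from address list."""
    def __init__(self, name, instances, cps, only_from=None):
        self.name = name
        self.instances = instances
        self.cps_limit, self.cps_disable = cps
        self.only_from = only_from
        self.active = 0               # servers currently running
        self.recent = deque()         # accept timestamps within the last second
        self.disabled_until = 0.0     # set when the cps limit is exceeded

def wrappers_allow_all(daemon, addr):
    """Constructed stand-in for a libwrap check that grants access."""
    return True

def wrappers_deny_all(daemon, addr):
    """Constructed stand-in for a hosts.deny rule that matches everything."""
    return False

def admit(service, addr, now, wrappers_check=wrappers_allow_all):
    """Return (decision, reason) for one connection attempt at time 'now'."""
    # 1. TCP Wrappers rules are consulted before anything else.
    if not wrappers_check(service.name, addr):
        return "deny", "tcp_wrappers"
    # 2. xinetd's own per-service access rule.
    if service.only_from is not None and not any(addr.startswith(p) for p in service.only_from):
        return "deny", "only_from"
    # 3. Resource limits: a service disabled by cps stays closed until the
    #    cool-down has elapsed; otherwise count accepts in the last second.
    if now < service.disabled_until:
        return "deny", "cps_disabled"
    while service.recent and now - service.recent[0] >= 1.0:
        service.recent.popleft()
    if len(service.recent) >= service.cps_limit:
        service.disabled_until = now + service.cps_disable
        return "deny", "cps_exceeded"
    if service.active >= service.instances:
        return "deny", "instances"
    # 4. All checks passed: hand the connection to a new server instance.
    service.recent.append(now)
    service.active += 1
    return "accept", "spawned"

def release(service):
    """Called when a server instance exits; frees an instance slot."""
    service.active = max(0, service.active - 1)

def burst(service, count, now, addr="198.51.100.7", wrappers_check=wrappers_allow_all):
    """Offer 'count' connections within one second; return outcome counts."""
    outcomes = Counter(admit(service, addr, now, wrappers_check)[1] for _ in range(count))
    return dict(outcomes)

if __name__ == "__main__":
    # Limits taken from the sample /etc/xinetd.conf in this section.
    telnet = Service("telnet", instances=60, cps=(25, 30))
    print(burst(telnet, 30, now=100.0))              # 25 spawned, then the service is disabled
    print(admit(telnet, "198.51.100.7", now=131.0))  # cool-down over, accepted again
```

Running the burst shows why the cps limit matters for availability: after the 25th accept in one second the service closes for 30 seconds, so a client flooding one service cannot consume every instance slot, and the accept/deny reasons are what you would expect to see in xinetd's own log entries.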
2.3.4. xinetd Configuration Files
The configuration files for xinetd are as follows:
• /etc/xinetd.conf — The global xinetd configuration file.
• /etc/xinetd.d/ — The directory containing all service-specific files.
2.3.4.1. The /etc/xinetd.conf File
The /etc/xinetd.conf file contains general configuration settings which affect every service under
xinetd's control. It is read when the xinetd service is first started, so for configuration changes to
take effect, you need to restart the xinetd service. The following is a sample /etc/xinetd.conf
file:
defaults
{
        instances               = 60
        log_type                = SYSLOG authpriv
        log_on_success          = HOST PID
        log_on_failure          = HOST
        cps                     = 25 30
}