xinetd and hosts.allow

Alexander Dalloz alexander.dalloz at uni-bielefeld.de
Sat Apr 17 17:59:14 UTC 2004


On Sat, 17.04.2004, Alexander Dalloz wrote at 18:30:

> tcp_wrappers is from a time when packet filtering was no standard. I
> prefer to set up clean and manageable iptables chains/rules which even
> allow you stateful inspection. Having restrictive settings in more than
> 1 place makes it harder to administrate. And it does not necessarily
> improve security. I would kick all hosts.deny and hosts.allow settings
> and stick with iptables.

I forgot to mention: shut down all services you do not need. E.g., by
default the portmapper runs on FC1 and offers RPC connections on port 111,
which is a risk. If you do not run an NFS server, stop that service with
"chkconfig portmap off; service portmap stop". And if services offer you
a way to configure restrictions, then use that feature. E.g., Sendmail is by
default restricted to only listen on localhost. You may extend that by
adding a DAEMON_OPTIONS line to sendmail.mc to let Sendmail also listen
on 192.168.2.1, if that is your host's IP. That still restricts usage
of Sendmail without any need to create an iptables rule or
restrictions using hosts.deny.

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13
Fedora GNU/Linux Core 1 (Yarrow) on Athlon CPU kernel 2.4.22-1.2179.nptl
Sirendipity 19:54:30 up 1 day, 23:43, load average: 0.02, 0.03, 0.05 
                   [ Γνωθι σ'αυτον - gnothi seauton ]
             my life is a planetarium - and you are the stars
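The three steps in the message above (find and stop unneeded listeners, restrict a service in its own configuration, and keep the remaining access control in one stateful iptables ruleset instead of hosts.allow/hosts.deny), as an added shell example that is not part of the original post. It assumes a LAN of 192.168.2.0/24 with the host at 192.168.2.1, that only sshd and Sendmail should be reachable from that LAN, and a second DAEMON_OPTIONS entry named MTA-lan; the netstat output it audits is a constructed sample, not captured from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions, not from the page:
# LAN 192.168.2.0/24, host 192.168.2.1, only sshd (22) and SMTP (25) reachable
# from the LAN. Override LAN_NET / HOST_IP in the environment if needed.
LAN_NET="${LAN_NET:-192.168.2.0/24}"
HOST_IP="${HOST_IP:-192.168.2.1}"

# Step 1: audit listeners. Reads "netstat -tlnp" style output on stdin and
# prints "port program" for every TCP listener NOT bound to 127.0.0.1 only,
# i.e. every service that is actually reachable from the network.
exposed_listeners() {
    awk '$1 == "tcp" && $4 !~ /^127\.0\.0\.1:/ {
        n = split($4, a, ":"); port = a[n]          # "0.0.0.0:111" -> 111
        prog = $NF; sub(/^[0-9]+\//, "", prog)      # "612/portmap" -> portmap
        print port, prog
    }'
}

# Constructed sample of "netstat -tlnp" output for the audit above.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      612/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      801/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      903/sendmail'

# Step 2: restrict in the service's own config. Prints the extra sendmail.mc
# line that makes Sendmail listen on the given address in addition to the
# default 127.0.0.1 entry (rebuild sendmail.cf with m4 afterwards).
# The Name=MTA-lan label is an assumption, chosen so it differs from the
# default entry's Name=MTA.
sendmail_daemon_options() {
    printf "DAEMON_OPTIONS(\`Port=smtp,Addr=%s, Name=MTA-lan')dnl\n" "$1"
}

# Step 3: one stateful iptables ruleset (iptables-restore format) replacing
# per-service hosts.allow/hosts.deny entries. Load with:
#   stateful_ruleset | iptables-restore
stateful_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback traffic is always fine
-A INPUT -i lo -j ACCEPT
# stateful inspection: replies to connections this host opened come back in
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# the per-service source restrictions hosts.allow used to hold, in one place
-A INPUT -p tcp -s $LAN_NET -d $HOST_IP --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s $LAN_NET -d $HOST_IP --dport 25 -m state --state NEW -j ACCEPT
# everything else, portmap on 111 included if it is still running, is dropped
-A INPUT -j DROP
COMMIT
EOF
}

# Stand-alone demo: show what the sample host exposes, the sendmail.mc line,
# and the ruleset. Stopping portmap itself needs root and is only shown.
echo "Exposed listeners:"
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
echo "If NFS is not needed: chkconfig portmap off; service portmap stop"
echo "sendmail.mc addition:"
sendmail_daemon_options "$HOST_IP"
echo "iptables-restore input:"
stateful_ruleset
```

Running the audit on the sample shows portmap and sshd as network-reachable while Sendmail is only on loopback; after the sendmail.mc change, port 25 would show up too, which is why the ruleset restricts it to the LAN as well.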