mirror of
https://git.hardenedbsd.org/hardenedbsd/HardenedBSD.git
synced 2024-11-16 07:11:05 +01:00
b1be9320f3
action when denying access to a service. Unfortunately, this also makes a dandy denial-of-service attack possible. Change to just log the event and shoot a "go away" response back down the socket.
72 lines
2.3 KiB
Plaintext
72 lines
2.3 KiB
Plaintext
#
|
|
# hosts.allow access control file for "tcp wrapped" applications.
|
|
# $FreeBSD$
|
|
#
|
|
# NOTE: The hosts.deny file is no longer used.
|
|
# Instead, put both 'allow' and 'deny' rules in the hosts.allow file.
|
|
# See hosts_options(5) for the format of this file.
|
|
# hosts_access(5) no longer fully applies.
|
|
|
|
# _____ _ _
|
|
# | ____| __ __ __ _ _ __ ___ _ __ | | ___ | |
|
|
# | _| \ \/ / / _` | | '_ ` _ \ | '_ \ | | / _ \ | |
|
|
# | |___ > < | (_| | | | | | | | | |_) | | | | __/ |_|
|
|
# |_____| /_/\_\ \__,_| |_| |_| |_| | .__/ |_| \___| (_)
|
|
# |_|
|
|
# !!! This is an example! You will need to modify it for your specific
|
|
# !!! requirements!
|
|
|
|
|
|
# Start by allowing everything (this prevents the rest of the file
|
|
# from working, so remove it when you need protection).
|
|
# The rules here work on a "First match wins" basis.
|
|
ALL : ALL : allow
|
|
|
|
# Wrapping sshd(8) is not normally a good idea, but if you
|
|
# need to do it, here's how
|
|
#sshd : .evil.cracker.example.com : deny
|
|
|
|
# Prevent those with no reverse DNS from connecting.
|
|
ALL : PARANOID : RFC931 20 : deny
|
|
|
|
# Allow anything from localhost
|
|
ALL : localhost : allow
|
|
ALL : my.machine.example.com : allow
|
|
|
|
# Sendmail can help protect you against spammers and relay-rapers
|
|
sendmail : localhost : allow
|
|
sendmail : .nice.guy.example.com : allow
|
|
sendmail : .evil.cracker.example.com : deny
|
|
sendmail : ALL : allow
|
|
|
|
# Exim is an alternative to sendmail, available in the ports tree
|
|
exim : localhost : allow
|
|
exim : .nice.guy.example.com : allow
|
|
exim : .evil.cracker.example.com : deny
|
|
exim : ALL : allow
|
|
|
|
# Portmapper is used for all RPC services; protect your NFS!
|
|
# (IP addresses rather than hostnames *MUST* be used here)
|
|
portmap : localhost : allow
|
|
portmap : .nice.guy.example.com : allow
|
|
portmap : .evil.cracker.example.com : deny
|
|
portmap : ALL : allow
|
|
|
|
# Provide a small amount of protection for ftpd
|
|
ftpd : localhost : allow
|
|
ftpd : .nice.guy.example.com : allow
|
|
ftpd : .evil.cracker.example.com : deny
|
|
ftpd : ALL : allow
|
|
|
|
# You need to be clever with finger; do _not_ backfinger!! You can easily
|
|
# start a "finger war".
|
|
fingerd : ALL \
|
|
: spawn (echo Finger. | \
|
|
/usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
|
|
: deny
|
|
|
|
# The rest of the daemons are protected.
|
|
ALL : ALL \
|
|
: severity auth.info \
|
|
: twist /bin/echo "You are not welcome to use %d from %h."
|