Oct 17th, 2009
Protect a server within a network by using a TCP Wrapper
The Xinetd super server that comes with most Linux distributions includes a built-in TCP wrapper.
It can be used to explicitly define network services to accept incoming connections from specified servers and networks.
TCP wrappers implement access control through two files, /etc/hosts.allow and /etc/hosts.deny. The daemon consults /etc/hosts.allow first; if no rule there matches, it consults /etc/hosts.deny; if neither file matches, the connection is accepted.
A recommended security strategy is therefore to block all incoming requests by default in /etc/hosts.deny and allow only specific hosts or networks in /etc/hosts.allow.
To deny everything by default, add the following line to /etc/hosts.deny:
To accept incoming SSH connections from e.g. nodes lab1, lab2 and lab3, add the following line to /etc/hosts.allow:
To accept incoming SSH connections from all servers from a specific network, add the name of the subnet to /etc/hosts.allow.
For example:
To accept incoming SSH connections from IP address 192.168.0.1 and subnet 192.168.5, add the following line to /etc/hosts.allow:
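The steps above can be checked before they are relied on. The following is an added example, not code from the original post: a small Python model of the libwrap decision procedure (hosts.allow is consulted first, then hosts.deny, and a client that matches neither is accepted) run over constructed hosts.allow and hosts.deny contents that follow the post's scenario. The host names lab1, lab2, lab3, the domain .lab.example.com and the address 192.168.0.1 and prefix 192.168.5. are assumed values; it supports only the rule syntax used here (ALL, host names, IPv4 addresses, leading-dot domain suffixes and trailing-dot network prefixes), not the full hosts_access(5) language.

```python
"""Minimal model of TCP wrapper (libwrap) access decisions.

Added example, not from the original post. Rule files below are constructed;
all host names and addresses are assumptions. Decision order modelled:
  1. a matching rule in hosts.allow  -> access granted
  2. otherwise a matching rule in hosts.deny -> access refused
  3. otherwise                       -> access granted
"""
from __future__ import annotations

# Constructed contents of /etc/hosts.deny: refuse everything by default.
HOSTS_DENY = """\
ALL: ALL
"""

# Constructed contents of /etc/hosts.allow (names/addresses are assumptions).
HOSTS_ALLOW = """\
sshd: lab1 lab2 lab3
sshd: .lab.example.com
sshd: 192.168.0.1 192.168.5.
"""


def parse_rules(text: str) -> list[tuple[list[str], list[str]]]:
    """Parse 'daemon_list : client_list [: option]' lines.

    Comments and blank lines are skipped; only the first two fields are used.
    IPv4 only: an IPv6 literal would be split on its colons.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2 or not fields[0] or not fields[1]:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern: str, host: str, addr: str) -> bool:
    """Match one client pattern against the peer's host name and IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):        # domain suffix, e.g. .lab.example.com
        return host.endswith(pattern)
    if pattern.endswith("."):          # network prefix, e.g. 192.168.5.
        return addr.startswith(pattern)
    return pattern in (host, addr)     # exact host name or exact address


def rules_match(rules, daemon: str, host: str, addr: str) -> bool:
    """True if any rule names this daemon (or ALL) and matches the client."""
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(client_matches(c, host, addr) for c in clients):
                return True
    return False


def access_allowed(daemon: str, host: str, addr: str,
                   allow: str = HOSTS_ALLOW, deny: str = HOSTS_DENY) -> bool:
    """Apply libwrap's allow-then-deny-then-default-accept order."""
    if rules_match(parse_rules(allow), daemon, host, addr):
        return True
    if rules_match(parse_rules(deny), daemon, host, addr):
        return False
    return True  # no rule matched in either file: access is granted


if __name__ == "__main__":
    checks = [
        ("sshd", "lab1", "10.0.0.1"),                   # listed host name
        ("sshd", "lab9", "10.0.0.9"),                   # unlisted host name
        ("sshd", "node7.lab.example.com", "10.1.1.7"),  # domain suffix
        ("sshd", "unknown", "192.168.5.44"),            # inside 192.168.5.
        ("sshd", "unknown", "192.168.50.4"),            # 192.168.50. is NOT 192.168.5.
        ("vsftpd", "lab1", "10.0.0.1"),                 # other daemon: deny ALL
    ]
    for daemon, host, addr in checks:
        verdict = "allow" if access_allowed(daemon, host, addr) else "deny"
        print(f"{daemon:7s} {host:24s} {addr:15s} -> {verdict}")
    # With an empty hosts.deny every unmatched client is accepted, which is
    # why the post recommends 'ALL: ALL' there.
    print("empty hosts.deny ->", access_allowed("vsftpd", "x", "10.9.9.9", deny=""))
```

On a real host the same questions are answered by the tcpdmatch and tcpdchk utilities shipped with the tcp_wrappers package (for example tcpdmatch sshd lab1), which read the live /etc/hosts.allow and /etc/hosts.deny; the model above is only for understanding the matching and precedence. Note that the trailing dot in 192.168.5. matters: without it the pattern would be an exact address and would match nothing in the subnet, and with it the prefix still does not match 192.168.50.x. A daemon honours these files only if it was built with libwrap or is started through a wrapper-aware xinetd.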
You can even tell xinetd to limit the rate of incoming connections. The TCP wrapper is quite flexible, and xinetd adds its own set of host-based and time-based access control functions on top of it.