
Controlling Services

You can control various services on the server that are started by an inetd-type process such as telnet, ftp, smtp, pop, or imap. When a connection is received by the system for one of these services, the system looks for the configuration file (~/etc/hosts.allow) that contains instructions on how to handle these services.

To configure your server to deny troublesome IPs, you can create and edit the ~/etc/hosts.allow file.

The generic format of the hosts.allow file is described in hosts_options, section (5).

To read the hosts_options man page:

Connect to your server using SSH and type the following:

% man 5 hosts_options

Some implementation details on this system differ from the man page documentation:

The daemon_list is actually a service_list. The services are specified by name as listed in /etc/services. Since some services are run on multiple ports (such as smtp), any instructions to manage these should include smtp (port 25), submission (port 587), and aol (port 5190).

The only supported options are: allow, deny, twist, and setenv.

Each hosts.allow example listed below works independently of the others. As soon as a connection is matched to the appropriate service/client pair, the processing of the file ends. Therefore, the order of the rules within the hosts.allow file is significant.

The following procedures assume that you have logged in to your server using SSH and have created and opened the ~/etc/hosts.allow file in an editor.

To create the hosts.allow file:

Type the following:

cd ~/etc

vi hosts.allow

To block incoming mail from certain IP addresses:

Type the following:

smtp submission aol : 192.168.1.1 : deny

To block incoming mail from everywhere except certain whitelisted IP addresses:

Place "allow" entries in the file before entries that "deny" or "refuse." Type the following:

smtp submission aol : 192.168.2.2 : allow

smtp submission aol : ALL : deny
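
The first-match behavior and the three mail service names described above can be checked offline before a file is installed. The following Python sketch is an added example, not part of the original documentation or the server's own parser, and its function names are hypothetical. It assumes only literal IP addresses and the ALL client wildcard, and it splits fields on ":" so it does not handle option text that contains colons.

```python
MAIL_SERVICES = {"smtp", "submission", "aol"}  # ports 25, 587, 5190 per the page

def parse_rules(text):
    """Parse 'service_list : client_list : option [: option ...]' lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected service : client : option")
        services = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((lineno, services, clients, fields[2:]))
    return rules

def first_match(rules, service, client_ip):
    """Return (lineno, options) of the first rule matching the pair, else None."""
    for lineno, services, clients, options in rules:
        if service in services and (client_ip in clients or "ALL" in clients):
            return lineno, options
    return None

def partial_mail_rules(rules):
    """Line numbers of rules naming some, but not all, of the mail services."""
    return [lineno for lineno, services, _, _ in rules
            if MAIL_SERVICES & set(services) and not MAIL_SERVICES <= set(services)]

# Constructed sample files using the page's example addresses.
GOOD = """\
smtp submission aol : 192.168.2.2 : allow
smtp submission aol : ALL : deny
"""
REVERSED = """\
smtp submission aol : ALL : deny
smtp submission aol : 192.168.2.2 : allow
"""
SMTP_ONLY = "smtp : 192.168.1.1 : deny\n"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("REVERSED", REVERSED), ("SMTP_ONLY", SMTP_ONLY)):
        rules = parse_rules(text)
        print(name, first_match(rules, "smtp", "192.168.2.2"),
              first_match(rules, "submission", "192.168.1.1"),
              partial_mail_rules(rules))
```

In the REVERSED sample the whitelisted address matches the ALL rule on line 1 and never reaches its allow entry; in the SMTP_ONLY sample the blocked address is still unmatched on the submission service.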

To cleanly deny service and request that the sender retry later:

Type the following:

smtp submission aol : ALL : twist /bin/echo "450 account busy, please try later."

To provide a more descriptive reason for blocking:

Type the following:

smtp submission aol : 192.168.1.1 : twist /bin/echo "550 Connection refused --too much spam from your IP"

To set optional directives which influence the behavior of the process (if the service uses environment variables):

Type the following:

smtp submission aol : 192.168.2.2 : allow

smtp submission aol : ALL : setenv RBL : setenv RBLONLYHEADER : setenv RBLLIST /usr/home/[user]/etc/rbllist

To disable Telnet, thereby forcing shell access through SSH:

Type the following:

telnet : ALL : deny

To tighten security on FTP (if you know where people will be uploading content from):

Type the following:

ftp : 192.168.2.2 : allow

ftp : 192.168.2.3 : allow

ftp : ALL : deny

All contents © Copyright 1997-2010 AlpineWeb Design