Controlling Services on VPS

You can control various services on the VPS that are started by any inetd-type process such as telnet, ssh, ftp, smtp, pop, or imap.

When the system receives an incoming connection for one of these services, it consults two configuration files (/etc/mail/access and /etc/hosts.allow) for instructions on how to handle the connection. To harden your server against hackers and probing IP addresses, edit these files:

access

Until it is edited, the access file exists as the access.sample file. Edit the /etc/mail/access file to control Sendmail connections only; Sendmail is the only process that reads the access.db file.

There are also a number of other features of the access file, which are documented in the /usr/share/sendmail/cf/README file.

hosts.allow

Edit the /etc/hosts.allow file for all services you want tighter control over. To read the hosts_options man page, connect to your server using SSH and type the following:
man hosts_options
The generic format of the hosts.allow file is described in hosts_options, section 5 of the manual.

There are some implementation details which are specific to VPS v2 and differ from the manpage documentation:
* Options supported in inetd are allow, deny, twist, and setenv.
* Options most useful are deny and allow.

Editing the hosts.allow file

Each example listed below works independently of the others. As soon as a connection is matched to the appropriate service/client pair, the processing of the file ends. Therefore, order is significant in the arrangement of the rules within the /etc/hosts.allow file.

It is assumed that you have logged in to your server using SSH and have opened the /etc/hosts.allow file in an editor.

To block incoming mail from certain IP addresses, type the following:
sendmail : 192.168.1.1 : deny
To block an SSH connection from certain IP addresses, type the following:
sshd : 192.168.1.1 : deny
To block incoming mail from everywhere except certain whitelisted IP addresses, type the following:
sendmail : 192.168.2.2 : allow
sendmail : ALL : deny
To cleanly deny service and request that the sender retry later, type the following:
sendmail : ALL : twist /bin/echo "450 account busy, please try later."
To provide a more descriptive reason for blocking, type the following:
sendmail : 192.168.1.1 : twist /bin/echo "550 Connection refused --too much spam from your IP"
To set optional directives that influence the behavior of the process (if the service utilizes environment variables), type the following:
sendmail : 192.168.2.2 : allow
To disable Telnet, thereby forcing shell access via SSH, type the following:
telnetd : ALL : deny
To tighten security on FTP (if you know where people will be uploading content from), type the following:
proftpd : 192.168.2.2 : allow
proftpd : 192.168.2.3 : allow
proftpd : ALL : deny
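
Because processing stops at the first matching service/client pair, a misplaced ALL rule silently disables every rule for that service below it. The following Python check is an added example, not part of the original documentation; it handles only the single-service, single-client "daemon : client : option" lines used on this page (an IPv4 address or ALL), and its function names and sample rules are constructed for illustration.

```python
"""First-match check for hosts.allow lines of the form 'daemon : client : option'."""

# Constructed sample: the whitelist example from this page with its two
# sendmail lines swapped, so the allow rule can never be reached.
SAMPLE = """\
# constructed sample, not taken from a real server
sshd : 192.168.1.1 : deny
sendmail : ALL : deny
sendmail : 192.168.2.2 : allow
"""

def parse(text):
    """Return [(lineno, daemon, client, option)], skipping blanks and comments."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # maxsplit=2 keeps any ':' inside a twist message in the option field
        daemon, client, option = (f.strip() for f in line.split(":", 2))
        rules.append((lineno, daemon, client, option))
    return rules

def covers(pattern, value):
    """True if a rule field (ALL or a literal) matches the given value."""
    return pattern == "ALL" or pattern == value

def decide(rules, daemon, ip):
    """Return (lineno, option) of the first matching rule, or (None, None)."""
    for lineno, d, c, option in rules:
        if covers(d, daemon) and covers(c, ip):
            return lineno, option
    return None, None

def shadowed(rules):
    """Return [(dead_line, earlier_line)] for rules that can never fire."""
    dead = []
    for i, (lineno, d, c, _) in enumerate(rules):
        for prev_line, pd, pc, _ in rules[:i]:
            if covers(pd, d) and covers(pc, c):
                dead.append((lineno, prev_line))
                break
    return dead

if __name__ == "__main__":
    rules = parse(SAMPLE)
    print("sendmail from 192.168.2.2 ->", decide(rules, "sendmail", "192.168.2.2"))
    for dead_line, by in shadowed(rules):
        print(f"line {dead_line} is unreachable: line {by} matches first")
```

Running it on the sample reports that the whitelisted address is denied by line 3 and that line 4 is unreachable; with the two sendmail lines in the order shown on this page, no rule is shadowed.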

Editing the access file

The /etc/mail/access file is for Sendmail only. No other process reads this one. Sendmail reads hosts.allow and access.db about the same time, although access is faster. Order of entry is not important in access.db.

The /etc/mail/access file name initially appears as access.sample until you edit it. Then it becomes access.db. This file affects only Sendmail's connections.

It is assumed that you have logged in to your server using SSH and have opened the /etc/mail/access file in an editor.

To block incoming mail from certain IP addresses, type the following:
Connect:192.168.1.1   REJECT
To provide a more descriptive reason for blocking, type the following:
Connect:192.168.1.1   ERROR: "550 Connection refused --too much spam from your IP"
To set a directive that influences the behavior of a process (if the service utilizes environment variables), type the following:
Connect:192.168.2.2   OK
See also: /support//vps2/admin/email/spam/access.html

All contents © Copyright 1997-2010 AlpineWeb Design