2002-09-09 08:14:30 +08:00
|
|
|
<sect2>
|
|
|
|
|
<title>Configuring tcpwrappers</title>
|
|
|
|
|
|
|
|
|
|
<sect3><title>Config files</title>
|
2003-04-21 06:15:01 +08:00
|
|
|
<para><filename>/etc/hosts.allow</filename>,
|
|
|
|
|
<filename>/etc/hosts.deny</filename></para>
|
2002-09-09 08:14:30 +08:00
|
|
|
|
|
|
|
|
<para>File protections: the wrapper, all files used by the wrapper,
|
|
|
|
|
and all directories in the path leading to those files, should be
|
|
|
|
|
accessible but not writable for unprivileged users (mode 755 or mode
|
|
|
|
|
555). Do not install the wrapper set-uid.</para>
|
|
|
|
|
|
|
|
|
|
<para>
|
|
|
|
|
Then perform the following edits on the
|
|
|
|
|
<filename>/etc/inetd.conf</filename> configuration file :
|
2003-04-07 01:54:24 +08:00
|
|
|
<screen><userinput>finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd</userinput></screen>
|
2002-09-09 08:14:30 +08:00
|
|
|
becomes:
|
2003-04-07 01:54:24 +08:00
|
|
|
<screen><userinput>finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd</userinput></screen></para>
|
2002-09-09 08:14:30 +08:00
|
|
|
<note><para>The finger server is used as an example here.</para></note>
|
2003-02-01 09:04:55 +08:00
|
|
|
<para>Similar changes must be made if xinetd is used, with the
|
2003-04-22 11:06:28 +08:00
|
|
|
emphasis being on calling <command>/usr/sbin/tcpd</command> instead of calling the
|
2002-09-09 08:14:30 +08:00
|
|
|
service daemon directly, and passing the name of the service daemon to
|
|
|
|
|
tcpd.</para>
|
|
|
|
|
</sect3>
|
|
|
|
|
|
|
|
|
|
</sect2>
|
|
|
|
|
|
