[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: ALL: PARANOID from /etc/hosts.deny ...

While /etc/hosts.deny is easy (I always use ALL: ALL), the real
problem is /etc/hosts.allow. The issue is that there is an
increasing number of services not run from inetd for which it 
is not clear 1)if they are wrapped, 2)what daemon name to use?
Some examples:
- netbios-ssn, netbios-ns service names, but one must use the
  binary names smbd, nmbd
- rpc.mountd binary, but one must use mountd daemon name
- rsync, apparently cannot be wrapped even when run from inetd
- ntpd, apparently not wrapped and without own access control
  (but there was a recent remote exploit)
- printer, apparently not wrapped but with own access control
- sendmail, apparently wrapped, the only package I noticed
  to add itself to /etc/hosts.{deny,allow}

Since tcp-wrappers are one important defense line it would be
very helpful to admins if this info is centrally available
(which is probably undoable), or at least that individual packages
are documented in README.Debian (like sendmail).

-Igor Mozetic

Reply to: