- 07-17-2003 #1 Just Joined!
- Join Date
- Jul 2003
- Posts
- 2
Need help with configuring hosts.allow and hosts.deny
Hello ppl!
I was reading the man pages for hosts.allow and hosts.deny, but have a hard time understanding how the naming convention for services works.
I want to add ALL: ALL in hosts.deny, and add rules to hosts.allow to enable the following ports ONLY access from outside:
httpd (port 80) access to all
pop3 access
smtp access (I use qmail)
sshd
and mysqld (3306)
I also have no idea how I can tell which services are being "supervised" by tcpwrappers. If I should make all my services run through xinetd instead/as well or not.
Basically, I want to secure up my box and need some help!
Thanks a bunch,
The Mutha.
- 07-17-2003 #2 Linux Guru
- Join Date
- Apr 2003
- Location
- London, UK
- Posts
- 3,284
As far as I was aware, it was only services that provided an interactive login, such as SSHD, which used tcp wrappers?
I use iptables to control exactly what goes in and out from which IP addresses can access what ports etc., and I am more than confident this method provides a suitable level of security for me.
Jason
- 07-17-2003 #3 Just Joined!
- Join Date
- Jul 2003
- Posts
- 2
How does IPTABLES work? I want to limit my machine like a firewall, i.e. only allow input for
web port
pop3 port
smtp port
ping port
mysql port (3306)
ssh port
Does iptables need a special daemon to be running, and if so, what? Please give some examples if possible.
thanks!
- 07-17-2003 #4 Linux Guru
- Join Date
- Apr 2003
- Location
- London, UK
- Posts
- 3,284
iptables is a command line tool which allows you to limit access to ports on your machine using a series of rules which you create. To fully appreciate iptables, it cannot be explained in a sentence. Have a look here for a collection of howto's and tutorials:
http://www.netfilter.org/documentation/index.html#HOWTO
You may see some stuff relating to "ipchains"; this is the older implementation of iptables. Use iptables where possible, as it provides more features and greater control over your firewall.
Jason
- 08-13-2003 #5 Just Joined!
- Join Date
- Aug 2003
- Posts
- 5
Re: Need help with configuring hosts.allow and hosts.deny
naming convention:
Originally Posted by the_mutha
sendmail : localhost : allow
ftpd: 192.168.1.1/255.255.255.0: allow
You can only use qmail with tcp_wrapper if it's starting from inetd. Qmail recommends you do not start it that way.
Why would you want to deny web viewers to your web site?
If you must deny, use the .htaccess file.
Like the other author mentioned, iptables is a wise choice.
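
The default-deny inbound policy asked about in this thread (web, POP3, SMTP, SSH, MySQL and ping allowed in, everything else dropped), as an added example that is not from any poster: a shell function that prints a ruleset in `iptables-restore` format. The function name `emit_ruleset`, the `PORT=SOURCE` argument form and the 192.0.2.0/24 source range are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset that
# drops all inbound traffic except the listed TCP ports and ping.
# Each argument is PORT or PORT=SOURCE (SOURCE = IPv4 address or CIDR).
emit_ruleset() {
    # Validate everything first so a typo never yields a half-written ruleset.
    for spec in "$@"; do
        port=${spec%%=*}
        case $port in
            ''|0*|*[!0-9]*|??????*) echo "bad port: $spec" >&2; return 1 ;;
        esac
        [ "$port" -le 65535 ] || { echo "port out of range: $spec" >&2; return 1; }
        case $spec in
            *=|*=*[!0-9./]*) echo "bad source: $spec" >&2; return 1 ;;
        esac
    done
    # Default policy DROP; loopback, replies to our own traffic and ping allowed.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
EOF
    # One ACCEPT rule per requested port, optionally limited to a source range.
    for spec in "$@"; do
        port=${spec%%=*}
        src=
        case $spec in *=*) src="-s ${spec#*=} " ;; esac
        printf '%s\n' "-A INPUT -p tcp ${src}--dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo COMMIT
}

# Ports from the thread: web, pop3, smtp, ssh open to all; MySQL limited to a
# constructed documentation range (192.0.2.0/24), an assumption of this example.
# To load as root: emit_ruleset 80 110 25 22 3306=192.0.2.0/24 | iptables-restore
```

No daemon is involved: the rules live in the kernel's netfilter tables once `iptables-restore` has loaded them, and they are lost at reboot unless the distribution reloads the saved file.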


