Access to services started by inetd can be controlled through the
tcpd daemon (TCP wrappers); it reads its access rules from the files /etc/hosts.allow and /etc/hosts.deny. Access to other services,
such as portmap, can be controlled in the same way if they have been compiled
against the libwrap library.
Format of /etc/hosts.allow and /etc/hosts.deny:
/etc/hosts.allow -- is checked first by tcpd:
if an entry matches, the host is allowed to access the service;
otherwise, /etc/hosts.deny is checked -- if an entry matches there,
access is denied. If none of the entries match, or both
files are empty, access is allowed.
Keywords: ALL (matches all requests), EXCEPT, LOCAL (hosts
whose name has no domain part, i.e. no dot), KNOWN (resolvable hosts),
PARANOID (hostname doesn't match IP), UNKNOWN (unresolvable hosts).
Example entries (daemon: client list):
sshd: 22.214.171.124 128.6.
in.tftpd: LOCAL, .my.domain
in.rshd: 126.96.36.199 188.8.131.52
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
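To make the evaluation order concrete, the following Python model (an added example, not the tcp_wrappers source) implements the decision described above: hosts.allow is checked first, then hosts.deny, and the default is allow, with the keywords and the domain-suffix (.foobar.edu) and address-prefix (128.6.) patterns from the examples. DNS is replaced by the constructed table HOSTS; every address and hostname in it is invented.

```python
HOSTS = {  # constructed: ip -> (reverse name, forward address of that name)
    "128.6.1.10": ("terminalserver.foobar.edu", "128.6.1.10"),
    "128.6.1.11": ("alpha.foobar.edu", "128.6.1.11"),
    "10.0.0.5": ("spoofed.foobar.edu", "10.0.0.99"),  # reverse != forward
    "10.0.0.7": (None, None),                         # no reverse record
    "192.168.1.3": ("desktop", "192.168.1.3"),        # unqualified = LOCAL
}

def resolve(ip):
    """Simulated double-reverse lookup: (hostname or None, status)."""
    name, fwd = HOSTS.get(ip, (None, None))
    if name is None:
        return None, "unknown"
    return (name, "ok") if fwd == ip else (None, "paranoid")  # untrusted name is never matched

def match_token(tok, ip, name, status):
    if tok == "ALL":
        return True
    if tok in ("UNKNOWN", "PARANOID"):
        return status == tok.lower()
    if tok == "KNOWN":
        return status == "ok"
    if tok == "LOCAL":
        return name is not None and "." not in name
    if tok.startswith("."):  # domain suffix pattern, e.g. .foobar.edu
        return name is not None and name.endswith(tok)
    if tok.endswith("."):  # network prefix pattern, e.g. 128.6.
        return ip.startswith(tok)
    return tok in (ip, name)

def match_list(spec, ip, name, status):
    """'a b EXCEPT c': matches a or b unless c matches (EXCEPT may nest)."""
    head, _, tail = spec.partition(" EXCEPT ")
    hit = any(match_token(t, ip, name, status) for t in head.replace(",", " ").split())
    return hit and not (tail and match_list(tail, ip, name, status))

def file_matches(rules, daemon, ip):
    """True if some 'daemons: clients' line in rules matches the request."""
    name, status = resolve(ip)
    for line in filter(None, map(str.strip, rules.splitlines())):
        daemons, _, clients = line.partition(":")
        if any(d in ("ALL", daemon) for d in daemons.replace(",", " ").split()):
            if match_list(clients.strip(), ip, name, status):
                return True
    return False

def access_allowed(allow, deny, daemon, ip):
    """tcpd order: hosts.allow first, then hosts.deny, otherwise allow."""
    return file_matches(allow, daemon, ip) or not file_matches(deny, daemon, ip)
```

Feeding the page's own rule lines into access_allowed shows that a host excluded by EXCEPT in hosts.allow falls through to hosts.deny, and that two empty files allow everything.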
Log in to the console of the smbhost VM:
Edit the file /etc/hosts.deny and add the following entry:
Try to SSH to smbhost from your desktop.
The SSH attempt should fail.
Edit the file /etc/hosts.allow and add the following entry:
Try to SSH to smbhost from the desktop again.