Securing and Optimizing Linux:RedHat Edition | All about OS

General System Security

Category: Securing and Optimizing

ALL: ALL@ALL, PARANOID # Matches any host whose name does not match its address, see below.
This means all services from all locations: any service not explicitly allowed is blocked, unless access is permitted by entries in the allow file.
NOTE: With the “PARANOID” parameter, if you intend to run telnet or ftp services on your server, don’t forget to add the client machine’s name and IP address to the “/etc/hosts” file on the server, or you can expect to wait several minutes for the DNS lookup to time out before you get a login: prompt.
Step 2
Edit the hosts.allow file (vi /etc/hosts.allow). The explicitly authorized hosts are listed in the allow file. As an example, add the following line:
sshd: 208.164.186.1 gate.openna.com
For your client machine: 208.164.186.1 is the IP address and gate.openna.com the host name of one of your clients allowed to use sshd.
Step 3
The tcpdchk program is the tcpd wrapper configuration checker. It examines your tcp wrapper configuration and reports all potential and real problems it can find.
• After your configuration is done, run the program tcpdchk.
[root@deep /]# tcpdchk
NOTE: Error messages may look like this: warning: /etc/hosts.allow, line 6: can’t verify hostname: gethostbyname(win.openna.com) failed. If you receive this kind of error message, check your DNS configuration for the existence of this hostname.
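To show how tcpd evaluates the hosts.deny and hosts.allow entries from Steps 1 and 2 (allow file first, deny file second, access granted if neither matches) and when the PARANOID pattern fires, here is a small added simulation that is not part of the book and not the tcp_wrappers code. DNS lookups are replaced by constructed tables; gate.openna.com and 208.164.186.1 come from the page, while other.example, 208.164.186.5 and 192.0.2.7 are constructed.

```python
# Constructed stand-ins for the forward and reverse DNS lookups tcpd performs
# (gate.openna.com is from the page; other.example and its addresses are made up).
FORWARD = {"gate.openna.com": "208.164.186.1", "other.example": "192.0.2.7"}
REVERSE = {"208.164.186.1": "gate.openna.com", "208.164.186.5": "other.example"}

# Constructed file contents mirroring the page's hosts.allow / hosts.deny entries.
HOSTS_ALLOW = "sshd: 208.164.186.1 gate.openna.com\n"
HOSTS_DENY = "ALL: ALL@ALL, PARANOID  # deny anything not listed in hosts.allow\n"

def parse(text):
    """Split a wrappers file into (daemon patterns, client patterns) rules."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      clients.replace(",", " ").split()))
    return rules

def client_hostname(ip):
    """tcpd's double lookup: reverse the address, then forward-check the name."""
    name = REVERSE.get(ip)
    if name is None:
        return "unknown"  # no PTR record at all: hostname is simply unknown
    # Name resolves back to the same address: trusted; otherwise PARANOID.
    return name if FORWARD.get(name) == ip else "paranoid"

def match_client(pattern, ip, hostname):
    host = pattern.split("@")[-1]  # "user@host" form: only the host part is checked
    if host == "ALL":
        return True
    if host == "PARANOID":
        return hostname == "paranoid"  # name/address mismatch only
    if host.replace(".", "").isdigit():
        return host == ip              # literal address pattern
    return host == hostname            # name patterns match a verified name only

def access(daemon, ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return 'allow' or 'deny': allow file first, deny file second, default allow."""
    hostname = client_hostname(ip)
    for text, verdict in ((allow, "allow"), (deny, "deny")):
        for daemons, clients in parse(text):
            if any(d in ("ALL", daemon) for d in daemons) and any(
                    match_client(c, ip, hostname) for c in clients):
                return verdict
    return "allow"  # no rule matched in either file

if __name__ == "__main__":
    for svc, ip in (("sshd", "208.164.186.1"), ("in.telnetd", "208.164.186.1"),
                    ("sshd", "208.164.186.5")):
        print(svc, ip, "->", access(svc, ip))
```

A host whose reverse name does not resolve back to its address (208.164.186.5 above) is refused by the PARANOID entry even if that name were listed in hosts.allow, which is why the book tells you to keep /etc/hosts consistent for telnet and ftp clients.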
Don’t let the system issue file be displayed
If you don’t want your system’s issue file to be displayed when people log in remotely, you can change the telnet option in your “/etc/inetd.conf” file to look like:
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -h
Adding the “-h” flag at the end will cause the daemon not to display any system information and simply present the user with a login: prompt. This hack is only necessary if you’re using a telnet daemon on your server (instead, I recommend you use SSH).
