SUMMARY: Disabling logins except for specific IPs

From: Ashwin Purohit (purohit@gmail.com)
Date: Thu Jul 27 2006 - 16:50:45 EDT


I asked essentially:

> What I'm basically looking for is a set of lines (in all files necessary to completely secure the machine) that, in human readable code, says "Allow logins from the following IP addresses only, via terminal, SSH, and everything else: xxx.xxx.xx.xx" for an OSF1 machine.

The answer was to install TCP Wrappers, which can be found at
ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz.
Oisin McGuinness recommends the following, as well:
"You then have an extra executable (say tcpd, which say you put
in /usr/local/bin/tcpd). Then change every remote login service line
in /etc/inetd.conf so that tcpd is invoked first, and then it runs the
actual program.

E.g., if you are using ssh from inetd.conf

ssh stream tcp nowait root /usr/local/bin/tcpd sshd -i

The access is controlled by two files
/etc/hosts.allow
/etc/hosts.deny

Simplest to have /etc/hosts.deny to deny all access to all services:
ALL: ALL
as contents, then for each service you want to allow selective access to
have a line in /etc/hosts.allow, for example:

sshd: LOCAL

will allow sshd to be started for connections from locally connected
(within same network) machines."
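As an added illustration (not from the thread, and not the tcp_wrappers source itself), here is a small Python model of how tcpd evaluates hosts.allow and hosts.deny, so a deny-all / allow-selected policy like the one above can be checked against sample clients before it is installed; the hostnames and addresses are constructed examples, and the pattern grammar is deliberately reduced to what the summary uses.

```python
"""Toy model of the tcp_wrappers access decision (hosts_access(5)): hosts.allow
is consulted first and a match grants access; otherwise hosts.deny is consulted
and a match refuses it; if neither matches, access is granted. Supported client
patterns: ALL, LOCAL, an exact IPv4 address, a network prefix ending in '.'.
(Hostname suffixes, net/mask forms, EXCEPT and shell options are omitted.)"""

def _client_pattern_matches(pattern, client_host, client_ip):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in client_host   # LOCAL: resolved hostname has no dot
    if pattern.endswith("."):
        return client_ip.startswith(pattern)   # "198.51.100." covers the /24
    return pattern == client_ip

def _daemon_list_matches(field, daemon):
    return any(p.strip() in ("ALL", daemon) for p in field.split(","))

def _client_list_matches(field, client_host, client_ip):
    return any(_client_pattern_matches(p.strip(), client_host, client_ip)
               for p in field.split(","))

def _file_matches(text, daemon, client_host, client_ip):
    """True if any 'daemon_list : client_list' line in the file text matches."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        if (_daemon_list_matches(daemons, daemon)
                and _client_list_matches(clients, client_host, client_ip)):
            return True
    return False

def hosts_access(allow_text, deny_text, daemon, client_host, client_ip):
    """Return True if the connection would be accepted, False if refused."""
    if _file_matches(allow_text, daemon, client_host, client_ip):
        return True
    if _file_matches(deny_text, daemon, client_host, client_ip):
        return False
    return True

# Constructed sample policy (RFC 5737 example addresses, not from the thread).
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = "sshd: 192.0.2.10, 198.51.100.\n"

if __name__ == "__main__":
    for host, ip in [("admin.example.com", "192.0.2.10"), ("lab7", "198.51.100.44"),
                     ("other.example.net", "203.0.113.5")]:
        ok = hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", host, ip)
        print(f"sshd from {host} ({ip}): {'allowed' if ok else 'refused'}")
```

On the real host the tcpdchk and tcpdmatch tools shipped in the same tarball check the installed files against a named daemon and client the same way.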

Thanks to all who contributed so quickly:
Oisin McGuinness
A. Mahendra Rajah
Chris Eubanks
Graham Allan
Michael Bucholtz

-Ashwin Purohit



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:50:31 EDT