hosts.allow revision 45088
145088Smarkm# 245088Smarkm# hosts.allow access control file for "tcp wrapped" apps. 345088Smarkm# $Id$ 445088Smarkm# 545088Smarkm# NOTE: The hosts.deny file is not longer used. Instead, put both 'allow' 645088Smarkm# and 'deny' rules in the hosts.allow file. 745088Smarkm# see hosts_options(5) for the format of this file. 845088Smarkm# hosts_access(5) no longer fully applies. 945088Smarkm 1045088Smarkm# This is an example! You will need to modify it for your specific 1145088Smarkm# requirements! 1245088Smarkm 1345088Smarkm# Start by allowing everything (this prevents the rest of the file 1445088Smarkm# from working, so remove it when you need protection). 1545088SmarkmALL : ALL : allow 1645088Smarkm 1745088Smarkm# Wrapping sshd(8) is not normally a good idea, but if you 1845088Smarkm# need to do it, here's how 1945088Smarkm#sshd : .evil.hacker.org : deny 2045088Smarkm 2145088Smarkm# Prevent those with no reverse DNS from connecting. 2245088SmarkmALL : PARANOID : RFC931 20 : deny 2345088Smarkm 2445088Smarkm# Allow anything from localhost 2545088SmarkmALL : localhost : allow 2645088Smarkm 2745088Smarkm# Sendmail can help protect you against spammers and relay-rapers 2845088Smarkmsendmail : localhost : allow 2945088Smarkmsendmail : .mydomain.com : allow 3045088Smarkmsendmail : .evil.spamnest.org : deny 3145088Smarkmsendmail : ALL : allow 3245088Smarkm 3345088Smarkm# Provide a small amount of protection for ftpd 3445088Smarkmftpd : .warez.d00d.org : deny 3545088Smarkmftpd : ALL : allow 3645088Smarkm 3745088Smarkm# You need to be clever with finger; do _not_ backfinger!! You can easily 3845088Smarkm# start a "finger war". 3945088Smarkmfingerd : ALL \ 4045088Smarkm : spawn (echo Finger. | \ 4145088Smarkm /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \ 4245088Smarkm : deny 4345088Smarkm 4445088Smarkm# The rest of the daemons are protected. Backfinger and log by email. 4545088SmarkmALL : ALL \ 4645088Smarkm : severity auth.info : spawn (/usr/bin/safe_finger -l @%h | \ 4745088Smarkm /usr/bin/mail -s "tcpd\: %u@%h[%a] tried to use %d (denied)" root) & \ 4845088Smarkm : twist /bin/echo "You are not welcome to use %d from %h." 49