3.11. Restricting Access by Remote Hosts (inetd)

Problem

You want only particular remote hosts to access a TCP service via inetd .

Solution

Use tcpd, specifying rules in /etc/hosts.allow and/or /etc/hosts.deny. Here’s an example of wrapping the Telnet daemon, in.telnetd, to permit connections only from IP address 192.168.1.100 or the example.com domain. Add to /etc/hosts.allow:

in.telnetd : 192.168.1.100
in.telnetd : *.example.com
in.telnetd : ALL : DENY

Then modify the appropriate configuration files to substitute tcpd for your service, and restart inetd.

Discussion

The control files /etc/hosts.allow and /etc/hosts.deny define rules by which remote hosts may access local TCP services. The access control daemon tcpd processes the rules and determines whether or not to launch a given service.

First set up your access control rules in /etc/hosts.allow and/or /etc/hosts.deny. Then modify /etc/inetd.conf to invoke the service through tcpd:

               Old /etc/inetd.conf:
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd

New /etc/inetd.conf:
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  /usr/sbin/in.telnetd

Finally restart inetd so your changes take effect. [Recipe 3.4]

See Also

hosts.allow(5), tcpd(8), inetd.conf(5).

Get Linux Security Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.