Check whether your application is compatible with TCP Wrappers before you write any rules.
How can you find out if an application is compatible? Check whether its binary is linked against libwrap with this command:
syntax: ldd /path/to/binary | grep wrap (general example)
ldd /usr/sbin/sshd | grep wrap (shows that sshd refers to libwrap)
libwrap.so.0 => /lib/libwrap.so.0 (0x00007f142f0af000)
ldd /usr/sbin/apache2 | grep wrap (shows that apache does not refer to libwrap)
(no output: apache2 is not linked against libwrap, so hosts.allow and hosts.deny will not affect it)
- hosts.allow (choose the IP ranges that you want to allow)
ALL: 172.16.172.0/255.255.255.0 : ALLOW
ALL: 172.16.188.0/255.255.255.0 : ALLOW
ALL: 172.16.189.0/255.255.255.0 : ALLOW
ALL: 172.16.178.0/255.255.255.0 : ALLOW
ALL: 172.16.179.0/255.255.255.0 : ALLOW
- hosts.deny (paranoid setting: block all connections except those matched in hosts.allow)
#(denying all services to all hosts)
ALL:ALL
The syntax of the hosts.allow and hosts.deny files is:
service(s) : ips or hosts [: option]
The option field is optional; the rules above use ALLOW. A connection is checked against hosts.allow first, then against hosts.deny, and is allowed if neither file matches, which is why the ALL:ALL entry in hosts.deny is needed.
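To make the matching order concrete, here is a small evaluator, added for this post and not part of the original or of libwrap itself, that reads rules in the hosts.allow / hosts.deny syntax and decides a connection the way TCP Wrappers does: first match in hosts.allow wins, then first match in hosts.deny, otherwise the connection is allowed. The sample file contents are constructed for the example; the parser is deliberately simplified (it handles ALL, exact addresses, net/mask and trailing-dot prefixes, but not hostnames, EXCEPT lists or line continuations, which are assumptions about what a reader needs here, not a claim about libwrap's full grammar).

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts.allow (not read from disk); the DENY option on the
# first line shows that an explicit option overrides the file's default action.
HOSTS_ALLOW = """\
in.telnetd: ALL : DENY
ALL: 172.16.172.0/255.255.255.0 : ALLOW
ALL: 172.16.188.0/255.255.255.0 : ALLOW
sshd: 10.0.0.0/255.0.0.0
"""

# Constructed sample hosts.deny: the "paranoid" catch-all from the post.
HOSTS_DENY = """\
# deny every service to every host not matched in hosts.allow
ALL: ALL
"""

Rule = Tuple[List[str], List[str], str]


def parse_rules(text: str) -> List[Rule]:
    """Parse 'daemon_list : client_list [: option]' lines into tuples.

    Comments and blank lines are skipped. Only ALLOW/DENY options are kept;
    anything else (spawn, twist, ...) is ignored by this simplified parser.
    """
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        option = fields[2].upper() if len(fields) > 2 else ""
        action = option if option in ("ALLOW", "DENY") else ""
        rules.append((daemons, clients, action))
    return rules


def client_matches(pattern: str, client_ip: str) -> bool:
    """Match one client pattern: ALL, 'net/mask', 'net/prefixlen', '172.16.' or an address."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):            # leading-octet prefix form, e.g. "172.16."
        return client_ip.startswith(pattern)
    ip = ipaddress.ip_address(client_ip)
    if "/" in pattern:                   # ip_network accepts dotted masks and prefix lengths
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)


def daemon_matches(daemons: List[str], daemon: str) -> bool:
    return any(d.upper() == "ALL" or d == daemon for d in daemons)


def check_access(daemon: str, client_ip: str,
                 allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY) -> bool:
    """Return True if the connection is accepted, False if refused.

    Order of evaluation mirrors libwrap: hosts.allow first (default ALLOW),
    then hosts.deny (default DENY), then an implicit ALLOW if nothing matched.
    """
    for rules, default_action in ((parse_rules(allow_text), "ALLOW"),
                                  (parse_rules(deny_text), "DENY")):
        for daemons, clients, action in rules:
            if daemon_matches(daemons, daemon) and \
                    any(client_matches(c, client_ip) for c in clients):
                return (action or default_action) == "ALLOW"
    return True


if __name__ == "__main__":
    for svc, ip in [("sshd", "172.16.172.10"), ("sshd", "10.1.2.3"),
                    ("vsftpd", "10.1.2.3"), ("in.telnetd", "172.16.172.10")]:
        print(f"{svc:12} from {ip:15} -> {'ALLOW' if check_access(svc, ip) else 'DENY'}")
```

Running `check_access` with an empty `deny_text` shows the failure mode the post warns about from the other direction: with no catch-all in hosts.deny, an unmatched client is accepted, so the allow list alone locks nothing down.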
Conclusion
The hosts.allow and hosts.deny files are very flexible and allow you to lock down your network in very granular ways. The biggest limitation to remember is that some applications do not honor hosts.allow and hosts.deny at all. Make sure the service you are trying to block refers to libwrap.so before you start writing rules, or you may sit and wonder why your rules don't work when it's really the application itself not being compatible.
If you need to harden your system further, please read the Ubuntu Hardening guide.