Chapter 43. Securing Your Network
660
• %N — Returns the server's hostname. If unavailable, unknown is printed. If the server's hostname and host address do not match, paranoid is printed.
• %p — Returns the daemon's process ID.
• %s — Returns various types of server information, such as the daemon process and the host or IP address of the server.
• %u — Returns the client's username. If unavailable, unknown is printed.
The following sample rule uses an expansion in conjunction with the spawn command to identify the client host in a customized log file.

When connections to the SSH daemon (sshd) are attempted from a host in the example.com domain, execute the echo command to log the attempt, including the client hostname (by using the %h expansion), to a special file:

sshd : .example.com \
    : spawn /bin/echo `/bin/date` access denied to %h>>/var/log/sshd.log \
    : deny
Similarly, expansions can be used to personalize messages back to the client. In the following example, clients attempting to access FTP services from the example.com domain are informed that they have been banned from the server:

vsftpd : .example.com \
    : twist /bin/echo "421 %h has been banned from this server!"
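To show how a hosts_access rule is matched and how the spawn and twist commands have their expansions substituted, here is an added Python example; it is not code from the Red Hat guide or from TCP Wrappers itself. It parses the two sample rules above, matches a constructed connection context against them, and returns the expanded command strings rather than executing anything. The hostnames, addresses and PID in the context are constructed; the matcher supports only the pattern forms used on this page plus ALL, and because it splits fields on ':' it would mis-parse a command that itself contains a colon.

```python
import re

# hosts_access(5) expansions -> keys of the per-connection context.
# %% yields a literal percent sign. Only expansions discussed on the page
# (plus %d, the daemon name) are supported here.
EXPANSIONS = {
    "a": "client_addr",
    "d": "daemon",
    "h": "client_host",
    "N": "server_host",
    "p": "pid",
    "s": "server_info",
    "u": "client_user",
}

# Constructed connection context (no DNS or ident lookups are performed).
CTX = {
    "daemon": "sshd",
    "client_addr": "192.0.2.10",
    "client_host": "mail.example.com",
    "client_user": "unknown",
    "server_host": "bastion.example.net",
    "server_info": "sshd@198.51.100.1",
    "pid": 4242,
}

# The two sample rules from the page, verbatim (backslash continuations kept).
RULES = """\
sshd : .example.com \\
    : spawn /bin/echo `/bin/date` access denied to %h>>/var/log/sshd.log \\
    : deny
vsftpd : .example.com \\
    : twist /bin/echo "421 %h has been banned from this server!"
"""


def expand(template, ctx):
    """Substitute %X expansions in a spawn/twist command string."""
    def repl(m):
        key = m.group(1)
        if key == "%":
            return "%"
        field = EXPANSIONS.get(key)
        if field is None:
            return m.group(0)            # unknown expansion: leave untouched
        return str(ctx.get(field, "unknown"))
    return re.sub(r"%(.)", repl, template)


def parse_rules(text):
    """Parse hosts.allow/hosts.deny style text into (daemons, clients, options)."""
    logical = text.replace("\\\n", " ")  # join backslash-newline continuations
    rules = []
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]  # simplification: no ':' in commands
        daemons = re.split(r"[\s,]+", fields[0])
        clients = re.split(r"[\s,]+", fields[1])
        rules.append((daemons, clients, fields[2:]))
    return rules


def matches_client(pattern, ctx):
    """Leading '.' matches a hostname suffix, trailing '.' an address prefix, ALL matches all."""
    host, addr = ctx["client_host"], ctx["client_addr"]
    if pattern == "ALL":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return pattern in (host, addr)


def evaluate(rules, ctx):
    """First matching rule wins. Returns a dict with the verdict and expanded commands, or None."""
    for daemons, clients, options in rules:
        if not any(d in ("ALL", ctx["daemon"]) for d in daemons):
            continue
        if not any(matches_client(c, ctx) for c in clients):
            continue
        result = {"verdict": "allow", "spawn": None, "twist": None}
        for opt in options:
            word, _, rest = opt.partition(" ")
            if word in ("allow", "deny"):
                result["verdict"] = word
            elif word == "spawn":                # runs alongside; verdict unchanged
                result["spawn"] = expand(rest, ctx)
            elif word == "twist":                # replaces the requested service
                result["twist"] = expand(rest, ctx)
                result["verdict"] = "twist"
        return result
    return None


def decide(daemon, client_host="mail.example.com"):
    """Evaluate the page's sample rules for a daemon and client hostname."""
    ctx = dict(CTX, daemon=daemon, client_host=client_host)
    return evaluate(parse_rules(RULES), ctx)


if __name__ == "__main__":
    for d in ("sshd", "vsftpd", "imapd"):
        print(d, decide(d))
```

Running the block prints the decision for each daemon: the sshd rule denies and yields the expanded logging command, the vsftpd rule yields the expanded twist banner, and a daemon no rule names gets None (which, in hosts.allow, means the lookup would fall through to hosts.deny).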
For a full explanation of available expansions, as well as additional access control options, refer to section 5 of the man pages for hosts_access (man 5 hosts_access) and the man page for hosts_options.

Refer to Section 43.5.5, “Additional Resources” for more information about TCP Wrappers.
43.5.3. xinetd

The xinetd daemon is a TCP-wrapped super service which controls access to a subset of popular network services, including FTP, IMAP, and Telnet. It also provides service-specific configuration options for access control, enhanced logging, binding, redirection, and resource utilization control.

When a client attempts to connect to a network service controlled by xinetd, the super service receives the request and checks for any TCP Wrappers access control rules.

If access is allowed, xinetd verifies that the connection is allowed under its own access rules for that service. It also checks that the service can have more resources allotted to it and that it is not in breach of any defined rules.

If all these conditions are met (that is, access is allowed to the service; the service has not reached its resource limit; and the service is not in breach of any defined rule), xinetd then starts an instance of the requested service and passes control of the connection to it. After the connection has been established, xinetd takes no further part in the communication between the client and the server.
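The decision sequence just described, as an added Python simulation that is neither xinetd's code nor part of the guide: the TCP Wrappers check (supplied by the caller), then the service's own only_from and no_access rules, then the instances and per_source limits, before an instance of the service is started. only_from, no_access, instances and per_source are real xinetd service attributes; the service configuration, the addresses and the simplification of checking no_access after only_from (xinetd itself uses the most specific match) are the example's own.

```python
import ipaddress
from collections import Counter

# Constructed service configuration using real xinetd attribute names;
# the values are illustrative only.
SERVICE = {
    "name": "telnet",
    "only_from": ["192.0.2.0/24", "198.51.100.0/24"],
    "no_access": ["192.0.2.66"],
    "instances": 3,      # maximum concurrent instances of this service
    "per_source": 2,     # maximum concurrent instances per client address
}


class XinetdSimulator:
    """Models the order of checks xinetd applies before starting a service."""

    def __init__(self, service, wrappers_allows):
        self.service = service
        # Stand-in for the hosts_access lookup: callable(addr) -> bool.
        self.wrappers_allows = wrappers_allows
        self.active = Counter()   # running instances keyed by client address

    @staticmethod
    def _in_list(addr, patterns):
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(p, strict=False) for p in patterns)

    def accept(self, addr):
        """Return (allowed, reason) for a new connection from addr."""
        # 1. TCP Wrappers rules are consulted first.
        if not self.wrappers_allows(addr):
            return False, "refused by TCP Wrappers"
        svc = self.service
        # 2. The service's own access rules.
        if svc.get("only_from") and not self._in_list(addr, svc["only_from"]):
            return False, "not in only_from"
        if self._in_list(addr, svc.get("no_access", [])):
            return False, "listed in no_access"
        # 3. Resource limits for the service.
        if sum(self.active.values()) >= svc["instances"]:
            return False, "instances limit reached"
        if self.active[addr] >= svc["per_source"]:
            return False, "per_source limit reached"
        # 4. Start the service and hand the connection over.
        self.active[addr] += 1
        return True, "service started"

    def release(self, addr):
        """Called when a service instance for addr exits."""
        if self.active[addr] > 0:
            self.active[addr] -= 1


if __name__ == "__main__":
    # Constructed wrappers policy: one address is blocked in hosts.deny.
    sim = XinetdSimulator(SERVICE, lambda a: a != "198.51.100.9")
    for addr in ("198.51.100.9", "203.0.113.5", "192.0.2.66",
                 "192.0.2.10", "192.0.2.10", "192.0.2.10", "192.0.2.11", "192.0.2.12"):
        print(addr, sim.accept(addr))
```

The sequence in the usage loop exercises each refusal reason in turn and then shows the per_source limit tripping before the service-wide instances limit; releasing an instance frees capacity again.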