On Tue, 2006-11-21 at 20:59 -0600, Paul Johnson wrote:
> One security tip I got years ago was to turn off all access by setting
> the file /etc/hosts.deny like this:
>
> ALL:ALL
>
>
> And then in /etc/hosts.allow, I allow in only specific services and
> specific ip address ranges that I want to allow. For example, I
> usually allow only ssh connections from a few specific places:
>
> ALL: 127.0.0.1
> sshd: 24.124.
> sshd: 129.237.
> sshfwd-X11: 24.124.
> sshfwd-X11: 129.237.
>
> This has served me well to keep out other users and protect myself
> from starting services that I don't want.
>
> Now in FC6 I notice that xinetd is not installed and so these host
> files have no effect. Of course, I can install xinetd, but I'm
> suspecting that the FC6 designers want me to do something else in
> order to control access. How does one achieve the same effect without
> using xinetd?
> Maybe iptables?

Iptables can certainly be configured to do what you have listed above,
but not IMHO as easily nor as cleanly. The syntax is different and so
somewhat harder to use.

However, that seems like throwing the baby out with the bathwater. I
would think that having tcpwrappers (which is what uses the hosts.deny
and hosts.allow files) in effect was a good thing.

>
> --
> Paul E. Johnson
> Professor, Political Science
> 1541 Lilac Lane, Room 504
> University of Kansas
>
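To make the syntax difference mentioned in the reply concrete, the following added example (not part of the original message) translates the quoted hosts.allow entries into iptables commands and prints them without applying anything. The function names are hypothetical, and the daemon-to-port table assumes sshd listens on its default port 22; daemons with no entry in that table are reported as skipped rather than guessed.

```shell
#!/bin/sh
# Added example: prints iptables commands; it never touches the firewall.
# Sample input: the hosts.allow entries quoted in the message.
HOSTS_ALLOW='ALL: 127.0.0.1
sshd: 24.124.
sshd: 129.237.
sshfwd-X11: 24.124.
sshfwd-X11: 129.237.'

# tcp_wrappers treats "24.124." as a prefix match; iptables needs CIDR.
pattern_to_cidr() {
    addr=${1%.}                                      # drop the trailing dot
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac   # numeric patterns only
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs  # split into octets
    case $# in
        1) echo "$1.0.0.0/8" ;;
        2) echo "$1.$2.0.0/16" ;;
        3) echo "$1.$2.$3.0/24" ;;
        4) echo "$1.$2.$3.$4/32" ;;
        *) return 1 ;;
    esac
}

# Assumed daemon-to-port table: only sshd, on its default port 22.
daemon_match() {
    case "$1" in
        ALL)  : ;;                                   # any protocol and port
        sshd) printf '%s\n' '-p tcp --dport 22 ' ;;
        *)    return 1 ;;
    esac
}

emit_rules() {
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    printf '%s\n' "$1" | while IFS=': ' read -r daemon clients; do
        match=$(daemon_match "$daemon") ||
            { echo "# skipped $daemon: no port in the assumed table"; continue; }
        for c in $clients; do
            cidr=$(pattern_to_cidr "$c") ||
                { echo "# skipped $daemon: unsupported pattern $c"; continue; }
            echo "iptables -A INPUT ${match}-s $cidr -j ACCEPT"
        done
    done
    # The hosts.deny ALL:ALL role; emitted last so ACCEPT rules exist first.
    echo "iptables -P INPUT DROP"
}

emit_rules "$HOSTS_ALLOW"
```

Review the printed commands before running them as root; setting the DROP policy over a remote session without a matching ACCEPT rule cuts that session off.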