allow; the only line that refers to the lpd daemon does not refer to the
199.170.179 subnet or to the linuxtoys.net domain. xinetd continues on to the hosts.deny
file. The entry ALL: ALL matches anything, so tcpd denies the connection.

The ALL wildcard was also used in the hosts.allow file. In this case, you are telling xinetd to
permit absolutely any host to connect to the FTP service on the Linux box. This is appropriate for
running an anonymous FTP server that anyone on the Internet can access. If you are not running
an anonymous FTP site, you probably should not use the ALL flag.

A good rule of thumb is to make your hosts.allow and hosts.deny files as restrictive as possible
and then explicitly enable only those services that you really need. Also, grant access only to
those systems that really need access. Using the ALL flag to grant universal access to a particular
service may be easier than typing a long list of subnets or domains, but better a few minutes spent
on proper security measures than many hours recovering from a break-in.

For Linux systems that use the xinetd service, you can further restrict access to services
using various options within the /etc/xinetd.conf file, even to the point of limiting
access to certain services to specific times of the day.
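The lookup order described above (hosts.allow first, then hosts.deny) can be modelled in a few lines. This is an added example, not code or configuration from the original text: the file contents, daemon names other than lpd, and client addresses are constructed, and the matcher handles only the ALL wildcard, leading-dot domain suffixes and trailing-dot address prefixes, with no DNS lookups.

```python
# Simplified model of the TCP wrappers decision: hosts.allow, then hosts.deny.
# Added example with constructed sample files; not the files from the text.

HOSTS_ALLOW = """\
lpd: 192.0.2.
in.telnetd: 199.170.179., .linuxtoys.net
vsftpd: ALL
"""
HOSTS_DENY = "ALL: ALL\n"


def parse(text):
    """Return [(daemon_list, client_list), ...], skipping comments and blanks."""
    words = lambda s: s.replace(",", " ").split()
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]  # ignore optional command field
        rules.append((words(daemons), words(clients)))
    return rules


def client_matches(pattern, ip, hostname):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):  # domain suffix, e.g. .linuxtoys.net
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):  # address prefix, e.g. 199.170.179.
        return ip.startswith(pattern)
    return pattern in (ip, hostname)


def first_match(rules, daemon, ip, hostname):
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(client_matches(c, ip, hostname) for c in clients):
                return True
    return False


def decide(daemon, ip, hostname=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """A match in hosts.allow wins; otherwise hosts.deny; otherwise access is granted."""
    if first_match(parse(allow), daemon, ip, hostname):
        return "allow (hosts.allow)"
    if first_match(parse(deny), daemon, ip, hostname):
        return "deny (hosts.deny)"
    return "allow (no match in either file)"
```

The last return is the case to watch: without the ALL: ALL entry in hosts.deny, a client that matches nothing in either file is granted access.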