Once we have running only what we want running (all starting via TCPD), let's make sure that only the systems/users that we want to use a service can use it. We're going to allow a local Web program to use IMAPD to access users' mail, so we need to allow access to IMAPD from the local system but deny access from anywhere else. So, our line in /etc/hosts.allow looks like this:
imapd: ALL except localhost, 127.0.0.1: DENY
Let's also allow only david on localhost or 127.0.0.1 to run the Samba Web Administration Tool (swat):
swat: ALL except david@localhost, email@example.com : DENY
We now have two lines we can test, so we pull out our handy-dandy checker tool, tcpdmatch, and check out our rules:
# tcpdmatch imapd pananix.com client: hostname mail.pananix.com client: address 18.104.22.168 server: process imapd matched: /etc/hosts.allow line 8 option: DENY access: denied
Well, that looks good. Anyone coming from the foreign address of either mail.pananix.com or IP 22.214.171.124 will be denied access to IMAPD per line 8 of the hosts.allow file.
Now lets see if this service will run locally:
# tcpdmatch imapd localhost client: hostname localhost client: address 127.0.0.1 server: process imapd access: granted
Well, I'd say that's a ROGER. Now let's see how swat holds up to the rules:
# tcpdmatch swat localhost client: hostname localhost client: address 127.0.0.1 server: process swat matched: /etc/hosts.allow line 7 option: DENY access: denied
Okay, so it appears no one can access swat, even locally. But we want user david to be able to run swat (at least locally):
]# tcpdmatch swat david@localhost warning: /etc/inetd.conf, line 75: in.tftpd: not found in /usr/sbin: No such file or directory client: hostname localhost client: address 127.0.0.1 client: username david server: process swat access: granted
We've got success. But let's make sure it's not a fluke:
# tcpdmatch swat firstname.lastname@example.org client: hostname chiriqui.pananix.com client: address 192.168.0.2 client: username david server: process swat matched: /etc/hosts.allow line 7 option: DENY access: denied
Looks like we're cooking with gas.