Security Consulting

/etc/hosts.deny

TCP Wrappers consult the file hosts.deny to decide which connections to refuse. Here is an example rule that mails you an alert whenever somebody tries to connect:
    ALL: ALL: spawn ( \
    echo -e "\n\
    TCP Wrappers\:  Connection Refused\n\
    By\:		$(uname -n)\n\
    Process\:	%d (pid %p)\n\
    Host\:		%c\n\
    Date\:		$(date)\n\
    " | /bin/mail -s "From tcpd@$(uname -n). %u@%h -> %d." admin@somewhere.com)
Two explanations:
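  • ALL matches everything: the first ALL covers every service, the second every client IP address (unless overruled by hosts.allow)
  • spawn runs the shell command in a child process, which creates the actual notification; tcpd expands the % sequences first (%d daemon name, %p its process id, %c client information, %h client host name or address, %u client user name)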

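Be warned: with no entries in hosts.allow, this rule could lock your machine down!

A slightly different variant, which exempts proftpd, sshd and imaps from the rule and sends the mail through sendmail -t: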
      ALL EXCEPT proftpd, sshd, imaps: ALL: spawn ( \
      echo -e "From\: root@cryptojail.net\n\
      To\: admin@cryptojail.net\n\
      Subject\: TCP wrapper Security Incident!\n\n\
      TCP Wrappers\:  Connection Refused\n\
      User\:          %u\n\
      From\:          %h\n\
      By\:            $(uname -n)\n\
      Process\:       %d (pid %p)\n\
      Host\:          %c\n\
      Date\:          $(date)\n\
      " | /usr/sbin/sendmail -t)
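
The lockout warning and the EXCEPT variant above can be checked before a rule goes live. The following is an added example, not part of the original page: a simplified Python model of the tcpd decision order (hosts.allow first, then hosts.deny, otherwise grant), run against the page's two rules with the mail command shortened. The function names, the hosts.allow entry and the client addresses are constructed for illustration.

```python
# Added example: simplified model of the tcpd decision order (hosts.allow first,
# then hosts.deny, otherwise grant). Handles only ALL, EXCEPT, exact names and
# "192.0.2."-style prefixes; rule bodies and addresses below are constructed.

def parse_rules(text):
    """Return [(daemon_tokens, client_tokens)], joining backslash-continued lines."""
    rules, logical = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):            # rule continues on the next line
            logical += line[:-1]
            continue
        logical, rule = "", (logical + line).strip()
        if rule and not rule.startswith("#"):
            fields = rule.split(":", 2)    # daemons : clients [: options such as spawn]
            if len(fields) >= 2:
                rules.append(tuple(f.replace(",", " ").split() for f in fields[:2]))
    return rules

def in_list(tokens, value):
    """Match value against a list, honouring 'list_1 EXCEPT list_2'."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return in_list(tokens[:i], value) and not in_list(tokens[i + 1:], value)
    return any(t == "ALL" or t == value or (t.endswith(".") and value.startswith(t))
               for t in tokens)

def matches(rules, daemon, client):
    """True if any rule matches both the daemon and the client."""
    return any(in_list(d, daemon) and in_list(c, client) for d, c in rules)

def permitted(daemon, client, allow_text, deny_text):
    """True if tcpd would grant the connection under this simplified model."""
    if matches(parse_rules(allow_text), daemon, client):
        return True
    return not matches(parse_rules(deny_text), daemon, client)

# The two hosts.deny rules from this page, with the mail command shortened.
DENY_ALL = "ALL: ALL: spawn ( \\\necho refused %d %c | /bin/mail admin@somewhere.com)"
DENY_VARIANT = ("ALL EXCEPT proftpd, sshd, imaps: ALL: spawn ( \\\n"
                "echo refused %d %c | /usr/sbin/sendmail -t)")
ALLOW_ADMIN = "sshd: 192.0.2."   # constructed hosts.allow entry (documentation network)

if __name__ == "__main__":
    for allow, deny in (("", DENY_ALL), (ALLOW_ADMIN, DENY_ALL), ("", DENY_VARIANT)):
        for daemon, client in (("sshd", "192.0.2.10"), ("in.telnetd", "198.51.100.7")):
            verdict = "granted" if permitted(daemon, client, allow, deny) else "refused"
            print(f"allow={allow!r:18} {daemon:10} from {client:13} -> {verdict}")
```

On a live system, the tcpdmatch utility shipped with TCP Wrappers answers the same question against the real files.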
      



    CopyLeft (l) 2003 by Raffael Marty