205 Chapter 6 Securing Linux

The rsync service is a nice one to turn on if your machine is an FTP server. It enables people to use an rsync client (which includes a checksum-search algorithm) to download files from your server. With that feature, users can restart a disrupted download without having to start from the beginning.

Because most services are disabled by default, your computer is only as insecure as you make it. You can double-check that insecure services, such as rlogin and rsh (which are included in the rsh-server package), are also disabled by making sure that disabled = yes is set in the /etc/xinetd.d/rlogin and rsh files.

You can make the remote login service active but disable the use of the /etc/hosts.equiv and .rhosts files, requiring rlogin to always prompt for a password. Rather than disabling the service, locate the server line in the rsh file (server = /usr/sbin/in.rshd) and add a space followed by -L at the end.

You now need to send a signal to the xinetd process to tell it to reload its configuration file. The quickest way to do that is to restart the service. As the root user, type the following from a shell:

    # service xinetd restart
    Stopping xinetd:    [ OK ]
    Starting xinetd:    [ OK ]

That's it: you have enabled the ipop3 service. Provided that you have properly configured your mail server, clients should now be able to get their mail from your computer.

Using TCP Wrappers

Completely disabling an unused service is fine, but what about the services that you really need? How can you selectively grant and deny access to these services?

With most current Linux distributions, TCP wrapper support has been integrated into the xinetd daemon. Xinetd will look at the /etc/hosts.allow and /etc/hosts.deny files to determine when a particular connection should be granted or refused for services such as rlogin, rsh, telnet, finger, and talk.
When a service that relies on TCP wrappers is requested, the hosts.allow and hosts.deny files are scanned and checked for an entry that matches the IP address of the connecting machine. The following checks are made when connection attempts occur:

- If the address is listed in the hosts.allow file, the connection is allowed, and hosts.deny is not checked.
- Otherwise, if the address is in hosts.deny, the connection is denied.
- Finally, if the address is in neither file, the connection is allowed.
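The three checks above, as an added example that is not part of the original chapter: a small Python model of the decision order, run over constructed hosts.allow and hosts.deny contents rather than the real libwrap. It supports only the common patterns (ALL, an exact address, a dotted prefix such as "192.168.1.") and shows the point that matters for hardening: with no matching hosts.deny entry, the default is to allow.

```python
# Added illustration of the TCP wrappers check order (not the libwrap code).
# Supported client patterns: "ALL", an exact IP/hostname, or a dotted prefix
# like "192.168.1." (netmask forms, EXCEPT and options are out of scope).

def parse_rules(text):
    """Return a list of (daemon_list, client_list) from hosts.allow-style text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or ":" not in line:
            continue
        fields = line.split(":")                  # daemon_list : client_list [: option]
        daemons = [d.strip() for d in fields[0].split(",")]
        clients = [c.strip() for c in fields[1].split(",")]
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, client):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):                     # dotted-prefix form, e.g. "192.168.1."
        return client.startswith(pattern)
    return pattern == client

def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (("ALL" in daemons or daemon in daemons)
            and any(client_matches(p, client) for p in clients))

def access_decision(hosts_allow, hosts_deny, daemon, client):
    """Apply the three checks in order and return 'allow' or 'deny'."""
    if any(rule_matches(r, daemon, client) for r in parse_rules(hosts_allow)):
        return "allow"      # listed in hosts.allow: hosts.deny is not consulted
    if any(rule_matches(r, daemon, client) for r in parse_rules(hosts_deny)):
        return "deny"       # not allowed explicitly, but matched in hosts.deny
    return "allow"          # in neither file: allowed by default

# Constructed sample configuration: open telnet/rlogin to one subnet and one
# admin host, and deny everything else with a catch-all in hosts.deny.
HOSTS_ALLOW = """
# office subnet and the admin workstation
in.telnetd, in.rlogind : 192.168.1. , 10.0.0.5
"""
HOSTS_DENY = """
ALL : ALL
"""

if __name__ == "__main__":
    print(access_decision(HOSTS_ALLOW, HOSTS_DENY, "in.telnetd", "192.168.1.20"))  # allow
    print(access_decision(HOSTS_ALLOW, HOSTS_DENY, "in.telnetd", "203.0.113.9"))   # deny
    print(access_decision(HOSTS_ALLOW, "", "in.fingerd", "203.0.113.9"))           # allow
```

The last call shows why an empty hosts.deny leaves every wrapped service reachable from anywhere; the "ALL : ALL" line is what turns the default into deny.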