2.11 Configure TCP Wrappers - hosts.deny

Information

NOTE: Update the value of HOSTS_DENIED_NETWORK with the appropriate value for the local environment.

Solution

To enable TCP Wrappers, run the following commands:
1. Create and customize your policy in /etc/hosts.allow:
# echo "ALL: <net>/<mask>, <net>/<mask>" > /etc/hosts.allow
where each <net>/<mask> combination (for example, the Class C address block "192.168.1.0/255.255.255.0") can represent one network block in use by your organization that requires access to this system.
2. Create a default deny policy in /etc/hosts.deny:
# echo "ALL: ALL" >/etc/hosts.deny
3. Enable TCP Wrappers for all services started by inetd:
# inetadm -M tcp_wrappers=TRUE
To protect only specific inetd services, use the command:
# inetadm -m [FMRI] tcp_wrappers=TRUE
To enable TCP Wrappers for the RPC port mapping service, use the commands:
# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bind

The versions of SSH and sendmail that ship with Solaris 11 will automatically use TCP Wrappers to filter access if a hosts.allow or hosts.deny file exists. To protect UDP and RPC-based services that are spawned from inetd, consider implementing a host-based firewall such as Solaris IP Filter. See ipfilter(5) for more information.

See Also

https://workbench.cisecurity.org/files/612

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(5)

Plugin: Unix

Control ID: d79717177878f26abd13bc7ca44a4b453466ce2e9d09f5e253cba67773da3c95