diff --git a/hosts.allow b/hosts.allow
new file mode 100644
index 0000000..df4e910
--- /dev/null
+++ b/hosts.allow
@@ -0,0 +1,64 @@
+# /etc/hosts.allow
+# Make sure package tcpd is installed on your system for this to work.
+# See 'man tcpd' and 'man 5 hosts_access' for a detailed description
+# of /etc/hosts.allow and /etc/hosts.deny.
+#
+# short overview about daemons and servers that are built with
+# tcp_wrappers support:
+#
+# package name | daemon path | token
+# ----------------------------------------------------------------------------
+# ssh, openssh | /usr/sbin/sshd | sshd, sshd-fwd-x11, sshd-fwd-
+# quota | /usr/sbin/rpc.rquotad | rquotad
+# tftpd | /usr/sbin/in.tftpd | in.tftpd
+# portmap | /sbin/portmap | portmap
+# The portmapper does not verify against hostnames
+# to prevent hangs. It only checks non-local addresses.
+#
+# (kernel nfs server)
+# nfs-utils | /usr/sbin/rpc.mountd | mountd
+# nfs-utils | /sbin/rpc.statd | statd
+#
+# (unfsd, userspace nfs server)
+# nfs-server | /usr/sbin/rpc.mountd | rpc.mountd
+# nfs-server | /usr/sbin/rpc.ugidd | rpc.ugidd
+#
+# (printing services)
+# lprng | /usr/sbin/lpd | lpd
+# cups | /usr/sbin/cupsd | cupsd
+# The cupsd server daemon reports to the cups
+# error logs, not to the syslog(3) facility.
+#
+# (Uniterrupted Power Supply Software)
+# apcupsd | /sbin/apcupsd | apcupsd
+# apcupsd | /sbin/apcnisd | apcnisd
+#
+# All of the other network servers such as samba, apache or X, have their own
+# access control scheme that should be used instead.
+#
+# In addition to the services above, the services that are started on request
+# by inetd or xinetd use tcpd to "wrap" the network connection. tcpd uses
+# the last component of the server pathname as a token to match a service in
+# /etc/hosts.{allow,deny}. See the file /etc/inetd.conf for the token names.
+# The following examples work when uncommented:
+#
+#
+# Example 1: Fire up a mail to the admin if a connection to the printer daemon
+# has been made from host foo.bar.com, but simply deny all others:
+# lpd : foo.bar.com : spawn /bin/echo "%h printer access" | \
+# mail -s "tcp_wrappers on %H" root
+#
+#
+# Example 2: grant access from local net, reject with message from elsewhere.
+# in.telnetd : ALL EXCEPT LOCAL : ALLOW
+# in.telnetd : ALL : \
+# twist /bin/echo -e "\n\raccess from %h declined.\n\rGo away.";sleep 2
+#
+#
+# Example 3: run a different instance of rsyncd if the connection comes
+# from network 172.20.0.0/24, but regular for others:
+# rsyncd : 172.20.0.0/255.255.255.0 : twist /usr/local/sbin/my_rsyncd-script
+# rsyncd : ALL : ALLOW
+#
+
+
diff --git a/hosts.deny b/hosts.deny
new file mode 100644
index 0000000..f8e28d7
--- /dev/null
+++ b/hosts.deny
@@ -0,0 +1,7 @@
+# /etc/hosts.deny
+# Make sure package tcpd is installed on your system for this to work.
+# See 'man tcpd' and 'man 5 hosts_access' as well as /etc/hosts.allow
+# for a detailed description.
+
+http-rman : ALL EXCEPT LOCAL
+
diff --git a/tcpd.changes b/tcpd.changes
index 4231558..7414b26 100644
--- a/tcpd.changes
+++ b/tcpd.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Oct 11 09:34:37 UTC 2022 - Danilo Spinella
+
+- Add hosts.allow and hosts.deny config files from the netcfg package,
+ as they are tcpd specific, bsc#1099755
+
 -------------------------------------------------------------------
 Mon Sep 5 14:42:10 UTC 2022 - Ludwig Nussel
 
diff --git a/tcpd.spec b/tcpd.spec
index a782990..122e093 100644
--- a/tcpd.spec
+++ b/tcpd.spec
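Review bot: The only active rule in the new hosts.deny, `http-rman : ALL EXCEPT LOCAL`, carries no comment saying what the service is or why it is the one thing denied by default, while everything above it is explanatory text. Per hosts_access(5), `LOCAL` matches any client whose looked-up name contains no dot, so whether a peer is treated as local depends on the reverse-DNS answer at connection time, which is worth stating next to the rule. A short comment such as `# http-rman: only accept clients whose resolved name has no dot (LOCAL); everything else is refused` would make the intent reviewable, and a second line noting that services not listed in either file are not denied by this file would set expectations for admins who assume a default-deny policy.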
@@ -27,6 +27,8 @@ Group: Productivity/Networking/System
 URL: ftp://ftp.porcupine.org/pub/security/index.html
 Source: ftp://ftp.porcupine.org/pub/security/tcp_wrappers_%{version}.tar.gz
 Source2: baselibs.conf
+Source3: hosts.allow
+Source4: hosts.deny
 Patch0: tcp_wrappers_%{version}.diff
 Patch1: tcp_wrappers_%{version}-ipv6-1.6.diff
 Patch2: tcp_wrappers_%{version}-ipv6-fix.diff
@@ -155,6 +157,10 @@ install -m 644 tcpd.8 tcpdchk.8 tcpdmatch.8 %{buildroot}%{_mandir}/man8
 install -m 644 shared/libwrap.so.0.%{version} %{buildroot}/%{_libdir}
 ln -sf libwrap.so.0.%{version} %{buildroot}/%{_libdir}/libwrap.so.0
 ln -sf libwrap.so.0.%{version} %{buildroot}/%{_libdir}/libwrap.so
+mkdir -p %{buildroot}%{_sysconfdir}
+for i in hosts.allow hosts.deny; do
+ install $RPM_SOURCE_DIR/$i %{buildroot}/%{_sysconfdir}
+done
 
 %post -n %{lname} -p /sbin/ldconfig
 
@@ -170,6 +176,8 @@ ln -sf libwrap.so.0.%{version} %{buildroot}/%{_libdir}/libwrap.so
 %defattr(-,root,root)
 %doc DISCLAIMER
 %attr(755,root,root) %{_libdir}/libwrap.so.0*
+%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/hosts.allow
+%verify(not md5 size mtime) %config(noreplace) %{_sysconfdir}/hosts.deny
 
 %files devel
 %defattr(644,root,root,755)
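Review bot: The `install $RPM_SOURCE_DIR/$i ...` line in the %install hunk passes no `-m`, so both access-control files are installed with install's default mode 0755 and end up executable in the package, because the %files hunk below uses `%defattr(-,root,root)` which keeps the buildroot mode; the neighbouring lines for the man pages and the library all use `install -m 644`. The loop also bypasses the `Source3`/`Source4` declarations added in the first hunk, so the spec would silently keep working if those lines were dropped. Replacing the for/done loop with `install -m 644 %{SOURCE3} %{SOURCE4} %{buildroot}%{_sysconfdir}/` after the existing `mkdir -p` fixes the mode and ties the install step to the declared sources.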
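Review bot: `%verify(not md5 size mtime)` on the two new %files entries excludes the content of hosts.allow and hosts.deny from `rpm -V`, so an edit to either access-control file, intended or not, is never reported by package verification; `%config(noreplace)` on the same lines already preserves local edits across upgrades on its own, so the verify exemption is not needed for that. If the exemption is deliberate (for example because an installer rewrites the files), a one-line comment above the entries saying so would prevent a later cleanup from removing it; otherwise dropping `%verify(...)` keeps `rpm -V tcpd` usable as an integrity check for these files.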