The file /etc/hosts.deny together with /etc/hosts.allow provides a simple access control mechanism for network services supporting TCP wrappers. The following line in the file ensures that access to services supporting this mechanism is denied to any clients not mentioned in /etc/hosts.allow:
ALL: ALL

Before applying this remediation, inspect the network services on the host that honour this file (those linked against libwrap or started through tcpd), since a blanket deny affects all of them. If some of those services must stay reachable, add matching entries to /etc/hosts.allow first: TCP wrappers consult /etc/hosts.allow before /etc/hosts.deny and grant access on the first match there, so an explicit allow rule takes precedence over the deny-all rule.
Correct configuration of /etc/hosts.deny ensures that clients which are not explicitly granted access in /etc/hosts.allow cannot connect to services supporting this access control mechanism. Only programs that actually use libwrap (or run under tcpd) consult these files, so TCP wrappers complement, but do not replace, a host firewall.
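The following shell audit of the two files is added here as an example and is not part of the benchmark text. It normalizes the hosts_access(5) syntax (comment lines, blank lines, backslash continuations), checks that hosts.deny really contains an ALL: ALL rule rather than a weaker variant such as ALL EXCEPT sshd: ALL, lists the daemons granted access in hosts.allow, and includes an environment-dependent helper that finds which installed binaries link libwrap at all, which is the "inspect affected services" step above. The tcpw_* function names and the sample ACL contents are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the benchmark text: parse and audit the TCP wrappers ACL
# files before applying the "ALL: ALL" remediation. Function names are this example's own.

# Print the effective rules of an ACL file: drop comment and blank lines and join
# backslash-continued lines, following the syntax described in hosts_access(5).
tcpw_rules() {
    awk '
        /^[ \t]*#/ { next }                                        # comment line
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0; next }   # line continues
        { line = buf $0; buf = ""; if (line ~ /[^ \t]/) print line }
    ' "$1"
}

# Succeed when FILE contains a rule whose daemon list and client list are both exactly
# ALL (the default-deny rule). "ALL EXCEPT sshd : ALL" deliberately does not count.
tcpw_has_deny_all() {
    tcpw_rules "$1" | awk -F: '
        NF >= 2 {
            d = $1; c = $2
            gsub(/^[ \t]+|[ \t]+$/, "", d); gsub(/^[ \t]+|[ \t]+$/, "", c)
            if (d == "ALL" && c == "ALL") { found = 1; exit }
        }
        END { exit !found }'
}

# Print the daemon list of every rule in FILE (the services explicitly granted access).
# Only field 1 is used, so IPv6 client addresses containing ":" do not disturb it.
tcpw_allowed_daemons() {
    tcpw_rules "$1" | awk -F: '{ d = $1; gsub(/^[ \t]+|[ \t]+$/, "", d); print d }'
}

# Environment-dependent check, not run by default: which installed binaries actually
# link libwrap and therefore honour these files at all. ldd may execute code from the
# binary's loader, so only point it at trusted system binaries (or use readelf -d).
tcpw_libwrap_bins() {
    for bin in /usr/sbin/* /usr/bin/*; do
        [ -x "$bin" ] || continue
        ldd "$bin" 2>/dev/null | grep -q 'libwrap' && printf '%s\n' "$bin"
    done
    return 0
}

# Demonstration on constructed sample files (not the system's real ACLs).
demo=$(mktemp -d)
cat > "$demo/hosts.allow" <<'EOF'
# constructed sample hosts.allow
sshd:   192.168.10.0/255.255.255.0, 10.0.0.1
vsftpd: .example.internal \
        EXCEPT untrusted.example.internal
ALL:    127.0.0.1
EOF
printf 'ALL: ALL\n' > "$demo/hosts.deny"

if tcpw_has_deny_all "$demo/hosts.deny"; then
    echo "hosts.deny: default-deny rule present"
else
    echo "hosts.deny: default-deny rule missing"
fi
echo "daemons with explicit allow rules: $(tcpw_allowed_daemons "$demo/hosts.allow" | tr '\n' ' ')"
rm -rf "$demo"
```

Run tcpw_has_deny_all /etc/hosts.deny and tcpw_allowed_daemons /etc/hosts.allow against the real files to audit a host, and tcpw_libwrap_bins to see which daemons on that host are governed by them; a service that does not appear in the last list is unaffected by either ACL file and must be restricted by other means.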
To properly set the group owner of /etc/hosts.allow, run the command:
$ sudo chgrp root /etc/hosts.allow
The /etc/hosts.allow file is used to control access of clients to daemons on the server. Insecure group ownership of this file could allow non-root users to rewrite the access lists and thereby grant clients unrestricted access, or no access at all, to services on the server.
To properly set the group owner of /etc/hosts.deny, run the command:
$ sudo chgrp root /etc/hosts.deny
The /etc/hosts.deny file is used to control access of clients to daemons on the server. Insecure group ownership of this file could allow non-root users to rewrite the access lists and thereby grant clients unrestricted access, or no access at all, to services on the server.
To properly set the owner of /etc/hosts.allow, run the command:
$ sudo chown root /etc/hosts.allow
The /etc/hosts.allow file is used to control access of clients to daemons on the server. Insecure ownership of this file could allow non-root users to rewrite the access lists and thereby grant clients unrestricted access, or no access at all, to services on the server.
To properly set the owner of /etc/hosts.deny, run the command:
$ sudo chown root /etc/hosts.deny
The /etc/hosts.deny file is used to control access of clients to daemons on the server. Insecure ownership of this file could allow non-root users to rewrite the access lists and thereby grant clients unrestricted access, or no access at all, to services on the server.
To properly set the permissions of /etc/hosts.allow, run the command:
$ sudo chmod 0644 /etc/hosts.allow
The /etc/hosts.allow file is used to control access of clients to daemons on the server. Insecure permissions on this file (for example group- or world-writable) could allow non-root users to rewrite the access lists and thereby grant clients unrestricted access, or no access at all, to services on the server.
To properly set the permissions of /etc/hosts.deny, run the command:
$ sudo chmod 0644 /etc/hosts.deny
The /etc/hosts.deny file is used to control access of clients to daemons on the server. Insecure permissions on this file (for example group- or world-writable) could allow non-root users to rewrite the access lists and thereby grant clients unrestricted access, or no access at all, to services on the server.
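The six rules above are one procedure: both files owned by root:root and no more permissive than 0644. The following shell script, added here as an example and not taken from the benchmark, audits and remediates both files in one pass. The tcpw_* names are this example's own, and the "0644 or stricter" test uses a bit mask so that tighter modes such as 0600 pass instead of being flagged, while setuid/setgid, write bits for group or other, and any execute bit fail.

```sh
#!/bin/sh
# Added example, not part of the benchmark text: audit and remediate owner, group and
# mode of the TCP wrappers ACL files. The tcpw_* names are this example's own.

TCPW_FILES="/etc/hosts.allow /etc/hosts.deny"

# Accept an octal mode (as printed by GNU stat %a) when it is 0644 or stricter:
# none of setuid/setgid/sticky (07000), group/other write (0022) or any execute
# bit (0111) may be set. 0600 and 0640 pass; 0664, 0755 and 2644 fail.
tcpw_mode_ok() {
    [ $(( 0$1 & 07133 )) -eq 0 ]
}

# Owner and group must both be root. Numeric ids are compared, not names.
tcpw_owner_ok() {
    [ "$1" -eq 0 ] && [ "$2" -eq 0 ]
}

# Report every deviation for FILE; return 1 if any was found.
# A missing file is flagged too: hosts_access(5) treats it as empty, so a missing
# hosts.deny silently turns the policy into allow-all.
tcpw_file_check() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    set -- $(stat -c '%u %g %a' "$f")     # uid gid mode (GNU coreutils stat)
    rc=0
    tcpw_owner_ok "$1" "$2" || { echo "$f: owner $1:$2, expected 0:0"; rc=1; }
    tcpw_mode_ok "$3"       || { echo "$f: mode $3, expected 0644 or stricter"; rc=1; }
    return $rc
}

# Remediation exactly as the benchmark prescribes; needs root.
tcpw_file_fix() {
    chown root:root "$1" && chmod 0644 "$1"
}

# Audit the real files, fixing whatever fails (run as root). Not invoked by default.
tcpw_audit_system() {
    rc=0
    for f in $TCPW_FILES; do
        tcpw_file_check "$f" || { tcpw_file_fix "$f" || rc=1; }
    done
    return $rc
}

# Demonstration on a constructed temporary file rather than the real ACLs.
demo=$(mktemp)
chmod 0666 "$demo"
tcpw_file_check "$demo" || echo "-> would run: chown root:root; chmod 0644"
chmod 0644 "$demo"
tcpw_mode_ok "$(stat -c '%a' "$demo")" && echo "mode now acceptable"
rm -f "$demo"
```

Call tcpw_audit_system as root to apply the six rules together; tcpw_file_check alone is safe to run unprivileged as a read-only compliance check.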
When network services are started through the xinetd service, the tcp_wrappers package should be installed. The tcp_wrappers package can be installed with the following command:
$ apt-get install tcp_wrappers
On Debian and Ubuntu the package that ships tcpd and libwrap is named tcpd (tcp_wrappers is the package name used on Red Hat derived systems), so substitute that name if the command above does not find the package.
Access control methods such as TCP wrappers enhance the system's security posture by restricting services to known-good IP addresses and address ranges, which prevents connections from unknown hosts.
The tcpd package can be removed with the following command:
$ apt-get remove tcpd
Administrators can use the TCP wrapper library and daemon for host-based control over network services. In that setup xinetd runs the tcpd program, which first checks the incoming connection against the access control lists in /etc/hosts.allow and /etc/hosts.deny before handing it to the real service. Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation, and removing the tcpd package reinforces that measure. This rule is the converse of the installation rule above; apply it only on systems that do not need xinetd-managed services.
The xinetd package can be removed with the following command:
$ apt-get remove xinetd
Removing the xinetd package decreases the risk of the xinetd service's accidental (or intentional) activation.
The xinetd service can be disabled with the following command:
$ sudo systemctl mask --now xinetd.service
The xinetd service provides a dedicated listener for some programs, which commonly-used network services no longer need. Masking the unit stops it immediately (--now) and links it to /dev/null so it cannot be started again, whether manually or as a dependency of another unit. This ensures that these uncommon services are not running and also removes xinetd itself as an attack surface.