Changes to Makefile
I like to change a few things in the makefile so I can use some extra features of tcp_wrappers.

You'll want to enable the following options (by uncommenting them.) Read the comments in the makefile for what each one does. 

  • NETGROUP= -DNETGROUP

  • STYLE = -DPROCESS_OPTIONS     # Enable language extensions.

  • DOT= -DAPPEND_DOT

  • AUTH  = -DALWAYS_RFC931

  • KILL_OPT= -DKILL_IP_OPTIONS
    • Another important thing is to change the logging facility from LOG_MAIL to LOG_LOCAL3. This allows you to log all connections to a seperate file.

    Logging
    Then in your syslog.conf file you add. 
    local3.info                                     /var/log/syslog/connections
local3.err                                      /var/log/syslog/auth
    Hosts access examples
    I like to put everything into /etc/hosts.allow and just touch /etc/hosts.deny.

    Here's an example of a fairly standard hosts.allow that operates on the Least Privilege methodology. 

    #
# hosts.allow for machine isr0001.urh.uiuc.edu
#

# allow portmap requests (NFS, rusers, etc) from only the hosts that need it (me)

portmap: \
        127.0.0.1, \
	isr0001.urh.uiuc.edu, \
	isr0003.urh.uiuc.edu: \
	severity=local3.info: \
	ALLOW

# Allow special access (such as rsh) from only a few places

ALL EXCEPT in.telnetd, in.ftpd: \
	localhost, isr0001.urh.uiuc.edu, \
	workmachine.cso.uiuc.edu: \
	severity=local3.info: \
	ALLOW

# Allow telnetd and ftpd from acm, sites, and the machine room network
# but disallow the student cluster specifically since everyone on campus
# has access to those machines

in.telnetd, in.ftpd: \
	localhost, \
	.acm.uiuc.edu, \
	.sites.uiuc.edu, \
	128.174.5.0/255.255.255.128
        EXCEPT ux4.cso.uiuc.edu, ux5.cso.uiuc.edu, \
        ux8.cso.uiuc.edu, ux9.cso.uiuc.edu: \
        severity=local3.info: \
        ALLOW

# DENY everything else that makes it this far

ALL: \
        ALL: \
        severity=local3.err: \
        DENY

#
# END
#

    ACM@UIUC Main Page