How to control host access on UNIX/Linux

INTRODUCTION


There are simple ways to control which hosts can access a remote UNIX/Linux server. On most UNIX/Linux based machines, the Xaccess file controls XDMCP access, and TCP Wrapper can be used to block or allow other incoming TCP connections. This page explains how to control host access using Xaccess and TCP Wrapper.


*This article requires configuration on the remote server. Administrator privileges may be required.



INFORMATION


1. How to use Xaccess to control host access (For XDMCP connection)

The Xaccess file determines which machines can connect to a display manager such as GDM, KDM or XDM. If a machine is not listed in this file, it will not be able to request a login prompt. To control host access using Xaccess, do the following:


Open the Xaccess file. Depending on the operating system, the file is located at:


Operating System    Xaccess path
Unix                /usr/lib/X11/xdm/Xaccess
Linux               /etc/X11/xdm/Xaccess
CDE                 /usr/dt/config/Xaccess


To allow a host, add its host name or IP address. For example, to allow 'example.domain' to use XDMCP, add:

     example.domain


To allow XDMCP requests from all hosts, add *.

To deny a host, put a ! directly in front of the host name or IP address. For example, to deny XDMCP requests from the host 'example.domain', add:

     !example.domain



Note

The first entry that matches a host takes effect. So, to disallow connections from a host, the line starting with '!' must come before the '*' line.
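As an added example (not part of the original article), the following Python checker applies the first-match rule described above to constructed Xaccess contents, so the ordering of '!' and '*' lines can be verified before the file is deployed; the sample contents and function names are assumptions.

```python
import fnmatch

# Constructed sample Xaccess contents (not taken from any real system).
XACCESS_WRONG_ORDER = """\
# '*' comes first, so the deny line below it is never reached
*
!example.domain
"""

XACCESS_RIGHT_ORDER = """\
!example.domain
*
"""


def parse_xaccess(text):
    """Return a list of (deny, pattern) tuples in file order.

    Only the first token of each line is used: the host name, IP address
    or pattern. A leading '!' attached to that token marks a deny entry.
    Comments ('#') and blank lines are skipped; any further tokens
    (chooser/display lists) are not evaluated by this checker.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        token = line.split()[0]
        if token.startswith("!"):
            entries.append((True, token[1:]))
        else:
            entries.append((False, token))
    return entries


def xaccess_allows(text, host):
    """First matching entry wins; a host that matches nothing is denied."""
    for deny, pattern in parse_xaccess(text):
        if fnmatch.fnmatchcase(host.lower(), pattern.lower()):
            return not deny
    return False


if __name__ == "__main__":
    for name, cfg in (("wrong", XACCESS_WRONG_ORDER), ("right", XACCESS_RIGHT_ORDER)):
        print(name, "order: example.domain ->", xaccess_allows(cfg, "example.domain"),
              "| other.domain ->", xaccess_allows(cfg, "other.domain"))
```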


2. How to use TCP Wrapper to control host access (For TELNET, SSH, Rlogin, Rsh, and Rexec)

TCP Wrapper is a host-based access control feature for UNIX based machines. It allows or denies hosts according to the entries in the /etc/hosts.allow and /etc/hosts.deny files.


To allow a host to use a specific service, use the following format:

     SERVICE_NAME: [HOST/*]


For example, to allow the host 'example.domain' to use the TELNET service, add the following line to /etc/hosts.allow:

     TELNET : example.domain


To deny the host 'example.domain' from using TELNET, add the following line to /etc/hosts.deny:

     TELNET : example.domain


The wildcard character (*) can be used to allow or deny a range of hosts. For example, the following line covers the IP range 192.168.1.0 to 192.168.1.255:

     TELNET: 192.168.1.*


To allow or deny all services for all hosts, add:

     ALL:ALL


Note

The /etc/hosts.deny file is consulted first.