Thursday, August 28, 2008
Controlling Services on VPS

You can control various services on the VPS that are started by an inetd-type process, such as telnet, ssh, ftp, smtp, pop, or imap. When the system receives an incoming connection for one of these services, it consults two configuration files for instructions on how to handle the connection: /etc/hosts.allow, which is read by every service built with tcp wrappers (inetd and the daemons it starts, plus standalone daemons such as sshd and sendmail when they are built with libwrap), and /etc/mail/access, which is read by Sendmail only. To harden your server against hackers and probing IPs, edit these files:

access

The access file is shipped as /etc/mail/access.sample; copy it to /etc/mail/access before editing it. Sendmail does not read the text file itself but the hashed database /etc/mail/access.db built from it, so rebuild the database after every edit (as root: makemap hash /etc/mail/access < /etc/mail/access). Use the access file for Sendmail connections only, since Sendmail is the only process that reads access.db. The other features of the access file are documented in /usr/share/sendmail/cf/README.

hosts.allow

Edit /etc/hosts.allow for every service you want tighter control over. The basic format of the file is described in hosts_access(5); the option language used in the rules below (allow, deny, twist, setenv) is described in hosts_options(5). To read the hosts_options man page, connect to your server using SSH and type the following:

    man hosts_options

Some implementation details are specific to VPS v2 and differ from the man page documentation:

  * The options supported in inetd are allow, deny, twist, and setenv.

Editing the hosts.allow file

Each example listed below works independently of the others. Rules are tried from the top of the file down, and evaluation stops at the first rule whose daemon field and client field both match the connection, so the order of the rules in /etc/hosts.allow is significant: a rule that allows one address only keeps other addresses out if it is followed by a rule that denies the same service to everyone else. If no rule matches at all, tcp wrappers grants the connection. Note that FreeBSD's stock /etc/hosts.allow begins with an "ALL : ALL : allow" rule, which matches everything; remove it, or move it below your own rules, or no deny rule will ever be reached. It is assumed that you have logged in to your server using SSH and have opened /etc/hosts.allow in an editor.
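To make the first-match behaviour concrete, here is an added example (it is not part of the original page and not tcp wrappers' own code): a small Python model of how libwrap walks /etc/hosts.allow for one connection. Rules are tried top to bottom, the first rule whose daemon and client patterns both match decides, and an unmatched connection is granted. The sample file is constructed from the rules listed further down this page, with FreeBSD's stock "ALL : ALL : allow" line moved to the end so the rules above it take effect. The model handles only the ALL, exact-address, net/mask and trailing-dot prefix client patterns and a single allow, deny or twist option per rule; EXCEPT lists, hostname patterns, multi-option rules and the % expansions available to twist commands are left out.

```python
"""Simulate tcp wrappers' first-match walk of /etc/hosts.allow.

Added example: a teaching model of hosts_access(5)/hosts_options(5)
behaviour, not libwrap itself.  Client patterns supported: ALL, an exact
IPv4 address, net/mask (192.168.1.0/255.255.255.0) and a trailing-dot
prefix (192.168.1.).  Options supported: allow, deny, twist <command>.
A '#' inside a twist command is not supported (it is read as a comment).
"""
import ipaddress

# Constructed sample /etc/hosts.allow built from the rules on this page.
# FreeBSD's stock file starts with "ALL : ALL : allow"; here it is moved to
# the end so that the rules above it can be reached.
SAMPLE_HOSTS_ALLOW = """\
# comments and blank lines are ignored
sendmail : 192.168.1.1 : twist /bin/echo "550 Connection refused --too much spam from your IP"
sshd     : 192.168.1.1 : deny
sendmail : 192.168.2.2 : allow
sendmail : ALL         : twist /bin/echo "450 account busy, please try later."
telnetd  : ALL         : deny
proftpd  : 192.168.2.2 : allow
proftpd  : ALL         : deny
ALL      : ALL         : allow
"""


def parse_rules(text):
    """Return a list of (daemon_patterns, client_patterns, option) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":", 2)  # daemon list : client list : option
        if len(fields) != 3:
            raise ValueError(f"rule needs three colon-separated fields: {line!r}")
        daemons, clients, option = (f.strip() for f in fields)
        rules.append((daemons.split(), clients.split(), option))
    return rules


def client_matches(pattern, client_ip):
    """Apply one hosts_access(5) client pattern to an IPv4 address string."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # "192.168.1." matches 192.168.1.0 .. 192.168.1.255
        return client_ip.startswith(pattern)
    return client_ip == pattern


def hosts_access(rules, daemon, client_ip):
    """Return (verdict, detail, rule_number) from the first matching rule.

    verdict is "allow", "deny" or "twist" (detail holds the twist command).
    rule_number 0 means no rule matched, in which case tcp wrappers grants
    the connection.
    """
    for number, (daemons, clients, option) in enumerate(rules, 1):
        if not any(d in ("ALL", daemon) for d in daemons):
            continue
        if not any(client_matches(c, client_ip) for c in clients):
            continue
        if option in ("allow", "deny"):
            return option, "", number
        if option.startswith("twist "):
            return "twist", option[len("twist "):].strip(), number
        raise ValueError(f"rule {number}: unsupported option {option!r}")
    return "allow", "no rule matched, access granted by default", 0


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HOSTS_ALLOW)
    for daemon, ip in [("sendmail", "192.168.1.1"), ("sendmail", "192.168.2.2"),
                       ("sendmail", "203.0.113.9"), ("sshd", "192.168.1.1"),
                       ("sshd", "203.0.113.9"), ("telnetd", "192.168.2.2"),
                       ("proftpd", "192.168.2.2"), ("proftpd", "203.0.113.9")]:
        print(f"{daemon:8} {ip:14} -> {hosts_access(rules, daemon, ip)}")
```

Two things the model makes visible that are easy to get wrong in a real file: swapping "sendmail : ALL : twist ..." above "sendmail : 192.168.2.2 : allow" means the whitelisted host is twisted too, and a lone "proftpd : 192.168.2.2 : allow" with no following deny rule still lets every other address in, because an unmatched connection is granted.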
To block incoming mail from certain IP addresses, type the following:

    sendmail : 192.168.1.1 : deny

To block an ssh connection from certain IP addresses, type the following:

    sshd : 192.168.1.1 : deny

To block incoming mail from everywhere except certain whitelisted IP addresses, list the allowed addresses first and follow them with a rule that denies everyone else (the allow line on its own blocks nothing, because an unmatched connection is granted):

    sendmail : 192.168.2.2 : allow
    sendmail : ALL : deny

To cleanly deny service and request that the sender retry later, type the following. twist replaces the service with the given command, so the client receives the 450 line instead of an SMTP greeting; because this rule matches every client, place it below any allow rules for sendmail:

    sendmail : ALL : twist /bin/echo "450 account busy, please try later."

To provide a more descriptive reason for blocking, type the following:

    sendmail : 192.168.1.1 : twist /bin/echo "550 Connection refused --too much spam from your IP"

To set an environment variable for the service process (useful only if the service reads it), put the setenv option in front of the final allow or deny keyword; name and value below are placeholders for the variable name and its value:

    sendmail : 192.168.2.2 : setenv name value : allow

To disable Telnet, thereby forcing shell access via SSH, type the following:

    telnetd : ALL : deny

To tighten security on FTP (if you know where people will be uploading content from), allow those addresses and deny the rest:

    proftpd : 192.168.2.2 : allow
    proftpd : ALL : deny

Editing the access file

The /etc/mail/access file is for Sendmail only; no other process reads it. Sendmail checks hosts.allow when it accepts a connection and then consults access.db for the same connection, so a client has to pass both. Order of entries is not significant in access.db: it is a keyed lookup, not a first-match list.

The file is shipped as /etc/mail/access.sample. Copy it to /etc/mail/access, edit it, and then rebuild /etc/mail/access.db with makemap (makemap hash /etc/mail/access < /etc/mail/access), since Sendmail reads only the database. This file affects only Sendmail's connections. It is assumed that you have logged in to your server using SSH and have opened /etc/mail/access in an editor.
To block incoming mail from certain IP addresses, type the following (Sendmail answers with its standard "550 5.7.1 Access denied"):

    Connect:192.168.1.1    REJECT

To provide a more descriptive reason for blocking, type the following (the quoted text must begin with a 4xx or 5xx SMTP reply code):

    Connect:192.168.1.1    ERROR:"550 Connection refused --too much spam from your IP"

To accept connections from an address unconditionally, even where another check (for example an unresolvable client name) would otherwise reject them, type the following:

    Connect:192.168.2.2    OK

See also: http://support.alpineweb.com/vps2/admin/email/spam/access.html
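As an added example (not from the page and not Sendmail's own code), the following Python script models how Sendmail consults the access map for a Connect: lookup, which is what makes the entries above behave as described: the entries form a keyed table, so their order is irrelevant and makemap refuses a duplicate key; an IPv4 client is looked up as its full address and then with trailing octets removed (so "Connect:192.168.3" covers a whole class C, as /usr/share/sendmail/cf/README documents); a hostname is looked up as the full name and then each parent domain; and the right-hand side decides the outcome. The sample access file, the 192.168.x and 10.x addresses and the spammer.example hostname are constructed for this example, and the canned "550 Access denied" text for REJECT is Sendmail's default.

```python
"""Model Sendmail's Connect: lookup in the access map (cf/README semantics).

Added example, not Sendmail code.  Entries are a keyed table, so order is
irrelevant.  An address is tried as 192.168.1.1, 192.168.1, 192.168, 192;
a hostname as mx.spammer.example, spammer.example, example.  Right-hand
sides handled: OK, RELAY, REJECT, DISCARD, SKIP, ERROR:[D.S.N:]"text" and a
bare "550 text" reply.
"""
import re

# Constructed sample /etc/mail/access (makemap would turn it into access.db).
SAMPLE_ACCESS = """\
# key                      value
Connect:192.168.1.1        REJECT
Connect:192.168.3          ERROR:"550 Connection refused --too much spam from your IP"
Connect:192.168.2.2        OK
Connect:spammer.example    ERROR:5.7.1:"550 Mail from this domain is not accepted"
Connect:10                 DISCARD
"""

DEFAULT_REJECT = ("5.7.1", "550 Access denied")  # Sendmail's canned REJECT reply


def parse_access(text):
    """Parse an access file into a dict, refusing duplicate keys as makemap does."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)  # key and value are separated by whitespace
        if len(parts) != 2:
            raise ValueError(f"entry needs a key and a value: {line!r}")
        key, value = parts
        if key in table:
            raise ValueError(f"duplicate key {key!r} (makemap would refuse it)")
        table[key] = value
    return table


def connect_keys(client):
    """Candidate keys from most to least specific, in the order Sendmail tries them."""
    labels = client.split(".")
    if all(label.isdigit() for label in labels):  # IPv4: strip trailing octets
        return ["Connect:" + ".".join(labels[:i]) for i in range(len(labels), 0, -1)]
    return ["Connect:" + ".".join(labels[i:]) for i in range(len(labels))]  # hostname: parent domains


def decide(value):
    """Map a right-hand side to (action, dsn_status, smtp_reply_text)."""
    if value in ("OK", "RELAY"):  # RELAY additionally permits relaying
        return "accept", None, None
    if value == "REJECT":
        return "reject", DEFAULT_REJECT[0], DEFAULT_REJECT[1]
    if value == "DISCARD":
        return "discard", None, None  # accepted, then silently dropped
    if value == "SKIP":
        return "noentry", None, None  # stop searching; default handling applies
    m = re.match(r'ERROR:(?:(\d\.\d\.\d):)?(?:"([^"]*)"|(\S.*))$', value)
    if m:
        text = m.group(2) if m.group(2) is not None else m.group(3)
        if not re.match(r"[45]\d\d\b", text):
            raise ValueError(f"ERROR text must start with a 4xx/5xx code: {text!r}")
        return "reject", m.group(1), text
    if re.match(r"[45]\d\d ", value):
        return "reject", None, value
    raise ValueError(f"unsupported right-hand side: {value!r}")


def lookup_connect(table, client):
    """Return the decision for a connecting IP address or hostname."""
    for key in connect_keys(client):
        if key in table:
            return decide(table[key])
    return "noentry", None, None


if __name__ == "__main__":
    table = parse_access(SAMPLE_ACCESS)
    for client in ["192.168.1.1", "192.168.1.9", "192.168.3.77", "192.168.2.2",
                   "10.20.30.40", "mx.spammer.example", "mx.example"]:
        print(f"{client:20} -> {lookup_connect(table, client)}")
```

Because the lookup walks from the most specific key to the least specific, a more specific entry such as "Connect:192.168.3.4 OK" would override "Connect:192.168.3" for that one host regardless of where either line sits in the file; the only ordering-related error makemap reports is a repeated key.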
Copyright © 1997-2008 AlpineWeb Design