Is a default-deny on TCP Wrappers and xinetd set?
Not recommended for most users: Many network services can be configured to restrict access to certain network addresses (and, in the case of 'xinetd' services in Linux-Mandrake 8.0 and Red Hat 7.x, by other criteria as well). For services running under the older 'inetd' super-server (found in older versions of Linux-Mandrake and Red Hat, and in current versions of some other distributions), for some standalone services like OpenSSH, and, unless otherwise configured, for services running under Red Hat's xinetd super-server, you can configure restrictions based on network address in /etc/hosts.allow. The services using inetd or xinetd typically include telnet, ftp, pop, imap, finger, and a number of other services.

If you would like, Bastille can configure a default policy for all inetd, xinetd, and TCP Wrappers-aware services to deny all connection attempts. Even if you have already chosen to install Bastille's firewall, setting a default-deny policy for these services gives more defense in depth.

This will also configure xinetd so that the currently-installed xinetd services will use xinetd's more flexible access control and *not* /etc/hosts.allow. All other wrappers-based programs, like sshd, will obey the default-deny. As a special exception, Bastille currently allows sshd on a default-allow basis. If you wish this blocked as well, please change its line manually in hosts.allow.
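
An added example, not part of Bastille or of the original text: a small Python check that reads hosts.allow and hosts.deny content and reports whether a client from an unlisted address could reach a given wrappers-aware daemon. The sample file contents are constructed for illustration (they are not claimed to be what Bastille writes); only the ALL wildcard, EXCEPT, and the allow/deny options are interpreted, and xinetd's own access control is not covered.

```python
import re

OUTSIDER = "<unlisted-client>"   # stands for an address no rule names explicitly

def _rules(text):
    """Yield (daemon_list, client_list, options) for each hosts_access(5) rule."""
    text = text.replace("\\\n", " ")                 # join continued lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            yield fields[0], fields[1], [o.lower() for o in fields[2:]]

def _in_list(item, spec):
    """True if item matches the list; ALL is a wildcard, EXCEPT subtracts."""
    spec = " ".join(spec.split())                    # normalise whitespace
    include, _, exclude = spec.partition(" EXCEPT ")
    names = set(re.split(r"[,\s]+", include)) - {""}
    hit = "ALL" in names or item in names
    return hit and not (exclude and _in_list(item, exclude))

def outsider_verdict(daemon, hosts_allow, hosts_deny):
    """Return 'allow' or 'deny' for an unlisted client connecting to daemon.

    hosts.allow is searched first, then hosts.deny; the first matching rule
    decides, and a trailing allow/deny option overrides the file's meaning.
    If nothing matches, TCP Wrappers grants access.
    """
    for text, default in ((hosts_allow, "allow"), (hosts_deny, "deny")):
        for daemons, clients, opts in _rules(text):
            if _in_list(daemon, daemons) and _in_list(OUTSIDER, clients):
                if "deny" in opts:
                    return "deny"
                if "allow" in opts:
                    return "allow"
                return default
    return "allow"

# Constructed sample: sshd left open, everything else denied by default.
SAMPLE_ALLOW = """\
sshd : ALL
in.ftpd : 192.168.1.
ALL : ALL : DENY
"""
SAMPLE_DENY = ""

if __name__ == "__main__":
    for d in ("sshd", "in.ftpd", "in.telnetd"):
        print(d, outsider_verdict(d, SAMPLE_ALLOW, SAMPLE_DENY))
```

On a real system, pass in the contents of /etc/hosts.allow and /etc/hosts.deny; any daemon reported as "allow" is not covered by a default-deny.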