
8. Standard Configurations

8.1 Network Security

Some of the daemons running on the server have access restrictions. These restrictions improve the security of NFS and NIS so that not just anyone can mount disks or find out passwords. Access is restricted through tcpwrappers, an option that is compiled into the following daemons: ypserv, ypbind and portmap. Other daemons have tcpwrappers compiled into them as well.

In general you want to deny everyone access to these daemons and ports, and then allow only the hosts and domains that should have access. This is accomplished through two files: /etc/hosts.deny and /etc/hosts.allow.

Here is what they should look like (first /etc/hosts.deny, then /etc/hosts.allow):

#
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!
#
# Deny access to hosts not in hosts.allow (Econ Dept)
#          Paul Gluhosky   23 Feb 2000
#
ALL: ALL

#
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#
# Restrict access to Econ Dept.    Paul Gluhosky   23 Feb 2000
#
ALL:        130.132.94.,127.0.0.1
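
The following is an added example, not part of the original HOWTO: a small Python emulation of the tcp_wrappers access decision (hosts_access(5) semantics: hosts.allow is consulted first and a match grants access, then hosts.deny is consulted and a match denies access, otherwise access is granted). It parses constructed copies of the two files above and reports whether a given client address may reach a given daemon. The address prefix form "130.132.94." (trailing dot), the ".domain" suffix form and the "net/mask" form are handled; the daemon and client names used in the checks are constructed. On a real system the tcp_wrappers package ships tcpdmatch, which answers the same question against the installed files.

```python
"""Emulate the tcp_wrappers (hosts.allow / hosts.deny) access decision.

Added example for this HOWTO; not the tcpd source.  Rules are matched in the
order hosts.allow -> hosts.deny -> default allow, as hosts_access(5) describes.
"""
import ipaddress

# Constructed copies of the two files shown in the section (comments trimmed).
HOSTS_DENY = """
# Deny access to hosts not in hosts.allow
ALL: ALL
"""

HOSTS_ALLOW = """
# Restrict access to Econ Dept.
ALL:        130.132.94.,127.0.0.1
"""


def parse_access_file(text):
    """Return a list of (daemon_patterns, client_patterns) rules.

    Each rule line has the form "daemon_list : client_list [: option]".
    Lines are split on ':', so IPv4 addresses only (an IPv6 literal would
    need bracketed or pattern-specific handling, which this example omits).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue   # malformed rule: tcpd logs a syntax error and ignores it
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, client_ip, client_name):
    """Match one client pattern against an IP address and optional hostname."""
    if pattern == "ALL":
        return True
    if "/" in pattern:                       # net/mask form, e.g. 130.132.94.0/255.255.255.0
        net, mask = pattern.split("/", 1)
        try:
            network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
            return ipaddress.ip_address(client_ip) in network
        except ValueError:
            return False
    if pattern.endswith("."):                # address prefix: "130.132.94." matches 130.132.94.x
        return client_ip.startswith(pattern)
    if pattern.startswith("."):              # domain suffix: ".econ.example" (constructed)
        return client_name is not None and client_name.endswith(pattern)
    return pattern == client_ip or pattern == client_name


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rules, daemon, client_ip, client_name):
    """True if any rule matches both the daemon and the client."""
    for daemons, clients in rules:
        if any(daemon_matches(d, daemon) for d in daemons) and \
           any(client_matches(c, client_ip, client_name) for c in clients):
            return True
    return False


def access_allowed(daemon, client_ip, client_name=None,
                   allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers decision: allow file first, then deny file, default allow."""
    if rule_matches(parse_access_file(allow_text), daemon, client_ip, client_name):
        return True
    if rule_matches(parse_access_file(deny_text), daemon, client_ip, client_name):
        return False
    return True   # no rule matched: tcp_wrappers grants access


if __name__ == "__main__":
    for ip in ("130.132.94.17", "127.0.0.1", "130.132.95.17", "10.0.0.5"):
        verdict = "allow" if access_allowed("ypserv", ip) else "deny"
        print(f"ypserv from {ip}: {verdict}")
```

The last branch of access_allowed is the reason the section puts "ALL: ALL" in hosts.deny: with an empty hosts.deny, a client that matches nothing in hosts.allow is still admitted, so the allow list on its own restricts nobody.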

8.2 Compressing log files

All of the system log files are in /var/log or a subdirectory under /var/log. By default, all the system log files are closed once a week, a new log file is started, and the daemons are reloaded so they write to the new log file. Only five versions of each log file are kept: the current log file plus four previous ones. These ASCII log files can get quite large from time to time, so it's a good idea to compress the old log files during the rotation process. Here's how to do it:

  cd /etc
  Edit logrotate.conf
    uncomment the "compress" line (take away the "#")

If you have a process running that also generates logs, you can control what happens to these log files by creating a file in /etc/logrotate.d. Please look at the files in /etc/logrotate.d for examples, or read man logrotate.

8.3 hosts file

The server's hosts file (/etc/hosts) should contain all the hosts in the local domain and nothing else. Each client machine's hosts file should contain only the local client name and the server name. Of course, they ALL should also contain the local loopback line:

  127.0.0.1               localhost

Make sure the loopback line appears exactly as it does above. Sometimes the RedHat install adds extra entries to it.
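
As an added example (not part of the original HOWTO), here is a Python check for the loopback line that the section requires. It parses a hosts file and reports if the 127.0.0.1 line is missing, duplicated, or carries any name other than localhost; the two sample files are constructed, and the hostnames and the 130.132.94.10 server address in them are made up for the example.

```python
"""Check that an /etc/hosts file has the loopback line exactly as required:
a single line mapping 127.0.0.1 to localhost and nothing else.

Added example for this HOWTO, not a stock tool.
"""

# Constructed: a hosts file where the installer appended extra names to the
# loopback line (the "extra entries" the section warns about).
SAMPLE_BAD = """
127.0.0.1               localhost localhost.localdomain client1
130.132.94.10           server.econ.example server
"""

# Constructed: the same file with the loopback line as the section shows it.
SAMPLE_GOOD = """
127.0.0.1               localhost
130.132.94.10           server.econ.example server
"""


def parse_hosts(text):
    """Return (address, [names]) for each non-comment line of a hosts file."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1:]))
    return entries


def check_loopback(text):
    """Return a list of problems with the loopback line; an empty list means it is correct."""
    problems = []
    loopback = [names for addr, names in parse_hosts(text) if addr == "127.0.0.1"]
    if not loopback:
        problems.append("no 127.0.0.1 line")
    elif len(loopback) > 1:
        problems.append("more than one 127.0.0.1 line")
    else:
        names = loopback[0]
        extra = [n for n in names if n != "localhost"]
        if extra:
            problems.append("extra names on loopback line: " + " ".join(extra))
        if "localhost" not in names:
            problems.append("loopback line does not name localhost")
    return problems


if __name__ == "__main__":
    # Run against the real file with: check_loopback(open("/etc/hosts").read())
    for label, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, check_loopback(sample) or "ok")
```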

8.4 chkconfig flags

There is an easy way to control which processes get started at boot time: the /sbin/chkconfig command. The source files (init scripts) that chkconfig manages are in /etc/rc.d/init.d. You can list all the processes by typing:

  /sbin/chkconfig --list

You can turn processes on and off by using the "add" and "del" switches. Here is an example of turning the "inet" process on and then off again:

   /sbin/chkconfig --add inet
   /sbin/chkconfig --del inet

Keep in mind that this does NOT start or stop the running daemon. It only changes what gets started at boot time. You also have control over which processes start at which boot level; this is specified in the source files in /etc/rc.d/init.d. Please look at the source files in /etc/rc.d/init.d for examples, or read man chkconfig for more information.
