In this exercise we will set up telnet under TCP Wrappers. All attempts from the untrusted network will be rejected with the following message: External connection refused at $(/bin/date)

[root@security1 ~]# yum -y install telnet-server
[root@security1 ~]# chkconfig telnet on
[root@security1 ~]# grep telnet /etc/services                       Look up the port telnet listens on
telnet 23/tcp
telnet 23/udp
[root@security1 ~]# iptables -A SECURITY -p tcp -s --dport 23 -j ACCEPT     Open the port in the firewall
[root@security1 ~]# iptables -A SECURITY -p udp -s --dport 23 -j ACCEPT

Note that -s takes a source address or network as its argument; as printed above it has none, so iptables will refuse the rule. Give it the network you want to accept from, or drop -s to accept from anywhere and let TCP Wrappers do the filtering. The udp rule is not needed: /etc/services lists 23/udp, but telnet is a TCP-only protocol. Save the rules (service iptables save) and restart the iptables service.
Next, create the file whose contents an intruder will see when they try to reach the service.

[root@security1 var]# mkdir /var/mesg
[root@security1 var]# touch /var/mesg/deny                          This is the file that will be shown
[root@security1 var]# chmod +x /var/mesg/deny

Open the file for editing; for this exercise it should look like this:

#!/bin/sh
# Run by the twist option in place of in.telnetd; whatever it prints goes to the client.
echo "External connection refused at $(/bin/date)"

Now it is time to set up TCP Wrappers. Add the following line to /etc/hosts.deny:

in.telnetd:ALL:twist /var/mesg/deny

twist replaces the server with the given command, so the client sees the message instead of a login prompt. Be sure to grant access to the trusted network as well: /etc/hosts.allow should contain

in.telnetd:127. 192.168.100.

A pattern with a trailing dot is a network prefix: 192.168.100. matches every host in 192.168.100.0/24 and 127. matches 127.0.0.0/8. hosts.allow is consulted first and a match there ends the search, which is why the ALL rule in hosts.deny does not lock out the trusted network. The daemon name to match is in.telnetd, the basename of the server program xinetd runs, because xinetd on this system is linked with libwrap and performs the hosts_access check itself.

Also check /etc/xinetd.d/telnet and make sure it contains disable = no (chkconfig telnet on sets this). Then restart xinetd and try to telnet from both networks: the trusted one gets a login prompt, the other gets the refusal message.

[root@security1 var]# /etc/init.d/xinetd restart
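What TCP Wrappers does with the two files above, as an added example that is not part of the original exercise: a POSIX shell model of the allow-then-deny lookup order and of the trailing-dot network pattern. It is a simulation limited to the pattern forms on this page (ALL, an exact name, a trailing-dot prefix); it does not call libwrap, and the client addresses it tries are made up.

```shell
#!/bin/sh
# Added example, not part of the original exercise: a POSIX-sh model of how
# TCP Wrappers walks /etc/hosts.allow and then /etc/hosts.deny for the rules
# configured above. It simulates the hosts_access(5) pattern forms used on
# this page (ALL, an exact host, and a trailing-dot network prefix such as
# 192.168.100.); it does not link libwrap and models no other pattern forms.

# Constructed copies of the two files from the exercise.
HOSTS_ALLOW='in.telnetd:127. 192.168.100.'
HOSTS_DENY='in.telnetd:ALL:twist /var/mesg/deny'

# match_pattern PATTERN VALUE -> 0 when PATTERN covers VALUE.
# A pattern ending in '.' is a network prefix: 192.168.100. covers 192.168.100.x
# but not 192.168.1.x, because the final dot has to match as well.
match_pattern() {
    case "$1" in
        ALL) return 0 ;;
        *.)  case "$2" in "$1"*) return 0 ;; esac ;;
        *)   [ "$1" = "$2" ] && return 0 ;;
    esac
    return 1
}

# match_list LIST VALUE -> 0 when any comma- or blank-separated pattern matches.
match_list() {
    for pat in $(printf '%s' "$1" | tr ',' ' '); do
        match_pattern "$pat" "$2" && return 0
    done
    return 1
}

# first_match RULES DAEMON CLIENT -> prints the option field of the first rule
# whose daemon_list and client_list both match ("-" when it has none) and
# returns 0; returns 1 when no rule in RULES matches.
first_match() {
    while IFS=: read -r daemons clients option; do
        [ -z "$daemons" ] && continue
        match_list "$daemons" "$2" || continue
        match_list "$clients" "$3" || continue
        printf '%s\n' "${option:--}"
        return 0
    done <<EOF
$1
EOF
    return 1
}

# wrap_decision DAEMON CLIENT -> allow | deny | twist <command>
# hosts.allow is read first and a match there ends the search; only then is
# hosts.deny read; no match in either file means access is granted.
wrap_decision() {
    if first_match "$HOSTS_ALLOW" "$1" "$2" >/dev/null; then
        echo allow
        return 0
    fi
    opt=$(first_match "$HOSTS_DENY" "$1" "$2") || { echo allow; return 0; }
    case "$opt" in
        -) echo deny ;;
        *) echo "$opt" ;;
    esac
}

# Made-up clients: two trusted, one from a neighbouring /24, one from outside.
for c in 192.168.100.5 127.0.0.1 192.168.1.5 10.0.0.7; do
    printf '%-14s %s\n' "$c" "$(wrap_decision in.telnetd "$c")"
done
```

The third case is the one worth remembering: 192.168.1.5 is not covered by 192.168.100. and falls through to the twist rule, while a daemon with no rules at all (sshd here) is allowed by both files. On a real host the same questions can be put to the tcpdmatch tool that ships with tcp_wrappers.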
Xinetd SENSOR traps

With xinetd you can define a trap. In this exercise we will set one up that disables connections from machines that attempt to connect to the rlogin port on the host. Look up the port on which login listens:

[root@security1 ~]# cat /etc/services | grep login
login 513/tcp

Add this to the firewall (as above, -s needs a source argument or should be dropped):

[root@security1 ~]# iptables -A SECURITY -p tcp -s --dport 513 -j ACCEPT

After this, edit /etc/xinetd.d/rlogin so that it reads:

service login
{
        # the stock file ships with disable = yes; xinetd must bind the port for the sensor to see anything
        disable     = no
        socket_type = stream
        protocol    = tcp
        wait        = no
        user        = root
        # never executed: SENSOR replaces the server
        server      = /bin/false
        flags       = SENSOR
        # denial time of two minutes
        deny_time   = 2
}

Restart xinetd. Then telnet to security1; this should work. Now run rlogin security1: this trips the trap. The sensor adds the client address to xinetd's global no-access list, which applies to every xinetd service on the host, telnet included, so the same client will be refused telnet for the next two minutes as well. Look for the trap in /var/log/messages:

Sep 8 11:12:21 security1 xinetd[6926]: 6926 {process_sensor} Adding to the global_no_access list for 2 minutes
Sep 8 11:12:21 security1 xinetd[6926]: FAIL: login address from=
Sep 8 11:14:21 security1 xinetd[6926]: At least 1 DENY_TIME has expired, global_no_access list updated
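The lines above are what a trap looks like from the server side. As an added example that is not part of the original exercise, here is a small shell function that pulls the FAIL records for a sensor service out of /var/log/messages-style text and counts trips per source address. The sample log it embeds is constructed for this example, including the client addresses (the page's own FAIL line has the address cut off).

```shell
#!/bin/sh
# Added example, not part of the original exercise: report which source
# addresses tripped an xinetd SENSOR service, from /var/log/messages-style
# lines. SAMPLE_LOG is constructed for this example; the client addresses in
# its FAIL lines are made up, the record shapes follow the page's log excerpt.
SAMPLE_LOG='Sep 8 11:12:21 security1 xinetd[6926]: 6926 {process_sensor} Adding to the global_no_access list for 2 minutes
Sep 8 11:12:21 security1 xinetd[6926]: FAIL: login address from=10.0.0.7
Sep 8 11:12:40 security1 xinetd[6926]: START: telnet pid=6931 from=192.168.100.5
Sep 8 11:13:05 security1 xinetd[6926]: FAIL: login address from=10.0.0.7
Sep 8 11:13:30 security1 xinetd[6926]: FAIL: login address from=192.168.1.9
Sep 8 11:14:21 security1 xinetd[6926]: At least 1 DENY_TIME has expired, global_no_access list updated'

# log_input [FILE]: the log to read; the embedded sample when no file is given.
log_input() {
    if [ -n "$1" ]; then cat "$1"; else printf '%s\n' "$SAMPLE_LOG"; fi
}

# sensor_trips SERVICE [FILE] -> "count address" per source, most trips first.
# Only FAIL records for SERVICE count; START records of other xinetd services
# (such as the telnet session from the trusted network) are ignored.
sensor_trips() {
    log_input "$2" |
    awk -v svc="$1" '
        $0 ~ ("xinetd\\[[0-9]+\\]: FAIL: " svc " address from=") {
            sub(/.*from=/, "")
            hits[$1]++
        }
        END { for (a in hits) printf "%d %s\n", hits[a], a }' |
    sort -rn
}

# sensor_deny_window [FILE] -> the deny_time xinetd reported, in minutes,
# taken from the first "Adding to the global_no_access list" record.
sensor_deny_window() {
    log_input "$1" |
    sed -n 's/.*global_no_access list for \([0-9][0-9]*\) minutes.*/\1/p' |
    head -n 1
}

echo "Sensor trips for service login (each blocked for $(sensor_deny_window) minutes):"
sensor_trips login
```

Run it against the real file with sensor_trips login /var/log/messages. The no-access list itself lives in xinetd's memory and is emptied on restart, so these log records are the only durable trace of who tripped the sensor; feeding the addresses into a longer-lived firewall rule is the usual next step.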