12.07.2015 Views


Chapter 5

The local address field shows *:[port number], which means the service is listening on all the available IP addresses. All these services should be modified so that they listen only on the host's IP address. Each of the above programs has its own method for changing the IP address binding.

To force inetd to listen on a specific IP address, modify the inetd_flags variable in /etc/rc.conf:

    inetd_flags="-wW -C 60 -a 10.0.0.1"

Run /etc/rc.d/inetd reload for the changes to take effect.

The next process to look into is sendmail. If your host system is not a mail server, you can modify sendmail_enable in /etc/rc.conf so that the sendmail process listens only on the localhost:

    sendmail_enable="NO"

Then run /etc/rc.d/sendmail restart to apply the changes.

The next process to look into is sshd. To force the ssh daemon to listen on a specific IP address, modify the sshd configuration file located at /etc/ssh/sshd_config:

    ListenAddress 10.0.0.1

For the changes to take effect, run /etc/rc.d/sshd reload. Use this command with caution if you are connected to your server via SSH, as it may lock you out of the server. If you don't want to take a trip to your data center to restart sshd from the system's console, double-check your configuration!

Finally, the daemon to look into is syslogd. Unless you are logging syslog messages over the network, you don't want the syslog daemon to listen on a network socket. In this case, you may disable remote logging by adding this line to /etc/rc.conf:

    syslogd_flags="-ss"

Running /etc/rc.d/syslogd restart makes the changes take effect immediately.

If any other process is listening on all interfaces for incoming connections, consult the appropriate manual pages for instructions on changing the interface binding.
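One way to re-check the host after making these changes, as an added example that is not from the book: the script below reads a listening-socket listing and reports every daemon still bound to *:[port], with the setting from this page that applies to it. It assumes the listing is in the column layout of FreeBSD's sockstat -4l; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the book): flag listeners bound to the wildcard address.

# Constructed sample in the column layout of `sockstat -4l` (not real output).
sample_listing() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sendmail   723   3  tcp4   *:25                  *:*
root     sshd       717   4  tcp4   *:22                  *:*
root     inetd      650   5  tcp4   10.0.0.1:21           *:*
root     syslogd    520   7  udp4   *:514                 *:*
root     sendmail   723   4  tcp4   127.0.0.1:587         *:*
EOF
}

# Read a listing on stdin; print "command proto port" for each socket
# whose local address field is *:port (bound to every address).
wildcard_listeners() {
    awk 'NR > 1 && $6 ~ /^\*:[0-9]+$/ {
             split($6, a, ":")
             print $2, $5, a[2]
         }' | sort -u
}

# Map a daemon name to the setting this page changes for it.
remediation_hint() {
    case "$1" in
        inetd)    echo 'rc.conf: inetd_flags="-wW -C 60 -a <host IP>"' ;;
        sendmail) echo 'rc.conf: sendmail_enable="NO"' ;;
        sshd)     echo 'sshd_config: ListenAddress <host IP>' ;;
        syslogd)  echo 'rc.conf: syslogd_flags="-ss"' ;;
        *)        echo 'see the daemon manual page for its bind option' ;;
    esac
}

# Combine both: one line per wildcard listener with its fix.
audit() {
    wildcard_listeners | while read -r cmd proto port; do
        printf '%s %s/%s -> %s\n' "$cmd" "$proto" "$port" "$(remediation_hint "$cmd")"
    done
}

# Live use on the host: sockstat -4l | audit
if [ "${1:-}" = "--sample" ]; then sample_listing | audit; fi
```

An empty result from audit means no IPv4 listener in the listing is still bound to every address.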
