Controlling Services on VPS v2
You can control various services on the VPS v2 that are started by any inetd-type
process, such as telnet, ssh, ftp, smtp, pop, or imap.
When an incoming connection is received by the system for one of these services,
the system looks for configuration files (/etc/hosts.allow and /etc/mail/access.db)
that contain instructions on how to handle these services. To security-harden
your server against hackers and probing IPs, edit these files.
Create and edit the /etc/hosts.allow file for all services you want tighter
control over.
The access.db file initially exists as the access.sample file until it is
edited. Edit /etc/mail/access.db for Sendmail connections only, because
Sendmail is the only process that reads the access.db file.
To read the hosts_options man page:
Connect to your server using SSH and type the following:
man hosts_options
The generic format of the hosts.allow file is described in hosts_options,
section (5).
There are some implementation details which are specific to VPS v2 and differ
from the manpage documentation:
* Options supported in inetd are allow, deny, twist, and setenv.
* Options most useful are deny and allow.
To create the hosts.allow file:
Connect to your server using SSH and type the following:
cd /etc
vi hosts.allow
The hosts.allow file now exists, waiting for entries that the system will
read sequentially.
Editing the hosts.allow file
Each example listed below works independently of the others. As soon as a
connection is matched to the appropriate service/client pair, the processing
of the file ends. Therefore, order is significant in the arrangement of the
rules within the /etc/hosts.allow file.
It is assumed that you have logged in to your server using SSH and have created/opened
the /etc/hosts.allow file in an editor.
To block incoming mail from certain IP addresses:
Type the following:
sendmail : 192.168.1.1 : deny
To block an ssh connection from certain IP addresses:
Type the following:
sshd : 192.168.1.1 : deny
To block incoming mail from everywhere except certain whitelisted IP addresses:
Type the following:
sendmail : 192.168.2.2 : allow
sendmail : ALL : deny
To cleanly deny service and request that the sender retry later:
Type the following:
sendmail : ALL : twist /bin/echo "450 account busy, please try later."
To provide a more descriptive reason for blocking:
Type the following:
sendmail : 192.168.1.1 : twist /bin/echo "550 Connection refused --too much spam from your IP"
To set optional directives that influence the behavior of the process (if
the service utilizes environment variables):
Type the following:
sendmail : 192.168.2.2 : allow
To disable Telnet, thereby forcing shell access via SSH:
Type the following:
telnetd : ALL : deny
To tighten security on FTP (if you know where people will be uploading content
from):
Type the following:
proftpd : 192.168.2.2 : allow
proftpd : 192.168.2.3 : allow
proftpd : ALL : deny
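As an added illustration (not part of the original page), the following Python evaluator applies the first-match rule described above to the examples from this section. It handles only a subset of hosts_access(5) client patterns (ALL, an exact address or name, and a trailing-dot network prefix) and assumes no /etc/hosts.deny exists, so a connection matching no rule is allowed.

```python
# Constructed sample that combines the page's hosts.allow examples (not a real server file).
SAMPLE_HOSTS_ALLOW = """\
sendmail : 192.168.2.2 : allow
sendmail : ALL : twist /bin/echo "450 account busy, please try later."
sshd : 192.168.1.1 : deny
proftpd : 192.168.2.2 : allow
proftpd : ALL : deny
telnetd : ALL : deny
"""

def parse_rules(text):
    """Parse 'daemons : clients : option' lines into tuples; '#' comments and blanks skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":", 2)]  # the option keeps any later text
        if len(parts) != 3:
            raise ValueError(f"malformed hosts.allow rule: {raw!r}")
        rules.append((parts[0].split(), parts[1].split(), parts[2]))
    return rules

def _matches(patterns, value):
    """Subset of hosts_access(5) matching: ALL, exact name/address, or 'a.b.c.' prefix."""
    return any(p == "ALL" or p == value or (p.endswith(".") and value.startswith(p))
               for p in patterns)

def decide(rules, daemon, client):
    """First-match evaluation: processing stops at the first rule whose daemon and client
    lists both match. Returns (keyword, argument), e.g. ('twist', '/bin/echo "450 ..."').
    Assumes no /etc/hosts.deny exists, so a connection that matches no rule is allowed."""
    for daemons, clients, option in rules:
        if _matches(daemons, daemon) and _matches(clients, client):
            keyword, _, argument = option.partition(" ")
            return keyword, argument
    return "allow", ""

def order_matters():
    """Why order is significant: a catch-all deny placed first shadows the later allow."""
    good = parse_rules("sendmail : 192.168.2.2 : allow\nsendmail : ALL : deny\n")
    bad = parse_rules("sendmail : ALL : deny\nsendmail : 192.168.2.2 : allow\n")
    return (decide(good, "sendmail", "192.168.2.2")[0],
            decide(bad, "sendmail", "192.168.2.2")[0])

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_HOSTS_ALLOW)
    print(decide(rules, "sendmail", "10.0.0.5"), decide(rules, "proftpd", "192.168.2.9"))
    print("correct vs reversed order:", order_matters())
```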
Editing the access.db file
The /etc/mail/access file is for Sendmail only; no other process reads it.
Sendmail consults hosts.allow and access.db at about the same point in the
connection, although the access map is faster. The order of entries is not
important in access.db.
The /etc/mail/access file initially appears as access.sample until you edit it;
it then becomes access.db. This file affects only Sendmail's connections.
It is assumed that you have logged in to your server using SSH and have opened
the /etc/mail/access.db file in an editor.
To block incoming mail from certain IP addresses:
Type the following:
Connect:192.168.1.1 REJECT
To provide a more descriptive reason for blocking:
Type the following:
Connect:192.168.1.1 ERROR: "550 Connection refused --too much spam from your IP"
To set a directive that influences the behavior of a process, if the service
utilizes environment variables:
Type the following:
Connect:192.168.2.2 OK