LPIC-202ExamTopics

Exam Topics

2.205 objective 1: basic networking configuration

/etc/network/interfaces

 auto lo
 iface lo inet loopback

 auto eth0 
 iface eth0 inet static
   address 192.168.1.3
   netmask 255.255.254.0
   broadcast 192.168.1.255
   gateway 192.168.1.1
   # if resolvconf package is installed try the following
   dns-nameservers 192.168.1.2
   dns-search domain

For DHCP it has to be 

 iface eth0 inet dhcp

The line starting with auto says that this interface should go up at boot time.

ifconfig 

 ifconfig [interface] [option] [address]

virtual interfaces

are interfaces as eth0:0 eth0:1 

 ifconfig eth0:1 192.168.40.41 netmask 255.255.255.0

set MAC address

 ifconfig eth0 192.1658.40.40 netmask 255.255.255.0 broadcast 192.168.40.255 hw ether 1:02:03:04:05:06

route command

 route add default gw 192.168.40.1

is equivalent to 

 route add -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.40.1

understand the kernel routing table

Flag U means the route is up (usable) while G means the address represents a gateway.

The -C option causes route to display the complete routing cache stored on the local system.

To add an explicit host routing entry for the host 172.25.50.33 which will be reached through a different gateway from the default one enter: 

 route add -host 172.25.50.33 gw 192.168.45.2

To add a network to the routing table routing traffic to it through the gateway found at address 192.168.45.3 enter: 

 route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.45.3

To delete the default route enter 

 route del default gw 192.168.45.1
 route del -net 0.0.0.0 netmask 0.0.0.0 gw 192.168.45.1

Similar outputs as route gives can be obtained by 

 netstat -r
 netstat -rn

but netstat can only view the review settings.

ARP and related commands

ARP entries are cached on the hosts in the network for a period of time, which is defined by the /proc/sys/net/ipv4/neigh/eth0/gc_stale_time file. By default it is 60 seconds.

The arp command shows ARP cache.

Add a temporary (not only for 60 seconds) ARP entry to a host's ARP cache: 

 arp -s 192.168.0.45 00:02:03:F6:7C:48 temp

Add a ARP entry which will fall out of cache after a while. 

 arp -s 192.168.0.45 00:02:03:04:05:06

to delete that entry enter: 

 arp -d 192.168.0.45

arpwatch

 -f file
specifies which file to use for storing the ip/mac mappings 
 -i interface
specifies the interface 
 -m emailaddress
sets the email address to which arpwatch should report changes 
 -n network/netmask

dial-up connections

Each side runs a daemon called pppd. When connecting to an ISP through a modem or an isdn adapter, zou need to configure some of the files in /etc/ppp.

Password Authentication Protocol (PAP)

Challenge Handshake Authentication Protocol (CHAP)

An intelligent tool is wvdial, configured through wvdialconf. 

 pon providername

 poff providername
 -a stop all ppp connections
 -c cause pppd to renegotate compression
 -r cause the connection to be redialed after it is dropped.

isdn

After getting the isdn card into the kernel with something like this: 

 modprobe hisax type=3 protocol=2 io=0x180 irq=9

start the daemon with 

 ipppd

Afterwards you can use 

 isdnctrl action device
 isdnctrl addif ippp0
 isdnctrl addphone ippp0 out 21405060
 ...
 ipppd user foo defaultroute noipdefault -detach mru 1524 -bsdcomp /dev/ippp0 &
 ...
 isdnctrl hangup ippp0

IP routing configuration

 sudo echo "1" > /proc/sys/net/ipv4/ip_forward

or edit /etc/network/options file changing 

 ip_forward=no to yes

To forward the ip packets to the internet you need Network Address Translation since every router would delete packets with private network addresses as 192.168.x.x.

objective 2: advanced network configuration and troubleshooting

simply connectivity test

 telnet localhost 80

or 

 netcast localhost 80
 nc localhost 80

 tcpdump -i eth1 -v -vv -vvv -s0 not port ssh and host 192.168.45.1
 tcpdump -i eth0 -w /tmp/web -s0 dst 192.168.0.20 and dst port 80
 tcpdump -t -n -q host 192.168.0.20 and host 192.168.1.18 and port 110

etheral nowadays called wireshark. tetheral is the text based etheral: 

 tetheral -V -r /tmp/ping

 lsof -i tcp
 lsof -i udp
 lsof -i 192.168.1.1
 lsof -n
do not resolve hostnames 
 lsof -P
do not resolve port names 
 netstat -apne --inet
list only open ip-based network connectijons and show the PID as well as the program and username that opened the file 
 netstat -le --inet
list all ports that are listening

Mail and News

Topic 2.206

objective 2: using sendmail

building and editing configuration files: the m4 utility

If you learn the basics of the Unix m4 macro language for which the macros are written and adapt the macros to your needs in a plain text file, you can use the m4 utility to convert your macro file into a valid sendmail.cf file.

Some distributions ship with many sample .mc files, each designed to suit different purposes. All you have to do customize these .mc files to meet your own needs.

You need to edit the macro files otherwise every change to the sendmail.cf will be overwritten during the next run of the macros.

Additional configuration files

The sendmail.cf file ist not the only file that is used to configure Sendmail. 

 access
used to allow or deny access to systems and users 
 makemap hash access < access

 local-host-names
allows you to inform sendmail about the hostname of the computer 
 virtusertable
used to map incoming email to a local account. This is for routing specific addresses to groups of recipients or to define catchall rules for misspelled addresses. 
 makemap hash /etc/mail/virtusertable < sourcefile

 genericstable
used for outbound mail 
 genericsdomain
tells your system which addresses are considered local and which are considered remote 
 mailertable
can route email from remote systems 
 aliases
used to redirect mail for local recipients

restart sendmail with one of the following: 

 kill -HUP `cat /var/run/sendmail.pid`
 killall -HUP sendmail
 /etc/init.d/sendmail restart

objective 3: managing mail traffic

using procmail

The syntax for creating a recipe is comprised of three parts: 

 beginning
 condition
 action
  1. The beginning is a special character sequence, usually :0 on a line by itself, that informs Procmail that a recipe begins immediately.
  2. The condition specifies text matches or other conditions that the mail message must meet before it is processed. There can be multiple conditions in this section.
  3. The final action section contains processing directives that specify what actions to take (e.g. forwarding or deleting the mail) once the conditions have been met. 
 # starts comments
 :0
informs procmail that a recipe is beginning. Specifying :0c makes a copy of the matching message, meaning that the message will go on to appear in your inbox as well as be processed my the recipe. 
 *
Specifies a new condition. Placed at the front of a line in a recipe. 
 .*
Specifies the everything wildcard. This is never used at the start of a line and therefore can be distinguished from the previous item. For example Subject:.*Kenya.* in a condition matches any message with Kenya in the Subject field. 
 ^
instructs Procmail to look for the character or parameter that follows at the beginning of a line 
 !
in an action, forwards the message to the address you specify. For example, the following line: 
  ! asdf@domain.com
sends the message to the user you specify 
 Whc: filename.
specifies a lock file for the particular message. Useful to avoid race conditions, where another Procmail process might be running the same recipe.
Examples
 :0
 * ^From: knownspammer@domainofbadspammers.com
 /dev/null

 :0
 * ^From: .*@badspammer.com
 /dev/null

 :0
 * ^Subject:.*viagra.*
 /dev/null

 :0
 * ^From: info@domain.com
 ! pooremployee@domain.com

 :0 Whc: autoresponder.lock
 * $^To:.*\<$\LOGNAME\>
 * !^FROM_DAEMON
 * !^X-Loop: username#udel.edu
       | formail -rD 8192 out.cache
          :0 ehc
       | (formail -rA"Precedence: junk" A"X-Loop: your#own.mail.address";
          echo "I am currently out of the office."; BACKSLASH
          echo "I will return Thursday, September 13th."; BACKSLASH
          echo "-- "; cat $HOME/.signature_line.txt BACKSLASH
         ) | $SENDMAIL -oi -t

The formail command in this first part creates a file called out.cache that contains all mails sent. The -r option to formail strips unnecessary headers from the mail message, while the -D option limits the length of the message, to save on system resources and network bandwidth.

The second part begins at line with :0 ehc. This line directs the recipe to reply to messages even if they are not found in the out.cache file. The directive portion of the message contains the actual autoresponder message, complete with an email signature file. The backslashes are necessary for line continuation. The -oi option to Sendmail causes Sendmail not to send a message created from standard input, even if a single period is at the end. The -t option removes all recipients from the message headers.

For more information visit http://www.procmail.org.

Domain Name Service (DNS) 2.207

objective 1: basic dns server configuration (weight: 2)

Description: Candidates should be able to configure BIND to function as a caching-only DNS server. This objective includes the ability to convert older BIND configuration files to newer format, managing a running server and configuring logging.

/etc/named.conf

 options {
directory "/var/named"; 
 };

 zone "." {
    type hint;
    file "named.ca"
 };

 zone "1.168.192.in-addr.arpa" {
    type master;
    file "db.1.168.192.in-addr.arpa";
 };

 zone "example.com" {
    type master;
    file "db.example.com";
 };


 zone "example.net" {
    type slave;
    file "db.example.net";
    masters { 192.168.0.100; };
 };

Primary DNS

 zone "asdf.com" {
   type master;
   file "db.asdf.com";
 };

 @ IN SOA ns.asdf.com.   root.asdf.com. (
       2008111101; serial
       10800 ; refresh (3 hours)
       3600  ; retry (1 hour)
       604800 ; expire (7 days)
       86400 ) ; minimum (1 day)
       IN NS ns1.asdf.com.
       IN NS ns2.asdf.com.
       IN A  192.168.0.212
 www   IN A  192.168.0.212
 ftp   IN CNAME www
 node2 IN A 192.168.0.2
 router IN A 192.168.0.254
 ns1    IN A  192.168.0.10

The first section is the SOA (start of a zone authority) entry. The SOA entry contains the domain of the originating host, the domain address of the maintainer, the file serial number, and various time parameters as refresh, tetry, expire and minimum time to live.

Weiterhin wird definiert, dass der Primary dieser Zone ns.asdf.com. ist und dass der Administrator όber die E-Mail-Adresse root@asdf.com erreichbar ist (der „@“ muss durch einen „.“ ersetzt werden. (Kommt ein „.“ vor dem „@“ vor, z. B. vorname.nachname@example.com), so wird dieser mit einem „\“ maskiert – also z. B. vorname\.nachname.example.com)). Als Standard (Default) Time To Live fόr Resource Records dieser Zone ist 800 vorgegeben. 

 @ IN SOA ns.asdf.com.   root.asdf.com. (
       2008111101; serial
       10800 ; refresh (3 hours)
       3600  ; retry (1 hour)
       604800 ; expire (7 days)
       86400 ) ; minimum (1 day)
       IN NS ns1.asdf.com.
 2     IN    PTR   node2.asdf.com.
 10    IN    PTR   ns1.asdf.com.
 254   IN    PTR   router.asdf.com.

Make sure that you have no character before the content of the A respectively the PTR lines. I first formated them nicely but afterwards encounter problems that bind does not read them or spits errors as "unknown RR type in ..".

When a domain is registered, it must be registered with not only a primary DNS server, but also a secondary DNS server.

Secondary DNS

 zone "asdf.com " {
   type slave;
   file "db.asdf.com";
   masters { 192.168.2.50; };
 };

objective 2: create and maintain dns zones (weight: 3)

forward DNS zones

 options {
    directory "/var/named";
    forwarders {1.2.3.4, 1.2.3.5;};
 }

forward only

 options {
    directory "/var/named";
    forwarders {1.2.3.4, 1.2.3.5;};
    forward only;
 }

zone specific forwarding

 zone "asdf.com" IN { 
    type forward;
    forwarders {1.2.3.4, 1.2.3.5;};
 }

objective 3: securing a dns server (weight: 3)

Web Services (Apache and Squid) 2.208

objective 1: implementing a web server Weight: 2

Description: Candidates should be able to install and configure a web server. This objective includes monitoring the server's load and performance, restricting client user access, configuring support for scripting languages as modules and setting up client user authentication. Also included is configuring server options to restrict usage of resources. 

 <VirtualHost *:80>
    DocumentRoot /var/www/asdf
    DirectoryIndex index.mytype index.php index.html
 </VirtualHost>

secure access

 htpasswd -c /etc/apache2/htpasswd hans

 <Directory /var/www/securedir>
   AuthName "text for upcoming window in which you should enter user data"
   AuthType Basic
   AuthUserFile /etc/apache2/htpasswd
   require valid-user 
   # or if only for hans: require user hans
 </Directory>

install third-party modules

mod_php

 aptitude install libapache2-mod-php5

Test it with a site index.php: 

 <?php   phpinfo();  ?>

mod_perl

 aptitude install libapache2-mod-perl2

Test through creating cgi file under /usr/lib/cgi-bin/test.pl: 

 #!/usr/bin/perl
 print << "EOM";
 Content-Type: text/html; charset=utf-8;

 <html><body><h1>perl is running well</h1></html>
 EOM

ssl

 aptitude install openssl
 openssl genrsa -des3 -out server.key 1024
 cp server.key server.key.passphrase
 openssl rsa -in server.key.passphrase -out server.key
 openssl req -new -key server.key -out server.csr

 Listen 443
 SSLPassPhraseDialog guiltin
 SSLSessionCache dbm:/var/logs/ssl_scache
 SSLSessionCacheTimeout 300
 SSLMutex file:/var/logs/ssl_mutex
 SSLRandomSeed startup builtin
 SSLRandomSeed connect builtin

 <VirtualHost *:443>
   SSLEngine on 
   SSLCipherSuite
   ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
   SSLCertificateFile /etc/apache2/ssl/server.crt
   SSLCertificateKeyFile /etc/apache2/ssl/server.key
 </VirtualHost>

 openssl req -new -x509 -nodes -sha1 -days 365 -key server.key -out server.crt

objective 2: maintaining a web server Weight: 2

Description: Candidates should be able to configure a web server to use virtual hosts, Secure Sockets Layer (SSL) and customize file access.

redirecting request

 RewriteEnginge On
 RewriteRule ^(.+)$ http://www.asdf2.com [R]

Rewrite with use of an enviroment variable (see also http://httpd.apache.org/docs/1.3/mod/mod_reqrite.html) 

 RewriteCond %{QUERY_STRING} ^page.+
 RewriteRule ^(.+) /%{QUERY_STRING}.html

In words: If there is a query such as "?page123" and have the word page in it the we execute the RewriteRule.

tuning the server

objective 3: implementing a proxy server Weight: 2

Description: Candidates should be able to install and configure a proxy server, including access policies, authentication and resource usage.

You should know: 

 aptitude install squid

Options you should know: 

 cach_dir ufs /var/spool/squid 1024 L1 L2
sets ufs filesystem with 1 gb of space. The L1 (default is 16) gives the max count of top level directores are created and L2 sets how many second-level subdirectories are created (default 256)

The most important option is 

 acl intranet src 192.168.1.0/24
 http_access allow intranet
 http_access deny all

By default the squid.conf file is configured with ACL lines that will deny access to everything except the localhost. 

 acl blocked_sites dstdomain .web.de .google.de .google.com
 acl jupiter src 192.168.0.1
 acl saturn  src 192.168.0.2

 http_access allow localhost
 http_access deny blocked_sites
 http_access allow jupiter
 http_access deny saturn
 http_access deny all

With this configuration jupiter is not allowed to access google or web.de site because squid takes the first rule which matchs.

If you want to use authentication for access to the proxy server you get more information in the logfiles. Actually you can track back every access to the web to a specific user. 

 htpasswd -c /etc/squid/htpasswd hans

 auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squidusers.htpasswd
 acl passwd proxy_auth REQUIRED
 http_access allow intranet passwd

to increase speed of a webserver

You can use squid to increase speed of access to a webserver. 

 http_port 80
 httpd_accel_host 192.168.1.2
 acl acceleratedHost dst 192.168.1.2/255.255.255.255
 httpd_accel_port 80
 acl acceleratedPort port 80
 httpd_accel_with_proxy on
 acl all src 0.0.0.0/0.0.0.0
 acl intranet src 192.168.1.0/255.255.255.0
 http_access allow acceleratedHost acceleratedPort
 http_accesss allow intranet
 http_access deny all

Network Client Management 2.210

objective 1: DHCP configuration (weight 2)

Description: Candidates should be able to configure a DHCP server. This objective includes setting default and per client options, adding static hosts and BOOTP hosts. Also included is configuring a DHCP relay agent and maintaining the DHCP server.

DHCP can dynamically assign IP addresses from preassigned IP ranges in /etc/dhcpd.config and set up static IP addresses based on the network interface card's Media Access Controller address (MAC). DHCP can even restrict access by accepting requests only from specified MAC addresses.

Setting Up a DHCP Server 

 aptitude install dhcp

options you should know

 default-lease-time 21600;
how long the client can hold ip without reconfirming with server. 21600 means 6 hours 
 max-lease-time 43200;
if it has not been in touch within 43200 seconds (12 hours) it should consider itself to be out of a lease 
 option subnet-max 255.255.255.0;
 option broadcast-address 192.168.1.255;
 option routers 192.168.1.254;
 option domain-name-servers 192.168.1.1, 192.168.1.2;
 option domain-name "example.com";
 option ntp-servers 192.168.1.1;

random pool for ip numbers

 subnet 192.168.1.0 netmask 255.255.255.0 {
     range 192.168.1.10  192.168.1.100;
     range 192.168.1.150 192.168.1.200;
 }

The server takes randomly numbers out of the C-net 192.168.1.0 between 10-100 and 150-200.

Fixed addresses in dhcpd

One way to achieve that is to set the lease time very high. So the client have to be out of the net for a long time not to get the same number as before.

The better way is with a one-to-one relation between IP and MAC address. 

 host asdf {
    hardware ethernet 00:60:1D:1F:1E:EF;
    fixed-address 192.168.1.9;
 }

The address has to be outside the dynamic ranges.

dhcpd.leases

That is the file where the server saves its leases which it had given to clients. The full path is 

 /var/lib/dhcp/dhcpd.leases

Using DHCP Clients

pump

 aptitude install pump

 #/etc/pump.conf
 domainsearch "asdf.com"
 script /sbin/pump.script
 device eth0 { nodns }

The first line overrides the domain list that pump would use to update /etc/resolv.conf. The nodns keyword for eth0 stops pump from changing the resolv.conf for requests coming through eth0.

To get a DHCP lease for eth0, give 

 pump -i eth0

To check your DHCP lease enter: 

 pump --status

To release lease: 

 pump -r

To renew: 

 pump -R

dhcpclient

 dhcpclient

/etc/network/interfaces

 auto eth0 
 iface eth0 inet dhcp

DHCP Relay

To relay all requests seen on eth0 to the DHCP server ath 192.168.1.5, relaying can be started as follows. It will then catch all requests and relay them to the server, the server will answer back to the relay agent, and the relay agent will send the answer back to the requester.

objective 2: NIS configuration (weight 1)

Description: Candidates should be able to configure an NIS server. This objective includes configuring a system as an NIS client.

You must run the RPC portmapper (/usr/sbin/portmap) to run NIS. The RPC portmapper servers convert the RPC program numbering to TCP/IP or UDP/IP protocol port numbers.

Most Linux distributions ship with NIS Version 2. NIS Version 3 is known as NIS+ and is not in widespread use. 

 ypserv start
 yppasswdd start
 ypxfrd start
 ypbind start

initial the master server: 

 /usr/lib/yp/ypinit -m

NIS client-side tools

Keeping maps up to date: on client: 

 yppoll -h localhost passwd.byname
 yppoll -h asdf passwd.byname

and watch the differences.

on the master server: 

 yppush -h asdf passwd.byname

RPC calls

The utility rpcinfo can be used to detect and debug a variety of failures. Just type rpcinfo -p hostname to check how the things are going in your NIS server. 

 rpcinfo -p localhost

The output shows RPC program and version numbers, the protocols supported, IP port used by the RPC server and the name of the service. If rpcinfo times out while attempting to reach the remote machine and reports an error, check whether the portmapper sercie is alive. 

 /etc/init.d/portmap status

objective 3: LDAP configuration (weight 2)

Description: Candidates should be able to configure an LDAP server. This objective includes working with directory hierarchy, groups, hosts, services and adding other data to the hierarchy. Also included is importing and adding items, as well as adding and managing users.

objective 4: PAM Authentication (weight 2)

Description: The candidate should be able to configure PAM to support authentication using various available methods.

PAM is the Pluggable Authentication Modules system.

PAM Configuration

files located in /etc/pam.d

common entries that can be found under /etc/pam.d include chfn, chsh, halt, linuxconf, login, passwd, ppp, reboot, rexec, rlogin, rsh, shutdown, su, xdm, adn xscreensaver.

Looking at these files you will see four columns of information: 

 module-type control-flag module-path arguments

module-type: auth, account, session, password control-flag: optional, required, requisite, sufficient

System Security Topic 2.212

Objective 2:Configuring a Router

ip packet forwarding

 echo 1 > /proc/sys/net/ipv4/ip_forward

iptables

 -p --protocol
 -s --source
 -d --destination
 -j --jump
specifies what to do next if packet matches the rule: ACCEPT,DROP,DENY,MASQUERADE,DNAT 
 -i --in-interface
only allowed for INPUT, FORWARDING and PREROUTING table with parameter -A 
 -o --out-interface
for tables OUTPUT,FORWARDING and POSTROUTING 
 --dport, --destination-port
 -m state --state state
states as ESTABLISHED,INVALID,RELATED

An additional target used for port forwarding is DNAT. A rule that uses DNAT takes an additional option that specifies the address to redirect to and optionally the port, if that too is to be changed. An example use of DNAT is: 

 iptables -t nat -a PREROUTING ... --jump DNAT --to address[:port]

For a bigger example see Book LPI Linux Certification in a nutshell page 830.

If connection tracking for FTP was enabled both passive and active connections would be allowed in as RELATED. The same goes for the other protocol agents available in Linux 2.6.

Saveing and reloading rulesets

 iptables-save > firewall-rules
now we can reboot the system and afterward we regain the rules with 
 iptables-restore firewall-rules

ssh tricks

sshd, like the linux login program, denies logins when the file /etc/nologin exists.

tricks in hosts.allow and hosts.deny

 ALL EXCEPT 10.0.0.5, 10.0.0.6
all hosts are allowed except two 
 ALL EXCEPT vsftpd: ALL
all services are allowed for access except vsftpd

add second ip address to an ethernet interface

 ifconfig eth1:1 192.168.2.55 netmask 255.255.255.0

tcpdump

capture whole tcp package not only the header

 tcpdump -vvv -s 1518 -i eth0 -w cap1.cap

 tcpdump host host1 and \( host2 or host3 \)
 tcpdump -i eth1 not arp and not '(port ssh)' and not '(port http)'

 dst
 src
 host
 not or !
 and or &&
 or or ||

ping

 ping -a # audiable ping
 ping -f # flood pings
 ping -c # stop after number of count ping packages

enable ip forwarding 

 echo 1 > /proc/sys/net/ipv4/ip_forward

or 

 vim /etc/sysctl.conf

and add line 

 net/ipv4/ip_forward=1

then run command 

 sysctl -p /etc/sysctl.conf

netcat (nc)

Could be used as telnet replacement with 

 nc localhost 80
 HEAD / HTTP/1.0

 nc remotehost.org 25
 HELO remotehost.org
 mail from:<me@here.org>
 rcpt to:<you@remotehost.org>
 data

 bla
 .

easy file transportation only with netcat

or to establish a simple connection between two hosts. For example we want to transfer files from host A to B and do not have any possibility like ssh or ftp. Then we open a port on host A which should receive a tar-file. To obtain a port lower than 1000 you have to be root, so we use 1234. 

 nc -l -p 1234 | tar xvfp -

Now host A is listening on port 1234 and you can send a file from host B using netcat: 

 tar cfp - /path2files | nc -w 3 hostA 1234

You can also use other applications than tar. Next we want to save a complete partition over the network. 

 nc -l -p 1234 | dd of=backup_hda1
opens client listen connection 
 dd if=/dev/hda1 | nc -w 3 hostA 1234
writes data to port 1234 on host A.

ssh port forwarding

 ssh -L 2525:mail.example.com:25 login.example.com
log in to login.example.com, then forward connections to localhost port 2525 to port 25 on mail.example.com. The reason for binding to port 2525 is that one needs to be root to bind port 25. Normal user can only bind ports above port 1024.

TCP wrappers

 #/etc/inetd.conf
 ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/vsftpd
  1. do the service and origin have a match in /etc/hosts.allow? if so,allow the connection to continue at once.
  2. do they have a match in /etc/hosts.deny? If so, the connection is closed without reading any input.
  3. Otherwise, the connection is allowed to continue.

Specifying services in hosts.*: 

 vsftpd: 10.0.0/255.255.255.0

xinetd

 service rsync
 { 
   disable = no
   socket_type =stream
   wait = no
   user = root
   server = /usr/bin/rsync
   server_args= --daemon --server
   log_on_failure += USERID
   no_access = 10.0.0.0/16
   only_from = 0.0.0.0/0, 10.0.0.0/24
 }

IDS

portSentry

 #/etc/portsentry
 TCP_PORTS="4,8.15,16,23,42"
 UDP_PORTS="4,8.15,16,23,42"

tripwire

config file
finger print database
used for files that can be used across several hosts.
policy files which are created with twadmin. 
 tripwire --init
 tripwire --check
 tripwire --update
 tripwire --update-policy
 tripwire --test --email alert@example.com