July 17, 2016

TCP Wrapper(tcpd), Snort, tcpdump, sendmail, iptables, PAM, syslog, nmap, access list, rate-limit grammar comparison

[TCP Wrapper(tcpd)]
○ Path : /etc/hosts.allow, /etc/hosts.deny
○ Example : in.telnetd : 192.168.0.1 : SPAWN /bin/mail -s "denied" root (usage for hosts.deny file)
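To make the first-match semantics behind the hosts.allow/hosts.deny grammar concrete, here is an added Python evaluator for a subset of hosts_access(5) (added example, not part of the original post and not tcpd's own code); the two sample files, daemon names and addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample files in hosts_access(5) grammar, not taken from a live host.
HOSTS_ALLOW = """
sshd : 192.168.1. : ALLOW
in.telnetd : 10.0.0.0/255.255.255.0 EXCEPT 10.0.0.5
"""
HOSTS_DENY = """
in.telnetd : 192.168.0.1 : spawn /bin/mail -s "denied" root
ALL : ALL
"""

def parse_rules(text):
    """Split 'daemon_list : client_list [: option ...]' lines (IPv4 only)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        rules.append((fields[0].split(), fields[1], [o.lower() for o in fields[2:]]))
    return rules

def match_pattern(pattern, ip):
    """ALL, trailing-dot prefix ('192.168.1.'), net/mask, or an exact address."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return str(ip).startswith(pattern)
    if "/" in pattern:
        return ip in ipaddress.ip_network(pattern, strict=False)
    return str(ip) == pattern

def match_clients(expr, ip):
    """'a b EXCEPT c' matches a or b unless c also matches (one EXCEPT level)."""
    wanted, _, excluded = expr.partition(" EXCEPT ")
    return (any(match_pattern(p, ip) for p in wanted.split())
            and not any(match_pattern(p, ip) for p in excluded.split()))

def tcpd_decision(daemon, client_ip, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny, default is allow;
    an explicit ALLOW/DENY option on a matching rule overrides the file's verdict."""
    ip = ipaddress.ip_address(client_ip)
    for verdict, text in (("allow", allow), ("deny", deny)):
        for daemons, clients, options in parse_rules(text):
            if ("ALL" in daemons or daemon in daemons) and match_clients(clients, ip):
                return "allow" if "allow" in options else "deny" if "deny" in options else verdict
    return "allow"
```

Note that the spawn option on the matching hosts.deny line is only reported as part of the verdict here; real tcpd would also run the command.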

[Snort]
○ Path : /etc/snort/rules/local.rules
○ Example : alert tcp 192.168.0.1 any -> 192.168.1.254 80 (msg:"flooding"; content:"GET / HTTP/1."; nocase; depth:13; sid:1000001; threshold:type threshold, track by_src, count 10, seconds 10;)

[tcpdump]
○ Example 1 : tcpdump host 192.168.0.1 and \(A or B\) (A and B stand for two further primitives; the parentheses are escaped for the shell)
○ Example 2 : tcpdump -i eth0 tcp dst port 80 and not dst net 192.168.0.0/24

[sendmail]
○ Path : /etc/mail/access
○ Example :
sunlinux.net RELAY
192.168.0.1 REJECT

[iptables]
○ Path : /etc/sysconfig/iptables
○ Example : iptables -A INPUT -p tcp -s 192.168.0.1 --dport 80 --tcp-flags SYN,FIN SYN -j DROP

[PAM]
○ Path : /etc/pam.d
○ Example : auth requisite pam_securetty.so

[syslog]
○ Path : /etc/syslog.conf
○ Example : authpriv.info;auth.* /var/log/messages

[nmap]
○ Example : nmap -T4 -sT -p 1-1023 192.168.0.0/24

[access list]
○ Example 1 : access-list 150 permit icmp host 192.168.0.1 host 192.168.0.2 echo-reply
○ Example 2 : access-list 100 deny ip 192.168.10.0 0.0.0.255 host 192.168.22.2

[rate-limit]
○ Example : rate-limit input access-group 150 2000000 250000 250000 conform-action transmit exceed-action drop