
8. Wrappers

8.1 tcpd

Introduction

A number of services in inetd are started through tcpd, like the telnet entry described above. tcpd is an additional check program wrapped around a service, hence the name wrapper. The configuration files for tcpd are hosts.allow, hosts.deny and hosts.equiv, which can all be found in /etc/. When tcpd starts it walks through each of these files to see if there are additional rules that prevent a service from granting access. If nothing is found, the service is started.

The man-page for the following files is hosts_access(5).

Configuration

hosts.allow

This file describes who is allowed to what service. A simple example might be:


ALL: .foobar.edu EXCEPT terminalserver.foobar.edu

This line says that every service configured in inetd.conf is allowed for machines from the .foobar.edu domain, except for connections coming from the machine terminalserver. The other way around is to give everybody within a domain access to one service:


in.ftpd: LOCAL, .mydomain.nl

LOCAL and ALL are special directives. LOCAL matches every hostname that does not contain a dot, i.e. a host belonging to our own domain. ALL matches every host, effectively 0.0.0.0/0.

To start with, this file should contain the line:


ALL: 127.0.0.1

hosts.deny

tcpd's default behaviour is: if no rule matches, accept. To create a secure system we want the opposite: if we haven't explicitly said it is alright, deny access. So change the hosts.deny file to contain only:


ALL: ALL
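As an added illustration that is not part of this HOWTO, the following small Python model shows the decision order just described (hosts.allow is consulted first, then hosts.deny, and a client matching neither is accepted) using the patterns from the examples above. The file contents are constructed, and real tcpd understands more syntax than is modelled here.

```python
"""Added example, not from the HOWTO: a minimal model of the tcpd access
decision. Patterns handled: ALL, LOCAL, leading-dot domain suffixes, literal
hosts/addresses and an EXCEPT clause. File contents below are constructed."""

# Constructed sample files, not a real system's configuration.
HOSTS_ALLOW = """\
ALL: 127.0.0.1
ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
in.ftpd: LOCAL, .mydomain.nl
"""
HOSTS_DENY = "ALL: ALL\n"


def _match_pattern(pattern, name):
    """Return True if one hosts_access pattern matches a daemon or client name."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in name          # no dot: a host in the local domain
    if pattern.startswith("."):
        return name.endswith(pattern)   # domain suffix, e.g. .foobar.edu
    return name == pattern              # literal hostname, address or daemon


def _match_list(spec, name):
    """Match a comma-separated pattern list with an optional EXCEPT clause."""
    included, _, excepted = spec.partition(" EXCEPT ")
    hit = any(_match_pattern(p.strip(), name) for p in included.split(","))
    if hit and excepted:
        return not _match_list(excepted, name)
    return hit


def _file_matches(text, daemon, host):
    """True if any 'daemons: clients' line in the file matches this request."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        if _match_list(daemons.strip(), daemon) and _match_list(clients.strip(), host):
            return True
    return False


def access_allowed(daemon, host, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcpd order: a hosts.allow match wins, then hosts.deny, otherwise accept."""
    if _file_matches(allow, daemon, host):
        return True
    if _file_matches(deny, daemon, host):
        return False
    return True   # default when no rule matches: the unsafe case ALL: ALL closes
```

With an empty hosts.deny the last call in the test returns True, which is exactly the default-accept behaviour the ALL: ALL line is there to remove.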

