
Howto on tcp wrapper


Type : System
Operating System : Red Hat, Fedora, CentOS

TCP Wrapper is a very simple way to secure access to the network services on your Linux system. It is based on libwrap, which limits access by letting you allow or deny a single IP address or an IP range. TCP Wrapper can also be used to log access to each wrapped service, and it can be used alongside iptables and SELinux.

CONFIGURATION FILE

TCP Wrapper uses two files to allow or deny an IP address or an IP range:

  • /etc/hosts.allow : if tcp_wrapper finds a match, it grants access
  • /etc/hosts.deny : if tcp_wrapper finds a match, it refuses access

/etc/hosts.allow is consulted first, then /etc/hosts.deny; a client that matches neither file is granted access.
OPTIONS
  • SYNTAX :

daemon_list : client_list [:option[:option....]]

  • WILDCARDS :

ALL :

The universal wildcard, always matches.

LOCAL :

Matches any host whose name does not contain a dot character.

UNKNOWN:

Matches any user whose name is unknown, and matches any host whose name or address are unknown. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.

KNOWN :

Matches any user whose name is known, and matches any host whose name and address are known. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.

PARANOID :

Matches any host whose name does not match its address. When tcpd is built with -DPARANOID (default mode), it drops requests from such clients even before looking at the access control tables. Build without -DPARANOID when you want more control over such requests.

  • OPERATOR

EXCEPT : Intended use is of the form 'list_1 EXCEPT list_2'; this construct matches anything that matches list_1 unless it matches list_2. The EXCEPT operator can be used in daemon_lists and in client_lists. The EXCEPT operator can be nested: if the control language would permit the use of parentheses, 'a EXCEPT b EXCEPT c' would parse as '(a EXCEPT (b EXCEPT c))'.

  • EXPANSIONS

%a (%A) The client (server) host address.
%c Client information: user@host, user@address, a host name, or just an address, depending on how much information is available.
%d The daemon process name (argv[0] value).
%h (%H) The client (server) host name or address, if the host name is unavailable.
%n (%N) The client (server) host name (or "unknown" or "paranoid").
%p The daemon process id.
%s Server information: daemon@host, daemon@address, or just a daemon name, depending on how much information is available.
%u The client user name (or "unknown").
%% Expands to a single '%' character.

Characters in % expansions that may confuse the shell are replaced by underscores.


EXAMPLE :

These examples are useful if you have set the default policy (deny everything) described in the TIPS section.

In /etc/hosts.allow

in.telnetd : ALL EXCEPT 10.0.0., LOCAL : twist = echo "Telnet of %u@%h - %c - `date` " >> /var/log/telnet.log

in.tftpd : ALL

sshd, vsftpd : 192.168.4.0/255.255.254.0 EXCEPT 192.168.4.10

in.rlogind : ALL EXCEPT .example.com
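As an added illustration (not code from the original page), this Python model reproduces the hosts.allow / hosts.deny decision order and the ALL, LOCAL, EXCEPT, ".domain", "net." prefix and net_number/net_mask patterns described above, run against constructed rule files. No DNS lookup is done: the client's host name, when known, is passed in as an argument.

```python
import ipaddress
# Constructed rule files (hypothetical content, mirroring the examples in this howto).
HOSTS_ALLOW = """
sshd, vsftpd : 192.168.4.0/255.255.254.0 EXCEPT 192.168.4.10
in.rlogind : ALL EXCEPT .example.com
in.tftpd : ALL
"""
HOSTS_DENY = "ALL : ALL\n"

def _split_except(field):
    # 'list_1 EXCEPT list_2' -> (tokens of list_1, tokens of list_2); one level only
    head, _, tail = field.partition(" EXCEPT ")
    return ([t.strip() for t in head.split(",") if t.strip()],
            [t.strip() for t in tail.split(",") if t.strip()])

def _token_matches(tok, daemon=None, host=None, addr=None):
    """One daemon_list or client_list pattern against the request (no DNS lookup here)."""
    if tok == "ALL":
        return True
    if daemon is not None:                      # daemon_list token: plain process name
        return tok == daemon
    if tok == "LOCAL":                          # host name without a dot
        return host is not None and "." not in host
    if tok.startswith("."):                     # domain suffix, e.g. .example.com
        return host is not None and host.endswith(tok)
    if tok.endswith("."):                       # leading address fields, e.g. 10.0.0.
        return addr.startswith(tok)
    if "/" in tok:                              # net_number/net_mask
        return ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
    return tok in (addr, host)                  # literal address or host name

def _list_matches(field, **req):
    inc, exc = _split_except(field)
    return (any(_token_matches(t, **req) for t in inc)
            and not any(_token_matches(t, **req) for t in exc))

def _file_matches(text, daemon, addr, host):
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        daemons, clients = line.split(":")[:2]  # options after the 2nd ':' are ignored here
        if (_list_matches(daemons.strip(), daemon=daemon)
                and _list_matches(clients.strip(), host=host, addr=addr)):
            return True
    return False

def access_granted(daemon, addr, host=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcp_wrappers order: hosts.allow match grants, else hosts.deny match refuses, else grant."""
    return _file_matches(allow, daemon, addr, host) or not _file_matches(deny, daemon, addr, host)
```

With the default deny file `ALL : ALL`, a request that matches no hosts.allow line is refused; pass an empty deny file to see the fall-through grant.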


TIPS :

The default policy (no access) is implemented with a trivial deny file:

/etc/hosts.deny:
ALL: ALL

Check whether a service supports tcp_wrapper :

With the ldd command you can check whether a daemon such as sshd is linked against libwrap and therefore supports tcp_wrapper.

Example :

#ldd /usr/sbin/sshd
libwrap.so.0 => /lib64/libwrap.so.0 (0x00002ae845682000)
libpam.so.0 => /lib64/libpam.so.0 (0x00002ae84588b000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002ae845a96000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00002ae845c9b000)
libaudit.so.0 => /lib64/libaudit.so.0 (0x00002ae845eb3000)
libfipscheck.so.1 => /usr/lib64/libfipscheck.so.1 (0x00002ae8460cd000)
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002ae8462d0000)
libutil.so.1 => /lib64/libutil.so.1 (0x00002ae846621000)
libz.so.1 => /usr/lib64/libz.so.1 (0x00002ae846824000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00002ae846a39000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002ae846c51000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00002ae846e89000)
libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002ae84709f000)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002ae8472cd000)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002ae847562000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002ae847788000)
libnss3.so => /usr/lib64/libnss3.so (0x00002ae84798a000)
libc.so.6 => /lib64/libc.so.6 (0x00002ae847cb5000)
/lib64/ld-linux-x86-64.so.2 (0x00002ae845465000)
libsepol.so.1 => /lib64/libsepol.so.1 (0x00002ae84800d000)
libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002ae848253000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002ae84845c000)
libnssutil3.so => /usr/lib64/libnssutil3.so (0x00002ae84865e000)
libplc4.so => /usr/lib64/libplc4.so (0x00002ae84887b000)
libplds4.so => /usr/lib64/libplds4.so (0x00002ae848a80000)
libnspr4.so => /usr/lib64/libnspr4.so (0x00002ae848c83000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00002ae848ebd000)

If libwrap appears in the output, the daemon can be secured with TCP Wrapper.


Last Updated on Saturday, 30 January 2010 22:31