tcp_wrappers
Security - Server Security

Set Up tcp_wrappers

tcp_wrappers provides host-based access control for a number of stand-alone network services such as sshd and portmap. The libwrap.so library of tcp_wrappers uses two basic files, /etc/hosts.allow and /etc/hosts.deny, to provide this control.

The first file to configure, using the vi editor, is /etc/hosts.deny. As shipped it contains only comments:

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
# See the manual pages hosts_access(5), hosts_options(5)
# and /usr/doc/netbase/portmapper.txt.gz
#
# Example: ALL: some.host.name, .some.domain
# ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/portmap/portmapper.txt.gz for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.

# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID

By default the file contains no active rules. Add this line:

ALL: ALL

Note: if you are doing this on a remote server, adding ALL: ALL to hosts.deny before anything is allowed will lock you out of any new connection. On a remote server, set up hosts.allow first so you are not locked out.

Save the change. This denies every host for every wrapped service except those you explicitly allow. Now edit /etc/hosts.allow.

In this file you allow only the services and hosts you want to permit. By default it too contains no active rules. Each line lists the service to allow and the IP address or host to allow it from. The example below permits SSHD and SMB:

# /etc/hosts.allow: list of hosts that are allowed to access the system.
# See the manual pages hosts_access(5), hosts_options(5)
# and /usr/doc/netbase/portmapper.txt.gz
#
# Example: ALL: LOCAL @some_netgroup
# ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8), rpc.mountd(8) and
# /usr/share/doc/portmap/portmapper.txt.gz for further information.
#
SSHD: 192.168.5.23
SMB: 192.168.5.

These two lines allow SSHD from only one computer, 192.168.5.23, and allow the entire 192.168.5.0/24 subnet (written as the prefix 192.168.5.) for Samba.

How It Works

One thing to be careful of is the order of evaluation: tcp_wrappers first checks /etc/hosts.allow, and if a rule there matches the service and the client the connection is allowed. Only then does it check /etc/hosts.deny, and a matching rule there denies the connection. If neither file matches, the connection is allowed. That is why /etc/hosts.deny must deny all, so you are not blindsided by a service you forgot to list.

tcp_wrappers Options

tcp_wrappers Wildcards

ALL       matches all clients and hosts
LOCAL     matches any host whose name contains no dot
UNKNOWN   matches any host or user that cannot be looked up
KNOWN     matches all hosts and users that can be looked up
PARANOID  matches any host whose name does not match its address

EXCEPT is used to create exceptions. For example, if you wanted to allow all workstations on the 192.168.5.0 subnet access to the Samba server except for one, you would put a line like this in your /etc/hosts.allow (the list before EXCEPT is what is allowed; the list after it is carved out of that):

SMB: 192.168.5. EXCEPT 192.168.5.23
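To make the evaluation order and the EXCEPT grammar concrete, here is an added Python model of the decision, written for this page rather than taken from tcp_wrappers itself; it assumes the rules shown above with the page's SSHD and SMB daemon names, and it does not model the DNS-based wildcards (KNOWN, UNKNOWN, PARANOID) or options such as spawn.

```python
# Added example (not from the original page): a model of the tcp_wrappers
# lookup order (hosts.allow, then hosts.deny, otherwise allow) and the client
# list grammar used above: ALL, LOCAL, trailing-dot network prefix, leading-dot
# domain suffix, exact match, and EXCEPT. KNOWN/UNKNOWN/PARANOID and spawn are not modelled.

def _match_pattern(pattern, value):
    """Match one daemon or client pattern against a daemon name or client address."""
    if pattern.upper() == "ALL":
        return True
    if pattern.upper() == "LOCAL":          # any host name without a dot
        return "." not in value
    if pattern.endswith("."):               # network prefix, e.g. 192.168.5.
        return value.startswith(pattern)
    if pattern.startswith("."):             # domain suffix, e.g. .example.net
        return value.endswith(pattern)
    return value.lower() == pattern.lower() # daemon and host names match case-insensitively

def _match_list(spec, value):
    """Match 'list_1 EXCEPT list_2'; EXCEPT nests to the right: a EXCEPT (b EXCEPT c)."""
    head, _, tail = spec.partition(" EXCEPT ")
    hit = any(_match_pattern(p, value) for p in head.split())
    return hit and not (tail and _match_list(tail, value))

def parse_rules(text):
    """Parse 'daemon_list : client_list [: options]' lines, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((fields[0], fields[1]))    # the options field is ignored here
    return rules

def _any_match(rules, daemon, client):
    return any(_match_list(d, daemon) and _match_list(c, client) for d, c in rules)

def hosts_access(daemon, client, allow_text, deny_text):
    """True if the connection is granted, following the tcp_wrappers order."""
    if _any_match(parse_rules(allow_text), daemon, client):
        return True     # a matching hosts.allow entry grants access
    if _any_match(parse_rules(deny_text), daemon, client):
        return False    # otherwise a matching hosts.deny entry refuses it
    return True         # no match in either file: access is granted

# Constructed sample files mirroring the rules discussed on this page.
HOSTS_ALLOW = "SSHD: 192.168.5.23\nSMB: 192.168.5. EXCEPT 192.168.5.23\n"
HOSTS_DENY = "ALL: ALL\n"
```

Calling hosts_access("portmap", "10.0.0.1", HOSTS_ALLOW, "") returns True, which is the blind-siding case: with an empty hosts.deny, a service you forgot to list is reachable from anywhere.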

 

tcp_wrappers Notifications

Notify root of Access

SSHD: ALL: spawn echo "Access Attempt from %c to %s" | mail -s warning root

This example notifies root of every attempt to connect to SSH. Notice the %c and %s expansions.


Expansions

%c   client information
%s   server information
%h   client host name
%p   server process ID (PID)

As root, view the warning by typing mail at a terminal and then selecting message number 1 to read it. The e-mail report to root looks like this:

 

mail
Mail version 8.1 6/6/93. Type ? for help.
"/var/spool/mail/root": 1 message 1 new
>N 1 root@localhost.local Sat Jan 21 07:07 16/704 "warning"
& 1
Message 1:
From root@localhost.localdomain Sat Jan 21 07:07:41 2006
Date: Sat, 21 Jan 2006 07:07:09 -0700
From: root <root@localhost.localdomain>
To: root@localhost.localdomain
Subject: warning

Access Attempt from ::ffff:192.168.5.45 to sshd@::ffff:12.32.36.116