tcp_wrappers
Set Up tcp_wrappers

tcp_wrappers provides host-based access control for a number of stand-alone servers such as sshd and portmap. The libwrap.so library of tcp_wrappers uses two basic files to provide this control.
The first file to configure, using the vi editor, is /etc/hosts.deny:

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#                  See the manual pages hosts_access(5), hosts_options(5)
#                  and /usr/doc/netbase/portmapper.txt.gz
#
# Example:    ALL: some.host.name, .some.domain
#             ALL EXCEPT in.fingerd: other.host.name, .other.domain
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper. See portmap(8)
# and /usr/doc/portmap/portmapper.txt.gz for further information.
#
# The PARANOID wildcard matches any host whose name does not match its
# address.
#
# You may wish to enable this to ensure any programs that don't
# validate looked up hostnames still leave understandable logs. In past
# versions of Debian this has been the default.
# ALL: PARANOID

Apart from these comments the file is empty by default. Add this line:

ALL: ALL
Note: If you are performing this process on a remote server, adding this line first will lock you out. On a remote server, configure hosts.allow first so you are not locked out. Save the configuration change. This effectively denies all hosts except those you explicitly allow. Now edit /etc/hosts.allow.
In this file you list only the services and hosts you want to permit. By default it too is empty. Each entry names the service to allow and the IP address or host it is allowed from. The example shows SSHD and SMB.
# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5), hosts_options(5)
#                   and /usr/doc/netbase/portmapper.txt.gz
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8), rpc.mountd(8) and
# /usr/share/doc/portmap/portmapper.txt.gz for further information.
#
SSHD: 192.168.5.23
SMB: 192.168.5.
These two entries allow SSHD from only one computer, 192.168.5.23, while allowing the entire 192.168.5.0/24 subnet for Samba (the trailing dot in 192.168.5. makes the pattern match every address with that prefix).

How It Works
tcp_wrappers Options
EXCEPT creates exceptions. For example, to allow all workstations on the 192.168.5.0 subnet access to the Samba server except one, add a line like this to /etc/hosts.allow:
SMB: 192.168.5. EXCEPT 192.168.5.23
tcp_wrappers Notifications
SSHD: ALL: spawn echo "Access Attempt from %c to %s" | mail -s warning root
This example notifies root of every attempt to log in over SSH. Notice the %c and %s expansions.
As root, view the warning by typing mail at a terminal and then selecting message number 1 to read it. The email report to root will look like this:
Mail version 8.1 6/6/93.  Type ? for help.
"/var/spool/mail/root": 1 message 1 new
>N  1 root@localhost.local  Sat Jan 21 07:07  16/704   "warning"
& 1
Message 1:
From root@localhost.localdomain  Sat Jan 21 07:07:41 2006
Date: Sat, 21 Jan 2006 07:07:09 -0700
From: root <root@localhost.localdomain>
To: root@localhost.localdomain
Subject: warning

"Access Attempt from ::ffff:192.168.5.45 to sshd@::ffff:12.32.36.116 "
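To make the allow/deny ordering, the trailing-dot network patterns, the EXCEPT operator and the spawn notification above concrete, here is a small Python model of the rule evaluation, written for this page; it is not part of tcp_wrappers or of the original article. It assumes the daemon field is matched against the server's process name (sshd, and smbd for Samba, where the page writes SSHD and SMB), that matching is case-insensitive, and that no hostname or ident lookups are done, so %c and %h expand to the client address. The hosts.allow and hosts.deny contents, the client addresses and the server address 203.0.113.10 are constructed samples. A spawn rule with client list ALL would, if placed in hosts.allow, admit every host to sshd, so the sample places the notification in hosts.deny, where it fires only for clients that hosts.allow did not admit.

```python
# Toy model of tcp_wrappers (libwrap) access checks, written for this page.
# It follows hosts_access(5)/hosts_options(5) as far as the page uses them:
#   * hosts.allow is consulted first, then hosts.deny; no match in either = allow
#   * entry format:  daemon_list : client_list [: option]
#   * ALL wildcard, trailing-dot network prefix (192.168.5.), leading-dot
#     domain suffix, and EXCEPT, which nests to the right (a EXCEPT (b EXCEPT c))
#   * a "spawn" option whose %-sequences (%a %c %d %h %s %%) are expanded
# Real libwrap also does reverse DNS, PARANOID, netgroups, CIDR masks and more
# options; those are deliberately left out here.
import re

ALLOW_TEXT = """\
# constructed sample /etc/hosts.allow (daemon field = process name)
sshd: 192.168.5.23
smbd: 192.168.5. EXCEPT 192.168.5.23
"""

DENY_TEXT = """\
# constructed sample /etc/hosts.deny: reject everything else and tell root
sshd: ALL: spawn echo "Access Attempt from %c to %s" | mail -s warning root
ALL: ALL
"""


def parse_rules(text):
    """Return (daemon_list, client_list, option) triples from a hosts.* file.

    Blank lines and lines starting with '#' are ignored; a trailing backslash
    joins the next line, as in the real parser. The option field (everything
    after the second colon) is kept verbatim.
    """
    rules, pending = [], ""
    for raw in text.splitlines():
        if not pending and raw.lstrip().startswith("#"):
            continue
        line = pending + raw.rstrip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            raise ValueError("malformed entry, need daemon_list : client_list: %r" % raw)
        option = fields[2] if len(fields) == 3 else ""
        rules.append((fields[0], fields[1], option))
    return rules


def _match_token(pattern, value):
    """Match one daemon or client token the way hosts_access(5) describes."""
    p, v = pattern.lower(), value.lower()
    if p == "all":
        return True
    if p.endswith("."):      # "192.168.5." matches every address in that /24
        return v.startswith(p)
    if p.startswith("."):    # ".example.com" matches every host in the domain
        return v.endswith(p)
    return p == v


def _match_list(spec, value):
    """Evaluate 'list_1 EXCEPT list_2 ...'; EXCEPT clauses nest to the right."""
    parts = re.split(r"\s+EXCEPT\s+", spec.strip(), maxsplit=1, flags=re.IGNORECASE)
    head = [tok for tok in re.split(r"[\s,]+", parts[0]) if tok]
    matched = any(_match_token(tok, value) for tok in head)
    if len(parts) == 2:
        return matched and not _match_list(parts[1], value)
    return matched


def expand(template, daemon, client, server):
    """Expand the %-sequences hosts_access(5) defines for spawn commands."""
    table = {
        "a": client, "h": client, "c": client,   # toy: no DNS/ident, so all = address
        "d": daemon,
        "s": "%s@%s" % (daemon, server),          # %s = daemon@server, as in the mail
        "%": "%",
    }
    return re.sub(r"%(.)", lambda m: table.get(m.group(1), m.group(0)), template)


def check_access(daemon, client, server="203.0.113.10",
                 allow_text=ALLOW_TEXT, deny_text=DENY_TEXT):
    """Return (decision, expanded_spawn_command_or_None) for one connection."""
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, option in parse_rules(text):
            if _match_list(daemons, daemon) and _match_list(clients, client):
                cmd = None
                if option.lower().startswith("spawn "):
                    cmd = expand(option[len("spawn "):].strip(), daemon, client, server)
                return verdict, cmd
    return "allow", None   # matched neither file: libwrap grants access


if __name__ == "__main__":
    for d, c in [("sshd", "192.168.5.23"), ("sshd", "192.168.5.45"),
                 ("smbd", "192.168.5.10"), ("smbd", "192.168.5.23")]:
        print(d, c, check_access(d, c))
```

Running the block shows 192.168.5.23 admitted to sshd, 192.168.5.45 rejected with the expanded echo | mail command that produces the report shown above, 192.168.5.10 admitted to smbd by the subnet pattern, and 192.168.5.23 refused smbd because the EXCEPT clause removes it from the allow entry and the catch-all in hosts.deny then matches.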