Linux Security : TCP Wrapper

Controlling access to network services is one of the most important security tasks facing a server administrator. Linux provides several tools for this purpose. For example, an iptables-based firewall filters out unwelcome network packets within the kernel's network stack. For network services that support it, TCP Wrappers add an additional layer of protection by defining which hosts are or are not allowed to connect to "wrapped" network services.

Pros and Cons of TCP-Wrapper

Disadvantages:

  1. A daemon must be linked with the libwrap library (or started through tcpd) for the wrappers to apply; applications that are not built this way are not protected.
  2. The wrappers do not work with RPC services over TCP.
  3. The user name lookup feature of TCP Wrappers uses identd to identify the username on the remote host. By default this feature is disabled, as identd lookups may appear to hang when there are a large number of TCP connections.

Advantages:

  1. Logging – Connections that are monitored by TCPD are reported through the syslog facility.
  2. Access Control – TCPD supports a simple form of access control that is based on pattern matching. You can even hook the execution of shell commands/script when a pattern matches.
  3. Host Name Verification – TCPD verifies the client host name that is returned by the address->name DNS server by looking at the host name and address that are returned by the name->address DNS server.
  4. Spoofing Protection.

Compatibility with Services

How do I know whether a program supports TCP Wrappers or not?

Find out the path of the executable with the which command:

# which sshd
/usr/sbin/sshd

Then use the ldd command to check whether the daemon is linked against libwrap, i.e. whether it supports TCP Wrappers:

# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f86e565c000)

If the output contains libwrap.so, the daemon supports TCP Wrappers: ldd lists the shared libraries a binary depends on, so it shows whether libwrap.so is one of them.

How TCP Wrappers Work?

When a connection is attempted to a service that uses TCP Wrappers, the following checks happen in order (the order matters: rules are processed line by line and the first matching rule decides):

The process will check the file /etc/hosts.allow. Access will be granted if a match is found in the /etc/hosts.allow file.

The process will check the file /etc/hosts.deny. Access will be denied if a match is found in the /etc/hosts.deny file.

In the event no matching rules apply, access will be granted.

Syntax (format) Of Host Access Control Files

Both /etc/hosts.allow and /etc/hosts.deny use the following format:
daemon_list : client_list [ : shell_command ]
Where,
daemon_list – a list of one or more daemon process names.
client_list – a list of one or more host names, host addresses, patterns, or wildcards that will be matched against the client host name or address.
WildCards

The access control language supports explicit wildcards (quoting from the man page):

ALL      The universal wildcard, always matches.
LOCAL    Matches any host whose name does not contain a dot character.
UNKNOWN  Matches any user whose name is unknown, and matches any host whose name or address is unknown. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
KNOWN    Matches any user whose name is known, and matches any host whose name and address are known. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
PARANOID Matches any host whose name does not match its address. When tcpd is built with -DPARANOID (default mode), it drops requests from such clients even before looking at the access control tables. Build without -DPARANOID when you want more control over such requests.

Examples

In this example, I will set the default policy to deny access, so that only explicitly authorized hosts are permitted. Update /etc/hosts.deny as follows:

# The default policy (no access) is implemented with a trivial deny file
ALL: ALL

The ALL: ALL config will deny all service to all hosts unless they are permitted access by entries in the allow file. For example, allow access as follows via /etc/hosts.allow file:

ALL : ALL                                              # allow all services from all clients

ALL : 192.168.0.55                                     # allow all services from client 192.168.0.55

sshd : 192.168.0.0/255.255.255.0 EXCEPT 192.168.0.55   # allow sshd from network 192.168.0.0/24 except 192.168.0.55

sshd, ftpd : ALL                                       # allow sshd and ftpd from all clients

Can we use domain names instead of IP addresses? Yes. A pattern that begins with a dot matches every host whose name ends with it:

ALL : .kvit.in EXCEPT mail.kvit.in       # allow all services from hosts in kvit.in, except from mail.kvit.in

A pattern that ends with a dot matches a network prefix; note the dot (.) at the end of the rule:

ALL : 123.12.                            # allow all services from all hosts in the 123.12.0.0 network

The verdict can also be written as an allow or deny option at the end of a rule, so both kinds of rule can live in one file:

sshd : 192.168.0.55 : allow
sshd : 192.168.0.58 : deny
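To make the evaluation order and the client patterns concrete, here is a small Python model of the tcpd decision (an added example, not code from this page or from the tcp_wrappers project). The hosts.allow and hosts.deny contents are constructed from the rule forms above; the model handles ALL, LOCAL, leading-dot and trailing-dot patterns, net/mask, EXCEPT and the inline allow/deny options, and ignores KNOWN, UNKNOWN, PARANOID and IPv6.

```python
import ipaddress
import re

# Constructed hosts.allow / hosts.deny contents, using the rule forms shown on this page.
HOSTS_ALLOW = """sshd : 192.168.0.58 : deny
sshd : 192.168.0.0/255.255.255.0 EXCEPT 192.168.0.55
ALL : .kvit.in EXCEPT mail.kvit.in
ALL : localhost
"""
HOSTS_DENY = "ALL : ALL\n"   # default policy: refuse whatever hosts.allow did not grant

def parse_rules(text):
    """Yield (daemon_list, client_list, options) per rule; joins backslash continuations."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            fields = [f.strip() for f in line.split(":")]   # IPv4 only: no ':' inside fields
            yield fields[0], fields[1], fields[2:]

def match_pattern(pat, host, addr):
    """One client pattern, following the forms described in hosts_access(5)."""
    pat = pat.lower()
    if pat == "all":
        return True
    if pat == "local":                  # host name without a dot
        return host is not None and "." not in host
    if pat.startswith("."):             # '.kvit.in' matches names ending in it
        return host is not None and host.endswith(pat)
    if pat.endswith("."):               # '123.12.' matches addresses starting with it
        return addr.startswith(pat)
    if "/" in pat:                      # net/mask (or CIDR) form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pat, strict=False)
    return pat == addr or pat == host

def match_list(spec, host, addr):
    """'list_1 EXCEPT list_2' matches list_1 unless list_2 matches (nests to the right)."""
    left, sep, right = " ".join(spec.split()).partition(" EXCEPT ")
    hit = any(match_pattern(p, host, addr) for p in re.split(r"[\s,]+", left))
    return hit and not (sep and match_list(right, host, addr))

def hosts_access(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide as tcpd does: first match in hosts.allow grants, then first match in hosts.deny
    refuses, no match grants; an inline allow/deny option overrides the file's verdict."""
    host = host.lower() if host else None
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients, opts in parse_rules(text):
            names = re.split(r"[\s,]+", daemons.lower())
            if ("all" in names or daemon.lower() in names) and match_list(clients, host, addr):
                return "allow" if "allow" in opts else "deny" if "deny" in opts else verdict
    return "allow"
```

Note that 192.168.0.58 is refused only because its inline deny rule comes before the network rule; swap the two lines and the first match would grant it.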

Log and deny access (a booby trap). Connections from a host we do not want, here 192.168.0.55 (a name such as crackers.com would work the same way), are refused and each attempt is recorded:
ALL : 192.168.0.55 \
: spawn (/bin/echo %a from %h attempted to access %d >> \
/var/log/connections.log) \
: deny

# tail -f /var/log/connections.log

::ffff:192.168.0.55 from ::ffff:192.168.0.55 attempted to access sshd
::ffff:192.168.0.55 from ::ffff:192.168.0.55 attempted to access sshd
::ffff:192.168.0.55 from ::ffff:192.168.0.55 attempted to access sshd

A Linux Example
Allow access to various services inside LAN only via /etc/hosts.allow:
sendmail : 192.168.1.0/255.255.255.0
sshd : 192.168.1.2 172.16.23.12
Deny everything via /etc/hosts.deny:
ALL : ALL

Reject All Connections

Restrict all connections to non-public services to localhost only. Suppose sshd and sendmail are the services that must be reachable remotely. Edit /etc/hosts.allow and add the following lines for sshd and sendmail:
sshd, sendmail : ALL
ALL: localhost
Save and close the file. Edit /etc/hosts.deny. Add the following line:
ALL: ALL

Spawn examples

As mentioned above, you can couple the rules to certain shell commands by using the following two options.

Using spawn – This option launches a shell command as a child process. For example, look at the following rule:

sshd : 192.168.0.55 : spawn /bin/echo `/bin/date` from %h >> /var/log/connection.log : deny

Each time the rule matches, the current date and the client's hostname (%h) are appended to connection.log:

tail -f /var/log/connection.log

Mon Sep 8 11:22:48 IST 2014 from ::ffff:192.168.0.55
Mon Sep 8 11:22:51 IST 2014 from ::ffff:192.168.0.55
Mon Sep 8 11:22:55 IST 2014 from ::ffff:192.168.0.55

Using twist – This option replaces the requested service with the specified command. For example, if you want to tell a client connecting over ssh that it is prohibited from accessing SSH, you can use this option:

sshd : client1.xyz.com : twist /bin/echo "You are prohibited from accessing this service!!" : deny

The 'twist' directive replaces the service with a selected command. It is commonly used to set up honeypots. Another use for it is to send messages to connecting clients. The 'twist' command must be used at the end of a rule line. Here is an example of using 'twist' in /etc/hosts.deny to send a message, via the echo command, to a host that has abused FTP services:

Example using twist in /etc/hosts.deny:
vsftpd : 192.168.0.55 \
: twist /bin/echo "Service suspended for abuse!"

When using spawn and twist, you can use the following % expansions:
%a — The client’s IP address.
%A — The server’s IP address.
%c — Supplies a variety of client information, such as the username and hostname, or the username and IP address.
%d — The daemon process name.
%h — The client’s hostname (or IP address, if the hostname is unavailable).
%H — The server’s hostname (or IP address, if the hostname is unavailable).
%n — The client’s hostname. If unavailable, unknown is printed. If the client’s hostname and host address do not match, paranoid is printed.
%N — The server’s hostname. If unavailable, unknown is printed. If the server’s hostname and host address do not match, paranoid is printed.
%p — The daemon process ID.
%s — Various types of server information, such as the daemon process and the host or IP address of the server.
%u — The client’s username. If unavailable, unknown is printed.
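As an added example (not from this page or the tcp_wrappers source), the Python function below expands those sequences for one constructed connection and reproduces the log line written by the booby-trap rule above. It also shows the unknown/paranoid cases of %n and the replacement of shell metacharacters in expanded values that tcpd performs before the command reaches the shell; the exact safe character set used here is an assumption.

```python
import re

# Constructed connection context: the facts tcpd knows when a spawn/twist rule fires.
CONN = {
    "client_addr": "::ffff:192.168.0.55", "client_host": None,      # no reverse DNS
    "server_addr": "::ffff:192.168.0.1", "server_host": "gw.kvit.in",
    "daemon": "sshd", "pid": 4242, "user": None, "paranoid": False,  # paranoid: client name/address mismatch
}

def expand(template, c):
    """Expand the % sequences of hosts_access(5). Expanded values are sanitised before
    they reach the shell, as tcpd does; the safe set below is an assumption."""
    def h(host, addr):                          # %h / %H: name, else address
        return host or addr
    def n(host, paranoid=False):                # %n / %N: name, 'unknown' or 'paranoid'
        return "paranoid" if paranoid else (host or "unknown")
    user = c["user"] or "unknown"
    table = {
        "a": c["client_addr"], "A": c["server_addr"], "d": c["daemon"],
        "h": h(c["client_host"], c["client_addr"]), "H": h(c["server_host"], c["server_addr"]),
        "n": n(c["client_host"], c["paranoid"]), "N": n(c["server_host"]),
        "p": str(c["pid"]), "u": user, "%": "%",
    }
    table["c"] = user + "@" + table["h"] if c["user"] else table["h"]   # user@host when known
    table["s"] = c["daemon"] + "@" + table["H"]
    def sub(m):
        value = table.get(m.group(1), m.group(0))                # unknown %x is left alone
        return re.sub(r"[^A-Za-z0-9@%._:/-]", "_", value)        # neuter shell metacharacters
    return re.sub(r"%(.)", sub, template)
```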

TCP Wrappers make a great complement to your current security measures. Remember: always thoroughly test any security implementation before moving to a production platform!

CEO, KV IT-Solutions Pvt. Ltd. | vikas@kvit.in | 9810028374|
Linux Professional and an Industrial Trainer | 20 + years Experience in IT Industry
