TCP Wrappers to secure Linux


What are TCP Wrappers?

TCP Wrappers can be used to GRANT or DENY access to various services on your machine to the outside network or other machines on the same network.

We do that with access list rules kept in two files, /etc/hosts.allow and /etc/hosts.deny. TCP Wrappers also allows run-time reconfiguration without restarting or reloading the services it protects: the files are re-read on every new connection.

Advantages:

  • Logging – Connections that are monitored by TCP Wrappers are reported through the syslog facility.
  • Access Control – TCP Wrappers supports a simple form of access control based on pattern matching. You can even hook the execution of shell commands/scripts when a pattern matches.
  • Host Name Verification – TCP Wrappers verifies the client host name returned by the address->name (reverse) DNS lookup by checking that the name->address (forward) lookup of that name returns the connecting address.
  • Spoofing Protection.

Disadvantages:

TCP Wrappers do not work with all applications:

  • Programs or applications must be compiled (linked) against the libwrap library.
  • TCP Wrappers do not support RPC services over TCP.

How to check for the libwrap library?

To check whether a given service is compatible with TCP Wrappers, use the following commands (example: sshd):

[root@web ~]# which sshd
/usr/sbin/sshd
[root@web ~]# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib/libwrap.so.0 (0x00cb5000)

The ldd command shows whether libwrap.so is a dependency of the binary or not. A line like the last one appears only if the service supports TCP Wrappers.

Note: here the sshd service can be controlled by TCP Wrappers.

Check compatibility for the httpd service:

[root@web ~]# which httpd
/usr/sbin/httpd
[root@web ~]# ldd /usr/sbin/httpd | grep libwrap
[root@web ~]#

No output means httpd has no dependency on libwrap, so TCP Wrappers cannot control it.

How do TCP Wrappers work?

When a connection is attempted to a service that uses TCP Wrappers, the following occurs. The order of these steps is important, because the files are processed line by line and the first matching rule decides:

  1. The process will check the file /etc/hosts.allow. Access will be granted if a match is found in the /etc/hosts.allow file.
  2. The process will check the file /etc/hosts.deny. Access will be denied if a match is found in the /etc/hosts.deny file.
  3. In the event no matching rules apply, access will be granted.

Access control syntax:

The syntax for both the hosts.allow and hosts.deny files takes the following form:

 daemon : client [:option1:option2:…]

where daemon is one or more daemon process names, separated by commas (the ssh daemon, the ftp daemon and so on).

client is a comma-separated list of hostnames, host IP addresses, special patterns or wildcards which identify the hosts affected by that rule.
option is an optional action, such as sending mail to the administrator when this rule is matched, logging to a particular file and so on. Several options can be given as a colon-separated list.

Examples of using TCP Wrappers

Deny all services:

By default /etc/hosts.allow and /etc/hosts.deny are blank, so no libwrap-linked service is blocked by TCP Wrappers. Suppose I want to deny all services. Leave /etc/hosts.allow blank and put the following rule in /etc/hosts.deny:

/etc/hosts.allow
(blank)

/etc/hosts.deny
ALL:ALL

Here all services will be blocked from all clients. We can watch the activity by viewing the log /var/log/messages.

Allow sshd from 192.168.0.15, deny the rest:

I want to allow SSH access from one particular IP address, 192.168.0.15, and deny it to all others. I enter the following rules:

/etc/hosts.allow
sshd : 192.168.0.15

/etc/hosts.deny
sshd : ALL

Allow only sshd from the network 192.168.0.0/24 except the IP address 192.168.0.55:

/etc/hosts.allow
sshd:192.168.0.0/255.255.255.0 EXCEPT 192.168.0.55

/etc/hosts.deny
ALL: ALL

Allow only sshd and ftpd from ALL clients:

/etc/hosts.allow
sshd, ftpd : ALL

/etc/hosts.deny
ALL: ALL

Allow all services from the domain .kvit.in except from the host mail.kvit.in:

Domain names can be used instead of IP addresses.

/etc/hosts.allow
ALL: .kvit.in EXCEPT mail.kvit.in

/etc/hosts.deny
ALL: ALL

Note: ALL : 192.168. matches all the hosts in the 192.168.0.0 network. Note the dot (.) at the end of the pattern: a pattern ending in a dot is an address prefix, just as a pattern starting with a dot (.kvit.in) is a domain suffix.
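An added example, not code from this post or from libwrap: a small Python model of the hosts.allow/hosts.deny evaluation order and of the client patterns used in the rules above (ALL, LOCAL, net/mask, trailing-dot address prefixes, leading-dot domain suffixes, exact names and EXCEPT). It assumes the client host name is already resolved (no DNS or PARANOID check), ignores the option fields, and the rule files and hosts are constructed.

```python
import ipaddress

# Added example: a simplified model of the hosts_access order and client
# patterns described above. It is not libwrap's code; host names are assumed
# to be already resolved and option fields (spawn, deny, ...) are ignored.

def match_client(pattern, host, addr):
    """True if one client pattern matches the connecting host name/address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                       # names without a dot, e.g. localhost
        return "." not in host
    if "/" in pattern:                           # 192.168.0.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                    # 192.168.0. -> address prefix
        return addr.startswith(pattern)
    if pattern.startswith("."):                  # .kvit.in -> domain suffix
        return host.endswith(pattern)
    return pattern in (host, addr)               # exact host name or address

def match_list(spec, host, addr):
    """'list_1 EXCEPT list_2' matches when list_1 matches and list_2 does not."""
    left, _, right = spec.partition(" EXCEPT ")
    hit = any(match_client(p, host, addr) for p in left.replace(",", " ").split())
    return hit and not (right and match_list(right.strip(), host, addr))

def parse_rules(text):
    """Yield (daemon_names, client_spec) per rule; joins backslash-continued lines."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            daemons, clients = line.split(":", 2)[:2]  # after the 2nd ':' come options
            yield daemons.replace(",", " ").split(), clients.strip()

def hosts_access(allow_text, deny_text, daemon, host, addr):
    """hosts.allow is consulted first, then hosts.deny; no match means access."""
    for text, verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for daemons, clients in parse_rules(text):
            if any(d in ("ALL", daemon) for d in daemons) and match_list(clients, host, addr):
                return verdict
    return "allow"

if __name__ == "__main__":
    # Constructed rule files mirroring the "EXCEPT 192.168.0.55" example above.
    allow = "sshd : 192.168.0.0/255.255.255.0 EXCEPT 192.168.0.55\n"
    deny = "ALL : ALL\n"
    print(hosts_access(allow, deny, "sshd", "pc15.kvit.in", "192.168.0.15"))    # allow
    print(hosts_access(allow, deny, "sshd", "pc55.kvit.in", "192.168.0.55"))    # deny
    print(hosts_access(allow, deny, "vsftpd", "pc15.kvit.in", "192.168.0.15"))  # deny
```

Running it with both rule strings empty returns "allow", which is the third step of the procedure above: with no matching rule, access is granted.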

The next rule denies FTP access to all the hosts in the xyz.com domain as well as all the hosts in the 192.168.0.0 network, and logs each denied attempt. The leading dot in .xyz.com is what makes the pattern match every host in that domain rather than only the host named xyz.com.

/etc/hosts.deny
vsftpd : 192.168.0. , .xyz.com : spawn /bin/echo `/bin/date` access denied >> /var/log/vsftpd.log : deny

Log and deny access:

ALL : 192.168.0.55 \
    : spawn (/bin/echo %a from %h attempted to access %d >> \
      /var/log/connections.log) \
    : deny

# tail -f /var/log/connections.log

::ffff:192.168.0.55 from ::ffff:192.168.0.55 attempted to access sshd
::ffff:192.168.0.55 from ::ffff:192.168.0.55 attempted to access sshd
::ffff:192.168.0.55 from ::ffff:192.168.0.55 attempted to access sshd

The backslash (\) in the above rule breaks the line and prevents the rule from failing because of its length.

spawn and deny are options. spawn launches a shell command as a child process. In the rule above, spawn appends a message to /var/log/connections.log each time the rule matches; %a, %h and %d expand to the client address, the client host name and the daemon name, which is what the tail output shows. In the earlier vsftpd rule, spawn logs to /var/log/vsftpd.log in the same way. deny is optional if you are including the rule in the hosts.deny file.

Note: the last line in hosts.allow and hosts.deny must end with a newline character, or else the rule will fail.
For example, you can use the spawn option to send mail to the admin whenever a deny rule is matched.

Wildcards

You can use wildcards in the client section of the rule to broadly classify a set of hosts. These are the valid wildcards that can be used.

  • ALL – Matches everything
  • LOCAL – Matches any host whose name does not contain a dot (.), like localhost.
  • KNOWN – Matches any host where the hostname and host addresses are known or where the user is known.
  • UNKNOWN – Matches any host where the hostname or host address are unknown or where the user is unknown.
  • PARANOID – Matches any host where the hostname does not match the host address.

How Do I Examine My TCP Wrapper Configuration File?

Use the tcpdchk command to examine your TCP Wrappers configuration; it reports all of the potential and real problems it can find (use -v for a verbose listing of every rule):

tcpdchk
tcpdchk -v

Be careful:

  • Put TCP Wrappers behind a firewall, as TCP Wrappers is no substitute for netfilter (iptables) or the pf firewall.
  • Never configure TCP Wrappers on the firewall host.
  • TCP Wrappers is suitable for production servers. Remember: always test thoroughly before any security implementation.

CEO, KV IT-Solutions Pvt. Ltd. | vikas@kvit.in | 9810028374|
Linux Professional and an Industrial Trainer | 20 + years Experience in IT Industry

” We are born free, No Gate and Windows can snatch our freedom “
