Wednesday, February 3, 2010

TCP Wrappers

If you want to set up a very good security you must build a layerd security.Tcp Wrappers is like a basic firewall that protects your network services.

A basic security before you set up ipfilters firewall   looks like this:
xinetd -->TCPWrappers-->network service (layerd security)
To create the TCP Wrappers rules edit these two files:

hosts.allow and hosts.deny

These two files, located in your /etc/ folder, allow you to limit or permit connections from specific hosts or ips. Using these two files you could setup a whitelisting basic firewall or blacklist.

Here is the format:

daemon_list : client_list [ : shell command]

daemon_list - is a list of one or more daemon process names (argv[0] values) or server port numbers or wildcards.
client_list - is a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address.
shell command is optional
List elements should be separated by blanks and/or commas.


Here are lists of wildcards support by tcp wrappers:

ALL The universal wildcard, always matches. 
LOCAL Matches any host whose name does not contain a dot character.
UNKNOWN Matches any user whose name is unknown, and matches any host whose name or address are unknown. 
KNOWN Matches any user whose name is known, and matches any host whose name and address are known.  
PARANOID Matches any host whose name does not match its address.

Shell commands

I never used theese but you can open a shell type man hosts.allow to find out more

Example of editing rules for TCP Wrappers:

Open your favorite editor and open the hosts.allow file

sudo nano /etc/hosts.allow

ALL: 127.0. (the 127.0. range is allowed)

telnetd : (specific IP) 192.168.0. (specific range) EXCEPT (range exceptions)

sudo nano  /etc/hosts.deny

ALL : ALL (denying all services to all hosts)

How to test if tcpwrappers is working:

1.Open a shell and type:
tcpdchk -v   (tcpdchk examines your tcp wrapper configuration and reports all potential and real problems it can find. The program examines the tcpd access control files (by default, these are /etc/hosts.allow and /etc/hosts.deny), and compares the entries in these files against entries in the inetd(xinetd) network configuration file.)
2.Open a shell and type:
tcpdmatch in.telnetd (tcpdmatch predicts how the tcp wrapper would handle a specific request for a service.The program examines the tcpd access control tables (default /etc/hosts.allow and /etc/hosts.deny) and prints its conclusion. For maximal accuracy, it extracts additional information from your inetd(xinetd) network configuration file.When tcpdmatch finds a match in the access control tables, it identifies the matched rule. In addition, it displays the optional shell commands or options in a pretty-printed format; this makes it easier for you to spot any discrepancies between what you want and what the program understands.)
 How to check if a service is compatible with tcpwrappers:
1. Not all the services are compatible with TCP Wrappers , so to see which services are compatible open a shell and type:

ldd /usr/sbin/telnetd | grep libwrap (this example tests the telnet service)

In the example above we see that the telnetd (telnet server) is referring to the, so we can tell that any restrictions in hosts.allow and hosts.deny are applicable to that service.

No comments:

Post a Comment