Type : System
Operating System : Redhat,Fedora,Centos
Tcp Wrapper is a very simple solution to secure the acces on your linux services. Tcp Wrapper is based on libwrap to limit the acces and give you the option to allow or deny an ip address or an ip range. Tcp_wrapper can be used also to trace the acces on each services. Tcp wrapper can be used if you have also iptables and selinux.
CONFIGURATION FILE
Tcp wrapper used 2 files to allow or deny ip address or an ip range.
- /etc/hosts.allow : If tcp_wrapper find a match, it grants access
- /etc/hosts.deny : If tcp_wrapper find a match, it refuses access
- SYNTAXE :
daemon_list : client_list [:option[:option....]]
- WILDCARD :
ALL :
The universal wildcard, always matches.
LOCAL :
Matches any host whose name does not contain a dot character.
UNKNOWN:
Matches any user whose name is unknown, and matches any host whose name or address are unknown. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
KNOWN :
Matches any user whose name is known, and matches any host whose name and address are known. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to.
PARANOID :
Matches any host whose name does not match its address. When tcpd is built with -DPARANOID (default mode), it drops requests from such clients even before looking at the access control tables. Build without -DPARANOID when you want more control over such requests.
- OPERATOR
EXCEPT Intended use is of the form: ‘list_1 EXCEPT list_2´; this construct matches anything that matches list_1 unless it matches list_2. The EXCEPT operator can be used in daemon_lists and in client_lists. The EXCEPT operator can be nested: if the control language would permit the use of parentheses, ‘a EXCEPT b EXCEPT c´ would parse as
‘(a EXCEPT (b EXCEPT c))´.
- EXPENSION
%a (%A) The client (server) host address.
%c Client information: user@host, user@address, a host name, or just an address, depending on how much information is available.
%d The daemon process name (argv[0] value).
%h (%H) The client (server) host name or address, if the host name is unavailable.
%n (%N) The client (server) host name (or "unknown" or "paranoid").
%p The daemon process id.
%s Server information: daemon@host, daemon@address, or just a daemon name, depending on how much information is available.
%u The client user name (or "unknown").
%% Expands to a single ‘%´ character.
Characters in % expansions that may confuse the shell are replaced by underscores.
EXAMPLE :
Those examples are usefull if you have defined the default policy like in the tips section.
In /etc/hosts.allow
in.telnetd : ALL EXCEPT 10.0.0, LOCAL : twist = echo "Telnet of %u@%h - %c - `date` " >> /var/log/telnet.log
in.tftpd : ALL
sshd, vsftpd : 192.168.4.0/255.255.254 EXCEPT 192.168.4.10
in.rlogind : ALL EXCEPT .example.com
The default policy (no access) is implemented with a trivial deny file:
/etc/hosts.deny:
ALL: ALL
Check if a service support tcp_wrapper :
With the command LDD you can check if a ssh support tcp_wrapper
Example :
#ldd /usr/sbin/sshd
libwrap.so.0 => /lib64/libwrap.so.0 (0x00002ae845682000)
libpam.so.0 => /lib64/libpam.so.0 (0x00002ae84588b000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002ae845a96000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00002ae845c9b000)
libaudit.so.0 => /lib64/libaudit.so.0 (0x00002ae845eb3000)
libfipscheck.so.1 => /usr/lib64/libfipscheck.so.1 (0x00002ae8460cd000)
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002ae8462d0000)
libutil.so.1 => /lib64/libutil.so.1 (0x00002ae846621000)
libz.so.1 => /usr/lib64/libz.so.1 (0x00002ae846824000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00002ae846a39000)
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002ae846c51000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00002ae846e89000)
libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002ae84709f000)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002ae8472cd000)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002ae847562000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002ae847788000)
libnss3.so => /usr/lib64/libnss3.so (0x00002ae84798a000)
libc.so.6 => /lib64/libc.so.6 (0x00002ae847cb5000)
/lib64/ld-linux-x86-64.so.2 (0x00002ae845465000)
libsepol.so.1 => /lib64/libsepol.so.1 (0x00002ae84800d000)
libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002ae848253000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002ae84845c000)
libnssutil3.so => /usr/lib64/libnssutil3.so (0x00002ae84865e000)
libplc4.so => /usr/lib64/libplc4.so (0x00002ae84887b000)
libplds4.so => /usr/lib64/libplds4.so (0x00002ae848a80000)
libnspr4.so => /usr/lib64/libnspr4.so (0x00002ae848c83000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00002ae848ebd000)
if in the result, you have libwrap the daemon can be secure with tcp wrapper.
United States : 
Unknown Browser
