Thursday, July 31, 2008

Security with TCP wrappers

TCP wrappers is on by default and you do not need to start any service for it to work.
TCP wrappers is configured by editing two files: /etc/hosts.allow and /etc/hosts.deny.

When your system receives a network request for a service, the request is passed on to tcp_wrappers before the service sees it.
tcp_wrappers is very straightforward and easy to set up.
Clients that are listed in /etc/hosts.allow are allowed access to the listed services,
and clients that are listed in /etc/hosts.deny are denied access to the listed services.
It's important to know the order in which your system makes its decisions. When a request is made, your system first reads /etc/hosts.allow; if it finds a rule there matching the requested service and client, that rule is obeyed and no further searching takes place. If there is no matching rule in /etc/hosts.allow, your system looks in /etc/hosts.deny, and if it finds a matching rule there, access to the service is denied. If there is no matching rule in either /etc/hosts.allow or /etc/hosts.deny, access to the service is granted automatically.
The syntax of your access rules is as follows:

service_list : client_list

where the service list names the daemons to allow or block (separated by commas) and the client list names the hosts, networks or users the rule applies to.
So let's set up some rules. Edit /etc/hosts.deny using your favourite text editor and add the following line:

ALL : ALL

This makes your server airtight, as every service is denied to every host.
However, we can allow the clients and services that we want by adding them to the /etc/hosts.allow file. Remember that your system checks /etc/hosts.allow first, and if it finds a matching rule there that rule is obeyed and no further checking takes place. So add the following line to /etc/hosts.allow:

ALL : 192.168.0.0/24

Substitute 192.168.0.0/24 with the address range of the network that you want to allow access to your server from.

This allows all services on your server to be accessed from the 192.168.0.0/24 network, while all other networks are denied, since the rule in your /etc/hosts.deny file blocks them.

Your access rules can be very flexible. For example, you could add a rule like this to your /etc/hosts.allow file:

ALL : 192.168.0.0/24 EXCEPT 192.168.0.10

This would allow all hosts on the 192.168.0.0/24 network access to all services on your server except for host 192.168.0.10, which will be denied.

You can also allow access to specific services only, e.g.:

sshd, ftpd, telnetd, http : 192.168.0.20

would allow host 192.168.0.20 to use ssh, ftp and telnet and to access your server over http.

Likewise, you can deny access to specific services and specific clients by adding rules to your /etc/hosts.deny file.

e.g.:
ALL EXCEPT sshd : 192.168.0.0/24
added to your /etc/hosts.deny file would deny all services except ssh to all hosts on the 192.168.0.0/24 network.

As you can see, TCP wrappers is extremely flexible and straightforward to use.

Other recognised patterns that you can put into your /etc/hosts.allow and /etc/hosts.deny files are:

.hostname.com will block or allow clients from the specified domain, e.g.
ALL : .hostname.com in your /etc/hosts.allow file will allow all clients from the hostname.com domain access to all services on your server.

user@machine_name.hostname.com will apply to the specific user from a given computer.

192.168. (since the address ends with a dot) specifies all hosts whose IP address starts with 192.168.
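To make the lookup order and the EXCEPT syntax described above concrete, here is a small Python simulation of the decision (an added example, not part of the original post and not the real tcp_wrappers code). It reads constructed hosts.allow and hosts.deny contents, matches ALL, CIDR, exact-address and trailing-dot prefix patterns with one EXCEPT per list, and applies the allow-then-deny-then-grant order; hostname and user@host patterns are left out because they need DNS and ident lookups.

```python
import ipaddress

# Constructed sample files mirroring the post's rules (not copied from a real system).
HOSTS_ALLOW = """
ALL : 192.168.0.0/24 EXCEPT 192.168.0.10
sshd, ftpd : 10.0.0.5
"""
HOSTS_DENY = "ALL : ALL\n"

def match_daemon(pattern, daemon):
    """Service side: ALL or the daemon's exact name."""
    return pattern == "ALL" or pattern == daemon

def match_client(pattern, addr):
    """Client side: ALL, a CIDR network, a trailing-dot prefix, or an exact address."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):          # e.g. "192.168." matches 192.168.x.y
        return addr.startswith(pattern)
    return addr == pattern

def match_list(field, item, matcher):
    """'list EXCEPT list': match the first list unless the second list also matches."""
    parts = [p.strip() for p in field.split("EXCEPT", 1)]
    hit = any(matcher(p.strip(), item) for p in parts[0].split(","))
    if len(parts) == 2 and any(matcher(p.strip(), item) for p in parts[1].split(",")):
        return False
    return hit

def file_matches(text, daemon, addr):
    """True if any 'service_list : client_list' line in the file matches this request."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        if match_list(daemons, daemon, match_daemon) and match_list(clients, addr, match_client):
            return True
    return False

def access_decision(daemon, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Order from the post: hosts.allow first, then hosts.deny, otherwise access is granted."""
    if file_matches(allow, daemon, addr):
        return "allow"
    if file_matches(deny, daemon, addr):
        return "deny"
    return "allow"

if __name__ == "__main__":
    print(access_decision("sshd", "192.168.0.10"))   # deny: carved out by EXCEPT, then ALL : ALL
```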

To see the exact names of all the services that you can allow or deny, take a look at your /etc/services file.
