In the world of Linux there are numerous ways that you can configure a Linux server to allow or deny access to a service, and while many people like to rely solely on Iptables, I wanted to take the opportunity to get my feet wet with TCP Wrappers. Note that this post is not meant to be the be-all end-all post on tcp wrappers. I am not going to review each and every configuration option, and trust me there are quite a few. Rather this is going to be a simple post which explains how to use tcp wrappers.
TCP Wrappers Configuration Files
First off you need to know that there are two configuration files for TCP wrappers. They are listed below.
#/etc/hosts.allow
#/etc/hosts.deny
To determine if a remote host is allowed to access a local service, the hosts.allow file referenced first, then the hosts.deny is referenced. Each file is read from the top down.
Rules in the hosts.allow take precedence over rules in the hosts.deny. Access will be granted for rules in the /etc/hosts.allow, and denied for rules in the /etc/hosts.deny ( note that this is not always the case, however this is how most people use tcpwrappers)
Basic rules are configured using the format below
<daemon list> : <client list> [: <option> : <option> ]
Below is a very simple and basic rule for sshd. In this example we want to allow all hosts in the domain fatmin.com to have access to sshd, and we want to deny sshd access to everyone else.
So in the /etc/hosts.allow
sshd : *.fatmin.com
and in /etc/hosts.deny
sshd: ALL
Creating Rule Matching Patterns
Ok, so what I have shown you above is a very simple example using a very simple matching rule, however there are actually quite a few ways to format a rule lets review a few of the more common ones that you might see.
Match by Hostname – All hosts below in the domain fatmin.com matched. Vsftpd is specified service
vsftpd: .fatmin.com
Match by IP address – All hosts in 192.168.x.x are matched. Vsftpd is specified service
vsftpd: 192.168.
Match by IP/Subnet – All hosts in 192.168.0.0/24 are matched. Vsftpd is specified service
vsftpd: 192.168.0.0/255.255.255.0
Match All – All Services and Hosts are matched.
ALL : ALL
What Services Use TCP Wrappers
Initially TCP Wrapper only “wrapped” services that were configured as part of inet.d, or xinet.d, but over time more and more processes have been configured to use librap.so. The example below shows how see if a daemon used libwrap, and can therefore be allowed or blocked via tcpwrappers.
Below we are locating the sshd binary and seeing if it uses libwrap. Which is does.
# whereis sshd
# ldd /usr/sbin/sshd | grep wrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f03f005d000)
Below we are locating the smbd binary and seeing if it uses libwrap. Which is does not.
# whereis smbd
# ldd /usr/sbin/smbd | grep wrap
Instead of checking one service at a time you can run the command below. Note that if a service is not installed, it will not show up
# strings -f /usr/sbin/* |grep hosts_access
/usr/sbin/rpc.mountd: hosts_access
/usr/sbin/sshd: hosts_access
/usr/sbin/tcpd: hosts_access_verbose
/usr/sbin/tcpdmatch: hosts_access_verbose
/usr/sbin/vsftpd: hosts_access
/usr/sbin/xinetd: hosts_access
Note that httpd, samba (smb) and nfs are not configured by default to use tcpwrappers (however it can be done but that is outside the scope of this post)
Configuration Examples
Below are are few more configuration examples that might be useful for reference.
Allow tftpd access from fatmin, and block everyone else.
#/etc/hosts.allow
in.tftpd : .fatmin.com
#/etc/hosts.deny
in.tftpd : .ALL
Allow SSH access from fatmin.com, but block from example.com. Also send log to sshd.log
#/etc/hosts.allow
sshd: .fatmin.com
#/etc/hosts.deny
sshd : .example.com \
: spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log \
: deny
Block tfpd access for all of fatmin.com except for server1.fatmin.com. Note that there is no corresponding hosts.allow entry needed.
#/etc/hosts.deny
tftpd .fatmin.com EXCEPT server1.fatmin.com