TCP wrappers provides the following advantages against network services
Almost every application of the TCP/IP protocols is based on a client-server model, for example telnet, ftp, ssh, etc.
TCP wrappers is used to allow or deny access to the various services on your machine from remote clients on an outside network or from other machines on the same network. It does this by using two files called hosts.allow and hosts.deny.
The TCP wrappers package (tcp_wrappers) is installed by default and provides host-based access control to network services. The most important component within the package is the /usr/lib/libwrap.a library. In general terms, a TCP wrapped service is one that has been compiled against the libwrap.a library.
When a connection attempt is made to a TCP wrapped service, the service first references the hosts access files (/etc/hosts.allow and /etc/hosts.deny) to determine whether or not the client host is allowed to connect. In most cases, it then uses the syslog daemon (syslogd) to write the name of the requesting host and the requested service to /var/log/secure.
- Rules defined in hosts.allow take precedence over rules in hosts.deny.
- You can have only one rule per service in the hosts.allow and hosts.deny files.
- If there are no matching rules in either of the files, or if the files don't exist, then the remote machine is allowed access to the service.
- Any changes to the hosts.allow and hosts.deny files take immediate effect.
Syntax of a rule in the hosts access files: <daemon list>: <client list> [: <option>: <option>: ...]
The following wildcards may be used:
ALL — Matches everything. It can be used for both the daemon list and the client list.
LOCAL — Matches any host that does not contain a period (.), such as localhost.
KNOWN — Matches any host where the hostname and host address are known or where the user is known.
UNKNOWN — Matches any host where the hostname or host address are unknown or where the user is unknown.
PARANOID — Matches any host where the hostname does not match the host address.
Some examples:
vsftpd : .example.com
This rule instructs TCP wrappers to watch for connections to the FTP daemon (vsftpd) from any host in the example.com domain. If this rule appears in hosts.allow, the connection will be accepted. If this rule appears in hosts.deny, the connection will be rejected.
ALL : .xyz.com
Matches all hosts in the xyz.com domain. Note the dot (.) at the beginning.
ALL : 123.12.
Matches all hosts whose IP address begins with 123.12; note the dot (.) at the end of the rule.
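ALL : 192.168.0.0/255.255.255.0
A network address/netmask pair can be used in the rule. The part before the slash must be the network address (here 192.168.0.0), because a client matches only when its address ANDed with the netmask equals that value.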
sshd : 192.168.5.5 : spawn /bin/echo `/bin/date` from %h >> /var/log/ssh.log : deny
Each time the rule is satisfied, the current date and the client's hostname (%h) are appended to the ssh.log file, and the connection is denied.
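The evaluation order and client patterns described above, as an added Python example (not code from the tcp_wrappers package or from the original page). It assumes IPv4 only, handles the ALL and LOCAL wildcards, ignores options such as spawn and deny, and uses constructed sample rule sets.

```python
import ipaddress

def client_matches(pattern, host, addr):
    """Match one client-list token against a client's hostname and IPv4 address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                  # hostname without a period
        return "." not in host
    if pattern.startswith("."):             # .example.com: domain suffix
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):               # 123.12.: address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                      # net/mask: (addr & mask) must equal net
        net, mask = (int(ipaddress.IPv4Address(p)) for p in pattern.split("/"))
        return (int(ipaddress.IPv4Address(addr)) & mask) == net
    return pattern in (host, addr)          # exact hostname or address

def rule_matches(rule, daemon, host, addr):
    """True if a '<daemon list> : <client list>' rule covers this connection."""
    daemons, clients = (f.replace(",", " ").split() for f in rule.split(":")[:2])
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, host, addr) for c in clients))

def access_allowed(allow_rules, deny_rules, daemon, host, addr):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    if any(rule_matches(r, daemon, host, addr) for r in allow_rules):
        return True
    if any(rule_matches(r, daemon, host, addr) for r in deny_rules):
        return False
    return True

# Constructed sample rule sets (not taken from a real system).
HOSTS_ALLOW = ["vsftpd : .example.com", "sshd : 192.168.0.0/255.255.255.0"]
HOSTS_DENY_EMPTY = []                # hosts.deny missing or empty
HOSTS_DENY_ALL = ["ALL : ALL"]       # default-deny catch-all

if __name__ == "__main__":
    outsider = ("sshd", "host.other.test", "203.0.113.7")
    print("empty hosts.deny :", access_allowed(HOSTS_ALLOW, HOSTS_DENY_EMPTY, *outsider))
    print("ALL : ALL in deny:", access_allowed(HOSTS_ALLOW, HOSTS_DENY_ALL, *outsider))
    print("LAN client       :", access_allowed(HOSTS_ALLOW, HOSTS_DENY_ALL,
                                               "sshd", "pc1.lan.test", "192.168.0.44"))
```

The first case is allowed even though no rule mentions the client, because a connection that matches neither file is accepted; an ALL : ALL entry in hosts.deny turns that into default-deny.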
To determine if a network service binary is linked against libwrap.a, type the following command as the root user:
strings -f <binary-name> | grep hosts_access
Replace <binary-name> with the name of the network service binary, for example:
# strings /usr/sbin/sendmail | grep hosts_access
If the prompt is returned with no output, then the network service is not linked against libwrap.a.