TCP Wrappers – It’s Not So Hard
By Ian Scott
Back in the “olden days,” before TCP Wrappers had been thought of, the Eindhoven University of Technology in The Netherlands was experiencing some major intrusion problems on its systems. Somehow, a cracker was gaining access to its machines and, for whatever reason, deleting the entire file system of every server he managed to get into.
Along came the brilliant Wietse Venema. You may have heard of Venema: the author of Postfix and The Coroner’s Toolkit, and a regular columnist in Dr. Dobb’s Journal.
Venema needed a way to track the cracker who was somehow breaching the University’s systems. If you’d like to read the interesting story, you can download it here, but you will need the “ncompress” utility to unpack it.
Venema’s program is probably one of the best places to start in securing your Linux or Unix computer. What it does is control access to running services through two files, /etc/hosts.allow and /etc/hosts.deny. We’ll look at an example shortly.
Let’s first find out what TCP Wrappers is. Is it a firewall? Sort of. It is host-based access control: a packet filter such as iptables decides which packets reach the machine at all, while TCP Wrappers decides, inside the service itself, whether a client that has already connected is allowed to talk to it. Prior to TCP Wrappers, access to a service was based only on providing a correct password once you had connected. TCP Wrappers goes further and lets you narrow down where connection attempts may come from in the first place.
Most Linux distributions include the TCP Wrappers package by default. Any service that has been compiled against the TCP Wrappers library (libwrap), or that is started through the tcpd program from inetd or xinetd, can use it. When a connection attempt arrives, TCP Wrappers checks two files, /etc/hosts.allow and /etc/hosts.deny, and decides on the basis of the first rule that matches both the service and the client. The order matters: hosts.allow is read first, and a match there grants access; otherwise hosts.deny is read, and a match there refuses it; if neither file matches, the connection is allowed. So an empty pair of files means “everyone in.”
This does not mean that someone attempting to connect to the SSH service, for example, will automatically obtain access. The connection must still provide the correct password or key. But if you don’t want ssh connections to your server in the first place, except from some IPs or networks, TCP Wrappers is your friend.
If, for instance, you have the ssh service running on a server, and need to connect to it, but don’t want anyone else connecting to it, through TCP Wrappers, you can configure your server to refuse all ssh connection attempts except from where you explicitly allow them.
And it’s pretty darn easy, as well. As mentioned above, there are two files – /etc/hosts.deny and /etc/hosts.allow. Let’s look at how we can make these files work for us.
Let’s say you don’t want anybody or anything to connect to your server. What you do is simply put the line:
ALL: ALL
in your /etc/hosts.deny file. Any service running on your machine that uses TCP Wrappers will now reject every connection attempt, unless a line in /etc/hosts.allow grants it (hosts.allow is consulted first and wins). Services that do not use TCP Wrappers are not affected at all.
But sometimes, that’s not really what you want. You have SSH running as a daemon for a reason – there are times you want to be able to ssh into that server, right? But you’d prefer if only you could access the SSH service.
Assuming you have your own static IP address, here is what you could do:
Open /etc/hosts.deny in a text editor such as Emacs or vi and add this on a new line:
sshd: ALL
The first field is the daemon’s process name, sshd, not the service name “ssh”; it is matched case-insensitively, so SSHD works too. (If you already have ALL: ALL in hosts.deny, this line is redundant.) What it does is tell TCP Wrappers to refuse every ssh connection to the server.
Ooops.. that’s not so good if you want to connect via ssh, right? Well, that’s when you open up /etc/hosts.allow in your text editor and, assuming your IP address is 10.10.10.5, add:
sshd: 10.10.10.5
Once you’ve saved both files, all ssh connections except those from 10.10.10.5 will be refused: the hosts.allow line matches your address first and lets you in, and everyone else falls through to the sshd: ALL line in hosts.deny.
Let’s say you want to be able to connect from every IP address within the 10.10.10 network. No problem. Instead of typing your full IP address in the hosts.allow file, type this:
sshd: 10.10.10.
The trailing dot makes it a prefix pattern, which allows ssh connections from 10.10.10.0 through 10.10.10.255 (and nothing else: 10.10.100.5 does not start with “10.10.10.”). You can also write a network and mask, such as sshd: 10.10.0.0/255.255.0.0, and carve out exceptions with EXCEPT, for example sshd: 10.10.10. EXCEPT 10.10.10.99.
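To see exactly how those files combine, here is an added example (not code from the article or from Venema’s package): a small Python model of the hosts_access(5) decision for IPv4 clients. It reads constructed hosts.allow and hosts.deny contents, walks hosts.allow first, then hosts.deny, and permits anything neither file matches, which is what libwrap does. It handles ALL, the trailing-dot prefix form, net/mask, exact addresses and EXCEPT; hostname patterns (leading dot, LOCAL, KNOWN, PARANOID) and the daemon@host form are deliberately left out, and the daemon name vsftpd is just a stand-in for any second wrapped service.

```python
"""Model of the hosts_access(5) decision for IPv4 clients (added example,
not libwrap itself). Order: hosts.allow first (match = permit), then
hosts.deny (match = refuse), and a client matched by neither is permitted."""
import ipaddress

# Constructed hosts.allow / hosts.deny contents matching the article's setup
# (the trailing dot makes 10.10.10. a prefix pattern for 10.10.10.0-255).
HOSTS_ALLOW = """\
# admin subnet only, minus one host we never want to see
sshd: 10.10.10. EXCEPT 10.10.10.99
"""
HOSTS_DENY = """\
sshd: ALL
"""
# The safer deny file: close the door for every wrapped service.
HOSTS_DENY_ALL = "ALL: ALL\n"


def _tokens(field):
    """Split a daemon or client list on commas/whitespace; EXCEPT stays a token."""
    return field.replace(",", " ").split()


def _parse(text):
    """Return [(daemon_tokens, client_tokens), ...] for one access-control file.
    Lines beginning with '#' are ignored and a trailing backslash joins the
    next line, as hosts_access(5) describes. A third field (shell command)
    is accepted but ignored here."""
    rules, logical = [], ""
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue
        if raw.endswith("\\"):
            logical += raw[:-1]
            continue
        logical += raw
        fields = [f.strip() for f in logical.split(":")]
        logical = ""
        if len(fields) >= 2:  # daemon_list : client_list [: shell_command]
            rules.append((_tokens(fields[0]), _tokens(fields[1])))
    return rules


def _list_match(tokens, value, match_one):
    """'list_1 EXCEPT list_2' matches when list_1 matches and list_2 does not;
    the recursion on the tail handles nested EXCEPT clauses the way libwrap does."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return (_list_match(tokens[:i], value, match_one)
                and not _list_match(tokens[i + 1:], value, match_one))
    return any(match_one(tok, value) for tok in tokens)


def _match_daemon(token, daemon):
    """Daemon field is the server's process name, compared case-insensitively."""
    return token.upper() == "ALL" or token.lower() == daemon.lower()


def _match_client(token, addr):
    """Client patterns modelled: ALL, dotted prefix ('10.10.10.'), net/mask or
    net/prefixlen, and an exact address. Hostname patterns are not modelled."""
    if token.upper() == "ALL":
        return True
    if token.endswith("."):
        return str(addr).startswith(token)
    if "/" in token:
        try:
            return addr in ipaddress.ip_network(token, strict=False)
        except ValueError:
            return False
    return str(addr) == token


def decide(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (permitted, reason) for a connection to `daemon` from `client_ip`."""
    addr = ipaddress.ip_address(client_ip)

    def first_match(rules):
        return any(_list_match(d, daemon, _match_daemon)
                   and _list_match(c, addr, _match_client) for d, c in rules)

    if first_match(_parse(allow_text)):
        return True, "matched hosts.allow"
    if first_match(_parse(deny_text)):
        return False, "matched hosts.deny"
    return True, "no rule matched: libwrap's default is to permit"


if __name__ == "__main__":
    cases = [
        ("sshd", "10.10.10.5"),    # inside the admin subnet
        ("sshd", "10.10.10.99"),   # carved out with EXCEPT
        ("sshd", "192.0.2.7"),     # outside: hits sshd: ALL in hosts.deny
        ("vsftpd", "192.0.2.7"),   # another wrapped daemon: nothing matches, so permitted
    ]
    for d, ip in cases:
        ok, why = decide(d, ip)
        print(f"{d:7} from {ip:12} -> {'permit' if ok else 'refuse'} ({why})")
    ok, why = decide("vsftpd", "192.0.2.7", deny_text=HOSTS_DENY_ALL)
    print(f"vsftpd  from 192.0.2.7    -> {'permit' if ok else 'refuse'} ({why}) with ALL: ALL")
```

The fourth case is the one to remember: with only sshd: ALL in hosts.deny, every other wrapped service is still open to the world, which is why the ALL: ALL deny line is the better starting point. On a real system, check the same question with tcpdmatch (for example tcpdmatch sshd 10.10.10.5), which evaluates the live files without opening a connection.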
Any connection attempt refused by these rules is logged through syslog, typically as “refused connect from <address>”, so you can see who is knocking. Where that line ends up depends on your syslog configuration: /var/log/messages on many Linux systems, /var/log/secure or /var/log/auth.log for sshd on others, or the journal (journalctl) on systemd-based distributions.
I set up my various servers to allow services via TCP Wrappers based upon the use of the server. And if I want to allow temporary access to an IP, I can modify my /etc/hosts.allow file, and immediately upon saving it, the change will take effect. You don’t even have to restart the service, reload the network, or reboot, because the files are read afresh on every connection attempt. Before relying on a rule, test it with the tools that ship with the package: tcpdchk reports syntax errors and unknown daemon names in both files, and tcpdmatch sshd 10.10.10.5 tells you which rule would apply to a given client without making a connection.
Need to know if a service is compiled against TCP Wrappers? That’s easy too. At a command prompt, simply type:
strings -f <binary-name> | grep hosts_access
Of course, replace <binary-name> with the path of the service’s binary. If the daemon is dynamically linked you can also check with ldd <binary-name> | grep libwrap. Don’t assume: OpenSSH dropped its built-in libwrap support in version 6.7, and some distributions no longer ship tcp_wrappers at all, so a hosts.deny rule for a service that isn’t wrapped does nothing.
Although it is an older tool, Wietse Venema has given us something powerful, easy and often overlooked, because many beginner Linux users spend their time learning iptables and never find out what they can do with their hosts.allow and hosts.deny files. It isn’t a replacement for a packet filter: the TCP connection is accepted before the rules are checked, so the port still shows as open to a scanner, and only wrapped services are protected. But as another layer of security on top of the firewall, it is quite simple to manage.