Sunday, December 23, 2012

What Is TCP Wrappers And How To Configure It

Hello everybody,

TCP Wrappers protects Linux services, and of course, protects those services that communicate using the TCP protocol. It's really useful and very important because it gives you an extra layer of protection, especially for those services, such as vsFTP, that you can NOT limit access by IP address in the main configuration file; you can limit access by user and chroot jail in configuration file of vsFTP, but you should use TCP Wrappers to limit access by IP address.

How Do You Find a Service Is Protected by TCP Wrappers:


First, you should install the service that you want to use or make sure the service has been installed. For example, the following command will return all ssh packages that already installed
rpm -qa | grep ssh

Second, the word associated with TCP Wrappers is "hosts_access". So, you can use the "strings" command to look for "hosts_access" string in all binary files of services. Here is a script that I created to help you to find those services that support TCP Wrappers (Figure 1):


                                                                             Figure 1


Now, the associated library wrapper file linked to services is libwrap.so.0. So, you can use the ldd command to list the libraries used by the services, and of course, you can filter out the output by grep command (Figure 2):

                                                                             Figure 2

In this case, I used sshd service. After running the above command, I was sure that TCP Wrappers support sshd.

Configure TCP Wrappers


The configuration files for TCP Wrappers are /etc/hosts.allow and /etc/hosts.deny. So, users and clients listed in hosts.allow have access to desired service and users and clients listed in hosts.deny have not access to desired service. And here is the order of precedence:
  1.  First, it goes through the /etc/hosts.allow file. If it finds any match, it gives access and does NO more action or search.
  2. If it doesn't match anything in /etc/hosts.allow, it goes through /etc/hosts.deny file. If it finds any match, it will deny access.
  3. If it doesn't find any match in both hosts.allow and hosts.deny files, it gives access to the client by default.
Here is the format of both file:
daemon_list : client_list [ : shell command ]
  • daemon list is a list of one or more daemon process names, such as sshd or xinetd.
  • client list is a list of one or more host names, host addresses, patterns or wildcard that will be match against the client host name or address.
  • Shell Command is optional and can run a shell command if it matches any.
Let's say some examples:
ALL : ALL  ---> This line in "hosts.allow" file means grant access for all services to everybody

sshd : 10.0.0.153  ---> This line in hosts.deny file means deny access for sshd service to just 10.0.0.153 ip address(figure 3)
Obviously, if this line exists in both file, the mentioned ip address will be granted because hosts.allow has precedence to hosts.deny

ALL : .khosro.com  ---> (.) means all hosts with the specified domain name or IP network address. In this case, access to all hosts on the khosro.com domain for all services if it's in the hosts.allow

sshd : 10.0.0.0/255.255.255.0 EXCEPT 10.0.0.153  ---> You can specify IP network address with subnet mask and CIDR notation is NOT allowed, like 10.0.0.0/24. You can make an exception with EXCEPT operator. In this case, all IPs in 10.0.0.0/255.255.255.0 network have not access to sshd except 10.0.0.153 if this line exist in hosts.deny file.

sshd, xinetd : 10.0.0.153  ---> You can setup multiple services and addresses with commas.

sshd : user1@khosro.linux.com  ---> Grant access to the specific user if this line exists in the hosts.allow

Figures 3 to 5 show some good examples of TCP Wrappers with shell command:

Server A:
                                                                    Figure 3


Server B:
                                                                   Figure 4

Server A:
                                                                    Figure 5

"mail -s %d-%h root" is the command that send information to root user. The following expansions are available within shell commands:
%a (%A)              The client (server) host address.
%c                        Client information: user@host, user@address, a host name, or just an address, depending on how much information is available.
%d                       The daemon process name.
%h (%H)             The client (server) host name or address, if the host name is unavailable.
%n (%N)             The client (server) host name (or "unknown" or "paranoid").
%p                       The daemon process id.
%s                       Server information: daemon@host, daemon@address, or just a daemon name, depending on how much information is available.
%u                      The client user name (or "unknown").
%%                     Expands to a single ‘%´ character.
Characters in % expansions that may confuse the shell are replaced by underscores.

The safe_finger command comes with the tcpd wrapper. It limits possible damage from data sent
 by the remote finger server. It gives better protection than the standard finger command.

And that's all.
Hope you enjoyed.

Khosro Taraghi