11-TCP Wrappers


TCP Wrappers

TCP Wrappers is a host-based networking ACL system used to control access to network services.

Access Control to Network Services

Required Packages

[root@client1 Desktop]# rpm -qa tcp_wrappers*
tcp_wrappers-7.6-57.el6.x86_64
tcp_wrappers-libs-7.6-57.el6.x86_64

The most important library files

/lib64/libwrap.so.0
/lib64/libwrap.so.0.7.6

TCP Wrappers Configuration Files


To determine whether a client is allowed to connect to a service, TCP Wrappers reference the following two files, commonly referred to as “hosts access” files:

 /etc/hosts.allow
 /etc/hosts.deny

Help command
#man hosts_options
#man hosts_access

Note:
To determine if a network service binary is linked to “libwrap.so”, type the following command as the
root user:

ldd <binary-name> | grep libwrap

Example
[root@client1 Desktop]# ldd /usr/sbin/sshd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f22184a9000)

[root@server1 Desktop]# ldd /usr/sbin/vsftpd | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f906a243000)

Advantages of TCP Wrappers

TCP Wrappers provide the following advantages over other network service control techniques:

 Transparency to both the client and the wrapped network service — Both the connecting
client and the wrapped network service are unaware that TCP Wrappers are in use. Legitimate
users are logged and connected to the requested service while connections from banned clients
fail.

 Centralized management of multiple protocols — TCP Wrappers operate separately from the
network services they protect, allowing many server applications to share a common set of access
control configuration files, making for simpler management.

Important points when using TCP Wrappers to protect network services:

1. If access to a service is allowed in “hosts.allow”, a rule denying access to that same service in
“hosts.deny” is ignored.
2. The rules in each file are read from the top down, and the first matching rule for a given service
is the only one applied. The order of the rules is therefore extremely important.
3. If no rules for the service are found in either file, or if neither file exists, access to the service is
granted.
4. TCP wrapped services do not cache the rules from the hosts access file, so any changes to
hosts.allow or hosts.deny take effect immediately without restarting network services.

Default Log Files

TCP Wrappers do all their logging via syslog, according to your /etc/syslog.conf file. The following
list gives the standard locations where messages from TCP Wrappers appear:

1. AIX - /var/adm/messages
2. HP-UX - /usr/spool/mqueue/syslog
3. Linux - /var/log/messages
4. FreeBSD, OpenBSD, NetBSD - /var/log/messages
5. Mac OS X - /var/log/system.log
6. Solaris - /var/log/syslog

Formatting Access Rules

The format for both /etc/hosts.allow and /etc/hosts.deny is identical.

daemon_list : client_list : option : option ...
daemon_list : client_list [ : shell_command ]

Daemon list:
A comma-separated list of process names (not service names) or the ALL wildcard.

Client list:
A comma-separated list of hostnames, host IP addresses, special patterns, or wildcards
which identify the hosts affected by the rule.

Options:

An optional action or colon-separated list of actions performed when the rule is
triggered. Option fields support expansions, launch shell commands, allow or deny access, and alter
logging behaviour.

Wildcards
Wildcards allow TCP Wrappers to more easily match groups of daemons or hosts.

ALL        Specifies all networks
LOCAL      Specifies the local network
EXCEPT     Excludes a particular user/client
KNOWN      Indicates all hosts that can be resolved by the system
UNKNOWN    Indicates all hosts that can’t be resolved by the system
PARANOID   Matches hosts whose forward and reverse DNS lookups don’t agree (the name does not resolve back to the connecting address)
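As an added example (not code from this handout and not the tcp_wrappers implementation itself), the following Python script simulates the access decision described in the “Important points” list and the pattern syntax above: it parses a hosts.allow / hosts.deny pair, applies the ALL, LOCAL, KNOWN, UNKNOWN and EXCEPT wildcards together with the leading-dot, trailing-dot, net/mask and `*` patterns, and reports which rule decided. The reverse-DNS table and the sample rule files are constructed; PARANOID never matches in it because that table is consistent, and only the allow/deny options are interpreted (spawn and severity are ignored).

```python
"""Offline simulator for TCP Wrappers access decisions (added example).

Re-implements the documented behaviour of hosts_access(5)/hosts_options(5)
so a hosts.allow / hosts.deny pair can be checked before it is deployed.
Assumptions of this example: LOCAL matches a resolved name without a dot;
an address missing from HOSTS counts as UNKNOWN; PARANOID never matches
(the constructed table is consistent); only allow/deny options are read;
daemon_list tokens are plain process names or ALL.
"""
import ipaddress
import re

# Constructed reverse-DNS table: address -> hostname (None = unresolvable).
HOSTS = {
    "192.168.1.100": "server1.example.com",
    "192.168.1.101": "client1.example.com",
    "192.168.1.102": "client2.example.com",
    "10.9.8.7": None,
}


def parse_rules(text):
    """Split hosts.allow/hosts.deny text into (daemon_list, client_list, options)."""
    rules = []
    for line in re.sub(r"\\\n", " ", text).splitlines():   # glue continued lines
        line = line.split("#", 1)[0].strip()                 # drop comments
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("rule needs daemon_list : client_list: %r" % line)
        rules.append((fields[0], fields[1], fields[2:]))
    return rules


def match_client_token(tok, name, addr):
    """Match one client_list token against the connecting host (name may be None)."""
    if tok == "ALL":
        return True
    if tok == "KNOWN":
        return name is not None
    if tok == "UNKNOWN":
        return name is None
    if tok == "LOCAL":
        return name is not None and "." not in name
    if tok == "PARANOID":
        return False                                # see module docstring
    if tok.startswith("."):                         # .example.com: name suffix
        return name is not None and name.lower().endswith(tok.lower())
    if tok.endswith("."):                           # 192.168.1.: address prefix
        return addr.startswith(tok)
    if "/" in tok:                                  # net/mask or CIDR
        return ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
    if "*" in tok or "?" in tok:                    # shell-style wildcards
        pat = "^" + re.escape(tok).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        return bool(re.match(pat, addr)) or (
            name is not None and bool(re.match(pat, name, re.IGNORECASE)))
    return tok == addr or (name is not None and tok.lower() == name.lower())


def match_list(list_str, match_one):
    """Evaluate a list with EXCEPT: 'a EXCEPT b' matches anything in a that is
    not in b; EXCEPT is right-associative ('a EXCEPT b EXCEPT c' = 'a EXCEPT (b EXCEPT c)')."""
    tokens = [t for t in re.split(r"[,\s]+", list_str) if t]
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (match_list(" ".join(tokens[:i]), match_one)
                and not match_list(" ".join(tokens[i + 1:]), match_one))
    return any(match_one(t) for t in tokens)


def check_access(daemon, addr, allow_text, deny_text):
    """Return (verdict, reason): hosts.allow is searched first, then hosts.deny;
    the first matching rule decides; a rule's own allow/deny option overrides
    the file's default; no match in either file means access is granted."""
    name = HOSTS.get(addr)
    files = (("hosts.allow", allow_text, "allow"), ("hosts.deny", deny_text, "deny"))
    for fname, text, default in files:
        for daemons, clients, options in parse_rules(text):
            if not match_list(daemons, lambda t: t == "ALL" or t == daemon):
                continue
            if not match_list(clients, lambda t: match_client_token(t, name, addr)):
                continue
            verdict = default
            for opt in options:
                word = opt.split()[0].lower() if opt.split() else ""
                if word in ("allow", "deny"):
                    verdict = word
            return verdict, "%s: %s : %s" % (fname, daemons, clients)
    return "allow", "no matching rule in either file"


# Constructed sample pair modelled on the handout's scenarios.
SAMPLE_ALLOW = """\
# hosts_options style: the option decides, not the file
sshd : client1.example.com : deny
sshd : client2.example.com \\
     : allow
vsftpd : .example.com
"""
SAMPLE_DENY = "ALL : ALL EXCEPT *.example.com\n"

if __name__ == "__main__":
    for daemon, addr in (("sshd", "192.168.1.101"), ("sshd", "192.168.1.102"),
                         ("httpd", "192.168.1.101"), ("httpd", "10.9.8.7")):
        print(daemon, addr, *check_access(daemon, addr, SAMPLE_ALLOW, SAMPLE_DENY))
```

Because changes to hosts.allow and hosts.deny take effect immediately (point 4 above), running a candidate pair through a checker like this, with the real file contents read in place of the constructed samples, is a cheap way to catch an ordering mistake before it locks out or admits the wrong hosts.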

Examples

Server1.example.com - 192.168.1.100
Client1.example.com - 192.168.1.101
Client2.example.com - 192.168.1.102

Network - 192.168.1.0/24

1. On server1.example.com, deny ssh access from client1.example.com but allow it from client2.example.com.

Server1.example.com

[root@server1 ~]# vim /etc/hosts.allow
sshd : client1.example.com : deny
sshd : client2.example.com : allow

:wq!

or

vim /etc/hosts.allow
sshd : client2.example.com

vim /etc/hosts.deny
sshd : client1.example.com

or

vim /etc/hosts.allow
sshd : client1.example.com EXCEPT client2.example.com : deny

client1.example.com

[root@client1 Desktop]# ssh server1.example.com
ssh_exchange_identification: Connection closed by remote host

client2.example.com

[root@client2 Desktop]# ssh server1.example.com
root@server1.example.com's password:
Last login: Sun Nov 4 16:32:51 2012 from client1.example.com

2. Deny all network services to hosts in example.com, except the vsftpd daemon.

#vim /etc/hosts.allow
ALL EXCEPT vsftpd : .example.com : deny

Or

#vim /etc/hosts.allow
vsftpd : .example.com

#vim /etc/hosts.deny
ALL : .example.com

Or

#vim /etc/hosts.deny
ALL EXCEPT vsftpd : .example.com

Note: examples of valid client_list patterns:
ALL : .example.com
ALL : *.example.com
ALL : 192.168.1.
ALL : 192.168.1.0/24
ALL : 192.168.1.100
ALL : 192.168.1.0/255.255.255.0
ALL : *.example.com EXCEPT my.org
ALL : ALL EXCEPT *.example.com : deny

3. Allow all network services to hosts within example.com only; all other networks are
restricted.
#vim /etc/hosts.allow
ALL : ALL EXCEPT *.example.com : deny

Or

#vim /etc/hosts.deny
ALL : ALL EXCEPT *.example.com

4. Configuring TCP Wrappers with shell commands (spawn)

Record the details of every allowed connection, for all daemons, in a dedicated log file.

[root@server1 ~]# touch /var/log/tcp_wrappers.log

[root@server1 ~]# vim /etc/hosts.allow
ALL : *.example.com \
    : spawn /bin/echo %d from %c user %u >> /var/log/tcp_wrappers.log \
    : spawn /bin/date >> /var/log/tcp_wrappers.log : allow

[root@server1 ~]# cat /var/log/tcp_wrappers.log
sshd from client2.example.com user unknown
Sun Nov 4 22:53:03 IST 2012
vsftpd from client2.example.com user unknown
Sun Nov 4 22:54:03 IST 2012
