Security Information and Review


Hardening Linux Server with TCP Wrappers

Author : Admin

TCP Wrappers, as the name suggests, protect Linux server services that communicate over TCP. Services that use TCP Wrappers channel each incoming connection through the wrapper, and the request is checked against a series of rules. Most commercial Linux server distributions, such as Red Hat Enterprise Linux AS and SLES, implement this facility. TCP Wrappers are configured with two files, one controlling what is specifically accepted and the other specifying denials: /etc/hosts.allow and /etc/hosts.deny. These files let you define access to server services based on IP address or hostname.

The rules in /etc/hosts.allow and /etc/hosts.deny are processed sequentially: clients and users listed in hosts.allow are allowed access, and clients and users listed in hosts.deny are denied access.

If the rules in these files appear to conflict, TCP Wrappers apply them in the following order:

The rules in /etc/hosts.allow are read first. If a rule in this file allows access, the connection is granted and control is immediately passed back to the service.

The rules in /etc/hosts.deny are read next. If a rule in this file denies access, the connection is refused, and a message may be sent back to the client if the rule specifies one.

If neither file contains a rule matching the host, client or service, access is granted and control is passed back to the service.

Directives in the TCP Wrappers rule files follow a specific format; the basic form of a rule in each file is as follows:

	# format of a TCP Wrappers rule
	# daemon-list : client-list
	# see the sample below

	ALL : ALL

This directive covers all services (daemons) and applies the rule to all hosts on all IP addresses. To create finer-grained filters, such as allowing SSH access for one specific client, use a rule like the following:

	# allow SSH access for one client
	sshd : 192.168.1.1

To configure multiple services for a client, separate the services with commas or put each service on its own line. The example below shows several services for one client and an exception to a rule using the EXCEPT directive.

	# file /etc/hosts.deny
	# ---------------------

	# deny every service to hosts in these domains
	ALL : .hackers.com
	ALL : .crackers.com

	# deny SSH from the whole 192.168.1.0/24 network except one host
	sshd : 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.100

	# deny two services to a single client
	apache2,vsftpd : 192.168.10.10
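The evaluation order described above (hosts.allow first, then hosts.deny, default allow) and the EXCEPT syntax can be tried out offline with the following script. It is an added example, not code from the original post and not the tcpd/libwrap implementation: a simplified emulator whose functions (ip2int, client_pat_match, client_list_match, tcpw_decide and so on) are assumptions of this example, run against constructed hosts.allow and hosts.deny files written to a temporary directory.

```bash
#!/usr/bin/env bash
# Added example, not from the original post and not libwrap itself: a small
# emulator of the TCP Wrappers decision order. For a daemon/client pair it
# checks the allow file first (match -> allow), then the deny file (match ->
# deny), and otherwise allows. Client patterns handled: ALL, an exact IP or
# hostname, a leading-dot domain suffix, net/mask in dotted form, and
# "list EXCEPT list". A third field (twist/spawn) is accepted and ignored;
# DNS lookups and wildcards such as KNOWN/UNKNOWN/PARANOID are not modeled.

# Convert a dotted IPv4 address to an integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does one client pattern match the client (an IP address or a hostname)?
client_pat_match() {
  local pat=$1 client=$2 net mask
  case "$pat" in
    ALL) return 0 ;;
    .*)  case "$client" in *"$pat") return 0 ;; esac ;;
    */*) net=${pat%/*}; mask=${pat#*/}
         case "$client" in *[!0-9.]*) return 1 ;; esac   # hostnames never match net/mask
         [ $(( $(ip2int "$client") & $(ip2int "$mask") )) -eq \
           $(( $(ip2int "$net") & $(ip2int "$mask") )) ] && return 0 ;;
    *)   [ "$pat" = "$client" ] && return 0 ;;
  esac
  return 1
}

# Does any item of a comma- or space-separated list match the client?
any_match() {
  local item
  for item in $(printf '%s' "$1" | tr ',' ' '); do
    client_pat_match "$item" "$2" && return 0
  done
  return 1
}

# "A EXCEPT B": the client must match list A and must not match list B.
client_list_match() {
  local list=$1 client=$2 main except=
  case "$list" in
    *" EXCEPT "*) main=${list%% EXCEPT *}; except=${list#* EXCEPT } ;;
    *)            main=$list ;;
  esac
  any_match "$main" "$client" || return 1
  [ -n "$except" ] && any_match "$except" "$client" && return 1
  return 0
}

# Does the daemon list (ALL or comma-separated names) include the daemon?
daemon_list_match() {
  local item
  for item in $(printf '%s' "$1" | tr ',' ' '); do
    [ "$item" = ALL ] || [ "$item" = "$2" ] && return 0
  done
  return 1
}

# Does any rule in file $1 match daemon $2 and client $3?
file_has_match() {
  local line daemons clients
  [ -f "$1" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "${line%%#*}" | tr '\t' ' ')   # strip comments, tabs to spaces
    case "$line" in *:*) ;; *) continue ;; esac
    daemons=$(printf '%s' "${line%%:*}" | tr -d ' ')
    clients=${line#*:}; clients=${clients%%:*}        # drop the optional twist/spawn field
    clients=${clients#"${clients%%[! ]*}"}            # trim leading spaces
    clients=${clients%"${clients##*[! ]}"}            # trim trailing spaces
    daemon_list_match "$daemons" "$2" || continue
    client_list_match "$clients" "$3" && return 0
  done < "$1"
  return 1
}

# Allow file first, deny file second, default allow. Prints the verdict.
tcpw_decide() {   # usage: tcpw_decide daemon client allow_file deny_file
  if file_has_match "$3" "$1" "$2"; then echo allow
  elif file_has_match "$4" "$1" "$2"; then echo deny
  else echo allow
  fi
}

# Constructed sample rule files, written to a temp dir so this runs offline.
TCPW_DIR=$(mktemp -d)
TCPW_ALLOW="$TCPW_DIR/hosts.allow"; TCPW_DENY="$TCPW_DIR/hosts.deny"
printf '%s\n' '# allow SSH for one management host' 'sshd : 192.168.1.1' > "$TCPW_ALLOW"
cat > "$TCPW_DENY" <<'EOF'
ALL : .hackers.com
sshd : 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.100
apache2,vsftpd : 192.168.10.10
sshd : hackers.com : twist /bin/echo sorry %c, access denied
EOF

# Walk through a few daemon/client pairs.
for pair in "sshd 192.168.1.1" "sshd 192.168.1.50" "sshd 192.168.1.100" \
            "vsftpd 192.168.10.10" "apache2 www.hackers.com" "sshd 10.0.0.5"; do
  set -- $pair
  printf '%-8s %-18s -> %s\n' "$1" "$2" "$(tcpw_decide "$1" "$2" "$TCPW_ALLOW" "$TCPW_DENY")"
done
```

Running it prints one verdict per pair: sshd from 192.168.1.1 is allowed even though the deny file's net/mask rule covers that address, because the allow file is consulted first, while 192.168.1.100 is allowed only through the EXCEPT clause and the default. On a real host, check the actual files with tcpdchk (syntax) and tcpdmatch (for example tcpdmatch sshd 192.168.1.1), both shipped with the tcp_wrappers package. Keep in mind that only services linked against libwrap, or started through tcpd from inetd/xinetd, consult these files at all; ldd on the service binary shows whether libwrap is linked in, and OpenSSH 6.7 and later no longer include that support.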

What if we want to send a customized error message? To send a message to the client, such as a warning to restricted users, use the twist or spawn option. The variable %c expands to the client information of the connection request (user name and host, where available); other common variables include %a for the client address, %A for the server address, and %d for the daemon name. For example, take the following line in /etc/hosts.deny:

	sshd : hackers.com : twist /bin/echo sorry %c, access denied

This rule sends an error message to users from the hackers.com domain who try to connect via SSH. The example below combines spawn with other commands so that a denied connection is logged and mailed as a security alert.

	# log every denied connection and mail an alert to the hostmaster
	ALL : ALL : spawn (/bin/echo Security Alert from %a on %d on `date` | \
	tee -a /var/log/security_Alert | mail hostmaster@example.local)

Conclusion: TCP Wrappers provide an extra layer of security and support alerting mechanisms through the spawn and twist options.

 

 

Mohamad Widodo

Categories: Linux
If you like this post, please leave a comment.