Harden TCP Wrapper
TCP Wrapper (tcpd) package is installed by default into Debian OS and often left unused. This section guides you on hardening Debian by using the TCP Wrapper.
Identified Threats
These are the identified threats related to Debian Software.
(T-42) TCPWrapper is Not Configured By Default
By default, TCP Wrapper is left untouched as this is user-specific usage.
Actions Required
Here are the list if actions to counter the issues.
Setup Whitelisting Policy
The first thing to do is to setup whitelisting policy in which all services from any client are denied unless it is explicitly allowed. This is done by:
Set ALL: ALL
into /etc/hosts.deny
file.
Permits Core Services
After setting whitelisting policy, it is time to whitelist some common core services. You can whitelist them by adding the service from clients address into /etc/hosts.allow
file. Here are some examples for core services like SSHD:
ALL: localhost
sshd : ALL
That's all for hardening Debian by implementing tcpwrapper policy.