TCP Wrapper


#  yum -y install tcp_wrappers

Check whether a service can be placed under TCP Wrapper control with the following command. If the binary is linked against 'libwrap', it can be.

[root@dlp ~]# ldd /usr/sbin/sshd | grep wrap

    libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f01b4e2a000)

# this service can be under TCP Wrapper control because it includes 'libwrap'

                           --------------------X----------------------------

[root@monitor ~]#  vi /etc/hosts.allow 

# hosts.allow   This file contains access rules which are used to

#

ALL: localhost

ALL: 127.0.0.1

ALL: 101.11.200.43

ALL: 192.168.

ALL: 192.168.1.0/23

ALL: 205.78.150.58          # server IP

ALL: 103.217.111.210

sshd: 101.11.200.43 59.153.100.142 205.88.199.2 101.11.192.33 101.11.192.34 203.76.145.147 205.78.145.146 205.78.145.145 101.161.189.29 103.217.111.210 101.11.192.0/255.255.255.0 192.168.

ipop3d: ALL

imapd: ALL

vsftpd: ALL

---------------------------

[root@monitor ~]#  vi /etc/hosts.deny 

#

ALL: ALL

Configuration files

TCP wrappers rely on two configuration files as the basis for access control: /etc/hosts.allow and /etc/hosts.deny.

When a client attempts to connect to a network service on a remote system, these files are used to determine whether client access is allowed or denied. Use /etc/hosts.allow and /etc/hosts.deny to define rules that selectively allow or deny clients access to server daemons on the local system. The format for entries is the same in both files:

daemon_list : client_list [: command]

A description of each field follows:

daemon_list : one or more daemon process names (the name the service runs as, such as sshd or vsftpd), separated by commas, or the wildcard ALL.

client_list : one or more host names, IP addresses, patterns (such as .example.com, 192.168. or 192.168.1.0/23) or wildcards (such as ALL or LOCAL) identifying the connecting client, separated by commas or spaces.

command : an optional shell command that is run when the rule matches.

To allow client access, add the client host name or IP address in /etc/hosts.allow. To deny client access, add its name or IP address in /etc/hosts.deny.

The /etc/hosts.allow file is read first and is read from top to bottom. If a daemon-client pair matches the first line in the file, access is granted. If the line is not a match, the next line is read and the same check is performed. If all lines are read and no match occurs, the /etc/hosts.deny file is read, starting at the top. If a daemon-client pair match is found in the deny file, access is denied. If no rules for the daemon-client pair are found in either file, or if neither file exists, access to the service is granted.

Because access rules in hosts.allow are applied first, they take precedence over rules specified in hosts.deny. Therefore, if access to a service is allowed in hosts.allow, a rule denying access to that same service in hosts.deny is ignored. The following are some examples of entries in the /etc/hosts.allow file:

1. To allow clients on the 192.168.2 subnet to access FTP (daemon is vsftpd):

# vi /etc/hosts.allow

vsftpd : 192.168.2.*

2. To allow all clients to access ssh, scp, and sftp (daemon is sshd):

# vi /etc/hosts.allow

sshd : ALL

3. Place the following entry in the /etc/hosts.deny file to deny FTP service to all clients except subnet 192.168.2.* (this assumes the previous entry of vsftpd:192.168.2.* exists in /etc/hosts.allow):

# vi /etc/hosts.deny

vsftpd : ALL

4. Use the .domain syntax to represent any hosts from a given domain. The following example allows connections to vsftpd from any host in the example.com domain (if the entry is in /etc/hosts.allow):

# vi /etc/hosts.allow

vsftpd : .example.com

If this entry appears in /etc/hosts.deny, the connection is denied.

                           ----------------------------------------------------X---------------------------------------------------------

How to Use TCP Wrappers to Restrict Access to Services

As you edit /etc/hosts.allow and /etc/hosts.deny, make sure you add a newline by pressing Enter after the last non-empty line.

To allow SSH and FTP access only to 192.168.0.102 and localhost and deny all others, add these two lines in /etc/hosts.deny:

sshd,vsftpd : ALL

ALL : ALL

and the following line in /etc/hosts.allow:

sshd,vsftpd : 192.168.0.102,LOCAL

TCP Wrappers – hosts.deny File

#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd,vsftpd : ALL
ALL : ALL

TCP Wrappers – hosts.allow File

#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
sshd,vsftpd : 192.168.0.102,LOCAL

These changes take place immediately without the need for a restart.

Removing the word LOCAL from the last line makes the FTP server unavailable to localhost; adding the wildcard back makes the service available again (the original page shows this in the following "Verify FTP Access" image).

Verify FTP Access

To allow all services to hosts whose name ends in .example.com, add this line in hosts.allow:

ALL : .example.com

and to deny access to vsftpd to machines on 10.0.1.0/24, add this line in hosts.deny:

vsftpd : 10.0.1.

In the last two examples, notice the dot at the beginning and at the end of the client list. A leading dot matches every client whose host name ends with that string, and a trailing dot matches every client whose IP address begins with it.
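As an added example (not code from the original page or from the tcp_wrappers package), the following Python reproduces the evaluation order described in the "Configuration files" section and in the examples above: hosts.allow is read first and a match grants, hosts.deny is consulted only afterwards, and no match in either file means access is granted. The two sample rule files are constructed from entries shown on this page, and the client patterns handled are the ones the page uses (exact address, LOCAL, .domain suffix, trailing-dot prefix, net/mask and CIDR, and the 192.168.2.* wildcard); all function names are mine.

```python
import fnmatch
import ipaddress

# Constructed sample files built from the entries shown on this page.
HOSTS_ALLOW = """
sshd, vsftpd : 192.168.0.102, LOCAL
vsftpd : 192.168.2.*
sshd : 192.168.1.0/23 101.11.192.0/255.255.255.0
ALL : .example.com
"""
HOSTS_DENY = """
vsftpd : 10.0.1.
sshd, vsftpd : ALL
ALL : ALL
"""

def parse_rules(text):
    # Each rule becomes (daemon_list, client_list); the optional command field is ignored.
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            daemons, clients = line.split(":")[:2]
            rules.append((daemons.replace(",", " ").split(), clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, hostname, address):
    # The hosts_access(5) client patterns this page uses.
    if pattern in ("ALL", "LOCAL"):             # LOCAL: any host name without a dot
        return pattern == "ALL" or "." not in hostname
    if pattern.startswith("."):                 # .example.com: host name suffix
        return hostname.endswith(pattern)
    if pattern.endswith("."):                   # 192.168. : address prefix
        return address.startswith(pattern)
    if "/" in pattern:                          # net/mask or CIDR network
        return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)
    if "*" in pattern or "?" in pattern:        # shell-style wildcard (Red Hat builds)
        return fnmatch.fnmatch(address, pattern) or fnmatch.fnmatch(hostname, pattern)
    return pattern in (hostname, address)       # exact host name or address

def first_match(rules, daemon, hostname, address):
    return any(("ALL" in ds or daemon in ds) and any(client_matches(p, hostname, address) for p in cs)
               for ds, cs in rules)

def access_allowed(daemon, hostname, address, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    # hosts.allow is read first and a match grants; hosts.deny is consulted only when nothing allowed.
    if first_match(parse_rules(allow), daemon, hostname, address):
        return True
    return not first_match(parse_rules(deny), daemon, hostname, address)   # no rule at all: granted
```

On a real host, tcpdmatch(8) from the tcp_wrappers package answers the same question against the live files, e.g. tcpdmatch vsftpd 10.0.1.9.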

------