Linux TCPWRAPPERS

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Linux TCPWRAPPERS

    Linux TCPWRAPPERS

    On Linux systems, access from specific users, hosts or networks can be blocked through the /etc/hosts.allow and /etc/hosts.deny files. The mechanism is known as tcpwrappers; it is enabled by default and installed through the tcp_wrappers RPM. The Linux services or commands that can be controlled through tcp_wrappers are those linked against the libwrap library:

    Code:
    # ldd /usr/sbin/sshd | grep -i libwrap
    libwrap.so.0 => /lib/libwrap.so.0
    In this case the sshd Linux service can be controlled through tcpwrappers using the files /etc/hosts.allow and /etc/hosts.deny: sshd is tcpwrapper-aware.
    TCPwrappers dynamics

    When the system receives a network request for a service that is tcpwrapper-aware, it hands the request to tcpwrappers, which checks its access rules. If no rule restricts that particular host, IP address or user, tcpwrappers allows the access and passes control back to the service.

    Access control in tcpwrappers is configured through the /etc/hosts.allow and /etc/hosts.deny files, which are consulted in the following order:

    * /etc/hosts.allow is searched first; if tcpwrappers finds a match, access is allowed and no further checks are done.
    * If no match is found in /etc/hosts.allow, /etc/hosts.deny is searched. If tcpwrappers finds a match there, access is denied.
    * Finally, if no match is found in either file, access is allowed.
    /etc/hosts.allow and /etc/hosts.deny

    The same configuration parameters can be used in both /etc/hosts.allow and /etc/hosts.deny to tell tcpwrappers which clients are allowed or denied:

    daemons : clients

    For example, to allow or deny access to ALL tcpwrappers services for ALL clients:

    ALL : ALL

    This line in /etc/hosts.deny denies access to all tcpwrappers services (for any client not already matched in /etc/hosts.allow). The same line in /etc/hosts.allow allows access to all tcpwrappers services with no restrictions.

    To deny sshd access from the IP address 192.168.10.100, the following configuration can be used in /etc/hosts.deny:
    Code:
    # cat /etc/hosts.deny
    
    sshd : 192.168.10.100
    The same line in /etc/hosts.allow would allow 192.168.10.100 to access the sshd service. These files can contain more than one line, so order is important: the first match is applied.

    Code:
    # cat /etc/hosts.deny
    
    sshd, vsftpd : ALL EXCEPT 192.168.10.1
    ALL:ALL
    With this configuration, access to sshd and vsftpd is allowed only from 192.168.10.1, and access to the rest of the tcpwrappers services is denied.
    Client Matching

    The following configuration parameters can be used to match clients in allow/deny rules for tcpwrappers network services:

    ALL
    ALL clients.

    .info.net
    Matches all clients in the info.net domain, the same as *.info.net

    192.168.
    Matches all clients whose IP address starts with 192.168. (that is, 192.168.x.x).

    192.168.0.0/255.255.0.0
    Matches all clients on the 192.168.0.0/255.255.0.0 subnet. (CIDR notation does not work: 192.168.0.0/16 is NOT VALID!!!)

    Exceptions

    The EXCEPT parameter can be used to build exceptions into access rules. For example, the following line in /etc/hosts.deny denies access to the telnet network service from all hosts on the 192.168.10.0/24 LAN EXCEPT 192.168.10.1:
    Code:
    # cat /etc/hosts.deny
    
    telnetd : 192.168.10.0/255.255.255.0 EXCEPT 192.168.10.1
    It can also be used in the daemon list part:
    Code:
    # cat /etc/hosts.allow
    
    ALL EXCEPT sshd : .info.net
    With this configuration, access to all tcpwrappers services except sshd is allowed from the .info.net domain. Note that sshd is denied only if a matching rule exists in /etc/hosts.deny; otherwise sshd is also allowed, because /etc/hosts.allow specifies only what is explicitly allowed and anything unmatched in both files is allowed by default.
    Wildcards

    The following wildcards can be used in the /etc/hosts.allow and /etc/hosts.deny files:

    ALL
    Matches everything and can be used for both the daemon list and the client list.

    LOCAL
    Matches any host that does not contain a period (.), such as localhost.

    KNOWN
    Matches any host whose hostname and host address can both be resolved by DNS.

    UNKNOWN
    Matches any host whose hostname or host address cannot be resolved by DNS.

    PARANOID
    Matches any host whose hostname does not match its IP address.
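    As an added example (not part of the original post), the following Python model evaluates hosts.allow and hosts.deny the way described above: hosts.allow first, then hosts.deny, first matching line wins, default allow, with EXCEPT in either field and the ALL, LOCAL, .domain, prefix. and net/mask client patterns. The sample files are constructed from the post's own rules; KNOWN, UNKNOWN and PARANOID need DNS lookups and are not modelled.

```python
import ipaddress
import re

def parse_rules(text):
    """(daemon_list, client_list) pairs from hosts.allow/deny text; comments and any spawn/twist field are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("rule needs 'daemons : clients': %r" % line)
        rules.append((fields[0], fields[1]))
    return rules

def field_matches(field, match_one):
    """'a, b EXCEPT c': a or b matches and c does not; EXCEPT is right-associative."""
    parts = re.split(r"\bEXCEPT\b", field, maxsplit=1)
    if len(parts) == 2:
        return field_matches(parts[0], match_one) and not field_matches(parts[1], match_one)
    return any(match_one(item) for item in re.split(r"[,\s]+", field.strip()) if item)

def client_matches(pattern, host, addr):
    """One client-list item against the connecting host name and IPv4 address."""
    if pattern.upper() == "ALL":
        return True
    if pattern.upper() == "LOCAL":           # a name without a dot, e.g. localhost
        return "." not in host
    if pattern.startswith("."):              # '.info.net': any host in that domain
        return host.lower().endswith(pattern.lower())
    if pattern.endswith("."):                # '192.168.': any address with that prefix
        return addr.startswith(pattern)
    if "/" in pattern:                       # 'net/mask' pair; a CIDR length raises ValueError
        net, mask = (int(ipaddress.IPv4Address(p)) for p in pattern.split("/", 1))
        return (int(ipaddress.IPv4Address(addr)) & mask) == net
    return pattern.lower() in (host.lower(), addr)   # literal host name or address

def access_decision(allow_text, deny_text, daemon, host, addr):
    """Model of tcpwrappers: hosts.allow first, then hosts.deny; first match wins; nothing matched means allow."""
    daemon_ok = lambda p: p.upper() == "ALL" or p.lower() == daemon.lower()
    client_ok = lambda p: client_matches(p, host, addr)
    for verdict, text in (("allow", allow_text), ("deny", deny_text)):
        for daemons, clients in parse_rules(text):
            if field_matches(daemons, daemon_ok) and field_matches(clients, client_ok):
                return verdict
    return "allow"

HOSTS_ALLOW = "ALL EXCEPT sshd : .info.net\n"   # constructed sample, from the post's rules
HOSTS_DENY = "telnetd : 192.168.10.0/255.255.255.0 EXCEPT 192.168.10.1\nsshd : 192.168.10.100\n"
```

    With these files, access_decision(HOSTS_ALLOW, HOSTS_DENY, "telnetd", "unknown", "192.168.10.5") returns "deny", while the same call for 192.168.10.1 matches neither file and returns "allow".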
    Shell Commands

    An optional third field in /etc/hosts.allow and /etc/hosts.deny executes a shell command when a match is found, through the 'spawn' and 'twist' directives.
    spawn

    Executes a shell command as a child process when a match is found. This feature can be used to record client or process information. In the following example, every client attempting to access the vsftpd service is logged to /var/log/audit_vsftpd.log and the connection is allowed.
    Code:
    # cat /etc/hosts.allow
    vsftpd : ALL : spawn /bin/echo `/bin/date` from %h>>/var/log/audit_vsftpd.log
    twist
    Replaces the requested service with the specified command. Useful for sending a message to the connecting client:

    Code:
    # cat /etc/hosts.deny
    
    telnetd : 192.168.10.0/255.255.255.0 : twist /bin/echo "What are you doing %a!!!"
    In this case, when a client on the 192.168.10.0/24 LAN tries to connect to the telnet service, tcpwrappers denies access and sends the message to the client.

    Expansions

    In most cases expansions are used with the spawn and twist operators to retrieve information about the client that is trying to connect to the tcpwrapped network service. They also provide information about the server and the process being executed:

    %a
    Prints the client IP address.

    %A
    Prints the server IP address.

    %c
    Prints a variety of client information, such as the username and hostname.

    %d
    Prints the daemon process name.

    %h
    Prints the client hostname (IP address if the hostname is unknown).

    %H
    Prints the server hostname (IP address if the hostname is unknown).

    %n
    Prints the client hostname. If unavailable, unknown is printed. If the client hostname and host address do not match, paranoid is printed.

    %N
    Prints the server hostname. If unavailable, unknown is printed. If the server hostname and host address do not match, paranoid is printed.

    %p
    Prints the daemon process ID.

    %s
    Prints various types of server information, such as the daemon process and the host or IP address of the server.

    %u
    Prints the client username. If unavailable, unknown is printed.

    Let's look again at the examples from the previous section:
    Code:
    # cat /etc/hosts.allow
    vsftpd : ALL : spawn /bin/echo `/bin/date` from %h>>/var/log/audit_vsftpd.log
    In this case every attempt to use vsftpd is logged to /var/log/audit_vsftpd.log with the date and the client hostname (%h), and the connection is allowed.
    Code:
    # cat /etc/hosts.deny
    telnetd : 192.168.10.0/255.255.255.0 : twist /bin/echo "What are you doing %a!!!"
    Telnet logins from 192.168.10.0/24 are denied with the message "What are you doing %a!!!", where %a is replaced with the client IP address.
    Last edited by kuldeep; 02-25-2015, 10:43 PM.