TCP wrappers is a host-based access-control mechanism that allows or denies connections to network services according to the client's source (host, network or domain) and the service it wants to reach (ftp, ssh, telnet, tftp, finger, rsh, talk and any other daemon linked against libwrap). It is configured and managed through two files: /etc/hosts.allow and /etc/hosts.deny.
For every incoming connection, the access-control code (the tcpd program when the service is started by inetd, or the libwrap library compiled into the service itself) scans /etc/hosts.allow looking for a match. The first match wins: if one is found, scanning stops and the connection is authorised. If nothing matches there, /etc/hosts.deny is scanned; a match in that file means the connection is denied. If neither file matches, the connection is authorised. A missing file is treated like an empty one, so if both files are empty or absent TCP wrappers are effectively disabled and all connections are let through; the usual hardening is therefore to put ALL: ALL in hosts.deny and whitelist only what is needed in hosts.allow.
Entries in both files follow the pattern "service_list : client_list [: option ...]".
The service part can be set to ALL or to a list of tcp wrapper aware services; the name to use is the daemon's process name (argv[0]), e.g. sshd or in.telnetd. To see which binaries are linked with the libwrap.so library (tcp wrapper aware) we can quickly grep them for the hosts_access symbol (strings -f prints the file name in front of every match; running ldd on a binary and looking for libwrap is the other quick check):
root:/etc> strings -f /usr/sbin/* | grep hosts_access
The client part can be set to a list of IP addresses, host names, networks or domains, or to one of the wildcards ALL, LOCAL, KNOWN and UNKNOWN. Let's look at some example entries for hosts.allow and hosts.deny to make sense of all that's been said:
Entry                                        Allows or denies
ALL: ALL                                     all services from all sources
ALL: server1                                 all services from the stated host
ALL: .domain.com                             all services from any host in the stated domain (leading dot: name suffix match)
ALL: 110.12.12.1                             all services from the stated IP
ALL: 110.12.12.0/24                          all services from the stated network (prefix form)
ALL: 110.12.12.                              same as above (trailing dot: address prefix match)
ALL: 110.12.12.0/255.255.255.0               same as above (net/mask form)
ALL: 110.12. EXCEPT 110.12.12., 110.12.14.   all services from 110.12.* except those originating from the two stated subnets
ALL: LOCAL                                   all services from the local network (hosts whose name contains no dot)
ALL: KNOWN                                   all services from hosts whose name and address both resolve
ALL: UNKNOWN                                 all services from hosts whose name or address cannot be resolved
vsftpd, sshd: LOCAL                          ssh and vsftpd from the local network
sshd: /etc/ssh/ssh_sources                   ssh from the patterns listed in the file /etc/ssh/ssh_sources
Two caveats on the network forms: the /24 prefix notation is not accepted by every libwrap build, whereas the n.n.n.n/m.m.m.m form works everywhere; and in the net/mask form the net part must be the network address (host bits zero), because libwrap tests whether (client address AND mask) equals the net part, so a line such as 110.12.12.7/255.255.255.0 silently never matches anything.
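The evaluation order described at the top of the page (hosts.allow first, then hosts.deny, first match wins, no match means allow) and the client patterns from the table, as an added example that is not part of the original text: a small POSIX sh model of the decision, run against a constructed pair of rule files in a temporary directory. It is not libwrap and models only ALL, an exact address, the trailing-dot prefix, the net/mask form and EXCEPT; host names, domains, the LOCAL/KNOWN/UNKNOWN wildcards and the file form are left out. The rule files, addresses and daemon names are made up for the demonstration, and one hosts.allow line deliberately gives the net part as a host address to show the net/mask pitfall. On a real system, check the live files with tcpdmatch(8) instead.

```shell
#!/bin/sh
# Toy model of the hosts.allow / hosts.deny decision for IPv4 clients.
# Illustration only: this is NOT libwrap/tcpd and understands just a
# subset of the hosts_access(5) client syntax.

# ip2int DOTTED_QUAD -> decimal integer; fails on anything but a.b.c.d
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# pattern_matches PATTERN ADDRESS: one client pattern against one address
pattern_matches() {
    p=$1; addr=$2
    case $p in
        ALL) return 0 ;;
        */*)   # net/mask: match iff (addr AND mask) == net, as libwrap computes it
            net=$(ip2int "${p%/*}") || return 1
            mask=$(ip2int "${p#*/}") || return 1
            a=$(ip2int "$addr") || return 1
            [ $(( a & mask )) -eq "$net" ] ;;
        *.)    # trailing dot: textual prefix match ("110.12." matches 110.12.x.y)
            case $addr in "$p"*) return 0 ;; *) return 1 ;; esac ;;
        *)     [ "$p" = "$addr" ] ;;
    esac
}

# client_list_matches LIST ADDRESS: comma-separated patterns, where
# "list1 EXCEPT list2" means list1 matches and list2 does not
client_list_matches() {
    list=$1; addr=$2
    case $list in
        *" EXCEPT "*)
            keep=${list%% EXCEPT *}; drop=${list#* EXCEPT }
            if client_list_matches "$keep" "$addr" && ! client_list_matches "$drop" "$addr"
            then return 0; else return 1; fi ;;
    esac
    for pat in $(printf '%s' "$list" | tr ',' ' '); do
        pattern_matches "$pat" "$addr" && return 0
    done
    return 1
}

# daemon_list_matches LIST DAEMON: ALL or a comma-separated list of process names
daemon_list_matches() {
    for d in $(printf '%s' "$1" | tr ',' ' '); do
        [ "$d" = ALL ] || [ "$d" = "$2" ] && return 0
    done
    return 1
}

# file_matches FILE DAEMON ADDRESS: first matching line wins; a missing
# file is the same as an empty one (no match)
file_matches() {
    [ -r "$1" ] || return 1
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | {
        while IFS= read -r line; do
            dl=$(printf '%s' "$line" | cut -d: -f1 | sed 's/^ *//;s/ *$//')
            cl=$(printf '%s' "$line" | cut -d: -f2 | sed 's/^ *//;s/ *$//')
            if daemon_list_matches "$dl" "$2" && client_list_matches "$cl" "$3"; then
                exit 0      # leaves the subshell with "match"
            fi
        done
        exit 1
    }
}

# hosts_access_decision DIR DAEMON ADDRESS: prints ALLOW or DENY
hosts_access_decision() {
    if file_matches "$1/hosts.allow" "$2" "$3"; then echo ALLOW
    elif file_matches "$1/hosts.deny" "$2" "$3"; then echo DENY
    else echo ALLOW
    fi
}

# write_demo_rules DIR: constructed rule files for the demonstration
write_demo_rules() {
    cat > "$1/hosts.allow" <<'EOF'
# ssh from the 110.12.12.0/24 network and from one admin box
sshd: 110.12.12.0/255.255.255.0, 10.0.0.5
# PITFALL: net part is a host address, so (addr AND mask) never equals it
vsftpd: 110.12.12.7/255.255.255.0
# the whole 110.12.* range except two subnets
in.telnetd: 110.12. EXCEPT 110.12.12., 110.12.14.
EOF
    printf 'ALL: ALL\n' > "$1/hosts.deny"
}

demo() {
    dir=$(mktemp -d)
    write_demo_rules "$dir"
    hosts_access_decision "$dir" sshd       110.12.12.40   # ALLOW
    hosts_access_decision "$dir" sshd       110.12.13.40   # DENY
    hosts_access_decision "$dir" vsftpd     110.12.12.40   # DENY: broken net/mask line
    hosts_access_decision "$dir" in.telnetd 110.12.13.9    # ALLOW
    hosts_access_decision "$dir" in.telnetd 110.12.14.9    # DENY: in the EXCEPT list
    rm -f "$dir/hosts.deny"
    hosts_access_decision "$dir" vsftpd     110.12.12.40   # ALLOW: no match, no deny file
    rm -rf "$dir"
}
demo
```

The last call in demo is the "both files empty or absent" case from the text: once hosts.deny is gone, a client that matches nothing is let in, which is why a catch-all ALL: ALL in hosts.deny matters.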
So far it should be very straightforward. Let's look then at two very useful tricks we can use with tcp wrappers.
If the following line is added to hosts.deny, every connection that reaches it (that is, one that matched nothing in hosts.allow) is still refused, and in addition the client (%c expands to user@host when an identd lookup succeeded, otherwise to the host name or address) and the daemon name (%d) are appended, with the date, to the given file. The spawn option runs any shell command we need when the rule matches; the trailing & stops the command from holding up the wrapper, and tcpd replaces characters in the expanded %-values that could confuse the shell with underscores, so a hostile reverse-DNS name cannot inject commands.
ALL : ALL : spawn (/bin/echo `date` %c %d >> /var/log/intruder_alert.log) &
We can achieve a similar result with the option:
ALL : ALL : severity emerg
This keeps the default logging facility (authpriv here; it is a compile-time choice of the libwrap build) but raises the priority from the default info to emerg, which most syslog configurations write to the console and broadcast to every logged-in user.
We can combine both in a single line, separating the options with colons:
ALL : ALL : spawn (/bin/echo `date` %c %d >> /var/log/intruder_alert.log) & : severity emerg
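What the spawn option does with the %-sequences, as an added example that is not part of the original text: a POSIX sh model that expands %a, %h, %d, %u, %c and %% the way hosts_access(5) describes them, replaces shell-special characters in the expanded values with underscores (hosts_access(5) states that tcpd does this; the exact character set kept below is an assumption that approximates it), and then runs the result with sh -c, as the spawn line above would. The template, the log file and the hostile reverse-DNS name are constructed for the demonstration; the point is that a client name such as 'evil.example;touch /tmp/pwned' cannot smuggle a command into the spawned shell.

```shell
#!/bin/sh
# Toy model of tcpd's "spawn" handling: %<letter> expansion, shell-metachar
# sanitising, then execution with sh -c.  Illustration only, not libwrap code.

# wrap_sanitize VALUE: anything outside an assumed safe set becomes "_"
# (tcpd's real list lives in percent_x.c; this one approximates it)
wrap_sanitize() {
    printf '%s' "$1" | tr -c '[:alnum:]!@%_=+:,./-' '_'
}

# wrap_expand TEMPLATE ADDR HOST DAEMON USER
# %a address, %h host, %d daemon, %u user (or "unknown"), %c client info
# (user@host when the user is known, else the host), %% a literal percent.
# Unknown %<letter> sequences are passed through unchanged (assumption).
wrap_expand() {
    a=$(wrap_sanitize "$2"); h=$(wrap_sanitize "$3")
    d=$(wrap_sanitize "$4"); u=$(wrap_sanitize "$5")
    if [ -n "$u" ]; then c="$u@$h"; else c=$h; u=unknown; fi
    printf '%s\n' "$1" | awk -v a="$a" -v h="$h" -v d="$d" -v u="$u" -v c="$c" '
    {
        out = ""; i = 1; n = length($0)
        while (i <= n) {
            ch = substr($0, i, 1)
            if (ch == "%" && i < n) {
                nx = substr($0, i + 1, 1)
                if      (nx == "a") out = out a
                else if (nx == "h") out = out h
                else if (nx == "d") out = out d
                else if (nx == "u") out = out u
                else if (nx == "c") out = out c
                else if (nx == "%") out = out "%"
                else                out = out ch nx
                i += 2
            } else { out = out ch; i++ }
        }
        print out
    }'
}

# wrap_spawn TEMPLATE ADDR HOST DAEMON USER: what "spawn (cmd)" ends up running
wrap_spawn() {
    sh -c "$(wrap_expand "$@")"
}

# spawn_demo: the hosts.deny line's command, minus the "ALL : ALL : spawn ( ) &"
# wrapper, run for a constructed client whose reverse-DNS name carries shell
# metacharacters; prints the log line that results
spawn_demo() {
    log=$(mktemp)
    tpl='echo $(date) %c %d >> '"$log"
    wrap_spawn "$tpl" 110.12.12.40 'evil.example;touch /tmp/pwned' sshd ''
    tail -n 1 "$log"      # ends with: evil.example_touch_/tmp/pwned sshd
    rm -f "$log"
}
spawn_demo
```

Note that only the expanded values are sanitised; the command text itself comes from the rule file and is trusted, which is why hosts.allow and hosts.deny must stay root-owned and not group- or world-writable.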