TCP wrappers

TCP wrappers is a host-based mechanism that restricts access (thus “allow” and “deny”) to certain users according to their source (host, network or domain) and service they want to access (ftp, ssh, telnet, tftp, finger, rsh & talk). This security mechanism is configured and managed through two files: /etc/hosts.allow /etc/hosts.deny.

For every incoming connection, the tcpd daemon (or tcp wrapper daemon) scans the /etc/hosts.allow file looking for a match. If it finds a match, it will stop scanning the file and will authorise the connection. If there’s no match in that file, it will look into /etc/hosts.deny for another match. If it finds it, the connection will be denied. If it doesn’t find a match in either file the connection will be authorised. If both files are empty or non-existent, tcp wrappers are effectively disabled and all connections are let through.

The basic entry into these 2 files follows the pattern: “service : source: option”.

The services part can be set to either “ALL” or to a list of tcp wrapper aware services. If we want to see what binaries are linked with the libwrap.so library (tcp wrapper aware) we can quickly do so with the command:

root:/etc> strings -­f /usr/sbin/* | grep hosts_access
/usr/sbin/auditd: hosts_access
/usr/sbin/rpcbind: hosts_access
/usr/sbin/rpc.mountd: hosts_access
/usr/sbin/rpc.rquotad: hosts_access
/usr/sbin/rpc.statd: hosts_access
/usr/sbin/sshd: hosts_access

The source part can be set to a list of IPs, DNSes, networks or domains. Let’s look at some examples of entries on hosts.allow and hosts.deny to make sense of all that’s been said:

Entry                                                 Allow or denies

ALL: ALL                                          all services from all sources

ALL: server1                                    all services from the stated host

ALL: .domain.com                          all services from the stated domain

ALL: 110.12.13.14                           all services from the stated IP

ALL: 110.12.0.0/24                          all services from the stated network

ALL: 110.12.                                    same as above

ALL: 110.12.0.0/255.255.255.0       same as above

ALL: 110.12.0.0/24 EXCEPT 110.12.12.,110.12.14.    all services from 110.12.* except those originating from the 2 subnets

ALL: LOCAL                                    all services from the local network (servers whose hostname does not contain any dots)

ALL: KNOWN                                  all services from resolvable hosts

ALL: UNKNOWN                             all services from unresolvable hosts

vsftpd,sshd: LOCAL                      ssh & vsftp from the local network

sshd: /etc/ssh/ssh_sources          ssh from the sources stated in the ssh_sources file

So far it should be very straight-forward. Let’s look then at 2 very useful tricks we can use with tcp
wrappers…

If the following line is added to hosts.deny, the user, remote host and daemon whose access has been denied will be appended onto the given file. The spawn command can be used to execute any shell commands we need when the condition is met.

ALL : ALL : spawn (/bin/echo `date` %c %d >> /var/log/intruder_alert.log) &

We can achieve a similar result with the command:

ALL : ALL : severity emerg

This last command uses the default authpriv logging facility, but elevates the priority from the default value of info to emerg, which posts log messages directly to the console.

We can combine both in a single line:

ALL : ALL : spawn (/bin/echo `date` %c %d >> /var/log/intruder_alert.log) : severity emerg

 

<< ssh                           DNS client >>