TCP Wrappers

System administrators must be able to manage inbound and outbound network traffic and keep unwelcome visitors out. UNIX-like systems offer several tools for these tasks. TCP Wrappers is one of the oldest, and this short article gives practical examples of its use.

Network communication connects programs that listen on specific ports and wait for connection requests (these programs are called daemons). TCP Wrappers intercepts these requests before the daemons handle them and processes them according to rules that the administrator sets up in a configuration file. Based on these rules, TCP Wrappers decides whether a request is accepted, denied or modified. Daemons may, but do not have to, cooperate with TCP Wrappers; it is up to the administrator to determine which services use it. Note that TCP Wrappers works with connections made over the TCP and UDP protocols.

For a service to work with TCP Wrappers, at least two conditions must be met. First, TCP Wrappers must be enabled for the particular daemon; second, rule entries must be made for that daemon. Enabling a service to work with wrappers is most often done through an entry in the config of that service. For example, if we want VSFTPD to cooperate with TCP Wrappers, add the following entry to its config (/usr/local/etc/vsftpd.conf):

tcp_wrappers=YES

Once that is done, we can move on to the TCP Wrappers rule files, /etc/hosts.allow and /etc/hosts.deny, and write rules for handling requests to the particular service. Note that TCP Wrappers parses hosts.allow first, then hosts.deny. You do not need both files; it depends on your request assessment policy. If you decide that all traffic to some daemon should be denied except for a couple of IPs or IP ranges, use the whitelist approach (hosts.allow). Conversely, if you want the daemon to serve all clients except some IPs or ranges, use a blacklist policy and enter the unwanted stations in hosts.deny.

I could write more paragraphs describing all the directives and options of TCP Wrappers, but I prefer examples to hundreds of words. The basic structure of any rule is:

daemon : clients : options

You can find deeper explanations in the Red Hat or FreeBSD documentation pages on this topic. Here is one hosts.allow file (whitelist approach) that sets up rules for the SSH and VSFTPD daemons:

ALL : PARANOID : twist /bin/echo "Your DNS is broken. When you fix it, come back."

ALL : localhost 127.0.0.1 : allow
sshd : 192.168.1.5 : allow
vsftpd : 192.168.1.0/255.255.255.0 : allow

fingerd : ALL : spawn (echo Finger. | /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root)

ALL : ALL : severity auth.info : twist /bin/echo "You are not authorized to use %d."

Short explanation, rule by rule:
- deny any connection to ALL daemons for clients without a valid DNS record and send them a message about it
- allow any connection to ALL daemons from localhost
- allow any connection to sshd for client 192.168.1.5
- allow any connection to vsftpd for clients in 192.168.1.0/255.255.255.0
- deny ALL connections to fingerd and notify root about the attempt to finger the server
- deny ALL connections to ALL daemons and send the client that initiated the connection a message that it is not welcome

Briefly summarized: ALL connections to ALL daemons are denied, except those from localhost and those from the specified IPs to the specified services, because an incoming connection that matches none of the earlier rules falls through to the last one. If it does match a rule, that rule is applied and evaluation ends immediately.

For the settings above to take effect, check that tcp_wrappers=YES is in vsftpd.conf. SSHD is most often compiled with TCP Wrappers support by default, so we can skip this step for it. If you use inetd to manage daemons, place inetd_flags="-Ww" in /etc/rc.conf so that its services work with TCP Wrappers. Finally, the daemons must be restarted to reload their configs with the directives that enable TCP Wrappers, whereas entries in the hosts files (both .allow and .deny) take effect immediately after saving, with no need to restart the service.

If you set everything up correctly but TCP Wrappers still does not work properly, check again whether:

  1. The daemon was compiled with TCP Wrappers support
  2. TCP Wrappers was enabled in the config file of the daemon
  3. The daemon was restarted to load the new settings enabling TCP Wrappers
  4. The rules were set up correctly

IMPORTANT REMINDER! While writing the rules, keep in mind that hosts.allow is assessed before hosts.deny and that the first match of a request against the rules ends the assessment! First come, first served! Ignoring this can lead to security issues or, at the least, to TCP Wrappers rules not working properly.
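
The first-match behaviour described above, as an added example (not code from the original article or from TCP Wrappers itself): a small Python model of rule evaluation that reduces options to allow/deny, leaves out the PARANOID and fingerd rules, and treats localhost as any loopback address. SHADOWED_RULES, FIXED_RULES and the host 192.168.1.66 are constructed for illustration.

```python
import ipaddress

# Constructed rule sets in the article's "daemon : clients : option" form.
ARTICLE_RULES = """
ALL : localhost 127.0.0.1 : allow
sshd : 192.168.1.5 : allow
vsftpd : 192.168.1.0/255.255.255.0 : allow
ALL : ALL : deny
"""
# Constructed mistake: the deny for one host sits below a broader allow.
SHADOWED_RULES = """
vsftpd : 192.168.1.0/255.255.255.0 : allow
vsftpd : 192.168.1.66 : deny
ALL : ALL : deny
"""
# Corrected order: the narrower rule comes first.
FIXED_RULES = """
vsftpd : 192.168.1.66 : deny
vsftpd : 192.168.1.0/255.255.255.0 : allow
ALL : ALL : deny
"""

def client_matches(pattern, addr):
    """Match one client pattern against a client IP address (simplified)."""
    if pattern == "ALL":
        return True
    if pattern == "localhost":  # assumption: treated as any loopback address
        return ipaddress.ip_address(addr).is_loopback
    if "/" in pattern:  # net/mask form, e.g. 192.168.1.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern == addr

def evaluate(rules, daemon, addr):
    """Return (action, rule_number) for the first matching rule."""
    active = [l for l in rules.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    for number, line in enumerate(active, start=1):
        daemons, clients, action = (f.strip() for f in line.split(":", 2))
        if not any(d in ("ALL", daemon) for d in daemons.split()):
            continue
        if any(client_matches(p, addr) for p in clients.split()):
            return action, number  # first match wins; later rules are never read
    return "allow", None  # nothing matched: TCP Wrappers grants access by default

if __name__ == "__main__":
    for name, rules in (("shadowed", SHADOWED_RULES), ("fixed", FIXED_RULES)):
        print(name, evaluate(rules, "vsftpd", "192.168.1.66"))
```

In the shadowed set the deny for 192.168.1.66 is never reached because the subnet allow above it matches first; moving the narrower rule up restores the intended policy.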

© 2007-2013 alphapatrol.com