TCP Wrapper

From SysadminWiki

The TCP wrapper system controls incoming TCP connections to network services. Originally it was a standalone program, tcpd (http://www.faqs.org/docs/linux_network/x-087-2-appl.tcpd.html), that inetd invoked in place of the real server: tcpd checked the access rules, logged the connection and then executed the server. Nowadays the check is done through a library (libwrap.a, or its shared counterpart libwrap.so) linked into the network server itself (for example sshd) that the remote client contacts. xinetd is also linked against libwrap, so its services no longer need to be wrapped with tcpd.

The access control rules are contained in /etc/hosts.allow and /etc/hosts.deny. For each incoming connection the library looks for the contacted server and the client in the two files, in this order:

  • parse hosts.allow
    • a rule matches: run its shell command (if any), grant the connection and return control to the server
    • no rule matches: go on
  • parse hosts.deny
    • a rule matches: run its shell command (if any) and close the connection
    • no rule matches: go on
  • grant the connection without performing any action

The search stops at the first matching rule, so the order of the lines inside each file matters as well.

In current TCP wrappers versions there is no need for two files: the extended syntax (see below) lets a rule state allow or deny itself, so the whole policy can live in hosts.allow. hosts.deny has been kept for backward compatibility with older versions, which were less flexible.

The hosts.* syntax is quite simple:

<server_list>: <client_hosts_list>[: <shell_command>]
  • <server_list>
    • Comma or blank-space separated list of daemon names, as the server was invoked (e.g. sshd, in.telnetd, ...).
    • ALL is a wildcard that matches every server.
  • <client_hosts_list>
    • Comma or blank-space separated list of hosts.
    • Incomplete host names and IP addresses can be used as patterns.
    • Special attention goes to the use of '.': a host name preceded by a '.' (.example.com) matches every host in that domain, and an IP address followed by a '.' (192.168.) matches every address starting with that prefix. The form net/mask (192.168.1.0/255.255.255.0) is also accepted.
    • If you use host names rather than IP addresses a DNS lookup is performed on the client address; a client whose reverse lookup does not resolve back to the same address is not matched by host name patterns.
  • <shell_command>
    • Optional. These are actions performed beside granting or refusing the connection, mostly useful for further logging or checks.
    • There are two syntaxes: a classical one, where the third field is a command executed by /bin/sh, and an extended one, where the third and following fields are options such as allow, deny, spawn, twist or severity. Which one applies depends on libwrap having been compiled with the -DPROCESS_OPTIONS flag; most current distributions use the extended syntax (man 5 hosts_options).

Because hosts.allow is processed first and, when nothing matches in either file, the connection is allowed, the simplest strategy to exert some control over what you run is to concentrate all the rules in one of the two files and leave the other empty or with a single catch-all rule. The following example implements the policy "deny everything that is not explicitly allowed":

/etc/hosts.deny:
   ALL: ALL
/etc/hosts.allow:
   sshd: ALL
   portmap: <your_hosts_list>

To restrict access to sshd to your local network, change the sshd line in hosts.allow to sshd: <your_hosts_list> (for example sshd: 192.168.1.0/255.255.255.0). Note that with ALL: ALL in hosts.deny any service linked against libwrap that you forget to list in hosts.allow becomes unreachable, so check the list after installing new servers.
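As an added example (not the page's text nor the tcp_wrappers project's own code), the following Python script mirrors the hosts_access(5) lookup order described above and runs the two-file policy and its single-file extended-syntax equivalent against a few constructed clients, the way tcpdmatch would. It assumes: no DNS lookups (the host name and address are supplied by the caller); only the ALL, LOCAL, leading-dot, trailing-dot, net/mask and exact patterns are implemented (EXCEPT, daemon@host, KNOWN/UNKNOWN/PARANOID are not); and spawn/twist commands are ignored. All host names and addresses in it are made up.

```python
# Added example, not part of the page or of tcp_wrappers: a minimal
# re-implementation of the hosts_access(5) lookup order so that a policy can
# be reasoned about offline. Assumptions: no DNS lookups, no EXCEPT /
# daemon@host / KNOWN / UNKNOWN / PARANOID patterns, spawn/twist ignored.
import ipaddress


def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into (daemons, clients, options) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()  # comma or blank separated
        clients = fields[1].replace(",", " ").split()
        options = fields[2:]                           # shell command or extended options
        rules.append((daemons, clients, options))
    return rules


def client_matches(pattern, host, addr):
    """Apply one client pattern to a client (host name, address) pair."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                    # any host name without a dot
        return "." not in host
    if pattern.startswith("."):               # leading dot: domain suffix
        return host.endswith(pattern)
    if pattern.endswith("."):                 # trailing dot: network prefix
        return addr.startswith(pattern)
    if "/" in pattern:                        # net/mask or CIDR form
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern in (host, addr)            # exact host name or address


def rule_matches(rule, daemon, host, addr):
    daemons, clients, _ = rule
    return any(d in ("ALL", daemon) for d in daemons) and any(
        client_matches(p, host, addr) for p in clients)


def decide(allow_text, deny_text, daemon, host, addr):
    """Return (verdict, rule): hosts.allow first (match -> allow), then
    hosts.deny (match -> deny), then allow when nothing matches. With the
    extended syntax an explicit allow/deny option overrides the file."""
    for rules, verdict in ((parse_rules(allow_text), "allow"),
                           (parse_rules(deny_text), "deny")):
        for rule in rules:
            if rule_matches(rule, daemon, host, addr):
                explicit = [o for o in rule[2] if o in ("allow", "deny")]
                return (explicit[-1] if explicit else verdict), rule
    return "allow", None


# Constructed sample policy: "deny everything not explicitly allowed" in two files
HOSTS_DENY = "ALL: ALL\n"
HOSTS_ALLOW = """\
# sshd only from the local network and one admin host (made-up names)
sshd: 192.168.1.0/255.255.255.0, admin.example.com
portmap: 192.168.
"""
# The same policy in a single hosts.allow, using the extended allow/deny options
HOSTS_ALLOW_SINGLE = """\
sshd: 192.168.1.0/255.255.255.0, admin.example.com : allow
portmap: 192.168. : allow
ALL: ALL : deny
"""

if __name__ == "__main__":
    probes = [("sshd", "pc1.example.com", "192.168.1.20"),
              ("sshd", "scanner.example.net", "203.0.113.5"),
              ("telnetd", "pc1.example.com", "192.168.1.20"),
              ("portmap", "nfs1.example.com", "192.168.7.9")]
    for daemon, host, addr in probes:
        for label, allow, deny in (("two files", HOSTS_ALLOW, HOSTS_DENY),
                                   ("single file", HOSTS_ALLOW_SINGLE, "")):
            verdict, rule = decide(allow, deny, daemon, host, addr)
            print(f"{label:11} {daemon:8} {addr:15} -> {verdict:5} via {rule}")
```

The two layouts give the same verdict for every probe; the single-file version is the one to prefer on a libwrap built with -DPROCESS_OPTIONS, because a reader of hosts.allow then sees the complete policy, catch-all included.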

There are two utilities to check your TCP wrappers configuration. tcpdchk reads hosts.allow and hosts.deny and reports syntax errors, unresolvable host names and similar problems, but it learns the service names only from inetd.conf, so it is of limited use with xinetd or with servers that link libwrap directly. tcpdmatch simulates a connection (for example tcpdmatch sshd 192.168.1.20) and tells you which rule matches and whether access would be granted with the configuration you set up.

For further information refer to the man pages: man 5 hosts_access and man 5 hosts_options.