amuck-landowner

Restrict Access to your Linux Server with TCP Wrappers

Roger

Member
Verified Provider
Here we'd like to demonstrate how to secure your Linux system by restricting access using TCP Wrappers (tcpd). 

 

Restricting access to your servers is a critical measure that should not be avoided when setting up your system. It will allow only those networks that you have provided to be safe to be granted access to your server's services that support TCP wrappers. We will be using Centos 6.4 64 Bits as our host operating system. Although this is a universal configuration available on most major Linux distributions.

 


TCP Wrappers work on a different way than iptables does. We must say that they are not mutually exclusive. There are some scenarios where TCP Wrappers will be more suitable to securing specific services.

 

Some key differences of TCP Wrappers and iptables are:

 

1) You use iptables command to administer the rules. firewall work at internet layer by allowing or denying access from/to a specific host which in this case using tcp/ip and tcp/udp port number.

 

2) tcpwrappers is another method of allowing or denying access to a specific service which work at application layer. There are two configuration files involve in this setup 

 

hosts.allow 

hosts.deny 

 


How to Find Out if a Program or Service Supports TCP Wrappers?

 

To determine if a service or daemon supports TCP Wrappers, you need to know the deamon/service path in order to run it against ldd. To find a deamon's path, use the whereis command followed by the daemon's name we'd like to obtain the path for, like this:

 


Code:
[root@[member="VPS"] ~]$ whereis sshd

Output:

 


Code:
sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.gz

Once you get the path from previously executed command, like the above output, you can run it against ldd in order to determine TCP Wrappers compatibility or if it has been compiled with TCP Wrappers, like this:

 


Code:
[root@[member="VPS"] ~]$ ldd /usr/sbin/sshd | grep libwrap.so

Ouput:

    

Code:
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fc5f95e0000)
If you get an output with libwrap.so included it means it is a dependency for that daemon, which in turns means it is compatible with TCP Wrappers and therefore TCP Wrappers can be used to secure that specific service.



 

The rules

 

The access lists will be validated against two files: /etc/hosts.allow and /etc/hosts.deny

 

This files require a set of rules to be included an properly formatted to match the requesting clients for access.

 

Syntax:

 


Code:
<daemon_list>: <client_list>[: <shell_command> ]

Where:

 

daemon_list — Is a collection of one or more process names or special wildcards, separated by whitespace.

client_list — Is one or more hostnames, host addresses, patterns, or wildcards, separated by whitespace, to use when a particular process name matches a requested service.

shell_command — Is an optional component that specifies something to be done in the event a rule is utilized.

 

The /etc/hosts.allow file

 

In this file you will specify the allowed hosts or complete networks. First, open up /etc/hosts.allow file with your favourite editor.

 

 


Code:
[root@[member="VPS"] ~]$ sudo vi /etc/hosts.allow

You will be presented with an output similar to this:

 


Code:
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#

You will use this file to enter the allowed networks that can connect to your Linux server. This access control language file is based on client (host name/address, user name) and server (process name, host name/address) patterns. If you need to get more information for the complete access control language, please, refer to hosts_options man page.

 

You can also get a complete list of daemon process names in the inetd configuration file. Please consider that access control software consults only two files and at the first match it will stop validation. This means that you should be careful on the order you specify your permitted networks in order not to lock yourself out. Now, lets start by entering our allowed host/network for the SSH service:

 


Code:
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: 123.123.123.1

With this configuration, access to your machine will be denied to all hosts except for the 123.123.123.1 client. This is assuming you deny all on the /etc/hosts.deny file.

 

The /etc/hosts.deny file

 

In the /etc/hosts.deny file you will specify hosts and networks to be refused access to desired services. Open up /etc/hosts.deny file with your editor.

 

 


Code:
[root@[member="VPS"] ~]$ sudo vi /etc/hosts.deny

You will be presented with an output similar to this:

 


Code:
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#

To deny access to ANY other host that is not in the /etc/hosts.allow file, you must specify the non-permitted networks or the ALL directive in the /etc/hosts.deny file as follows:

 


Code:
[root@[member="VPS"] ~]$ sudo vi /etc/hosts.allow

Output:

 


Code:
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
sshd: * 
#You could have also specify sshd: ALL

This rule will refuse access for SSH service to ALL hosts other than those in the /etc/hosts.allow access. You can use either the * symbol or the ALL directive, both means the same. In the same order you will specify one directive per line. You can add as many rules as you need. but always be careful of the order of precedence and remember that at the first rule match the access control will stop validating.

 

 

Deny access to a bigger network targeting more services.

 

Another, more complete example limiting access to SSH and FTP services could be:

 


Code:
[root@[member="VPS"] ~]$ sudo vi /etc/hosts.allow

Output:

 


Code:
#
# hosts.allow   This file contains access rules which are used to
#               allow or deny connections to network services that
#               either use the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
#hosts.allow /etc/hosts.allow file rules

#To allow a single host for SSH
sshd: 123.123.123.1
#To allow a /27 prefix for SSH
sshd: 123.123.123.0/255.255.255.224 
#To allow a /15 prefix for SSH
sshd: 123.122.0.0/255.254.0.0 
#To allow a /single host for FTP
vsftpd: 123.123.123.1 
#To allow a /27 prefix for FTP
vsftpd: 123.123.123.0/255.255.255.224         
#To allow a /15 prefix for FTP
vsftpd: 123.122.0.0/255.254.0.0

Deny access to ALL services and networks.

 

You can deny access to all services and all networks not specified in the /etc/hosts.allow file. For instance:

 


Code:
[root@[member="VPS"] ~]$ sudo vi /etc/hosts.deny

Output:

 


Code:
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
​#This refuses connections to ALL services and ALL networks:
ALL: ALL

That's it. You should now have a fully operational access control with TCP wrappers (tcpd) running on your VPS server. You can verify that your traffic is being refused or allowed access in the /var/log/secure

 


Code:
[root@[member="VPS"] ~]$ sudo cat /var/log/secure

You should see an output like this:

 

 


Code:
Oct 20 22:49:14 vps sshd[6559]: refused connect from 123.123.0.5 (123.123.0.5)
Oct 21 00:33:11 vps sshd[7136]: refused connect from 10.2.2.1 (10.2.2.1)
Oct 21 03:53:24 vps sshd[7287]: refused connect from 192.168.1.1 (192.168.1.1)
Oct 22 12:24:08 vps sshd[18548]: Accepted password for root from 123.123.123.1 port 52908 ssh2
Oct 22 12:24:08 vps sshd[18548]: pam_unix(sshd:session): session opened for user root by (uid=0)

If you want to filter the output to only show you the refused connection attempts, input the following command:

 


Code:
[root@[member="VPS"] ~]$ sudo cat /var/log/secure | grep refused

Thank you!
 
Last edited by a moderator:

thedediguy

New Member
Verified Provider
Very nice post and very long with plenty of details, thanks for sharing many will find it of use!
 
Top
amuck-landowner