Using TCP Wrappers to restrict connections

TCP Wrappers (formerly LOG_TCP) is one of the many security utilities written by Wietse Venema. It works by logging the client host name of incoming telnet, ftp, rsh, rlogin, finger etc. requests. The security options you can configure are: access control per host, domain and/or service, detection of host name spoofing or host address spoofing, and setting booby traps to implement an early-warning system.

Installing and configuring TCP wrappers

You can download TCP Wrappers from several sites; it's also built into modern versions of the inetd program and included as a standalone program called tcpd on most Solaris 9, Linux and BSD systems.

You would typically call tcpd from within inetd for the services you want it to protect. The following statements are extracted from a sample inetd.conf configuration:

- ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd
- telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
- login stream tcp nowait root /usr/sbin/tcpd in.rlogind
- finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd

Once invoked, TCP Wrappers will open the /etc/hosts/allow file, which is where you'll configure the rules governing access or otherwise for each protocol. If it finds a match, it will stop and carry out that action: otherwise it will keep searching. If no match is found, it will then look at the /etc/hosts/deny file.

Be careful here since if no match is found there either, it will then allow the requested connection to take place. For this reason it's a good idea to configure all restrictions in the allow file, and the deny one with just one line denying everything else:

ALL: ALL: RFC931 : BANNERS /usr/sbin/sec/reject :
SPAWN (/usr/sbin/sec/safe_finger -l @%h | /usr/ucb/mail -s %d-%h

The SPAWN command used for denied connections retrieves more information about the source and alerts the administrator, so manual analysis can be performed if needed. SPAWN calls the safe_finger program, part of TCP Wrapper, to initiate a finger lookup and pipe the results to a mail program. The mail program lists the requested service and the host or IP address of the connection from which it originated, so providing you with useful logs. TCP Wrapper sends logging information to the syslog daemon, which records the data in the appropriate place. It is essential that you inspect these file entries on a regular and frequent basis.

Note that the use of both /etc/hosts/allow and /etc/hosts/deny is historic, for backwards compatibility, since nowadays you can perform deny commands in effect from within the allow file.

The /etc/hosts/allow file

So what do you put in this allow file to make it do what you want? The format of the file is

daemon_list: client_host_list: option [: option…]

where daemon_list is one or more services, client_host_list is the source address-more than one can be listed here - and the options let you specify what to do, which might include sending a banner message, using ident to determine the client program, allow or deny. For example:

ALL: LOCAL RFC931: BANNERS /usr/sbin/sec/banners
in.telnetd: RFC931 : BANNERS /usr/sbin/sec/banners
in.ftpd: RFC931 : BANNERS /usr/sbin/sec/banners

Be aware that since TCP wrapper deals in IP addresses, it's vulnerable to IP spoofing. You should already be protecting your network against this (see Securing Your Routers), and you can also set TCP Wrappers in what's called 'paranoid' mode to identify this type of attack. In this case it will perform two DNS lookups, looking up both the host name for the source IP address and the IP address for the retrieved host name. If the resulting IP address does not match the actual source address, the connection is denied. Logging will also take place.

Setting traps

You can find out if anyone is trying to access your servers by setting up services in the inetd file that you don't use, logging who is trying to access them and then denying access to those services regardless of who is trying to use them (which is why you need to pick ones that you don't need). Obviously be careful that you get this configuration correct though, to avoid creating an opening into your system.

TCP Wrappers won't solve all your problems, but as a useful member of your security toolbag, it's just one more thing that a potential attacker will have to circumvent - enough perhaps to make him look elsewhere for easier pickings.

Join the newsletter!

Error: Please check your email address.

More about SEC

Show Comments

Market Place