Softpanorama May the source be with you, but remember the KISS principle ;-)	Home	Switchboard	Unix Administration	Red Hat	TCP/IP Networks	Neoliberalism	Toxic Managers
	(slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and bastardization of classic Unix

TCP Wrappers

News	Lecture Notes	Recommended Books	Recommended Links	Configuration	inetd services
Xinetd	ssh &TCP Wrappers	Sendmail & TCP wrappers	Postfix and TCP wrappers	vsftpd & TCP Wrappers
tcpdchk	tcpdmatch	The try-from Utility	Loggings	Humor	Etc

Note:

This page was created from Dr. Nikolai Bezroukov's Lecture Notes (Partially based on O'Reilly Practical Unix Security book)

TCP wrappers is a classic security tool available on most flavors of Unix including AIX, HP-UX, Linux and Solaris). Sadly despite being a classic tool it is extremely underutilized and widely misunderstood tool.

Very few sysadmins know that TCP wrappers represents (for TCP-based protocols only) a lightweight alternative to firewall (which is actually a heavyweight, obtuse and CPU intensive tool). Some capabilities of TCP wrappers cannot be emulated using firewall.

Wikipedia describes TCP wrappers in the following way:

TCP Wrapper is a host-based Networking ACL system, used to filter network access to Internet Protocol servers on (Unix-like) operating systems such as Linux or BSD. It allows host or subnetwork IP addresses, names and/or ident query replies, to be used as tokens on which to filter for access control purposes.
The original code was written by Wietse Venema at the Eindhoven University of Technology, The Netherlands, between 1990 and 1995. As of June 1, 2001 the program is released under its own BSD-style license.

The tarball includes a library named libwrap that implements the actual functionality. Initially, only services that were spawned for each connection from a super-server (such as inetd) got wrapped, utilizing the tcpd program. However most common network service daemons today can be linked against libwrap directly. This is used by daemons that operate without being spawned from a super-server, or when a single process handles multiple connections. Otherwise, only the first connection attempt would get checked against its ACLs.

When compared to host access control directives often found in daemons' configuration files, TCP Wrappers have the benefit of runtime ACL reconfiguration (i.e. services don't have to be reloaded or restarted) and a generic approach to network administration.

This makes it easy to use for anti-Worm scripts, such as BlockHosts, DenyHosts or Fail2ban, to add and expire client-blocking rules, when excessive connections and/or many failed login attempts are encountered.

While originally written to protect TCP and UDP accepting services, examples of usage to filter on certain ICMP packets (such as 'pingd' – the userspace ping request responder) exist too

TCP Wrappers is a package developed by Wietse Venema (who also wrote the SATAN security package) at the Eindhoven University of Technology as a countermeasure against attacks on their university systems. TCP_wrappers is an IP packet filtering and network access logging facility for inetd.

Initially TCP_wrappers were used to "wrap" itself around TCP-based services defined in inetd.conf. But now many non-inetd services like ssh, sendmail and portmap are compiled with libwrap library which provides TCP Wrappers functionality. To determine if a service uses TCP wrapper use command

ldd <binary-name> | grep libwrap

For example:

# ldd /usr/sbin/vsftpd | grep libwrap
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007feff3fdd000)
# ldd /usr/sbin/sshd | grep libwrap
        libwrap.so.0 => /lib64/libwrap.so.0 (0x00007fe2fae99000)
# ldd /usr/sbin/sendmail | grep libwrap
libwrap.so.0 => /lib64/libwrap.so.0 (0x00007f174eb3d000)

Standalone implementation of TCP Wrappers is a single program called "tcpd". The behavior of the program is controlled by two configuration files. The wrapper reports the name of the client host and of the requested service; the wrapper does not exchange information with the client or server applications, and imposes no overhead on the actual conversation between the client and server applications. Optional features are: access control to restrict what systems can connect to what network daemons; client user name lookups with the RFC 931 etc. protocol; additional protection against hosts that pretend to have someone elses host name; additional protection against hosts that pretend to have someone else's host address.

TCP wrapper can limit connections to specific domain (and if you include ion the rule only the first level domain like .com, .edu, etc this prohibits connecting from a host without DNS name):

.subdomain.domain If the hostname field in the rule begins with a period (.), then this hostname field will be matched against DNS name of client that tries to connect. For success the latter should have the stated subdomain and domain

Another very useful option is PARANOID which matches any host for which double reverse-hostname/IP address translation does not match.

# Block possibly spoofed requests to sendmail:
sendmail : PARANOID : deny

When a client connects to such host, the IP address of the client is examined by TCP Wrappers. While IP addresses can be spoofed, and DNS can be hacked, this examination provides one step in a multi-layered security process to help reduce the number of malicious connections. The process works like this:

The client IP address (eg: 128.59.59.134) is determined.
The numerical address is examined to determine the hostname (eg: aloha.cc.columbia.edu).
The hostname is looked up to match the IP address obtained in step #1.

If step #3 fails, the connection is rejected. To learn more about wildcards and their associated functionality, see the hosts_access(5) manual page.

The TCP Wrappers program can log incoming connections via syslog—whether or not the actual Internet daemon provides logging. TCP Wrappers also allows different server executables to be invoked for a given service depending on the source IP address of the incoming connection.

While TCP Wrappers can be run as a standalone program, today it is most commonly used as a library (libwrap) that is linked into the inetd program. One such implementation of inetd is xinetd.

Tcp_wrappers can verify a remote hostname with its IP number before allowing a connection to be established. If a workstation's IP number and hostname do not match when checked against the DNS, tcp_wrappers will close the session before the user enters a username or password. The original tcp_wrappers work in tandem with inetd can can control all programs launched by inetd like telnet and ftp using the hosts.allow & host.deny files. If you only want trusted networks/machine to be able to start telnet, you just add them into hosts.allow and turn off everyone else with hosts.deny.

TCP wrappers can monitor and filter incoming requests for telnet, ftp, rlogin, rsh, finger, talk, and just about anything else that run out of inetd.conf. For example:

telnet stream tcp nowait root in.telnetd in.telnetd

With TCP wrappers installed the only difference that you call wrapper first with the service as a parameter:

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd

In this case the new connection has to first go through the logging and access control mechanisms enforced by tcp_wrappers before it is allowed to proceed to actual daemon. As you can see it's natural to integrate TCP wrappers into inetd and many OSes (Linux, Solaris 10) are using such version of inetd (called xinetd) by default.

Tcp_wrappers is an excellent security tool with functionality more convenient, in some respects more powerful and less intrusive than a regular firewall:

you can use the improved access logging facility provided by tcp_wrappers even for services (such as rlogin) which traditionally do not have a good logging mechanism. These logs are extremely useful in tracking unauthorized break-ins.
You can have fine-grained control over who can and cannot access Unix boxes that belong to "critical infrastructure". Access control can be enforced differently for each wrapped service. For example, you can limit Telnet access to a specific subnet but allow wide open access for FTP (with improved logging).

To determine if a client machine is allowed to connect to a service, TCP wrappers reference the following two files, which are commonly referred to as hosts access files:

/etc/hosts.allow
/etc/hosts.deny

You can use single file and include action (allow or deny as the last field of TCP wrapper configuration file directive (see above). Often this is more transparent approach as you see all directives in a single file.

If you only want trusted networks/machine to be able to start telnet, you add them into hosts.allow and turn off everyone else with hosts.deny. (There's quite an interesting article about TCP wrappers in the August 1997 edition of Linux Journal Wrap a Security Blanket Around Your Computer )

You can also limit users to ftp with the /etc/ftpusers file. Some ftp daemons can reject connections fro which there is no legit DNS name. TCP wrappers can do this too.

As for the ability to execute shutdown command, which is necessary for operators, usually the best way to achieve this is via sudo.

The tcpd program can be used with telnet, finger, ftp, exec, rsh, rlogin, tftp, talk, comsat and other services that have a one-to-one mapping onto executable files.

Operation is as follows: whenever a request for service arrives, the inetd daemon is tricked into running the tcpd program instead of the normal server. tcpd logs the request and does some additional checks. When all is well, tcpd runs the appropriate server program and goes away.

Optional features include pattern-based access control, client username lookups with the RFC 931 protocol, protection against hosts that pretend to have someone else's host name, and protection against hosts that pretend to have someone else's network address.

Package content

Sun Feb 24 21:38:16 2008 422 etc/defaults/etc/hosts.allow Sun Feb 24 21:38:16 2008 225 etc/defaults/etc/hosts.deny Sun Feb 24 21:38:17 2008 164 etc/postinstall/tcp_wrappers.sh Sun Feb 24 21:38:17 2008 365 etc/preremove/tcp_wrappers.sh Sun Feb 24 21:38:19 2008 6656 usr/sbin/safe_finger.exe Sun Feb 24 21:38:19 2008 5120 usr/sbin/tcpd.exe Sun Feb 24 21:38:19 2008 15872 usr/sbin/tcpdchk.exe Sun Feb 24 21:38:19 2008 13312 usr/sbin/tcpdmatch.exe Sun Feb 24 21:38:20 2008 5120 usr/sbin/try-from.exe Sun Feb 24 21:38:16 2008 1736 usr/share/doc/tcp_wrappers-7.6/BLURB Sun Feb 24 21:38:16 2008 19195 usr/share/doc/tcp_wrappers-7.6/CHANGES Sun Feb 24 21:38:16 2008 792 usr/share/doc/tcp_wrappers-7.6/DISCLAIMER Sun Feb 24 21:38:17 2008 48215 usr/share/doc/tcp_wrappers-7.6/README Sun Feb 24 21:38:16 2008 2002 usr/share/doc/tcp_wrappers-7.6/README.Debian Sun Feb 24 21:38:16 2008 2634 usr/share/doc/tcp_wrappers-7.6/README.IRIX Sun Feb 24 21:38:16 2008 6680 usr/share/doc/tcp_wrappers-7.6/README.NIS Sun Feb 24 21:38:17 2008 0 usr/share/doc/Cygwin/ Sun Feb 24 21:38:17 2008 4646 usr/share/doc/Cygwin/tcp_wrappers-7.6.README Sun Feb 24 21:38:17 2008 0 usr/share/man/man5/ Sun Feb 24 21:38:15 2008 6362 usr/share/man/man5/hosts_access.5.gz Sun Feb 24 21:38:15 2008 3054 usr/share/man/man5/hosts_options.5.gz Sun Feb 24 21:38:18 2008 0 usr/share/man/man8/ Sun Feb 24 21:38:15 2008 652 usr/share/man/man8/safe_finger.8.gz Sun Feb 24 21:38:15 2008 3042 usr/share/man/man8/tcpd.8.gz Sun Feb 24 21:38:15 2008 1171 usr/share/man/man8/tcpdchk.8.gz Sun Feb 24 21:38:15 2008 1415 usr/share/man/man8/tcpdmatch.8.gz Sun Feb 24 21:38:15 2008 465 usr/share/man/man8/try-from.8.gz

Utilities (tcpdchk and tcpdmatch) are included to aid writing of /etc/hosts.allow and /etc/hosts.deny files. tcpdmatch does not understand '?' syntax in /etc/inet.conf, so it may generate spurious warnings noting that optional servers were not found.

What TCP Wrappers does

The TCP Wrappers system gives the system administrator a high degree of control over incoming TCP connections. The system is invoked after a remote host connects to your computer. It is invoked either through a subroutine library that is linked into the Internet server or through a standalone program started up through inetd. Once running, the TCP Wrappers system performs the following steps:

It opens the /etc/hosts.allow file. This file contains access control rules and actions for each protocol.
It scans through the file, line by line, until it finds a rule that matches the particular protocol and source host that has connected to the server.
It executes the action(s) specified in the rule. If appropriate, control is then turned over to the network server.
If no matching action is found, the file /etc/hosts.deny is opened and sequentially read line by line. If a matching line is found, access is denied and the corresponding action performed.
If no match is found in either the /etc/hosts.allow or the /etc/hosts.deny file, then the connection is allowed by default.

The complexity of having two two files can be lessened by using mainly /etc/hosts.allow .

Your /etc/hosts.deny can contain only a single rule "ALL:ALL" to deny all access by default. Keeping all the rules in a single file simplifies maintenance. Using /etc/hosts.allow, which has priority over /etc/hosts.deny, ensures that if someone else accidentally modifies the wrong file, it won't override your rules.

The actions implemented by TCP Wrappers are quite sophisticated:

Compare the incoming hostname and requested service with an access control list to see if this host or this combination of host and service has been explicitly denied. If either is denied, TCP Wrappers drops the connection.
Log the results with syslog.
Use the ident protocol (RFC 1413) to determine the username associated with the incoming connection. RFC 1413 superseded RFC 931, but the define in the code has not changed.
Optionally send a "banner" to the connecting client. Banners are useful for displaying legal messages or advisories.
Optionally run an auxiliary command. (For example, you can have TCP Wrappers run finger to get a list of users on a computer that is trying to contact yours.)
Perform a double reverse lookup of the IP address, making sure that the DNS entries for the IP address and hostname match. If they do not, this fact is logged. (By default, TCP Wrappers is compiled with the -DPARANOID option, so the program will automatically drop the incoming connection if the two do not match under the assumption that something somewhere is being hacked.)
Pass control of the connection to the "real" network daemon, or pass control to some other program that can take further action.

The TCP Wrappers system allows you to make up for many deficiencies in other network daemons. You can add logging to services that are not otherwise logged, add sophisticated and easily changeable access control lists, and even substitute different versions of a service daemon depending on the calling host. These are some of the reasons that the TCP Wrappers system has become standard on both free and commercial Unix offerings in recent years.

42.5. TCP Wrappers and xinetd

The TCP Wrappers package (tcp_wrappers) is installed by default and provides host-based access control to network services. The most important component within the package is the /usr/lib/libwrap.a library. In general terms, a TCP-wrapped service is one that has been compiled against the libwrap.a library.

When a connection attempt is made to a TCP-wrapped service, the service first references the host's access files (/etc/hosts.allow and /etc/hosts.deny) to determine whether or not the client is allowed to connect. In most cases, it then uses the syslog daemon (syslogd) to write the name of the requesting client and the requested service to /var/log/secure or /var/log/messages.

If a client is allowed to connect, TCP Wrappers release control of the connection to the requested service and take no further part in the communication between the client and the server.

In addition to access control and logging, TCP Wrappers can execute commands to interact with the client before denying or releasing control of the connection to the requested network service.

Because TCP Wrappers are a valuable addition to any server administrator's arsenal of security tools, most network services within Red Hat Enterprise Linux are linked to the libwrap.a library. Some such applications include /usr/sbin/sshd, /usr/sbin/sendmail, and /usr/sbin/xinetd.

Note

To determine if a network service binary is linked to libwrap.a, type the following command as the root user:
ldd <binary-name> | grep libwrap
Replace <binary-name> with the name of the network service binary.

If the command returns straight to the prompt with no output, then the network service is not linked to libwrap.a.

The following example indicates that /usr/sbin/sshd is linked to libwrap.a:
[root@myserver ~]# ldd /usr/sbin/sshd | grep libwrap
        libwrap.so.0 => /usr/lib/libwrap.so.0 (0x00655000)
[root@myserver ~]#
Advantages of TCP Wrappers

TCP Wrappers provide the following advantages over other network service control techniques:

Transparency to both the client and the wrapped network service — Both the connecting client and the wrapped network service are unaware that TCP Wrappers are in use. Legitimate users are logged and connected to the requested service while connections from banned clients fail.

Centralized management of multiple protocols — TCP Wrappers operate separately from the network services they protect, allowing many server applications to share a common set of access control configuration files, making for simpler management.

TCP Wrappers Configuration Files

To determine if a client is allowed to connect to a service, TCP Wrappers reference the following two files, which are commonly referred to as hosts access files:

/etc/hosts.allow

/etc/hosts.deny

When a TCP-wrapped service receives a client request, it performs the following steps:

It references /etc/hosts.allow. — The TCP-wrapped service sequentially parses the /etc/hosts.allow file and applies the first rule specified for that service. If it finds a matching rule, it allows the connection. If not, it moves on to the next step.

It references /etc/hosts.deny. — The TCP-wrapped service sequentially parses the /etc/hosts.deny file. If it finds a matching rule, it denies the connection. If not, it grants access to the service.

The following are important points to consider when using TCP Wrappers to protect network services:

Because access rules in hosts.allow are applied first, they take precedence over rules specified in hosts.deny. Therefore, if access to a service is allowed in hosts.allow, a rule denying access to that same service in hosts.deny is ignored.

The rules in each file are read from the top down and the first matching rule for a given service is the only one applied. The order of the rules is extremely important.

If no rules for the service are found in either file, or if neither file exists, access to the service is granted.

TCP-wrapped services do not cache the rules from the hosts access files, so any changes to hosts.allow or hosts.deny take effect immediately, without restarting network services.

Warning

If the last line of a hosts access file is not a newline character (created by pressing the Enter key), the last rule in the file fails and an error is logged to either /var/log/messages or /var/log/secure. This is also the case for a rule that spans multiple lines without using the backslash character. The following example illustrates the relevant portion of a log message for a rule failure due to either of these circumstances:
warning: /etc/hosts.allow, line 20: missing newline or line too long
Formatting Access Rules

The format for both /etc/hosts.allow and /etc/hosts.deny is identical. Each rule must be on its own line. Blank lines or lines that start with a hash (#) are ignored.

Each rule uses the following basic format to control access to network services:
<daemon list>: <client list> [: <option>: <option>: ...]
<daemon list> — A comma-separated list of process names (not service names) or the ALL wildcard. The daemon list also accepts operators (refer to Section 42.5.2.1.4, “Operators”) to allow greater flexibility.

<client list> — A comma-separated list of hostnames, host IP addresses, special patterns, or wildcards which identify the hosts affected by the rule. The client list also accepts operators listed in Section 42.5.2.1.4, “Operators” to allow greater flexibility.

<option> — An optional action or colon-separated list of actions performed when the rule is triggered. Option fields support expansions, launch shell commands, allow or deny access, and alter logging behavior.

More information on the specialist terms above can be found elsewhere in this Guide:

Section 42.5.2.1.1, “Wildcards”

Section 42.5.2.1.2, “Patterns”

Section 42.5.2.2.4, “Expansions”

Section 42.5.2.2, “Option Fields”

The following is a basic sample hosts access rule:
vsftpd : .example.com
This rule instructs TCP Wrappers to watch for connections to the FTP daemon (vsftpd) from any host in the example.com domain. If this rule appears in hosts.allow, the connection is accepted. If this rule appears in hosts.deny, the connection is rejected.

The next sample hosts access rule is more complex and uses two option fields:
sshd : .example.com  \ : spawn /bin/echo `/bin/date` access denied>>/var/log/sshd.log \ : deny
Note that each option field is preceded by the backslash (\). Use of the backslash prevents failure of the rule due to length.

This sample rule states that if a connection to the SSH daemon (sshd) is attempted from a host in the example.com domain, execute the echo command to append the attempt to a special log file, and deny the connection. Because the optional deny directive is used, this line denies access even if it appears in the hosts.allow file. Refer to Section 42.5.2.2, “Option Fields” for a more detailed look at available options.

Wildcards

Wildcards allow TCP Wrappers to more easily match groups of daemons or hosts. They are used most frequently in the client list field of access rules.

The following wildcards are available:

ALL — Matches everything. It can be used for both the daemon list and the client list.

LOCAL — [DNS dependent] Matches any host that does not contain a period (.), such as localhost.

KNOWN — [DNS dependent] Matches any host where the hostname and host address are known or where the user is known.

UNKNOWN — [DNS dependent] Matches any host where the hostname or host address are unknown or where the user is unknown.

PARANOID — [DNS dependent] Matches any host where the hostname does not match the host address.

Caution

The KNOWN, UNKNOWN, and PARANOID wildcards should be used with care, because they rely on functioning DNS server for correct operation. Any disruption to name resolution may prevent legitimate users from gaining access to a service.

Patterns

Patterns can be used in the client field of access rules to more precisely specify groups of client hosts.

The following is a list of common patterns for entries in the client field:
Hostname beginning with a period (.) — Placing a period at the beginning of a hostname matches all hosts sharing the listed components of the name. The following example applies to any host within the example.com domain:
ALL : .example.com
IP address ending with a period (.) — Placing a period at the end of an IP address matches all hosts sharing the initial numeric groups of an IP address. The following example applies to any host within the 192.168.x.x network:
ALL : 192.168.
IP address/netmask pair — Netmask expressions can also be used as a pattern to control access to a particular group of IP addresses. The following example applies to any host with an address range of 192.168.0.0 through 192.168.1.255:
ALL : 192.168.0.0/255.255.254.0
Important

When working in the IPv4 address space, the address/prefix length (prefixlen) pair declarations (CIDR notation) are not supported. Only IPv6 rules can use this format.
[IPv6 address]/prefixlen pair — [net]/prefixlen pairs can also be used as a pattern to control access to a particular group of IPv6 addresses. The following example would apply to any host with an address range of 3ffe:505:2:1:: through 3ffe:505:2:1:ffff:ffff:ffff:ffff:
ALL : [3ffe:505:2:1::]/64
The asterisk (*) — Asterisks can be used to match entire groups of hostnames or IP addresses, as long as they are not mixed in a client list containing other types of patterns. The following example would apply to any host within the example.com domain:
ALL : *.example.com
The slash (/) — If a client list begins with a slash, it is treated as a file name. This is useful if rules specifying large numbers of hosts are necessary. The following example refers TCP Wrappers to the /etc/telnet.hosts file for all Telnet connections:
in.telnetd : /etc/telnet.hosts
Other, lesser used, patterns are also accepted by TCP Wrappers. Refer to the hosts_access man 5 page for more information.

Warning

Be very careful when using hostnames and domain names. Attackers can use a variety of tricks to circumvent accurate name resolution. In addition, disruption to DNS service prevents even authorized users from using network services. It is, therefore, best to use IP addresses whenever possible.

Portmap and TCP Wrappers

Portmap's implementation of TCP Wrappers does not support host look-ups, which means portmap can not use hostnames to identify hosts. Consequently, access control rules for portmap in hosts.allow or hosts.deny must use IP addresses, or the keyword ALL, for specifying hosts.

Changes to portmap access control rules may not take effect immediately. You may need to restart the portmap service.

Widely used services, such as NIS and NFS, depend on portmap to operate, so be aware of these limitations.

Operators

At present, access control rules accept one operator, EXCEPT. It can be used in both the daemon list and the client list of a rule.

The EXCEPT operator allows specific exceptions to broader matches within the same rule.

In the following example from a hosts.allow file, all example.com hosts are allowed to connect to all services except cracker.example.com:
ALL: .example.com EXCEPT cracker.example.com
In another example from a hosts.allow file, clients from the 192.168.0.x network can use all services except for FTP:
ALL EXCEPT vsftpd: 192.168.0.
Note

Organizationally, it is often easier to avoid using EXCEPT operators. This allows other administrators to quickly scan the appropriate files to see what hosts are allowed or denied access to services, without having to sort through EXCEPT operators.

Option Fields

In addition to basic rules that allow and deny access, the Red Hat Enterprise Linux implementation of TCP Wrappers supports extensions to the access control language through option fields. By using option fields in hosts access rules, administrators can accomplish a variety of tasks such as altering log behavior, consolidating access control, and launching shell commands.

Logging

Option fields let administrators easily change the log facility and priority level for a rule by using the severity directive.

In the following example, connections to the SSH daemon from any host in the example.com domain are logged to the default authpriv syslog facility (because no facility value is specified) with a priority of emerg:
sshd : .example.com : severity emerg
It is also possible to specify a facility using the severity option. The following example logs any SSH connection attempts by hosts from the example.com domain to the local0 facility with a priority of alert:
sshd : .example.com : severity local0.alert
Note: In practice, this example does not work until the syslog daemon (syslogd) is configured to log to the local0 facility. Refer to the syslog.conf man page for information about configuring custom log facilities.

Access Control

Option fields also allow administrators to explicitly allow or deny hosts in a single rule by adding the allow or deny directive as the final option.

For example, the following two rules allow SSH connections from client-1.example.com, but deny connections from client-2.example.com:
sshd : client-1.example.com : allow
sshd : client-2.example.com : deny
By allowing access control on a per-rule basis, the option field allows administrators to consolidate all access rules into a single file: either hosts.allow or hosts.deny. Some administrators consider this an easier way of organizing access rules.

Shell Commands

Option fields allow access rules to launch shell commands through the following two directives:
spawn — Launches a shell command as a child process. This directive can perform tasks like using /usr/sbin/safe_finger to get more information about the requesting client or create special log files using the echo command.
In the following example, clients attempting to access Telnet services from the example.com domain are quietly logged to a special file:
in.telnetd : .example.com \
	: spawn /bin/echo `/bin/date` from %h>>/var/log/telnet.log \
	: allow
twist — Replaces the requested service with the specified command. This directive is often used to set up traps for intruders (also called "honey pots"). It can also be used to send messages to connecting clients. The twist directive must occur at the end of the rule line.
In the following example, clients attempting to access FTP services from the example.com domain are sent a message using the echo command:
vsftpd : .example.com \
	: twist /bin/echo "421 This domain has been black-listed. Access denied!"
For more information about shell command options, refer to the hosts_options man page.

Expansions

Expansions, when used in conjunction with the spawn and twist directives, provide information about the client, server, and processes involved.

The following is a list of supported expansions:

%a — Returns the client's IP address.

%A — Returns the server's IP address.

%c — Returns a variety of client information, such as the username and hostname, or the username and IP address.

%d — Returns the daemon process name.

%h — Returns the client's hostname (or IP address, if the hostname is unavailable).

%H — Returns the server's hostname (or IP address, if the hostname is unavailable).

%n — Returns the client's hostname. If unavailable, unknown is printed. If the client's hostname and host address do not match, paranoid is printed.

%N — Returns the server's hostname. If unavailable, unknown is printed. If the server's hostname and host address do not match, paranoid is printed.

%p — Returns the daemon's process ID.

%s —Returns various types of server information, such as the daemon process and the host or IP address of the server.

%u — Returns the client's username. If unavailable, unknown is printed.

The following sample rule uses an expansion in conjunction with the spawn command to identify the client host in a customized log file.

When connections to the SSH daemon (sshd) are attempted from a host in the example.com domain, execute the echo command to log the attempt, including the client hostname (by using the %h expansion), to a special file:
sshd : .example.com  \
	: spawn /bin/echo `/bin/date` access denied to %h>>/var/log/sshd.log \
	: deny
Similarly, expansions can be used to personalize messages back to the client. In the following example, clients attempting to access FTP services from the example.com domain are informed that they have been banned from the server:
vsftpd : .example.com \
: twist /bin/echo "421 %h has been banned from this server!"
For a full explanation of available expansions, as well as additional access control options, refer to section 5 of the man pages for hosts_access (man 5 hosts_access) and the man page for hosts_options.

Refer to Section 42.5.5, “Additional Resources” for more information about TCP Wrappers.

xinetd

The xinetd daemon is a TCP-wrapped super service which controls access to a subset of popular network services, including FTP, IMAP, and Telnet. It also provides service-specific configuration options for access control, enhanced logging, binding, redirection, and resource utilization control.

When a client attempts to connect to a network service controlled by xinetd, the super service receives the request and checks for any TCP Wrappers access control rules.

If access is allowed, xinetd verifies that the connection is allowed under its own access rules for that service. It also checks that the service can have more resources allotted to it and that it is not in breach of any defined rules.

If all these conditions are met (that is, access is allowed to the service; the service has not reached its resource limit; and the service is not in breach of any defined rule), xinetd then starts an instance of the requested service and passes control of the connection to it. After the connection has been established, xinetd takes no further part in the communication between the client and the server.

xinetd Configuration Files

The configuration files for xinetd are as follows:

/etc/xinetd.conf — The global xinetd configuration file.

/etc/xinetd.d/ — The directory containing all service-specific files.

The /etc/xinetd.conf File

The /etc/xinetd.conf file contains general configuration settings which affect every service under xinetd's control. It is read when the xinetd service is first started, so for configuration changes to take effect, you need to restart the xinetd service. The following is a sample /etc/xinetd.conf file:
defaults
{
         instances               = 60        
	 log_type                = SYSLOG	authpriv
	 log_on_success          = HOST PID
	 log_on_failure          = HOST
	 cps                     = 25 30
}
includedir /etc/xinetd.d
These lines control the following aspects of xinetd:

instances — Specifies the maximum number of simultaneous requests that xinetd can process.

log_type — Configures xinetd to use the authpriv log facility, which writes log entries to the /var/log/secure file. Adding a directive such as FILE /var/log/xinetdlog would create a custom log file called xinetdlog in the /var/log/ directory.

log_on_success — Configures xinetd to log successful connection attempts. By default, the remote host's IP address and the process ID of the server processing the request are recorded.

log_on_failure — Configures xinetd to log failed connection attempts or if the connection was denied.

cps — Configures xinetd to allow no more than 25 connections per second to any given service. If this limit is exceeded, the service is retired for 30 seconds.

includedir /etc/xinetd.d/ — Includes options declared in the service-specific configuration files located in the /etc/xinetd.d/ directory. Refer to Section 42.5.4.2, “The /etc/xinetd.d/ Directory” for more information.

Note

Often, both the log_on_success and log_on_failure settings in /etc/xinetd.conf are further modified in the service-specific configuration files. More information may therefore appear in a given service's log file than the /etc/xinetd.conf file may indicate. Refer to Section 42.5.4.3.1, “Logging Options” for further information.

The /etc/xinetd.d/ Directory

The /etc/xinetd.d/ directory contains the configuration files for each service managed by xinetd and the names of the files correlate to the service. As with xinetd.conf, this directory is read only when the xinetd service is started. For any changes to take effect, the administrator must restart the xinetd service.

The format of files in the /etc/xinetd.d/ directory use the same conventions as /etc/xinetd.conf. The primary reason the configuration for each service is stored in a separate file is to make customization easier and less likely to affect other services.

To gain an understanding of how these files are structured, consider the /etc/xinetd.d/krb5-telnet file:
service telnet
{
         flags           = REUSE
	 socket_type     = stream
	 wait            = no
	 user            = root
	 server          = /usr/kerberos/sbin/telnetd
	 log_on_failure  += USERID
	 disable         = yes
}
These lines control various aspects of the telnet service:

service — Specifies the service name, usually one of those listed in the /etc/services file.

flags — Sets any of a number of attributes for the connection. REUSE instructs xinetd to reuse the socket for a Telnet connection.

Note

The REUSE flag is deprecated. All services now implicitly use the REUSE flag.

socket_type — Sets the network socket type to stream.

wait — Specifies whether the service is single-threaded (yes) or multi-threaded (no).

user — Specifies which user ID the process runs under.

server — Specifies which binary executable to launch.

log_on_failure — Specifies logging parameters for log_on_failure in addition to those already defined in xinetd.conf.

disable — Specifies whether the service is disabled (yes) or enabled (no).

Refer to the xinetd.conf man page for more information about these options and their usage.

Altering xinetd Configuration Files

A range of directives is available for services protected by xinetd. This section highlights some of the more commonly used options.

Logging Options

The following logging options are available for both /etc/xinetd.conf and the service-specific configuration files within the /etc/xinetd.d/ directory.

The following is a list of some of the more commonly used logging options:

ATTEMPT — Logs the fact that a failed attempt was made (log_on_failure).

DURATION — Logs the length of time the service is used by a remote system (log_on_success).

EXIT — Logs the exit status or termination signal of the service (log_on_success).

HOST — Logs the remote host's IP address (log_on_failure and log_on_success).

PID — Logs the process ID of the server receiving the request (log_on_success).

USERID — Logs the remote user using the method defined in RFC 1413 for all multi-threaded stream services (log_on_failure andlog_on_success).

For a complete list of logging options, refer to the xinetd.conf man page.

Access Control Options

Users of xinetd services can choose to use the TCP Wrappers hosts access rules, provide access control via the xinetd configuration files, or a mixture of both. Refer to Section 42.5.2, “TCP Wrappers Configuration Files” for more information about TCP Wrappers hosts access control files.

This section discusses using xinetd to control access to services.

Note

Unlike TCP Wrappers, changes to access control only take effect if the xinetd administrator restarts the xinetd service.

Also, unlike TCP Wrappers, access control through xinetd only affects services controlled by xinetd.

The xinetd hosts access control differs from the method used by TCP Wrappers. While TCP Wrappers places all of the access configuration within two files, /etc/hosts.allow and /etc/hosts.deny, xinetd's access control is found in each service's configuration file in the /etc/xinetd.d/ directory.

The following hosts access options are supported by xinetd:

only_from — Allows only the specified hosts to use the service.

no_access — Blocks listed hosts from using the service.

access_times — Specifies the time range when a particular service may be used. The time range must be stated in 24-hour format notation, HH:MM-HH:MM.

The only_from and no_access options can use a list of IP addresses or host names, or can specify an entire network. Like TCP Wrappers, combining xinetd access control with the enhanced logging configuration can increase security by blocking requests from banned hosts while verbosely recording each connection attempt.

For example, the following /etc/xinetd.d/telnet file can be used to block Telnet access from a particular network group and restrict the overall time range that even allowed users can log in:
service telnet
{
         disable         = no
	 flags           = REUSE
	 socket_type     = stream
	 wait            = no
	 user            = root
	 server          = /usr/kerberos/sbin/telnetd
	 log_on_failure  += USERID
	 no_access       = 172.16.45.0/24
	 log_on_success  += PID HOST EXIT
	 access_times    = 09:45-16:15
}
In this example, when a client system from the 10.0.1.0/24 network, such as 10.0.1.2, tries to access the Telnet service, it receives the following message:
Connection closed by foreign host.
In addition, their login attempts are logged in /var/log/messages as follows:
Sep  7 14:58:33 localhost xinetd[5285]: FAIL: telnet address from=172.16.45.107
Sep  7 14:58:33 localhost xinetd[5283]: START: telnet pid=5285 from=172.16.45.107
Sep  7 14:58:33 localhost xinetd[5283]: EXIT: telnet status=0 pid=5285 duration=0(sec)
When using TCP Wrappers in conjunction with xinetd access controls, it is important to understand the relationship between the two access control mechanisms.

The following is the sequence of events followed by xinetd when a client requests a connection:

The xinetd daemon accesses the TCP Wrappers hosts access rules using a libwrap.a library call. If a deny rule matches the client, the connection is dropped. If an allow rule matches the client, the connection is passed to xinetd.

The xinetd daemon checks its own access control rules both for the xinetd service and the requested service. If a deny rule matches the client, the connection is dropped. Otherwise, xinetd starts an instance of the requested service and passes control of the connection to that service.

Important

Care should be taken when using TCP Wrappers access controls in conjunction with xinetd access controls. Misconfiguration can cause undesirable effects.

Binding and Redirection Options

The service configuration files for xinetd support binding the service to an IP address and redirecting incoming requests for that service to another IP address, hostname, or port.

Binding is controlled with the bind option in the service-specific configuration files and links the service to one IP address on the system. When this is configured, the bind option only allows requests to the correct IP address to access the service. You can use this method to bind different services to different network interfaces based on requirements.

This is particularly useful for systems with multiple network adapters or with multiple IP addresses. On such a system, insecure services (for example, Telnet), can be configured to listen only on the interface connected to a private network and not to the interface connected to the Internet.

The redirect option accepts an IP address or hostname followed by a port number. It configures the service to redirect any requests for this service to the specified host and port number. This feature can be used to point to another port number on the same system, redirect the request to a different IP address on the same machine, shift the request to a totally different system and port number, or any combination of these options. A user connecting to a certain service on a system may therefore be rerouted to another system without disruption.

The xinetd daemon is able to accomplish this redirection by spawning a process that stays alive for the duration of the connection between the requesting client machine and the host actually providing the service, transferring data between the two systems.

The advantages of the bind and redirect options are most clearly evident when they are used together. By binding a service to a particular IP address on a system and then redirecting requests for this service to a second machine that only the first machine can see, an internal system can be used to provide services for a totally different network. Alternatively, these options can be used to limit the exposure of a particular service on a multi-homed machine to a known IP address, as well as redirect any requests for that service to another machine especially configured for that purpose.

For example, consider a system that is used as a firewall with this setting for its Telnet service:
service telnet
{
         socket_type		= stream
	 wait			= no
	 server			= /usr/kerberos/sbin/telnetd
	 log_on_success		+= DURATION USERID
	 log_on_failure		+= USERID
	 bind                    = 123.123.123.123
	 redirect                = 10.0.1.13 23
}
The bind and redirect options in this file ensure that the Telnet service on the machine is bound to the external IP address (123.123.123.123), the one facing the Internet. In addition, any requests for Telnet service sent to 123.123.123.123 are redirected via a second network adapter to an internal IP address (10.0.1.13) that only the firewall and internal systems can access. The firewall then sends the communication between the two systems, and the connecting system thinks it is connected to 123.123.123.123 when it is actually connected to a different machine.

This feature is particularly useful for users with broadband connections and only one fixed IP address. When using Network Address Translation (NAT), the systems behind the gateway machine, which are using internal-only IP addresses, are not available from outside the gateway system. However, when certain services controlled by xinetd are configured with the bind and redirect options, the gateway machine can act as a proxy between outside systems and a particular internal machine configured to provide the service. In addition, the various xinetd access control and logging options are also available for additional protection.

Resource Management Options

The xinetd daemon can add a basic level of protection from Denial of Service (DoS) attacks. The following is a list of directives which can aid in limiting the effectiveness of such attacks:

per_source — Defines the maximum number of instances for a service per source IP address. It accepts only integers as an argument and can be used in both xinetd.conf and in the service-specific configuration files in the xinetd.d/ directory.

cps — Defines the maximum number of connections per second. This directive takes two integer arguments separated by white space. The first argument is the maximum number of connections allowed to the service per second. The second argument is the number of seconds that xinetd must wait before re-enabling the service. It accepts only integers as arguments and can be used in either the xinetd.conf file or the service-specific configuration files in the xinetd.d/ directory.

max_load — Defines the CPU usage or load average threshold for a service. It accepts a floating point number argument.
The load average is a rough measure of how many processes are active at a given time. See the uptime, who, and procinfo commands for more information about load average.

There are more resource management options available for xinetd. Refer to the xinetd.conf man page for more information.

Additional Resources

More information about TCP Wrappers and xinetd is available from system documentation and on the Internet.

Installed Documentation

The documentation on your system is a good place to start looking for additional configuration options for TCP Wrappers, xinetd, and access control.

/usr/share/doc/tcp_wrappers-<version>/ — This directory contains a README file that discusses how TCP Wrappers work and the various hostname and host address spoofing risks that exist.

/usr/share/doc/xinetd-<version>/ — This directory contains a README file that discusses aspects of access control and a sample.conf file with various ideas for modifying service-specific configuration files in the /etc/xinetd.d/ directory.

TCP Wrappers and xinetd-related man pages — A number of man pages exist for the various applications and configuration files involved with TCP Wrappers and xinetd. The following are some of the more important man pages:

Server Applications

man xinetd — The man page for xinetd.

Configuration Files

man 5 hosts_access — The man page for the TCP Wrappers hosts access control files.

man hosts_options — The man page for the TCP Wrappers options fields.

man xinetd.conf — The man page listing xinetd configuration options.

Useful Websites

http://www.xinetd.org/ — The home of xinetd, containing sample configuration files, a full listing of features, and an informative FAQ.

xinetd sample config

lf175, System Administration xinetd

Top Visited <p>Your browser does not support iframes.</p>					Switchboard
					Latest
					Past week
					Past month

NEWS CONTENTS

20111029 : TCP Wrappers ( TCP Wrappers, Oct 29, 2011 )
20111029 : Release Notes ( )
20111028 : TCP Wrappers Configuration Files ( ef12517-2.tu-sofia.bg )
20111028 : Using TCP Wrappers to secure Linux All about Linux ( linuxhelp.blogspot.com )
20111028 : Enabling TCP Wrappers on Solaris 10 ( Glenn Brunette's Security Weblog )
20111028 : Securing your network: An introduction to TCP wrappers by Paul Dunne ( Securing your network: An introduction to TCP wrappers, )
20111028 : Linux.com TCP Wrappers for Security by Michael J. Wise ( Linux.com TCP Wrappers for Security, )
20060604 : Glenn Brunettes Security Weblog/ Enabling TCP Wrappers on Solaris 10 ( Glenn Brunette's Security Weblog/ Enabling TCP Wrappers on Solaris 10, Jun 4, 2006 )
20060604 : TCP Wrappers and xinetd ( TCP Wrappers and xinetd, )
20060604 : Network monitoring, access control & booby traps using TCP Wrappers Part 1 ( Network monitoring, access control & booby traps using TCP Wrappers Part 1, )
20050107 : BigAdmin - Submitted Tech Tip Enabling TCP Wrappers in the Solaris 10 Operating System ( BigAdmin - Submitted Tech Tip Enabling TCP Wrappers in the Solaris 10 Operating System, Jan 7, 2005 )
20050107 : Installing, configuring, and using tcp wrapper to log unauthorized connection attempts on systems running Solaris 2.x ( Installing, configuring, and using tcp wrapper to log unauthorized connection attempts on systems running Solaris 2.x, )
20050107 : Installing TCP Wrappers on Solaris 7 ( Installing TCP Wrappers on Solaris 7, )
20040907 : BigAdmin - Submitted Tech Tip Configuring TCP Wrappers for the Solaris Operating System ( BigAdmin - Submitted Tech Tip Configuring TCP Wrappers for the Solaris Operating System, Sep 7, 2004 )
20040907 : The Linux Gazette 56 The Answer Gang (TWDT) ( The Linux Gazette 56 The Answer Gang (TWDT), )

Old News ;-)

[Oct 29, 2011] TCP Wrappers

The TCP Wrappers product suite provides an enhanced security mechanism for services spawned by the Internet services daemon, inetd. TCP Wrappers is available on HP-UX 11i platform as a web upgrade. Please visit www.docs.hp.com for related product documentation.
Whenever a connection is established with inetd for a service, inetd runs tcpd, the wrapper program instead of running the service program directly. On inception, tcpd will perform some access control checks and execute the desired service program.

tcpd offers the following features:

- Complete Access control.
- Checks against host name / address spoofing.
- RFC931 lookup for remote user who owns the connection.
- Support for services that use XTI as well as sockets.
- Setting Traps
- Banner Messages.
The product suite also contains the utility programs : tcpdmatch, tcpdchk, try-from, and safe_finger.
It also contains a library, libwrap.a which has the host access control functions in it.
With TCP Wrappers, you can:

monitor incoming requests for Internet Services

control access to services spawned by inetd

enforce access control in stand-alone daemon programs

predict how TCP Wrapper would handle a specific request for a service

check the wrapper's behaviour from a remote shell

Useful Information
The following are the components of the TCP Wrappers software depot:

/usr/lbin/tcpd TCP Wrappers daemon program.

/usr/lib/libwrap.a TCP Wrappers library containing access control APIs, using /etc/hosts.allow and /etc/hosts.deny.

/usr/include/tcpd.h Header file for libwrap.a.

/usr/bin/tcpdchk Tool to examine the validity of configuration file entries.

/usr/bin/tcpdmatch Tool to simulate the Wrappers daemon program's i.e., tcpd's behaviour for a particular host and for a particular service.

/usr/bin/try-from A utility program that can be invoked from a remote shell to get connection end-points' information.

/usr/bin/safe_finger A secure finger client program.

/usr/newconfig/etc/tcpd.conf A sample configuration file for the TCP Wrappers daemon program.

/usr/newconfig/etc/hosts.allow A sample ACL file to specify hosts to be allowed.

/usr/newconfig/etc/hosts.deny A sample ACL file to specify hosts to be denied.

/usr/share/doc/TCPWRAP-RelNotes.pdf A detailed Release Notes explaining the features supported in this release.

The following product documentation is available with this release of TCP Wrappers:

Man Pages

tcpd(1M)

tcpdmatch(1)

tcpdchk(1)

hosts_access(3)

hosts_access(5)

hosts_options(5)

tcpd.conf(4)

try-from(1)

Release Notes
The Release Notes is also available at,
http://www.docs.hp.com/hpux/netcom/index.html#Internet%20Services.

Additional product information

Version: -

Software specification: Workstation/Server, HP-UX11.11

[Oct 28, 2011] TCP Wrappers Configuration Files

ef12517-2.tu-sofia.bg

Wildcards allow TCP wrappers to more easily match groups of daemons or hosts. They are used most frequently in the client list field of access rules.

The following wildcards may be used:

ALL - Matches everything. It can be used for both the daemon list and the client list.

LOCAL - Matches any host that does not contain a period (.), such as localhost.

KNOWN - Matches any host where the hostname and host address are known or where the user is known.

UNKNOWN - Matches any host where the hostname or host address are unknown or where the user is unknown.

PARANOID - Matches any host where the hostname does not match the host address.

Caution: The KNOWN, UNKNOWN, and PARANOID wildcards should be used with care as a disruption in name resolution may prevent legitimate users from gaining access to a service.

[Oct 28, 2011] Using TCP Wrappers to secure Linux All about Linux

linuxhelp.blogspot.com

Wildcards

You can use wildcards in the client section of the rule to broadly classify a set of hosts. These are the valid wildcards that can be used.

ALL - Matches everything

LOCAL - Matches any host that does not contain a dot (.) like localhost.

KNOWN - Matches any host where the hostname and host addresses are known or where the user is known.

UNKNOWN - Matches any host where the hostname or host address are unknown or where the user is unknown.

PARANOID - Matches any host where the hostname does not match the host address.

Patterns
You can also use patterns in the client section of the rule . Some examples are as follows:
ALL : .xyz.com
Matches all hosts in the xyz.com domain . Note the dot (.) at the beginning.
ALL : 123.12.
Matches all the hosts in the 123.12.0.0 network. Note the dot (.) in the end of the rule.
ALL : 192.168.0.1/255.255.255.0
IP address/Netmask can be used in the rule.
ALL : *.xyz.com
Asterisk * matches entire groups of hostnames or IP addresses.
sshd : /etc/sshd.deny
If the client list begins with a slash (/), it is treated as a filename. In the above rule, TCP wrappers looks up the file sshd.deny for all SSH connections.
sshd : ALL EXCEPT 192.168.0.15
If the above rule is included in the /etc/hosts.deny file, then it will allow ssh connection for only the machine with the IP address 192.168.0.15 and block all other connections. Here EXCEPT is an operator.
Note: If you want to restrict use of NFS and NIS then you may include a rule for portmap . Because NFS and NIS depend on portmap for their successful working. In addition, changes to portmap rules may not take effect immediately.

Suppose I want to log all connections made to SSH with a priority of emergency. See my previous post to know more on logging. I could do the following:
sshd : .xyz.com : severity emerg
Note: You can use the options allow or deny to allow or restrict on a per client basis in either of the files hosts.allow and hosts.deny
in.telnetd : 192.168.5.5 : deny in.telnetd : 192.168.5.6 : allow

Enabling TCP Wrappers on Solaris 10

Glenn Brunette's Security Weblog
Before answering this question, let's first provide a little background. TCP Wrappers has been around for many, many years. It is used to restrict access to TCP services based on host name, IP address, network address, etc. For more detailed on what TCP Wrappers is and how you can use it, see tcpd(1M). TCP Wrappers was integrated into Solaris starting in Solaris 9 where both Solaris Secure Shell and inetd-based (streams, nowait) services were wrapped. Bonus points are awarded to anyone who knows why UDP services are not wrapped by default.
TCP Wrappers support in Secure Shell was always enabled since Secure Shell always called the TCP Wrapper function host_access(3) to determine if a connection attempt should proceed. If TCP Wrappers was not configured on that system, access, by default, would be granted. Otherwise, the rules as defined in the hosts.allow and hosts.deny files would apply. For more information on these files, see hosts_access(4). Note that this and all of the TCP Wrappers manual pages a stored under /usr/sfw/man in Solaris 10. To view this manual page, you can use the following command:
$ man -M /usr/sfw/man -s 4 hosts_access
inetd-based services use TCP Wrappers in a different way. In Solaris 9, to enable TCP Wrappers for inetd-based services, you must edit the /etc/default/inetd file and set the ENABLE_TCPWRAPPERSparameter to YES. By default, TCP Wrappers was not enabled for inetd.

In Solaris 10, two new services were wrapped: sendmail and rpcbind. sendmail works in a way similar to Secure Shell. It always calls the host_access function and therefore TCP Wrappers support is always enabled. Nothing else needs to be done to enable TCP Wrappers support for that service. On the other hand, TCP Wrappers support for rpcbind must be enabled manually using the new Service Management Framework ("SMF"). Similarly, inetd was modified to use a SMF property to control whether TCP Wrappers is enabled for inetd-based services.

Let's look at how to enable TCP Wrappers for inetd and rpcbind...

To enable TCP Wrappers support for inetd-based services, you can simply use the following commands:
# inetadm -M tcp_wrappers=true
# svcadm refresh inetd
This will enable TCP Wrappers for inetd-based (streams, nowait) services like telnet, rlogin, and ftp (for example):
# inetadm -l telnet | grep tcp_wrappers
default  tcp_wrappers=TRUE
You can see that this setting has taken effect for inetd by running the following command:
# svcprop -p defaults inetd
defaults/tcp_wrappers boolean true
Note that you can also use the svccfg(1M) command to enable TCP Wrappers for inetd-based services.
# svccfg -s inetd setprop defaults/tcp_wrappers=true
# svcadm refresh inetd
Whether you use inetadm(1M) or svccfg is really a matter of preference. Note that you can also use inetadm or svccfg to enable TCP Wrappers on a per-service basis. For example, let's say that we wanted to enable TCP Wrappers for telnet but not for ftp. By default, both the global and per-service settings for TCP Wrappers are disabled:
# inetadm -p | grep tcp_wrappers
tcp_wrappers=FALSE

# inetadm -l telnet | grep tcp_wrappers
default  tcp_wrappers=FALSE

# inetadm -l ftp | grep tcp_wrappers
default  tcp_wrappers=FALSE
To enable TCP Wrappers for telnet, use the following command:
# inetadm -m telnet tcp_wrappers=TRUE
Let's check out settings again:
# inetadm -p | grep tcp_wrappers
tcp_wrappers=FALSE

# inetadm -l telnet | grep tcp_wrappers
         tcp_wrappers=TRUE

# inetadm -l ftp | grep tcp_wrappers
default  tcp_wrappers=FALSE
As you can see, TCP Wrappers has been enabled for telnet but none of the other inetd-based services. Pretty cool, eh?

You can enable TCP Wrappers support for rpcbind by running the following command:
# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bind
This change can be verified by running:
# svcprop -p config/enable_tcpwrappers rpc/bind
true
That is all that there is to it! Quick, easy and painless! As always, let me know what you think!

Take care!
3 Comments
Trackback URL: http://blogs.sun.com/roller/trackback/gbrunett/Weblog/tcp_wrappers_on_solaris_10
Comments:
Just wondering if using IP filter would not be a better way of blocking/allowing machines to connect to services? I used to use TCP Wrappers all the time, but find now, that I rarely use them in favor of using ipfilter? Is there some advantage to using both? Just curious....

Posted by Jason Grove on April 07, 2005 at 11:58 PM EDT #
Jason,
Thank you for your question. In my opinion, I agree with you - I too would rarely use TCP Wrappers in favor of IP Filter. The reasons for this are simple - IP Filter simply has a more rich feature set and offers greater flexibility for defining filtering policy. Further, if you use Solaris containers, keep in mind that the IP Filter policy is defined in the global zone (versus TCP Wrappers which is done per container). The benefit of configuring IP Filter from the global zone is that if a local zone is breached, an attacker (even with root privileges) will not be able to alter the firewall policy or touch the firewall logs since they are safely protected in the global zone.

That said, TCP Wrappers was designed to protect TCP services and it does that very well. Further it offers an easy to understand and use interface for configuring policy. The choice to use IP Filter or TCP Wrappers will likely depend on your experience and comfort level with these tools as well as on your filtering requirements. If you are looking for a more comprehensive host-based firewall solution however, I would certainly recommend IP Filter.

Thanks again!

Glenn

Posted by Glenn Brunette (192.18.128.12) on April 08, 2005 at 01:17 PM EDT
Website: http://blogs.sun.com/gbrunett/ #
Nice article. To answer the bonus question, the UDP services are not wrapable because they are stateless so there is no connection to manage. As the first comment said, IP filter can manage services, including UDP, because it is low enough in the protocol stack to cover both UDP and TCP.
Posted by Ben Strother on August 17, 2005 at 08:20 PM EDT
Website: http://www.livejournal.com/~wr4th/ #

Securing your network: An introduction to TCP wrappers By Paul Dunne

Compilation

Many Unix flavors are supported by TCP wrappers, so you shouldn't have any trouble building from source. There are, however, a few decisions to make at compile time. Features, for example, can be turned on or off through definitions. Here is a list, with default values shown where appropriate:

`STYLE = -DPROCESS_OPTIONS`:	Enable language extensions. This is disabled by default.
`FACILITY = LOG_MAIL`:	Where do log records go? I prefer to set this to `LOG_DAEMON` so that everything goes to `/var/log/daemon`.
`SEVERITY = LOG_INFO`:	Indicates what level to give to the log message. The default, `LOG_INFO`, is fine.
`HOSTS_ACCESS`:	When compiled with this option, wrapper programs support a simple form of access control. Because this is the raison d'être of the suite, it's defined by default.
`PARANOID`:	When compiled with `-DPARANOID`, wrappers will always try to look up and double-check the client hostname, and will always refuse service in the case of a discrepancy between hostname and IP address. This is a reasonable policy for most systems. When compiled without `-DPARANOID`, wrappers still perform hostname lookup; however, where such lookups give conflicting results for hostname and IP address, hosts are not automatically rejected. They can be matched with the `PARANOID` wildcard in the access files, and a decision is made on whether or not to grant access.
`DOT = -DAPPEND_DOT`:	This appends a dot to every domain name -- transforming `example.com` into `example.com.` for instance. This is done because on many Unix systems the resolver will append substrings of the local domain and try to look up those hostnames before trying to resolve the name it has actually been given. Use of the `APPEND_DOT` feature stops this waste of time and resources. It is off by default.
`AUTH = -DALWAYS_RFC931`:	Will cause the system to always try to look up the remote username. For this to be of any use, the remote host must run a daemon that supports the finger protocol. Such lookups aren't possible for UDP-based connections. By default, this is turned off and the wrappers look up the remote username only when the access control rules specify such behavior.
`RFC931_TIMEOUT = 10`:	Sets the username lookup timeout.
`-DDAEMON_UMASK = 022`:	This is the default file permissions mask for processes run under the control of the wrappers.
`ACCESS = -DHOSTS_ACCESS`:	Sets host access control. This feature can also be turned off at runtime by providing no, or empty, access control tables. Enabled by default.
`TABLES = -DHOSTS_DENY=\"/etc/hosts.deny\" --DHOSTS_ALLOW=\"/etc/hosts.allow\"`:	Sets the pathnames for the access control tables.
`HOSTNAME = -DALWAYS_HOSTNAME`:	Sets the system to always attempt to look up the client hostname. If this is disabled, the client hostname lookup is postponed until the name is required by an access control rule or by a `%letter` expansion. If this is what you want, note that `PARANOID` mode must be disabled as well. This is on by default.
`-DKILL_IP_OPTIONS`:	This is for protection against hosts that pretend they have someone else's host address --i.e., host address spoofing. This option isn't needed on modern Unix systems that can stop source-routed traffic in the kernel -- e.g., Linux, Solaris 2.x, 4.4 BSD and derivatives.
`-DNETGROUP`:	Determines whether or not your system has NIS support. This is used only in conjunction with host access control, so if you're not using that, don't bother about this in any case. Off by default.

Some definitions are given that work around system bugs (just the basics here; see makefile for details). The standard define is BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS - DLIBC_CALLS_STRTOK.

Having set the options to your requirements, type make sys-type, with sys-type being one of the following:

generic (includes most bsd-ish systems that have sys5 compatibility)

386bsd aix freebsd hpux linux machten mips<(untested) ncrsvr4 netbsd next osf power_unix_211 ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4 sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2 uts215

uxp

In the unlikely event that none of these match your system, you'll have to edit the system dependencies sections in the makefile and do a make other.

There are two ways to install the software -- the easy way and the advanced way.

 ... ... ...

And here is the same record after modification to support TCP wrappers:

 telnet     stream  tcp     nowait  root    /sbin/tcpd          /sbin/in.telnetd

After editing this file, remember to tell inetd to reread it with kill -1.

Access control
The core idea behind TCP wrappers is that of an access control policy. The policy rules are held in two files: /etc/hosts.allow and etc/hosts.deny. These are the default pathnames, which can be changed in the makefile.

Access can be controlled per host, per service, or in combinations thereof. Access control can also be used to connect clients to particular services, depending on the requested service, the origin of the request, and the host address to which the client connects. For example, a www daemon might be set to serve documents in French when contacted from within the France, but otherwise respond in English.

The format of these files is described in detail by hosts_access(5). Basically, each file consists of a set of rules, which are searched for first in hosts.allow and then hosts.deny. The search stops at the first match, so if a host is granted access in host.allow it doesn't matter if it's then blocked in hosts.deny. Remember, the first rule matched determines what action the system will take.

There are two basic keywords, allow and deny. Both are used in conjunction with either specific hostnames or a wildcard from the list below.

A string beginning with . matches all hostnames that conclude with that string. For example, .example.com would match dunne.example.com. A string ending with . matches all hosts whose IP addresses begin with that sequence. For example, 192.168. would match all addresses in the range 192.168.xxx.xxx. A string beginning with @ is treated as an NIS netgroup name. A string of the form n.n.n.n/m.m.m.m is treated as a network/mask pair.

There are also some special shorthand names:

ALL: Always matches
LOCAL: Matches any host whose name doesn't contain a dot character
UNKNOWN: Matches a user whose name is unknown, and matches any host whose name or address is unknown
KNOWN: Matches a user whose name is known, and matches any host whose name and address is known
PARANOID: Matches any host whose name doesn't match its address

There is also a set of symbolic names that expand to various information about the client and server. The full list of such expansions is shown in the table below.

**Symbolic names**
`%a`	The client IP address
`%c`	Client information: user@host, user@IP, etc
`%d`	`argv[0]` from the daemon process
`%h`	Client host name or IP address
`%n`	Client host name
`%p`	Process id of the daemon
`%s`	Server information
`%u`	Client username
`%%`	Literal `%`

Examples

There are several typical forms of access control that provide examples of using the access control files. Explicitly authorized hosts are listed in hosts.allow, while most other rules are put in hosts.deny.

To deny all access, leave hosts.allow blank and put this in hosts.deny.

/etc/hosts.deny:
ALL: ALL

To allow all access, simply leave both files blank. To allow controlled access, add rules to hosts.allow and hosts.deny as appropriate. The simplest way to do this is to list banned sites in hosts.deny.

/etc/hosts.deny:
evilcrackers.com: ALL

On the other hand, you can also deny access to all save selected sites:

/etc/hosts.allow:
example.com: ALL
/etc/hosts.deny:
ALL:ALL

Remember, the first match is the important one -- the ALL in hosts.deny won't block example.com.

Booby traps
A useful feature is the ability to trigger actions on the host which are based on attempted connections. For example, should you detect a remote site attempting to use your TFTP server, the following rule in /etc/hosts.deny not only rejects the attempt, but notifies the system administrator:

 in.tftpd: ALL: finger -l @%h 2>&1 | mail -s 'remote tftp attempt' sysadm

Note that use of this feature relies on the PROCESS_OPTIONS option. This option also provides some other useful features:

spawn <shell_command> -- Run the specified shell command as a child process.
twist <shell_command> -- Replace the current process by the specified shell command.
banners <pathname> -- Copy the contents of the file in <pathname> to the client. This is useful for sites that are required to display a site policy banner to all users.

See the host_options(5) man page for full details of these and other options.

Logging
Log records are written to the syslog daemon, syslogd, with facility and level as specified in the makefile at compile time. What happens to the logs there is determined by the syslogd config file, /etc/syslog.conf. If PROCESS_OPTIONS has been defined, the facility and level can be changed at runtime, using the keyword severity. For example severity mail.info specifies logging with facility mail at level info. An undotted argument is understood as a level.

... ... ...

A good account of the thinking that led to the creation of the TCP wrappers is the paper "TCP Wrapper: Network Monitoring, Access Control, and Booby Traps," which is available from the same FTP site as the TCP wrappers software. Look for tcp_wrapper.<format>.Z.

Linux.com TCP Wrappers for Security - May 27th, 1999 by Michael J. Wise

[****] Linux Security 101 Issue 14 By Kelley Spoon, [email protected] -- very good discussion of tcpd

There's a daemon that's probably been installed on your machine that you don't know about. Or at least, you're not aware of what it can do. It's called tcpd, and it's how we shut off access to some of the basic services that the Bad Guys can use to get on our system.

Since tcpd can be pretty complex, I'm not going to go into all the details and tell you how to do the fancy stuff. The goal here is to keep the mischievous gibbons from knocking down what it took so long for use to set up.

tcpd is called into action from another daemon, inetd, whenever someone tries to access a service like in.telnetd, wu.ftpd, in.fingerd, in.rshd, etc. tcpd's job is to look at two files and determine if the person who is trying to access the service has permission or not.

The files are /etc/hosts.allow and /etc/hosts.deny. Here's how it all works:

Someone tries to use a service that tcpd is monitoring.

tcpd wakes up, and makes a note of the attempt to the syslog.

tcpd then looks hosts.allow

if it finds a match, tcpd goes back to sleep and lets the user access the service.

tcpd now takes a look at hosts.deny

if it finds a match, tcpd closes the user's connection

If it can't find a match in either file, or if both files are empty, tcpd shrugs, guesses it's OK to let the user on, and goes back to sleep.

Now, there are a couple of things to note here. First, if you haven't edited hosts.allow or hosts.deny since you installed Linux, then tcpd assumes that you want to let everyone have access to your machine. The second thing to note is that if tcpd finds a match in hosts.allow, it stops looking. In other words, we can put an entry in hosts.deny and deny access to all services from all machines, and then list ``friendly'' machines in the hosts.allow file.

Let's take a look at the man page. You'll find the info you need by typing man 5 hosts_access (don't forget the 5 and the underscore).
daemon_list : client_list

daemon_list is a list of one or more daemon process  names
         or wildcards

client_list  is  a  list  of  one or more host names, host
         addresses, patterns or wildcards  that will  be matched
         against the remote host name or address. 
       
List elements should be separated by blanks and/or commas.
Now, if you go take a look at the man page, you'll notice that I didn't show you everything that was in there. The reason for that is because the extra option (the shell_command) can be used to do some neat stuff, but *most Linux distributions have not enabled the use of this option in their tcpd binaries*. We'll save how to do this for an article on tcpd itself.

If you absolutely have to have this option, get the source from here and recompile.

Back to business. What the above section from the hosts_access man page was trying to say is that the format of hosts.[allow|deny] is made up of a list of services and a list of host name patterns, separated by a ``:''

You'll find the name of the services you can use by looking in your /etc/inetd.conf...they'll be the ones with /usr/sbin/tcpd set as the server path.

The rules for determining host patterns are pretty simple, too:

if you want to match all hosts in a domain, put a ``.'' at the front.

Ex: .bar.com will match "foo.bar.com", "sailors.bar.com", "blue.oyster.bar.com", etc.

if you want to match all IPs in a domain, put a "." at the end.

Ex: 192.168.1. will match "192.168.1.1", "192.168.1.2", "192.168.1.3", etc.

And finally, there are some wildcards you can use:

ALL matches everything. If in daemon_list, matches all daemons; if in client_list, it matches all host names.

Ex: ALL : ALL would match any machine trying to get to any service.

LOCAL matches host names that don't have a dot in them.

Ex: ALL : LOCAL would match any machine that is inside the domain or search aliases given in your /etc/resolv.conf

except isn't really a wildcard, but it comes in useful. It excludes a pattern from the list.

Ex: ALL : ALL except .leetin-haxor.org would match all services to anyone who is not from ``*.leetin-haxor.org''

Ok. Enough technical stuff. Let's get to some examples.

Let's pretend we have a home LAN, and a computer for each member of the family.

Our home network looks like this:
linux.home.net      192.168.1.1
    dad.home.net	192.168.1.2
    mom.home.net	192.168.1.3
    sis.home.net	192.168.1.4
    bro.home.net    192.168.1.5  
Now, since no one in the family is likely to try and ``hack root,'' we can assume they're all friendly. But....we're not so sure about the rest of the people on the Internet. Here's how we go about setting things up so people on home.net have full access to our machine, but no one else does. In /etc/hosts.allow:
# /etc/hosts.allow for linux.home.net

ALL: .home.net 
And in /etc/hosts.deny
# /etc/hosts.deny for linux.home.net

ALL : ALL 
Since tcpd looks at hosts.allow first, we can safely deny access to all services for everybody. If tcpd can't match the machine sending the request to ``*.home.net'', the connection gets refused.

Now, let's pretend that Mom has been reading up on how Unix stuff works, and she's started doing some unfriendly stuff on our machine. In order to deny her access to our machine, we simply change the line in hosts.allow to:
ALL: .home.net except mom.home.net 
Now, let's pretend a friend from....uh....friend.com wants to get something off our ftp server. No problem, just edit hosts.allow again:
# /etc/hosts.allow for linux.home.net

ALL: .home.net except mom.home.net
wu.ftpd: .friend.com
Things are looking good. The only problem is that the name server for home.net is sometimes down, and the only way we can identify someone as being on home.net is through their IP address. Not a problem:
# /etc/hosts.allow for linux.home.net

ALL: .home.net except mom.home.net
ALL: 192.168.1. except 192.168.1.3
ALL: .friend.com
And so on....

I have found that's it's easier to deny everybody access, and list your friends in hosts.allow than it is to allow everybody access, and deny only the people who you know are RBG's. If you are running a private machine, this won't really be a problem, and you can rest easy.

However, if you're trying to run a public service (like an ftp archive of Tetris games for different OS's) and you can't afford to be this paranoid, then you need shouldn't put anything in hosts.allow, and just put all of the people you don't want touching your machine in hosts.deny

[Jun 4, 2006] Glenn Brunette's Security Weblog/ Enabling TCP Wrappers on Solaris 10

Tip of the Month: Enabling TCP Wrappers in Solaris 10

Before answering this question, let's first provide a little background. TCP Wrappers has been around for many, many years. It is used to restrict access to TCP services based on host name, IP address, network address, etc. For more detailed on what TCP Wrappers is and how you can use it, see tcpd(1M). TCP Wrappers was integrated into Solaris starting in Solaris 9 where both Solaris Secure Shell and inetd-based (streams, nowait) services were wrapped. Bonus points are awarded to anyone who knows why UDP services are not wrapped by default.

TCP Wrappers support in Secure Shell was always enabled since Secure Shell always called the TCP Wrapper function host_access(3) to determine if a connection attempt should proceed. If TCP Wrappers was not configured on that system, access, by default, would be granted. Otherwise, the rules as defined in the hosts.allow and hosts.deny files would apply. For more information on these files, see hosts_access(4). Note that this and all of the TCP Wrappers manual pages a stored under /usr/sfw/man in Solaris 10. To view this manual page, you can use the following command:
$ man -M /usr/sfw/man -s 4 hosts_access
inetd-based services use TCP Wrappers in a different way. In Solaris 9, to enable TCP Wrappers for inetd-based services, you must edit the /etc/default/inetd file and set the ENABLE_TCPWRAPPERSparameter to YES. By default, TCP Wrappers was not enabled for inetd.

In Solaris 10, two new services were wrapped: sendmail and rpcbind. sendmail works in a way similar to Secure Shell. It always calls the host_access function and therefore TCP Wrappers support is always enabled. Nothing else needs to be done to enable TCP Wrappers support for that service. On the other hand, TCP Wrappers support for rpcbind must be enabled manually using the new Service Management Framework ("SMF"). Similarly, inetd was modified to use a SMF property to control whether TCP Wrappers is enabled for inetd-based services.

Let's look at how to enable TCP Wrappers for inetd and rpcbind...

To enable TCP Wrappers support for inetd-based services, you can simply use the following commands:
# inetadm -M tcp_wrappers=true
# svcadm refresh inetd
This will enable TCP Wrappers for inetd-based (streams, nowait) services like telnet, rlogin, and ftp (for example):
# inetadm -l telnet | grep tcp_wrappers
default  tcp_wrappers=TRUE
You can see that this setting has taken effect for inetd by running

Note that you can also use the svccfg(1M) command to enable TCP Wrappers for inetd-based services.
# svccfg -s inetd setprop defaults/tcp_wrappers=true
# svcadm refresh inetd
Whether you use inetadm(1M) or svccfg is really a matter of preference. Note that you can also use inetadm or svccfg to enable TCP Wrappers on a per-service basis. For example, let's say that we wanted to enable TCP Wrappers for telnet but not for ftp. By default, both the global and per-service settings for TCP Wrappers are disabled:
# inetadm -p | grep tcp_wrappers
tcp_wrappers=FALSE

# inetadm -l telnet | grep tcp_wrappers
default  tcp_wrappers=FALSE

# inetadm -l ftp | grep tcp_wrappers
default  tcp_wrappers=FALSE
To enable TCP Wrappers for telnet, use the following command:
# inetadm -m telnet tcp_wrappers=TRUE
Let's check out settings again:
# inetadm -p | grep tcp_wrappers
tcp_wrappers=FALSE

# inetadm -l telnet | grep tcp_wrappers
         tcp_wrappers=TRUE

# inetadm -l ftp | grep tcp_wrappers
default  tcp_wrappers=FALSE
As you can see, TCP Wrappers has been enabled for telnet but none of the other inetd-based services. Pretty cool, eh?

You can enable TCP Wrappers support for rpcbind by running the following command:
# svccfg -s rpc/bind setprop config/enable_tcpwrappers=true
# svcadm refresh rpc/bind
This change can be verified by running:
# svcprop -p config/enable_tcpwrappers rpc/bind
true
That is all that there is to it! Quick, easy and painless! As always, let me know what you think!

Take care!

TCP Wrappers and xinetd

Controlling access to network services can be a challenge. Firewalls are useful for controlling access in and out of a particular network, but they can be difficult to configure. TCP wrappers and xinetd control access to services by hostname and IP addresses. In addition, these tools also include logging and utilization management capabilities that are easy to configure.
Purpose of TCP Wrappers
Many modern network services, such as SSH, Telnet, and FTP, make use of TCP wrappers, a program that is designed to stand between an incoming request and the requested service. TCP wrappers is installed by default with a server-class installation of Red Hat Linux, providing many advantages over running a variety of different services, each with their own access control methods.

The idea behind TCP wrappers is that, rather than allowing an incoming client connection to communicate directly with a network service daemon running as a separate process on a server system, the target of the request is "wrapped" by another program, allowing a greater degree of access control and logging of who is attempting to use the service.

The functionality behind TCP wrappers is provided by libwrap.a, a library that network services, such as xinetd, sshd, and portmap, are compiled against. Additional network services, even networking programs you may write, can be compiled again libwrap.a to provide this functionality. Red Hat Linux bundles the necessary TCP wrapper programs and library in the tcp_wrappers-<version> RPM file.
TCP Wrapper Advantages
When someone attempts to access a network service using TCP wrappers, a small wrapper program reports the name of the service requested and the client's host information. The wrapper program does not directly send any information back to the client, and after the access control directives are satisfied, the wrapper gets out of the way, not placing any additional overhead on the communication between the client and server.

TCP wrappers provide two basic advantages over other network service control techniques:

The connecting client is unaware that TCP wrappers are in use. Legitimate users will not notice anything different, and attackers never receive any additional information about why their attempted connections failed.

TCP wrappers operate in a manner that is separate from the applications the wrapper program protects. This allows many applications to share a common set of configuration files for simpler management.

Network monitoring, access control & booby traps using TCP Wrappers Part 1

By Trevor Warren <[email protected]>

This tool has been successfully used for shielding off systems and for detection of cracker activity. It has no impact on legal computer users, and does not require any change to existing systems software or configuration files. The tool has been installed world-wide on numerous UNIX systems without any source code change. Such is the beauty of TCP Wrappers.
Almost every application of the TCP/IP protocols is based on a client-server model. For example, when someone uses the telnet command to connect to a host, a telnet server process is started on the target host. The server process connects the user to a login process. A few examples are shown in table 1.

client server application
________________________________
telnet telnetd remote login
ftp ftpd file transfer
finger fingerd show users
systat systatd show users

Table 1. Examples of TCP/IP client-server pairs and
their applications.

The usual approach is to run one daemon process that waits for all kinds of incoming network connections. Whenever a connection is established this daemon (usually called inetd on our Linux boxes) runs the appropriate server program and goes back to sleep, waiting for other connections. See the example as illustrated below.

client server application
________________________________
telnet telnetd remote login
(foo1.bar) (foo2.bar)

We are on a client Linux box called foo1.bar and want to connect to a remote Linux box called foo2.bar which resides on a remote network. We then use the telnet client application from my box i.e foo1.bar to connect to the remote telnet server box foo2.bar. Have a look at the graphical illustrations as given below.
              -------------------      -----------------    -----------
foo1.bar---| client(ftp,telnet..) |---------| INETD server |--------| login |
            --------------------      -----------------    -----------
Figure 1. The inetd daemon process listens on the ftp,
telnet etc. network ports and waits for incoming con-
nections. The figure shows that a user has connected to
the ftp/telnet port.
            -----------------      -----------------    ---------
     user---| telnet client |--------| telnet server |--------| login |
            -----------------      -----------------    ---------
                   (foo1.bar)                           (foo2.bar) 
Figure 2. The inetd process has started a telnet
server process that connects the user to a login pro-
cess. Meanwhile, inetd waits for other incoming con-
nections. This illustrates an unprotected machine.
Fortunately, the author of TCP wrapper came up with a simple solution that did not require any change to existing software, and that turned out to work on all UNIX systems that were ever tried it on. The trick was to make a swap. Move the vendor-provided network server programs to another place, and install a trivial program in the original place of the network server programs. Whenever a connection was made, the trivial program would just record the name of the remote host, and then run the original network server program.
            -----------------      -----------------
     user---| telnet client |---------|  tcp wrapper  |----> logfile
            -----------------      -----------------
               (foo1.bar)                                (foo2.bar)
Figure 3. The original telnet server program has been
moved to some other place, and the tcp wrapper has tak-
en its place. The wrapper logs the name of the remote
host to a file. This illustrates a protected machine.
            -----------------      -----------------    ---------
     user---| telnet client |---------| telnet server |-------| login |
            -----------------      -----------------    ---------
                   (foo1.bar)                            (foo2.bar)
Figure 4. The tcp wrapper program has started the real
telnet server and no longer participates. The user can-
not notice any difference.
Lets look at the logs capable of being generated by our TCP wrapper application.

May 22 14:43:29 tuegate: systatd: connect from monk.rutgers.edu
May 22 15:08:30 tuegate: systatd: connect from monk.rutgers.edu
May 22 15:09:19 tuewse: fingerd: connect from monk.rutgers.edu
May 22 15:14:27 tuegate: telnetd: connect from cumbic.bmb.columbia.edu
May 22 15:23:06 tuegate: systatd: connect from cumbic.bmb.columbia.edu
May 22 15:23:56 tuewse: fingerd: connect from cumbic.bmb.columbia.edu

Some of the first cracker connections observed with the tcp wrapper program by the author. Each connection is recorded with: time stamp, the name of the local host, the name of the requested service (actually, the network server process name), and the name of the remote host.

Automatic reverse fingers had proven useful in the authors fight against the cracker, so he decided to integrate the "ad hoc" reverse finger tool with TCP Wrappers. To this end, the access control language was extended so that arbitrary shell commands could be specified.

/etc/hosts.allow:

in.tftpd: LOCAL, .foo.bar

/etc/hosts.deny:

in.tftpd: ALL: /usr/ucb/finger -l @%h 2>&1 | /usr/ucb/mail wswietse

This is an example of a booby trap on the tftp service. The entry in the first access control file says that tftp connections from hosts within its own domain are allowed. The entry in the second file causes the TCP Wrapper to perform a reverse finger in all other cases. The "%h" sequence is replaced by the actual remote host name. The result is sent to the administrator by email.

Our discussion till now gives only a limited illustration of the use of booby traps. Booby traps can be much more useful when installed on firewall systems, whose primary purpose is to separate an organizational network from the rest of the world. A typical firewall system provides only a limited collection of network services to the outer world. For example, telnet and smtp. By placing booby traps on the remaining network ports one can implement an effective early-warning system.

[Jan 7, 2005] BigAdmin - Submitted Tech Tip Enabling TCP Wrappers in the Solaris 10 Operating System `Glenn Brunette, April, 2005`

April, 2005 (BigAdmin)

First let's first provide a little background. TCP Wrappers has been around for many, many years (see Wietse Venema's FTP archive). It is used to restrict access to TCP services based on host name, IP address, network address, and so on. For more details on what TCP Wrappers is and how you can use it, see tcpd(1M). TCP Wrappers was integrated into the Solaris Operating System starting in the Solaris 9 release, where both Solaris Secure Shell and inetd-based (streams, nowait) services were wrapped. Bonus points are awarded to anyone who knows why UDP services are not wrapped by default.

TCP Wrappers support in Secure Shell was always enabled since Secure Shell always called the TCP Wrapper function host_access(3) to determine if a connection attempt should proceed. If TCP Wrappers was not configured on that system, access, by default, would be granted. Otherwise, the rules as defined in the hosts.allow and hosts.deny files would apply. For more information on these files, see hosts_access(4). Note that this and all of the TCP Wrappers manual pages are stored under /usr/sfw/man in the Solaris 10 OS. To view this manual page, you can use the following command:
$ man -M /usr/sfw/man -s 4 hosts_access
inetd-based services use TCP Wrappers in a different way. In the Solaris 9 OS, to enable TCP Wrappers for inetd-based services, you must edit the /etc/default/inetd file and set the ENABLE_TCPWRAPPERS parameter to YES. By default, TCP Wrappers was not enabled for inetd.

In the Solaris 10 OS, two new services were wrapped: sendmail and rpcbind. sendmail works in a way similar to Secure Shell. It always calls the host_access function and therefore TCP Wrappers support is always enabled. Nothing else needs to be done to enable TCP Wrappers support for that service. On the other hand, TCP Wrappers support for rpcbind must be enabled manually using the new Service Management Facility (SMF). Similarly, inetd was modified to use a SMF property to control whether TCP Wrappers is enabled for inetd-based services.

Installing, configuring, and using tcp wrapper to log unauthorized connection attempts on systems running Solaris 2.x

Installing TCP Wrappers on Solaris 7

[Sep 7, 2004 ] BigAdmin - Submitted Tech Tip Configuring TCP Wrappers for the Solaris Operating System

Solaris 9 SSH already has libwrap support compiled on. In S10 and later rpcbind is linked with libwrap so TCP Wrapper style controls are available for all RPC-based protocols (NIS, NFS etc)

Commentor: Casper Dik
Added: September 7, 2004
Comment:
It is rather pointless to install TCP wrappers for Solaris 9 and later as the version included in the OS is exactly the same as the one available on porcupine. That version has also been reved twice because of bugs we ran into. Solaris 9 SSH already has libwrap support compiled on. In S10 and later we also provide rpcbind linked with libwrap.

The Linux Gazette 56 The Answer Gang (TWDT)

was looking at this issue:- http://tech.buffalostate.edu/LDP/LDP/LG/issue38/tag/32.html, and I did not understand your solution correctly.

Can you please let me know what I need to do in order for telnet to work without any pause?

I happen to see similar problem for FTP also.

Thanks Hari Koalsani
If you look at some of the other back issues (search on the string "tcpd" you can see that I've tried to explain the issue a few times and at great length.
Basically there are three ways to approach this:

Abandon telnet; use ssh instead.

Fix your reverse DNS zones. Make the PTR records consistent with the A (address/host) records.

Remove TCP Wrappers protection from the telnet service on this host. Change the line in the /etc/inetd.conf file that reads something like:
telnet	stream	tcp	nowait	telnetd.telnetd	/usr/sbin/tcpd	/usr/sbin/in.telnetd
to look more like:
telnet	stream	tcp	nowait	telnetd.telnetd	/usr/sbin/in.telnetd in.telnetd
Personally I suggest that you use both methods 1 and 2. Use ssh, which USUALLY doesn't use tcpd or libwrap, the library which implements tcpd access controls, AND fix your DNS zones so that your hosts have proper PTR records.

As I said, I've written many pages on this topic. I'm not going to re-hash it again. Hopefully this summary will get you on the right track. If you still can't understand what is going on and how to do this you should consider calling a tech support service (Linuxcare does offer single-incident tech support calls, though they are a bit expensive; there may be other companies still doing this), or hire a Linux consultant in your area (look in the Linux Consultants HOWTO http://www.linuxdoc.org/HOWTO/Consultants-HOWTO.html for one list of them).

They can provide hand holding services. A good consultant can and will show you how to handle these sorts of things for yourself, and will ask some questions regarding your needs, and recommend comprehensive solutions.

I would ask about why you are using telnet, who needs access to the system, what level and form of access they need, etc. I can simply answer questions, but a good consultant will ask more questions than he or she answers --- to make sure that you're getting the right answers. Given my constraints here, I don't have the luxury of doing in-depth requirements analysis for this column. (Also note that I'm not currently available for consulting contracts, Starshine Technical Services is currently in hiatus).

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to to buy a cup of coffee for authors of this site

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019

TCP Wrappers

Package content

What TCP Wrappers does

Portmap and TCP Wrappers

NEWS CONTENTS

Old News ;-)

[Oct 29, 2011] TCP Wrappers

Useful Information

Man Pages

Release Notes

[Oct 28, 2011] TCP Wrappers Configuration Files

ef12517-2.tu-sofia.bg

[Oct 28, 2011] Using TCP Wrappers to secure Linux All about Linux

linuxhelp.blogspot.com

Enabling TCP Wrappers on Solaris 10

Glenn Brunette's Security Weblog

Securing your network: An introduction to TCP wrappers By Paul Dunne

Linux.com TCP Wrappers for Security - May 27th, 1999 by Michael J. Wise

[Jun 4, 2006] Glenn Brunette's Security Weblog/ Enabling TCP Wrappers on Solaris 10

TCP Wrappers and xinetd

Network monitoring, access control & booby traps using TCP Wrappers Part 1

[Jan 7, 2005] BigAdmin - Submitted Tech Tip Enabling TCP Wrappers in the Solaris 10 Operating System `Glenn Brunette, April, 2005`

Installing, configuring, and using tcp wrapper to log unauthorized connection attempts on systems running Solaris 2.x

Installing TCP Wrappers on Solaris 7

[Sep 7, 2004 ] BigAdmin - Submitted Tech Tip Configuring TCP Wrappers for the Solaris Operating System

Solaris 9 SSH already has libwrap support compiled on. In S10 and later rpcbind is linked with libwrap so TCP Wrapper style controls are available for all RPC-based protocols (NIS, NFS etc)

The Linux Gazette 56 The Answer Gang (TWDT)

Recommended Links

Internal

External

Etc

/usr/lbin/tcpd	TCP Wrappers daemon program.
/usr/lib/libwrap.a	TCP Wrappers library containing access control APIs, using /etc/hosts.allow and /etc/hosts.deny.
/usr/include/tcpd.h	Header file for libwrap.a.
/usr/bin/tcpdchk	Tool to examine the validity of configuration file entries.
/usr/bin/tcpdmatch	Tool to simulate the Wrappers daemon program's i.e., tcpd's behaviour for a particular host and for a particular service.
/usr/bin/try-from	A utility program that can be invoked from a remote shell to get connection end-points' information.
/usr/bin/safe_finger	A secure finger client program.
/usr/newconfig/etc/tcpd.conf	A sample configuration file for the TCP Wrappers daemon program.
/usr/newconfig/etc/hosts.allow	A sample ACL file to specify hosts to be allowed.
/usr/newconfig/etc/hosts.deny	A sample ACL file to specify hosts to be denied.
/usr/share/doc/TCPWRAP-RelNotes.pdf	A detailed Release Notes explaining the features supported in this release.

Additional product information
Version:	-
Software specification:	Workstation/Server, HP-UX11.11

TCP Wrappers

Package content

What TCP Wrappers does

Portmap and TCP Wrappers

[Oct 29, 2011] TCP Wrappers

Useful Information

Man Pages

Release Notes

[Oct 28, 2011] TCP Wrappers Configuration Files

ef12517-2.tu-sofia.bg

[Oct 28, 2011] Using TCP Wrappers to secure Linux All about Linux

linuxhelp.blogspot.com

Securing your network: An introduction to TCP wrappers By Paul Dunne

Linux.com TCP Wrappers for Security - May 27th, 1999 by Michael J. Wise

[Jun 4, 2006] Glenn Brunette's Security Weblog/ Enabling TCP Wrappers on Solaris 10

[Jan 7, 2005] BigAdmin - Submitted Tech Tip Enabling TCP Wrappers in the Solaris 10 Operating System Glenn Brunette, April, 2005

[Sep 7, 2004 ] BigAdmin - Submitted Tech Tip Configuring TCP Wrappers for the Solaris Operating System

Solaris 9 SSH already has libwrap support compiled on. In S10 and later rpcbind is linked with libwrap so TCP Wrapper style controls are available for all RPC-based protocols (NIS, NFS etc)

Internal

External

[Jan 7, 2005] BigAdmin - Submitted Tech Tip Enabling TCP Wrappers in the Solaris 10 Operating System `Glenn Brunette, April, 2005`