Wednesday, February 10, 2010

Security - TCP Wrappers


TCP Wrappers is a package written by Wietse Venema, who also co-wrote the SATAN security scanner (with Dan Farmer).
It is a host-based access control and connection logging facility for network services, most often those started by inetd. It is not a packet filter: it makes its decision once per connection, after the TCP handshake has completed and before the real server sees the client. It is usually configured to "wrap" the TCP-based services defined in inetd.conf.
It restricts access to a service based on the client's host name, IP address, network address and so on.
TCP Wrappers has been integrated into Solaris since Solaris 9, where both Solaris Secure Shell (sshd) and inetd-based services can be wrapped.

What TCP Wrappers does
1. It gives the system administrator a high degree of control over incoming TCP connections. It runs after a remote host has connected to our machine and before the service itself handles the connection. It is invoked in one of two ways: through the libwrap subroutine library linked into a standalone daemon (this is how Solaris sshd, and the Solaris 10 inetd itself, use it), or through the tcpd wrapper program that a classic inetd starts in place of the real server.
2. Once running, TCP Wrappers performs the following steps:
a. Open the /etc/hosts.allow file.
   1. /etc/hosts.allow and /etc/hosts.deny do not exist by default; they have to be created.
   2. Both files contain access control rules, one per line, of the form daemon_list : client_list [: shell_command], i.e. a rule and an optional action for each service.
b. Scan the file line by line until a rule is found whose daemon list matches the service and whose client list matches the host that has connected.
c. Execute the action specified on that line. If access is granted, control is then turned over to the network server.
d. If no line in /etc/hosts.allow matches, open /etc/hosts.deny and read it sequentially, line by line. If a matching line is found, access is denied and the corresponding action is performed.
e. If no match is found in either /etc/hosts.allow or /etc/hosts.deny, the connection is allowed by default. A missing or empty /etc/hosts.deny therefore protects nothing, which is why it should carry an ALL : ALL rule.

To enable TCP Wrappers support for inetd-based services on Solaris 10, set the tcp_wrappers property with inetadm and refresh inetd. -M sets the default for every inetd service; -m sets it on a single service instance.
For example:
# inetadm -M tcp_wrappers=TRUE
# svcadm refresh inetd
# inetadm -l telnet | grep tcp_wrappers
default  tcp_wrappers=TRUE
# inetadm -m svc:/network/telnet:default tcp_wrappers=TRUE     (per-service alternative)
Solaris Secure Shell (sshd) is linked with libwrap and reads /etc/hosts.allow and /etc/hosts.deny on its own; it is not controlled by the inetadm property.

Example entries for /etc/hosts.allow or /etc/hosts.deny:

Each rule has the form daemon_list : client_list. Write the keywords ALL and EXCEPT in upper case as shown, and use the server's process name (in.telnetd, in.ftpd, sshd), not the short service name you pass to inetadm.

in.telnetd : ALL EXCEPT <host_name1>, <host_name2>, ...
ALL EXCEPT in.telnetd : <host_name1>, <host_name2>, ...

The first line matches telnet connections from every client except the listed hosts; the second matches connections to every wrapped service except telnet from the listed hosts. Whether a match grants or refuses access depends on which file the line is in. List elements are separated by commas or blanks.

1. Host names can be replaced with IP addresses, an address prefix ending in a dot (192.168.1.), a net/mask pair (10.0.0.0/255.255.255.0) or a domain suffix starting with a dot (.example.com). Rules keyed on host names depend on the reverse DNS lookup TCP Wrappers performs for each connection, so prefer addresses where you can: an attacker can publish whatever PTR record he likes for addresses he controls.
2. /etc/hosts.deny should contain only a single rule, ALL : ALL, to deny all access by default. Keeping all the permissive rules in a single file simplifies maintenance. Using /etc/hosts.allow, which is consulted first and therefore has priority over /etc/hosts.deny, ensures that if someone accidentally modifies the wrong file it won't override our rules.
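To make the lookup order and the rule syntax above concrete, here is an added example (not from the original post, and not Wietse Venema's tcpd code) that simulates the hosts_access decision in Python over two control files constructed inline. The daemon names, host names and addresses in the sample files are hypothetical; the pattern forms (ALL, EXCEPT, a trailing-dot address prefix, a leading-dot domain suffix, net/mask) follow hosts_access(5). It goes a little beyond the post by also handling backslash line continuation and the LOCAL/KNOWN/UNKNOWN wildcards.

```python
"""Simulate the hosts_access(5) decision TCP Wrappers makes for one connection.

Added example, not part of the original post and not tcpd's own code.
The two control files are constructed inline so this runs offline.
"""
import ipaddress

# Constructed sample files: hypothetical daemons, hosts and RFC 5737 addresses.
HOSTS_ALLOW = """\
# /etc/hosts.allow: everything we want to permit lives here
sshd       : 192.168.10. , .corp.example
in.telnetd : ALL EXCEPT 192.168.10.99
in.ftpd    : 10.0.0.0/255.255.255.0
"""
HOSTS_DENY = "ALL : ALL\n"   # deny everything not explicitly allowed above


def parse_rules(text):
    """Return [(daemon_list, client_list), ...] from hosts.allow/hosts.deny text.

    Blank lines and lines starting with '#' are ignored; a trailing backslash
    joins the next line. A third field (shell command) is accepted but ignored.
    """
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw
        if line.rstrip().endswith("\\"):
            pending = line.rstrip()[:-1] + " "
            continue
        pending = ""
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0], fields[1]))
    return rules


def split_list(field):
    """List elements are separated by blanks and/or commas."""
    return field.replace(",", " ").split()


def list_matches(tokens, matches):
    """Apply EXCEPT: 'a EXCEPT b EXCEPT c' parses as a EXCEPT (b EXCEPT c)."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_matches(tokens[:i], matches) and not list_matches(tokens[i + 1:], matches)
    return any(matches(tok) for tok in tokens)


def daemon_matches(tok, daemon):
    """Daemon patterns: ALL or the server's process name (in.telnetd, sshd, ...)."""
    return tok == "ALL" or tok == daemon


def client_matches(tok, host, addr):
    """Client patterns: ALL, LOCAL, KNOWN, UNKNOWN, '.domain' suffix,
    'n.n.' address prefix, net/mask, or an exact host name / address."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":                       # host name without a dot
        return "." not in host
    if tok == "KNOWN":                       # simplified: tcpd also checks the address resolved
        return host != "unknown"
    if tok == "UNKNOWN":
        return host == "unknown"
    if tok.startswith("."):                  # .corp.example matches ws5.corp.example (DNS names: case-insensitive)
        return host.lower().endswith(tok.lower())
    if tok.endswith("."):                    # 192.168.10. matches 192.168.10.x but not 192.168.100.x
        return addr.startswith(tok)
    if "/" in tok:                           # 10.0.0.0/255.255.255.0
        net, mask = tok.split("/", 1)
        return ipaddress.IPv4Address(addr) in ipaddress.IPv4Network((net, mask), strict=False)
    return tok.lower() == host.lower() or tok == addr


def hosts_access(daemon, host, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Steps a to e: first match in hosts.allow grants, first match in hosts.deny
    refuses, and no match in either file means the connection is ALLOWED."""
    def rule_hits(daemons, clients):
        return (list_matches(split_list(daemons), lambda t: daemon_matches(t, daemon))
                and list_matches(split_list(clients), lambda t: client_matches(t, host, addr)))

    for daemons, clients in parse_rules(allow_text):
        if rule_hits(daemons, clients):
            return "allow", f"hosts.allow: {daemons.strip()} : {clients.strip()}"
    for daemons, clients in parse_rules(deny_text):
        if rule_hits(daemons, clients):
            return "deny", f"hosts.deny: {daemons.strip()} : {clients.strip()}"
    return "allow", "no rule matched in either file (default allow)"


if __name__ == "__main__":
    checks = [
        ("sshd", "ws5.corp.example", "192.168.10.5"),
        ("sshd", "unknown", "203.0.113.7"),
        ("in.telnetd", "kiosk.corp.example", "192.168.10.99"),
        ("in.telnetd", "unknown", "198.51.100.4"),
        ("in.ftpd", "unknown", "10.0.1.20"),
        ("in.rlogind", "unknown", "192.168.10.5"),
    ]
    for daemon, host, addr in checks:
        verdict, why = hosts_access(daemon, host, addr)
        print(f"{daemon:<11} {addr:<15} -> {verdict:<5} ({why})")
    # Same connection with an empty hosts.deny: falls through to the default allow.
    print(hosts_access("in.rlogind", "unknown", "192.168.10.5", deny_text=""))
```

The last line of output shows the trap in step e: in.rlogind has no hosts.allow rule, so with an empty hosts.deny it is let in, while the ALL : ALL rule turns the same connection into a refusal. The in.telnetd case shows EXCEPT excluding one address from an otherwise open service, and the in.ftpd case shows that a net/mask pattern draws the line exactly where you expect.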
