Linux Services Organization

Our goal, introduce Linux services to the enterprise world.
Contact us in contact@linuxsv.org

Linux Services Organization : Linux TCPWRAPPERS Linux Server

On Linux systems access to specific users, computers or networks can be blocked through the /etc/hosts.allow or /etc/hosts.deny files. The system is known as tcpwrappers, which is enabled by default and installed through tcp_wrappers.rpm RPM. The Linux services or commands that can be controlled through tcp_wrappers are those that use the libwrap library :

# ldd /usr/sbin/sshd | grep -i libwrap
libwrap.so.0 => /lib/libwrap.so.0


In this case the sshd Linux service can be controled through tcpwrappers using the file /etc/hosts.allow and /etc/hosts.deny : sshd is tcpwrapper-aware.

TCPwrappers dynamics

When the system receives a network request for a service that is tcpwrapper-aware, it passes the request to tcpwrappers that checks its access rules. If there are no restrictions on the particular host, IP address or user tcpwrappers allows the access and passes control back to the service.

Access control on tcpwrappers can be configured through /etc/hosts.allow and /etc/hosts.deny files using the following order:

* First searches on /etc/hosts.allow, if tcpwrappers finds a match access is allowed and no more searches are done.
* If no match is found on /etc/hosts.allow it searches on /etc/hosts.deny. If tcpwrappers finds a match access is denied.
* Finally if no match is found on either file, access is allowed.

/etc/hosts.allow and /etc/hosts.deny

The same configuration parameters can be used in both /etc/hosts.allow and /etc/hosts.deny to tell tcpwrappers which clients are allowed or denied:

daemons : clients

As example in order to allow/deny access to ALL tcpwrappers services to ALL clients:

ALL : ALL

This configuration on /etc/hosts.deny will deny access to all tcpwrappers services. However this line on /etc/hosts.allow will allow access to all tcpwrappers services with no restrictions.

In order to deny sshd access from the IP 192.168.10.100 the following configuration can be used on /etc/hosts.deny :

# cat /etc/hosts.deny

sshd : 192.168.10.100


The same configuration on /etc/hosts.allow will allow access to sshd services to 192.168.10.100.These files can contain more that one line so order is important, first match is applied :

# cat /etc/hosts.deny

sshd, vsftpd : ALL EXCEPT 192.168.10.1
ALL:ALL


With this configuration access to sshd and vsftpd will be allowed only from 192.168.10.1 and the access to the rest of tcpwrappers services will be denied.

Client Matching

The following are the configuration parameters that can be used in order to match clients on allow/deny rules for the tcpwrappers network services :

ALL
ALL clients.

.info.net
Match all clients on the info.net domain, the same as *.info.net

192.168.
Match all clients with an IP address of 192.168.Z.Z.

192.168.0.0/255.255.0.0
Match all clients on 192.168.0.0/255.255.0.0 subnet. (CIDR notation does not work : 192.168.0.0/16 NOT VALID !!!)

user@rhel6.info.net
Match client rhel6.info.net using 'user' account.

Exceptions

Parameter EXCEPT can be used to build exceptions in access rules. For example the following line on /etc/hosts.deny will deny access to telnet network service from all hosts on 192.168.10.0/24 LAN EXCEPT 192.168.10.1 :

# cat /etc/hosts.deny

telnetd : 192.168.10.0/255.255.255.0 EXCEPT 192.168.10.1


It can be used also on the daemon list part :

# cat /etc/hosts.allow

ALL EXCEPT sshd : .info.net


With this configuration access to all tcpwrappers services except sshd will be allowed from .info.net domain. This is true if sshd is denied on /etc/hosts.deny, if not sshd will be also allowed, keep in mind that /etc/hosts.allow specifies what is explicitly allowed.

Wildcards

The following are wildcards that can be used on /etc/hosts.allow/deny files:

ALL
Matches everything and can be used for both the daemon list and the client list.

LOCAL
Matches any host that does not contain a period (.), such as localhost.

KNOWN
Matches any host where the hostname and host address can be resolved by our DNS.

UNKNOWN
Matches any host where the hostname or host address can not be resolved by our DNS.

PARANOID
Matches any host where the hostname does not match with his IP address.

Shell Commands

An optional field can be used on /etc/hosts.allow/deny in order to execute shell commands when a match is found through the 'spawn' and 'twist' directives.

spawn

Executes a shell command as a child process when a match is found. This feature can be used in order to get client or proccess information. In the following example all clients attempting to access vsftpd services are logged to file /var/log/audit_vsftpd.log and the connection will be allowed.

# cat /etc/hosts.allow
vsftpd : ALL : spawn /bin/echo `/bin/date` from %h>>/var/log/audit_vsftpd.log

twist

Replaces the requested service with the specified command. Useful to send messages to connection clients :

# cat /etc/hosts.deny

telnetd : 192.168.10.0/255.255.255.0 : twist /bin/echo "What are you doing %a!!!"


In this case when a client from 192.1568.10.0/24 LAN try to connect to telnet service, tcpwrappers deny the access and send the message to the client.

Expansions

In most of the cases expansions are used with the spawn and twist operators in order to retrieve information about the client that is trying to connect to the tcpwrapped network service. It also provides information about the server and process in execution :

%a
Prints the client IP address.

%A
Prints the server IP address.

%c
Prints a variety of client information, such as the username and hostname.

%d
Prints the daemon process name.

%h
Prints the client hostname (IP address if the hostname is unknown).

%H
Prints the server hostname (IP address if the hostname is unknown).

%n
Prints the client hostname. If unavailable, unknown is printed. If the client hostname and host address do not match, paranoid is printed.

%N
Prints the server hostname. If unavailable, unknown is printed. If the server hostname and host address do not match, paranoid is printed.

%p
Prints the daemon process ID.

%s
Prints various types of server information, such as the daemon process and the host or IP address of the server.

%u
Prints the client username. If unavailable, unknown is printed.

Lets have a look on examples explained on the previous section :

# cat /etc/hosts.allow
vsftpd : ALL : spawn /bin/echo `/bin/date` from %h>>/var/log/audit_vsftpd.log


In this case all attempts to use vsftpd will be logged on /var/log/audit_vsftpd.log with the date and the client hostname (%h) and the connection will be allowed.

# cat /etc/hosts.deny
telnetd : 192.168.10.0/255.255.255.0 : twist /bin/echo "What are you doing %a!!!"


Telnet logins from 192.168.10.0/24 will be denied with the message "What are you doing %a !!!" where %a will be replaced with the client IP address.

Questions

1.- Tcpwrappers first checks matching on /etc/hosts.deny, so denying is first than allowing (true/false).

2.- By default Tcpwrappers is installed on RHEL6 system by tcp_wrappers RPM (true/false).

3.- Which command can be used in order to check if a network server uses tcpwrappers.

4.- Which tcpwrappers command will substitute the execution of the requested network service by a specified system command ?

A - twist
B - except
C - all
D - spawn

5.- Which of the following files are used by tcpwrappers ?

A - /etc/hosts.allow
B - /etc/hosts.deny
C - Both of them
D - None of them

Labs

1.- Configure tcpwrappers to allow connections to sshd server on rhel6 only from 10.0.0.0/24 LAN except from 10.0.0.99.

2.- Modify previous lab and log allowed connections with the following information: client and process information on /var/log/audit_sshd.

-- This page is part of Linux Server online tutorial --