TCP WRAPPERS
Thursday, July 9, 2009
TCP WRAPPERS
To provide a better degree of access control, some service like sshd, portmap, xinetd are compiled with libwrap.a library. These are called “Tcp-wrapped” service.
Now, we are going to implement control on tcp-wrapped service. We will modify /etc/hosts.deny file here as follows – see the highlighted section in the screenshot below.
Here, in the highlighted section –
• The 1st line defines “ssh connection from any system will be disallowed”
• The 2nd line defines “only a computer with IP address 172.16.1.38 will be allowed to establish ssh session – others will be disallowed”
• The 3rd line defines “ssh connection from any system will be disallowed but the system will allow 172.16.1.38 and 172.16.1.178 to establish ssh session”
• The 4th line allows “computer from 172.16.0.0/255.255.248.0 network will be establis allowed to h ssh session – other will be disallowed”
• The 5th line defines “computer from 172.16.0.0/255.255.248.0 network, except 172.16.1.38, will be allowed and other systems will be disallowed to establish ssh session.
• The 6th line defines “the same rule as it is defined in the 5th line, where the rule is here for telnet and ssh service”
• The last line defines “all tcp-wrapped service can only be accessible from
abc.com domain”
In the screen shot above the last line is activated only as it is not commented out using #.
Have a note, you do not need to start or restart any service to control tcp-wrapped service using tcp-wrapper. All you have to do is just modify the /etc/hosts.deny file.
There is another important file, /etc/hosts.allow, as far as tcp wrapper is concerned. The system will check the /etc/hosts.allow file first, service will be accessible to users using it. Then the system will go through /etc/hosts.deny file and act accordingly.
Let us assume, we have a requirement where we want only ssh service will be accessible from 172.16.1.38 and other “tcp-wrapped” services will be blocked from any user.
The easiest solution is add the following line in /etc/hosts.deny file –
ALL: ALL
Add the following line in /etc/hosts.allow file –
ssh: 172.16.1.38
To provide a better degree of access control, some service like sshd, portmap, xinetd are compiled with libwrap.a library. These are called “Tcp-wrapped” service.
Now, we are going to implement control on tcp-wrapped service. We will modify /etc/hosts.deny file here as follows – see the highlighted section in the screenshot below.
Here, in the highlighted section –
• The 1st line defines “ssh connection from any system will be disallowed”
• The 2nd line defines “only a computer with IP address 172.16.1.38 will be allowed to establish ssh session – others will be disallowed”
• The 3rd line defines “ssh connection from any system will be disallowed but the system will allow 172.16.1.38 and 172.16.1.178 to establish ssh session”
• The 4th line allows “computer from 172.16.0.0/255.255.248.0 network will be establis allowed to h ssh session – other will be disallowed”
• The 5th line defines “computer from 172.16.0.0/255.255.248.0 network, except 172.16.1.38, will be allowed and other systems will be disallowed to establish ssh session.
• The 6th line defines “the same rule as it is defined in the 5th line, where the rule is here for telnet and ssh service”
• The last line defines “all tcp-wrapped service can only be accessible from
abc.com domain”
In the screen shot above the last line is activated only as it is not commented out using #.
Have a note, you do not need to start or restart any service to control tcp-wrapped service using tcp-wrapper. All you have to do is just modify the /etc/hosts.deny file.
There is another important file, /etc/hosts.allow, as far as tcp wrapper is concerned. The system will check the /etc/hosts.allow file first, service will be accessible to users using it. Then the system will go through /etc/hosts.deny file and act accordingly.
Let us assume, we have a requirement where we want only ssh service will be accessible from 172.16.1.38 and other “tcp-wrapped” services will be blocked from any user.
The easiest solution is add the following line in /etc/hosts.deny file –
ALL: ALL
Add the following line in /etc/hosts.allow file –
ssh: 172.16.1.38
Labels: command, guide to linux, Linux, linux administrator guide, Linux installation guide, linux security, pocket linux guide, red hat linux guide, redhat server, TCP WRAPPERS
posted by Gautam at 3:16 AM, | 
Post a Comment