TCP wrappers is used to implement host-based access restrictions for network services running on a Linux server. For a network service to work with TCP wrappers, it must be compiled against the libwrap library. To check whether a network service has TCP wrapper support, use:
strings -f /path/to/service/binary | grep hosts_access. For example, to check whether sshd is compiled with TCP wrapper support:
[root@LinuxBox1 ~]#strings -f /usr/sbin/sshd|grep hosts_access
/usr/sbin/sshd: hosts_access
Host access is allowed or denied based on the entries in the files /etc/hosts.allow and /etc/hosts.deny (together known as the host access files). Each of these files contains a list of services, the corresponding list of hosts, and optionally some additional options.
As the name indicates, hosts.allow lists the hosts allowed to access the listed services. When a host tries to access a network service on the server, hosts.allow is parsed from top to bottom looking for a match for the service-host pair. Parsing stops at the first match found and access is allowed. If no match is found in this file, hosts.deny is parsed; if a match is found there, access is denied for the host. If neither file contains a match, or the files do not exist, access is allowed for the host.
Access files contain a number of rows, each with the following format:
daemon-list:host-list:[option1]:[option2]:..........
daemon list: Comma-separated list of service binary names. Do not confuse this with the service name; for example, the service name for telnet is 'telnet' but the binary is 'in.telnetd' (/usr/sbin/in.telnetd).
host list: Comma-separated list of hosts to be allowed/denied access to the daemon list. Hosts can be specified in any of the following formats.
host names: machine1.mydomain.com represents a single machine.
host names starting with a period: .mydomain.com represents all host names under this domain. Example: machine2.mydomain.com, switch2.sub1.mydomain.com ......
Hostnames containing ? and/or *: Within a hostname or IP you can use these wildcards; '*' substitutes for any number of characters while '?' replaces only a single character.
Eg:
*.mydomain.com : mac1.mydomain.com, mac2.sub1.mydomain.com ....
mac?.mydomain.com : mac1.mydomain.com,mac2.mydomain.com,...mac9.mydomain.com,maca.mydomain.com,macb.mydomain.com etc...
IP address ending with a period: 192.168. represents all IPs in the network 192.168.0.0/16.
Network & netmask: 192.168.1.0/255.255.255.128, 10.10.0.0/255.255.224.0 etc...
File path beginning with a leading '/': The specified file contains a list of hosts. Each line of the file contains a number of host/IP patterns separated by white space.
Explicit wildcards: These wildcards have special meanings. There are many, but the most popular is 'ALL', which matches anything (applicable to daemons as well as hosts).
The 'EXCEPT' operator: This can be used with both hosts and daemons as follows:
a) In the daemon list, a rule that is applicable to all services except vsftpd
ALL EXCEPT vsftpd
b) In the client list, all machines in the network 192.168.0.0 except 192.168.0.15
192.168.0. EXCEPT 192.168.0.15
options: This field can be used to alter the logging behaviour, launch shell commands, etc. when a rule is matched, but this feature is specific to the Red Hat version of TCP wrappers.
There are two approaches to any firewall/access control design: mostly closed and mostly open. In mostly closed, all access is restricted and only the minimum required access is granted. For TCP wrappers, mostly closed means a single line ALL:ALL in hosts.deny and the necessary services in hosts.allow. In mostly open, all client access is allowed and restrictions are applied as and when necessary. In TCP wrappers: ALL:ALL in hosts.allow and the necessary restrictions in hosts.deny.
Some example rules:
Allow telnet from the local networks (192.168.0.0/24 & 192.168.1.0/24)
hosts.allow
in.telnetd:192.168.0.,192.168.1.
Suppose, in addition to this, you want to deny telnet access from all other hosts.
hosts.deny
in.telnetd:ALL
Since hosts.allow is parsed first, the rule there will match requests from the local networks and allow them. If the request is from an external host, the rule in hosts.allow will not match and the request will be passed to hosts.deny, where the rule is to deny all telnet communication. That rule will match and access will be denied for that host.
Alternatively, we can do both of these in a single rule in hosts.deny:
hosts.deny
in.telnetd: ALL EXCEPT 192.168.0.,192.168.1.
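To make the lookup order and the host-list patterns described above concrete, here is an added example (not part of the original post and not the libwrap code itself) that evaluates a pair of access files the way the text describes: hosts.allow first, then hosts.deny, then the default of allow. It handles ALL, EXCEPT, leading-period domain suffixes, trailing-period network prefixes, net/netmask forms and the * and ? wildcards; the sample hosts.allow and hosts.deny contents are constructed for the demonstration and the leading-'/' file form and IPv6 are left out.

```python
import fnmatch
from ipaddress import ip_address, ip_network

def match_host(pattern, host, ip):
    """Match one host-list token against the client's hostname and IP (no '/file' form)."""
    p = pattern.strip()
    if p == "ALL":                       # explicit wildcard
        return True
    if p.startswith("."):                # .mydomain.com: every host under the domain
        return host.endswith(p)
    if p.endswith("."):                  # 192.168.: every IP with that prefix
        return ip.startswith(p)
    if "/" in p:                         # net/netmask, e.g. 10.10.0.0/255.255.224.0
        return ip_address(ip) in ip_network(p, strict=False)
    if "*" in p or "?" in p:             # shell-style wildcards in a name or IP
        return fnmatch.fnmatchcase(host, p) or fnmatch.fnmatchcase(ip, p)
    return p in (host, ip)               # exact host name or IP

def match_list(field, matches_token):
    """'a,b EXCEPT c,d' matches anything in the left list that is not in the right."""
    if " EXCEPT " in field:
        incl, excl = field.split(" EXCEPT ", 1)
        return match_list(incl, matches_token) and not match_list(excl, matches_token)
    return any(matches_token(t.strip()) for t in field.split(",") if t.strip())

def file_matches(rules, daemon, host, ip):
    """Scan one access file top to bottom; the first matching line wins."""
    for line in rules.splitlines():
        fields = line.split("#", 1)[0].split(":")   # daemon-list:host-list:[options]
        if len(fields) < 2:
            continue
        if (match_list(fields[0], lambda d: d in ("ALL", daemon))
                and match_list(fields[1], lambda p: match_host(p, host, ip))):
            return True
    return False

def decide(hosts_allow, hosts_deny, daemon, host, ip):
    """hosts.allow first, then hosts.deny, otherwise the implicit default: allow."""
    if file_matches(hosts_allow, daemon, host, ip):
        return "allow"
    if file_matches(hosts_deny, daemon, host, ip):
        return "deny"
    return "allow"

# Constructed sample files following the mostly-closed design from the post
HOSTS_ALLOW = """in.telnetd: 192.168.0., 192.168.1.
sshd: .mydomain.com, 10.10.0.0/255.255.224.0
"""
HOSTS_DENY = "ALL EXCEPT vsftpd: ALL\n"
```

Calling decide(HOSTS_ALLOW, HOSTS_DENY, "in.telnetd", "pc7.lan", "192.168.1.20") returns "allow", while the same request from 203.0.113.5 falls through to hosts.deny and returns "deny".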