what are TCP Wrappers? How do I find out if a program or server (service) is compiled with TCP Wrappers? What are the advantages and disadvantages of TCP Wrappers over firewalls like Netfilter or PF? How do I protect my Mac OS X or Sun Solaris or Linux workstation by using TCP Wrappers?
A TCP Wrapper is a library that provides simple access control and standardized logging for supported applications that accept connections over a network. Linux and other Unix-like operating systems are compiled with TCP Wrappers (also known as "TCPD"). For example, Solaris, Linux, *BSD, and Mac OS X have TCP Wrappers configured to run right out of the box.
|Estimated completion time||15m|
A TCP Wrapper is a host-based networking access control list (ACL) system and used to filter network access to Internet. TCP Wrappers were original written to monitor and stop cracking activities on the UNIX workstation in the 1990s. It was the best solution in the '90s to protect the UNIX workstations over the Internet. However, it has few disadvantages:
All UNIX apps must be compiled with the libwrap library.
The wrappers do not work with RPC services over TCP.
The user name lookup feature of TCP Wrappers uses identd to identify the username of the remote host. By default, this feature is disabled, as identd may appear hung when there are a large number of TCP connections.
Nevertheless, TCP Wrappers present one strong advantage over firewall: it works on the application layer. It can filter requests when encryption is used. Basically, users need to use both host-based and network-based security. Common services such as pop3, ftp, sshd, telnet, and r-services are supported by TCP Wrappers.
TCPD (TCP Wrappers) Benefits
Logging - Connections that are monitored by TCPD are reported through the syslog facility.
Access Control - TCPD supports a simple form of access control that is based on pattern matching. You can even hook the execution of shell commands/script when a pattern matches.
Host Name Verification - TCPD verifies the client host name that is returned by the address->name DNS server by looking at the host name and address that are returned by the name->address DNS server.
How do I Find Out Whether a Program Is Compiled with TCP Wrappers or Not?
To determine whether a given executable daemon/path/to/daemon supports TCP Wrappers, type:
$ ldd /path/to/daemon | grep libwrap.so
If this command returns any output, then the daemon probably supports TCP Wrappers. In this example, find out if SSHD supports TCP Wrappers on not. First, locate the SSHD program location on the disk:
$ whereis sshd
sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.gz
Next, run the good old ldd command as follows to find out whether SSHD daemon supports TCP Wrappers or not:
$ ldd /usr/sbin/sshd | grep libwrap.so
libwrap.so.0 => /lib64/libwrap.so.0 (0x00002b759b381000)
The ldd command is used to see if libwrap.so is a dependency or not. An alternative to TCP Wrapper support is packet filtering using iptables.
tcpd daemon - Access control facility for Internet services.
/etc/hosts.allow - This file describes the names of the hosts which are allowed to use the local INET services, as decided by the /usr/sbin/tcpd server.
/etc/hosts.deny - This file describes the names of the hosts which are NOT allowed to use the local INET services, as decided by the /usr/sbin/tcpd server.
If the same client/user/ip is listed in both hosts.allow and hosts.deny, then hosts.allow takes precedence, and access is permitted. If the client is listed in hosts.allow, then access is permitted. If the client is listed in hosts.deny, then access is denied.
tcpdchk and tcpdmatch commands - Test programs for tcpd.
Syntax (format) Of Host Access Control Files
Both /etc/hosts.allow and /etc/hosts.deny use the following format:
daemon_list : client_list [ : shell_command ]
daemon_list - a list of one or more daemon process names.
client_list - a list of one or more host names, host addresses, patterns, or wildcards that will be matched against the client host name or address.
The access control language supports explicit wildcards (quoting from the man page):
ALL The universal wildcard, always matches. LOCAL Matches any host whose name does not contain a dot character. UNKNOWN Matches any user whose name is unknown, and matches any host whose name or address are unknown. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to. KNOWN Matches any user whose name is known, and matches any host whose name and address are known. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the soft- ware cannot figure out what type of network it is talking to. PARANOID Matches any host whose name does not match its address. When tcpd is built with -DPARANOID (default mode), it drops requests from such clients even before looking at the access control tables. Build without -DPARANOID when you want more control over such requests.
TCPD Configuration Examples
In this example, I will set default policy to deny access. Only explicitly authorized hosts are permitted access. Update /etc/hosts.deny file as follows:
# The default policy (no access) is implemented with a trivial deny file ALL: ALL
The ALL: ALL config will deny all service to all hosts unless they are permitted access by entries in the allow file. For example, allow access as follows via /etc/hosts.allow file:
ALL: LOCAL @devels ALL: .nixcraft.net.in EXCEPT boobytrap.nixcraft.net.in
Log and deny access (booby traps) - we do not allow connections from crackers.com:
ALL : .crackers.com \ : spawn (/bin/echo %a from %h attempted to access %d >> \ /var/log/connections.log) \ : deny
A Typical UNIX Example
Allow access to various services inside LAN only via /etc/hosts.allow:
popd : 192.168.1.200 192.168.1.104 imapd : 192.168.1.0/255.255.255.0 sendmail : 192.168.1.0/255.255.255.0 sshd : 192.168.1.2 172.16.23.12
Deny everything via /etc/hosts.deny:
ALL : ALL
Reject All Connections
Restrict all connections to non-public services to localhost only. Suppose SSHD and FTPD are the names of services which must be accessed remotely. Edit /etc/hosts.allow. Add the following lines for sshd and ftpd:
sshd ,ftpd : ALL ALL: localhost
Save and close the file. Edit /etc/hosts.deny. Add the following line:
Default Log Files
TCP Wrappers will do all logging via syslog according to your /etc/syslog.conf file. The following table lists the standard locations where messages from TCP Wrappers will appear:
AIX - /var/adm/messages
HP-UX - /usr/spool/mqueue/syslog
Linux - /var/log/messages
FreeBSD / OpenBSD / NetBSD - /var/log/messages
Mac OS X - /var/log/system.log
Solaris - /var/log/syslog
Use the following command to view logs:
# tail -f /path/to/log/file
# grep 'ip' /path/to/log/file
# egrep -i 'ip|hostname' /path/to/log/file
How Do I Predict How the TCP Wrapper Will Handle a Specific Request For Service?
Use the tcpdmatch command to predict how the TCPD would handle an SSHD request from the local system:
tcpdmatch sshd localhost
The same request, pretending that the hostname lookup failed:
tcpdmatch sshd 192.168.1.5
To predict what TCPD would do when the client name does not match the client address:
tcpdmatch sshd paranoid
Replace sshd with in.telnetd, or ftpd and so on. You can use all daemon names specified in the inetd.conf or xinetd.conf file.
How Do I Examine My TCP Wrapper Configuration File?
Use the tcpdchk command to examine your TCP Wrapper configuration and report all of the potential and real problems it can find.