Linux TCPWRAPPERS
On Linux systems access to specific users, computers or networks can be blocked through the /etc/hosts.allow or /etc/hosts.deny files. The system is known as tcpwrappers, which is enabled by default and installed through tcp_wrappers.rpm RPM. The Linux services or commands that can be controlled through tcp_wrappers are those that use the libwrap library :
In this case the sshd Linux service can be controled through tcpwrappers using the file /etc/hosts.allow and /etc/hosts.deny : sshd is tcpwrapper-aware.
TCPwrappers dynamics
When the system receives a network request for a service that is tcpwrapper-aware, it passes the request to tcpwrappers that checks its access rules. If there are no restrictions on the particular host, IP address or user tcpwrappers allows the access and passes control back to the service.
Access control on tcpwrappers can be configured through /etc/hosts.allow and /etc/hosts.deny files using the following order:
* First searches on /etc/hosts.allow, if tcpwrappers finds a match access is allowed and no more searches are done.
* If no match is found on /etc/hosts.allow it searches on /etc/hosts.deny. If tcpwrappers finds a match access is denied.
* Finally if no match is found on either file, access is allowed.
/etc/hosts.allow and /etc/hosts.deny
The same configuration parameters can be used in both /etc/hosts.allow and /etc/hosts.deny to tell tcpwrappers which clients are allowed or denied:
daemons : clients
As example in order to allow/deny access to ALL tcpwrappers services to ALL clients:
ALL : ALL
This configuration on /etc/hosts.deny will deny access to all tcpwrappers services. However this line on /etc/hosts.allow will allow access to all tcpwrappers services with no restrictions.
In order to deny sshd access from the IP 192.168.10.100 the following configuration can be used on /etc/hosts.deny :
The same configuration on /etc/hosts.allow will allow access to sshd services to 192.168.10.100.These files can contain more that one line so order is important, first match is applied :
With this configuration access to sshd and vsftpd will be allowed only from 192.168.10.1 and the access to the rest of tcpwrappers services will be denied.
Client Matching
The following are the configuration parameters that can be used in order to match clients on allow/deny rules for the tcpwrappers network services :
ALL
ALL clients.
.info.net
Match all clients on the info.net domain, the same as *.info.net
192.168.
Match all clients with an IP address of 192.168.Z.Z.
192.168.0.0/255.255.0.0
Match all clients on 192.168.0.0/255.255.0.0 subnet. (CIDR notation does not work : 192.168.0.0/16 NOT VALID !!!)
Exceptions
Parameter EXCEPT can be used to build exceptions in access rules. For example the following line on /etc/hosts.deny will deny access to telnet network service from all hosts on 192.168.10.0/24 LAN EXCEPT 192.168.10.1 :
It can be used also on the daemon list part :
With this configuration access to all tcpwrappers services except sshd will be allowed from .info.net domain. This is true if sshd is denied on /etc/hosts.deny, if not sshd will be also allowed, keep in mind that /etc/hosts.allow specifies what is explicitly allowed.
Wildcards
The following are wildcards that can be used on /etc/hosts.allow/deny files:
ALL
Matches everything and can be used for both the daemon list and the client list.
LOCAL
Matches any host that does not contain a period (.), such as localhost.
KNOWN
Matches any host where the hostname and host address can be resolved by our DNS.
UNKNOWN
Matches any host where the hostname or host address can not be resolved by our DNS.
PARANOID
Matches any host where the hostname does not match with his IP address.
Shell Commands
An optional field can be used on /etc/hosts.allow/deny in order to execute shell commands when a match is found through the 'spawn' and 'twist' directives.
spawn
Executes a shell command as a child process when a match is found. This feature can be used in order to get client or proccess information. In the following example all clients attempting to access vsftpd services are logged to file /var/log/audit_vsftpd.log and the connection will be allowed.
Replaces the requested service with the specified command. Useful to send messages to connection clients :
In this case when a client from 192.1568.10.0/24 LAN try to connect to telnet service, tcpwrappers deny the access and send the message to the client.
Expansions
In most of the cases expansions are used with the spawn and twist operators in order to retrieve information about the client that is trying to connect to the tcpwrapped network service. It also provides information about the server and process in execution :
%a
Prints the client IP address.
%A
Prints the server IP address.
%c
Prints a variety of client information, such as the username and hostname.
%d
Prints the daemon process name.
%h
Prints the client hostname (IP address if the hostname is unknown).
%H
Prints the server hostname (IP address if the hostname is unknown).
%n
Prints the client hostname. If unavailable, unknown is printed. If the client hostname and host address do not match, paranoid is printed.
%N
Prints the server hostname. If unavailable, unknown is printed. If the server hostname and host address do not match, paranoid is printed.
%p
Prints the daemon process ID.
%s
Prints various types of server information, such as the daemon process and the host or IP address of the server.
%u
Prints the client username. If unavailable, unknown is printed.
Lets have a look on examples explained on the previous section :
In this case all attempts to use vsftpd will be logged on /var/log/audit_vsftpd.log with the date and the client hostname (%h) and the connection will be allowed.
Telnet logins from 192.168.10.0/24 will be denied with the message "What are you doing %a !!!" where %a will be replaced with the client IP address.
On Linux systems access to specific users, computers or networks can be blocked through the /etc/hosts.allow or /etc/hosts.deny files. The system is known as tcpwrappers, which is enabled by default and installed through tcp_wrappers.rpm RPM. The Linux services or commands that can be controlled through tcp_wrappers are those that use the libwrap library :
Code:
# ldd /usr/sbin/sshd | grep -i libwrap libwrap.so.0 => /lib/libwrap.so.0
TCPwrappers dynamics
When the system receives a network request for a service that is tcpwrapper-aware, it passes the request to tcpwrappers that checks its access rules. If there are no restrictions on the particular host, IP address or user tcpwrappers allows the access and passes control back to the service.
Access control on tcpwrappers can be configured through /etc/hosts.allow and /etc/hosts.deny files using the following order:
* First searches on /etc/hosts.allow, if tcpwrappers finds a match access is allowed and no more searches are done.
* If no match is found on /etc/hosts.allow it searches on /etc/hosts.deny. If tcpwrappers finds a match access is denied.
* Finally if no match is found on either file, access is allowed.
/etc/hosts.allow and /etc/hosts.deny
The same configuration parameters can be used in both /etc/hosts.allow and /etc/hosts.deny to tell tcpwrappers which clients are allowed or denied:
daemons : clients
As example in order to allow/deny access to ALL tcpwrappers services to ALL clients:
ALL : ALL
This configuration on /etc/hosts.deny will deny access to all tcpwrappers services. However this line on /etc/hosts.allow will allow access to all tcpwrappers services with no restrictions.
In order to deny sshd access from the IP 192.168.10.100 the following configuration can be used on /etc/hosts.deny :
Code:
# cat /etc/hosts.deny sshd : 192.168.10.100
Code:
# cat /etc/hosts.deny sshd, vsftpd : ALL EXCEPT 192.168.10.1 ALL:ALL
Client Matching
The following are the configuration parameters that can be used in order to match clients on allow/deny rules for the tcpwrappers network services :
ALL
ALL clients.
.info.net
Match all clients on the info.net domain, the same as *.info.net
192.168.
Match all clients with an IP address of 192.168.Z.Z.
192.168.0.0/255.255.0.0
Match all clients on 192.168.0.0/255.255.0.0 subnet. (CIDR notation does not work : 192.168.0.0/16 NOT VALID !!!)
Exceptions
Parameter EXCEPT can be used to build exceptions in access rules. For example the following line on /etc/hosts.deny will deny access to telnet network service from all hosts on 192.168.10.0/24 LAN EXCEPT 192.168.10.1 :
Code:
# cat /etc/hosts.deny telnetd : 192.168.10.0/255.255.255.0 EXCEPT 192.168.10.1
Code:
# cat /etc/hosts.allow ALL EXCEPT sshd : .info.net
Wildcards
The following are wildcards that can be used on /etc/hosts.allow/deny files:
ALL
Matches everything and can be used for both the daemon list and the client list.
LOCAL
Matches any host that does not contain a period (.), such as localhost.
KNOWN
Matches any host where the hostname and host address can be resolved by our DNS.
UNKNOWN
Matches any host where the hostname or host address can not be resolved by our DNS.
PARANOID
Matches any host where the hostname does not match with his IP address.
Shell Commands
An optional field can be used on /etc/hosts.allow/deny in order to execute shell commands when a match is found through the 'spawn' and 'twist' directives.
spawn
Executes a shell command as a child process when a match is found. This feature can be used in order to get client or proccess information. In the following example all clients attempting to access vsftpd services are logged to file /var/log/audit_vsftpd.log and the connection will be allowed.
Code:
# cat /etc/hosts.allow vsftpd : ALL : spawn /bin/echo `/bin/date` from %h>>/var/log/audit_vsftpd.log twist
Code:
# cat /etc/hosts.deny telnetd : 192.168.10.0/255.255.255.0 : twist /bin/echo "What are you doing %a!!!"
Expansions
In most of the cases expansions are used with the spawn and twist operators in order to retrieve information about the client that is trying to connect to the tcpwrapped network service. It also provides information about the server and process in execution :
%a
Prints the client IP address.
%A
Prints the server IP address.
%c
Prints a variety of client information, such as the username and hostname.
%d
Prints the daemon process name.
%h
Prints the client hostname (IP address if the hostname is unknown).
%H
Prints the server hostname (IP address if the hostname is unknown).
%n
Prints the client hostname. If unavailable, unknown is printed. If the client hostname and host address do not match, paranoid is printed.
%N
Prints the server hostname. If unavailable, unknown is printed. If the server hostname and host address do not match, paranoid is printed.
%p
Prints the daemon process ID.
%s
Prints various types of server information, such as the daemon process and the host or IP address of the server.
%u
Prints the client username. If unavailable, unknown is printed.
Lets have a look on examples explained on the previous section :
Code:
# cat /etc/hosts.allow vsftpd : ALL : spawn /bin/echo `/bin/date` from %h>>/var/log/audit_vsftpd.log
Code:
# cat /etc/hosts.deny telnetd : 192.168.10.0/255.255.255.0 : twist /bin/echo "What are you doing %a!!!"