LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-08-2006, 08:38 AM   #1
sysconfig
Member
 
Registered: Sep 2006
Location: (.)
Posts: 44

Rep: Reputation: 15
Tcp wrappers


Tcp wrappers provides the following advantages against network services

Almost every application of the TCP/IP protocols is based on a client-
server model. for example telnet, ftp, ssh, etc..

TCP wrappers is used to allow/grant or deny access to the various services on your maschine from remote client/ or to the outside network or other machines on the same network. it does this by using two files called:

Quote:
/etc/hosts.allow
/etc/hosts.deny
The TCP wrappers package (tcp_wrappers ) is installed by default and provides host-based access control to network services. The most important component within the package is the /usr/lib/libwrap.a library. In general terms, a TCP wrapped service is one that has been compiled against the libwrap.a library.

When a connection attempt is made to a TCP wrapped service, the service first references the hosts access files (/etc/hosts.allow and /etc/hosts.deny) to determine whether or not the client host is allowed to connect. In most cases, it then uses the syslog daemon (syslogd) to write the name of the requesting host and the requested service to /var/log/secure or /var/log/messages .


- Rules define in hosts.allow takes precedence over rules in hosts.deny .
- You can have only one rule per service in hosts.allow and hosts.deny file.
- If there are no matching rules in either of the files or if the files don't exist, then the remote machine is allowed access to the service.
- Any changes to hosts.allow and hosts.deny file takes immediate effect.

Some of the example of it:

syntax of host access file: <daemon list>: <client list> [: <option>: <option>: ...]


The following wildcards may be used:

ALL — Matches everything. It can be used for both the daemon list and the client list.
LOCAL — Matches any host that does not contain a period (.), such as localhost.
KNOWN — Matches any host where the hostname and host address are known or where the user is known.
UNKNOWN — Matches any host where the hostname or host address are unknown or where the user is unknown.
PARANOID — Matches any host where the hostname does not match the host address.


Quote:
vsftpd : .example.com
This rule instructs TCP wrappers to watch for connections to the FTP daemon (vsftpd) from any host in the example.com domain. If this rule appears in hosts.allow, the connection will be accepted. If this rule appears in hosts.deny, the connection will be rejected

Quote:
ALL : .xyz.com
Matches all hosts in the xyz.com domain . Note the dot (.) at the beginning.
Quote:
ALL : 123.12.
Matches all the hosts in the 123.12.0.0 network. Note the dot (.) in the end of the rule.
Quote:
ALL : 192.168.0.1/255.255.255.0
IP address/Netmask can be used in the rule
.

Quote:
sshd : 192.168.5.5 : spawn /bin/echo `/bin/date` from %h >> /var/log/ssh.log : deny
Each time the rule is satisfied, the current date and the clients hostname %h is appended to the ssh.log file.
To determine if a network service binary is linked against libwrap.a, type the following command as the root user:

strings -f <binary-name> | grep hosts_access

# strings /usr/sbin/sendmail | grep hosts_access

Replacing <binary-name> with the name of the network service binary. If a prompt is returned, then the network service is not linked against libwrap.a .

Source: http://forums.linuxwebadmin.info/ind...opic,62.0.html
thankx

Last edited by sysconfig; 09-08-2006 at 08:40 AM.
 
Old 09-08-2006, 08:51 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984
this really isn't the best place for guides, we have a whole subsite dedicated to this for original content, but as your bottom link points out, this is actually a cut and paste from another forum anyway.
 
Old 09-08-2006, 09:11 AM   #3
sysconfig
Member
 
Registered: Sep 2006
Location: (.)
Posts: 44

Original Poster
Rep: Reputation: 15
If it is violating the forums rule then I have to remvoe it.

I am sorry if so
 
Old 09-08-2006, 09:19 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984Reputation: 1984
no, not at all, just that guides like this tend to sink without trace on forums due to the way they way the naturally work.
 
Old 09-08-2006, 09:20 AM   #5
sysconfig
Member
 
Registered: Sep 2006
Location: (.)
Posts: 44

Original Poster
Rep: Reputation: 15
Will take care next time ... thx
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
NFS with TCP Wrappers! stakhous Linux - Software 1 02-17-2005 10:25 PM
netatalk and TCP wrappers greenhornet Linux - Networking 0 04-23-2004 12:47 AM
TCP Wrappers ? juanb Linux - Newbie 1 01-31-2004 02:35 PM
tcp wrappers --with-tcp-wrappers ForumKid Linux - Security 2 01-04-2002 05:01 PM
TCP Wrappers ltrain Linux - Security 6 05-31-2001 11:40 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:03 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration