Candidates should be able to configure TCP Wrapper to allow connections to specified servers only from certain hosts or subnets.
TCP Wrapper configuration files, tools and utilities
inetd configuration files, tools and utilities
Libwrap is a software library which provides tcp-wrapping services. Software can be written to use this library, and use the tcp-wrapping functions and configuration files. Daemons that have to be "wrapped" have to be linked to the libwrap library during compilation.
Whether a daemon is tcp-wrapper enabled can be determined with the following (example) command:
# ldd `which sshd` | grep libwrap
libwrap.so.0 => /lib/x86_64-linux-gnu/libwrap.so.0 (0x00007f88177a9000)
For security reasons, it became necessary to only allow certain types of incoming connections from certain hosts. The inetd daemon now listens to incoming requests and instead of starting the server program needed, inetd starts tcpd which does some additional checks (such as where the request came from). If tcpd determines that the connection should be honoured, the server program needed to honour the request is launched by tcpd.
TCP wrappers do not protect against network sniffing because TCP wrappers do not encrypt network traffic. Use ssh encryption to prevent network sniffing.
For tcp-wrapper enabled daemons inetd can be configured to use tcp-wrappers. /etc/hosts.allow and /etc/hosts.deny (first match in that order) will be checked for access rules.
ftp stream tcp nowait root /usr/sbin/tcpd /usr/sbin/wu-ftpd -l
The lines of /etc/inetd.conf are made up of the following mandatory fields:
/etc/hosts.allow, (daemon,client) pairs that are granted access.
/etc/hosts.deny, (daemon,client) pairs that are denied access.
The form of the rules in both files is the following:
daemon_list : client_list [ : shell_command ]
client_list: This is a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address. Consult the man page of hosts_access(5) for details.
shell_command: Command to be run by the shell when the rule matches.
The client_list (foreign host list) can take the following forms:
ALL: Universal wildcard pattern; matches every host.
EXCEPT: Used in the form list1 EXCEPT list2; matches anything in list1 that is not also in list2.
KNOWN: Matches known addresses, after a successful DNS lookup.
LOCAL: Matches any host whose name does not contain a dot, i.e. only local hosts.
UNKNOWN: Opposite of KNOWN.
A simple setup would be to add ALL : ALL to /etc/hosts.deny and to list only the permitted hosts or domains in /etc/hosts.allow, for example:
/etc/hosts.allow:
ALL : 127.0.0.1 [::1]
/etc/hosts.deny:
ALL : ALL
The hosts.allow file is evaluated prior to hosts.deny, so if a match occurs in hosts.allow the connection is granted and hosts.deny is not consulted.
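The first-match evaluation described above can be checked offline with a small rule evaluator. This is an added example, not code from the page or from the tcp_wrappers project; the two sample files are constructed, and it implements only the wildcards listed above (ALL, LOCAL, KNOWN, UNKNOWN, EXCEPT) plus net/mask, suffix and prefix patterns, not the full hosts_access(5) syntax.

```python
import ipaddress

# Constructed sample files (not from the original page): deny everything in
# hosts.deny, then grant access explicitly in hosts.allow.
HOSTS_ALLOW = """\
sshd : 192.168.10.0/255.255.255.0 EXCEPT 192.168.10.99
sshd, ftp : LOCAL, 127.0.0.1
ftp : .trusted.example    # suffix pattern: any host in that domain
"""
HOSTS_DENY = "ALL : ALL\n"

def parse_rules(text):
    """(daemon_list, client_list) per rule line; a shell_command field is ignored."""
    lines = (ln.split("#", 1)[0].strip() for ln in text.splitlines())
    return [tuple(f.strip() for f in ln.split(":")[:2]) for ln in lines if ln]

def match_list(lst, matches_token):
    """'list1 EXCEPT list2' matches when list1 matches and list2 does not."""
    if " EXCEPT " in lst:
        head, tail = lst.split(" EXCEPT ", 1)
        return match_list(head, matches_token) and not match_list(tail, matches_token)
    return any(matches_token(tok.strip()) for tok in lst.split(","))

def match_client(tok, addr, host):
    """host is the reverse-resolved client name, or None if the lookup failed."""
    if tok == "ALL":
        return True
    if tok == "LOCAL":           # name without a dot: a host in the local domain
        return host is not None and "." not in host
    if tok == "KNOWN":           # name lookup succeeded
        return host is not None
    if tok == "UNKNOWN":
        return host is None
    if "/" in tok:               # net/mask, dotted mask or CIDR prefix length
        return ipaddress.ip_address(addr) in ipaddress.ip_network(tok, strict=False)
    if tok.startswith("."):      # ".domain" matches host names ending in that suffix
        return host is not None and host.endswith(tok)
    if tok.endswith("."):        # "192.168." matches addresses with that prefix
        return addr.startswith(tok)
    return tok in (addr, host)   # exact address or host name

def access_allowed(daemon, addr, host=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is searched first, then hosts.deny; the first matching
    (daemon, client) pair decides. A client matching neither file is allowed."""
    for rules, verdict in ((parse_rules(allow), True), (parse_rules(deny), False)):
        for daemon_list, client_list in rules:
            if match_list(daemon_list, lambda t: t in ("ALL", daemon)) and \
               match_list(client_list, lambda t: match_client(t, addr, host)):
                return verdict
    return True
```

On a real system the same question is answered by tcpdmatch(8), which reads the installed files; note that with both files empty every client is allowed, which is why the ALL : ALL line in hosts.deny matters.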
Service access is checked by hosts.allow and hosts.deny when using tcpd. Configuration of services is done in inetd.conf.
Xinetd stands for “eXtended InterNET services Daemon” and replaces the combination of inetd and tcpd. xinetd can do the same things and offers extra functionality such as more sophisticated access control, prevention of DoS attacks and extensive logging. For more information, take a look at the Xinetd homepage.
As with inetd, /etc/hosts.allow and /etc/hosts.deny will be checked for access rules, but access rules can also be configured in the xinetd configuration files of the affected daemons:
only_from - Allows the hosts specified to use the service.
no_access - Blocks these hosts from using this service.
access_times - Specifies the time range when a particular service may be used. The time range must be stated in a HH:MM-HH:MM format using 24-hour notation.