Configuring TCP Wrappers for Linux Security

Configuring TCP Wrappers

 

The TCP Wrappers package is installed by default on Fedora Linux and provides host-based access control that is separate from, and in addition to, any firewall running on the server itself or elsewhere on the network. It only applies to services that are linked against its libwrap library or started through tcpd (for example from inetd or xinetd); a daemon that does neither ignores both files entirely.
The package relies on two main files:

/etc/hosts.allow: Defines the hosts and networks allowed to connect to the server. The TCP Wrappers enabled application searches this file for a matching entry, and if it finds one, then the connection is allowed.

/etc/hosts.deny: Defines the hosts and networks prohibited from connecting to the server. If a match is found in this file, the connection is denied. No match means the connection proceeds normally.

The /etc/hosts.allow file is always read first and both files are always read from top to bottom, therefore the ordering of the entries is important.

The TCP Wrappers File Format:

Each line of either file has the format:

    <TCP-daemon-name> : <client-list> [ : <option> ]

This example allows all traffic from the 192.168.5.0/24 and 192.168.8.0/255.255.255.0 networks, SSH from two additional hosts, 172.16.1.2 and 216.14.169.134, and HTTP Web traffic from anywhere. All other TCP traffic to the host is denied. Notice how the network masks can be written either in slash (CIDR) notation or in the dotted decimal 255.255.255.0 format.

#
# File: hosts.allow
#
ALL:    192.168.5.0/24  192.168.8.0/255.255.255.0
sshd:   172.16.1.2  216.14.169.134
httpd:  ALL

#
# File: hosts.deny
#
ALL:    ALL
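To make the evaluation order concrete, here is an added Python matcher (not part of the original article or of the TCP Wrappers package) that applies the two files above to a given daemon and client address. It uses the ipaddress module for the CIDR and dotted-mask forms and implements only the ALL, single-host and network patterns shown here, not the full hosts_access(5) syntax.

```python
import ipaddress

# Constructed copies of the two example files from the article above.
HOSTS_ALLOW = """
ALL:    192.168.5.0/24  192.168.8.0/255.255.255.0
sshd:   172.16.1.2  216.14.169.134
httpd:  ALL
"""
HOSTS_DENY = "ALL:    ALL\n"


def parse_rules(text):
    """Return a list of (daemon_list, client_list); '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {line!r}")
        # A third field (the shell-command option) is ignored by this matcher.
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern: ALL, a single host, a/len CIDR or a/dotted-mask."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        # ip_network accepts both 192.168.5.0/24 and 192.168.8.0/255.255.255.0
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    daemon_ok = "ALL" in daemons or daemon in daemons
    return daemon_ok and any(client_matches(c, ip) for c in clients)


def hosts_access(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is consulted first and a match there wins; then hosts.deny,
    where a match rejects. No match in either file means the connection proceeds."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return True
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return False
    return True
```

Note that with an empty hosts.deny the default is to accept, which is why the `ALL: ALL` deny line is what turns the configuration into a whitelist.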

Determining the TCP Daemon’s Name:


The easiest way of determining the name of a daemon is to use the ps command and then use grep to filter for the name of the service. Here, the example quickly finds the SSH server process and its executable, /usr/sbin/sshd. Because TCP Wrappers only requires the program name and not the path, sshd becomes the entry to place in the TCP-daemon-name column of the configuration file.

[root@mysrv1 tmp]# ps -ef | grep -i ssh
root     10053     1  0 Nov06 ?        00:00:00 /usr/sbin/sshd
root     14145 10053  0 Nov13 ?        00:00:02 sshd: root@pts/1
root     18100 14148  0 21:56 pts/1    00:00:00 grep ssh
[root@mysrv1 tmp]#

For a full explanation of all the options available, refer to section 5 of the man pages for hosts_access:

[root@mysrv1 tmp]# man 5 hosts_access

TCP Wrappers is simple to implement, but it has to be configured on every host. Management is usually easier on a firewall that protects the entire network.
