Ubuntu tcp wrappers

TCP wrappers can be considered as a simple firewall for Ubuntu system. It is a host access control system and also can be used to secured a service. The tcp wrappers contains two files named hosts.allow and hosts.deny.


Here are some basic information about tcp wrappers and how to configure hosts.allow and hosts.deny files:





  • Access control pattern based on client (host name/address, user name),

  • Access control pattern based on server (process name, host name/address)

  • Access will be granted when a (daemon,client) pair matches an entry in the /etc/hosts.allow file.

  • Access will be denied when a (daemon,client) pair matches an entry in the /etc/hosts.deny file.

  • Otherwise, access will be granted.




Here is the format:


daemon_list : client_list [ : shell command]




  • daemon_list is a list of one or more daemon process names (argv[0] values) or server port numbers or wildcards.

  • client_list is a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address.

  • shell command is optional

  • List elements should be separated by blanks and/or commas.



Wildcards


Here are lists of wildcards support by tcp wrappers:



ALL The universal wildcard, always matches.
LOCAL Matches any host whose name does not contain a dot character.
UNKNOWN Matches any user whose name is unknown, and matches any host whose name
or address are unknown.
KNOWN Matches any user whose name is known, and matches any host whose name
and address are known.
PARANOID Matches any host whose name does not match its address.


Shell commands


Shell command should be perform background otherwise you have to wait until the command finished.




Shell commands should not rely on the PATH setting of the inetd.
Instead, they should use absolute path names, or they should begin with
an explicit PATH=whatever statement.


SERVER ENDPOINT PATTERNS


In order to distinguish clients by the network address that they connect to, use patterns of the form:



process_name@host_pattern : client_list ...



Patterns like these can be used when the machine has different internet addresses with different internet hostnames.



CLIENT USERNAME LOOKUP


Client username information, when available, is logged together with the client host name, and can be used to match patterns like:



daemon_list : ... user_pattern@host_pattern ...



The daemon wrappers can be configured at compile time to perform rule-driven username lookups (default) or to always interrogate the client host. In the case of rule-driven username lookups, the above rule would cause username lookup only when both the daemon_list and the host_pattern match.



Selective username lookups can alleviate the last problem. For example, a rule like:



daemon_list : @pcnetgroup ALL@ALL



would match members of the pc netgroup without doing username lookups, but would perform username lookups with all other systems.



DETECTING ADDRESS SPOOFING ATTACKS


The IDENT (RFC931 etc.)service can be used to detect such and other host address spoofing attacks.



Before accepting a client request, the wrappers can use the IDENT service to find out that the client did not send the request at all. When the client host provides IDENT service, a negative IDENT lookup result (the client matches UNKNOWN@host) is strong evidence of a host spoofing attack.