
How to install tcp wrappers in Ubuntu

This is a guide on how to install tcp wrappers in Ubuntu. TCP wrappers is a host-based access control facility for network services on Ubuntu, on Linux in general and on other Unix-like systems. You can think of it as a simple firewall if you like, with one caveat: it only sees connections to services that are started through tcpd or linked against its libwrap library, not all traffic reaching the host.



TCP wrappers ships in the tcpd package. tcpd itself is not a long-running daemon: inetd starts it in place of the real service, tcpd checks the access rules and logs the connection, and then hands off to the real daemon. The fast way to install a package in Ubuntu is with the aptitude package manager. Aptitude is a high-level package management tool developed for Debian Linux, and its upgrade steps are similar to the apt-get command. See my previous post, Ubuntu aptitude upgrade, for the aptitude update and upgrade commands.



Here is a step-by-step example of how to install tcp wrappers in Ubuntu using aptitude:




luzar@ubuntu:~$ sudo aptitude install tcpd
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Building tag database... Done
The following packages have been automatically kept back:
libbind9-30 libisc32 libisccc30 libisccfg30
The following packages have been kept back:
bind9 bind9-host dnsutils linux-image-server linux-server
0 packages upgraded, 0 newly installed, 0 to remove and 9 not upgraded.
Need to get 0B of archives. After unpacking 0B will be used.
Writing extended state information... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Building tag database... Done
luzar@ubuntu:~$


That's it. Note that aptitude reports "0 newly installed" above: tcpd was already present on this system, so nothing had to be downloaded. On a fresh install it fetches and unpacks the package before printing the same final messages.

Ubuntu tcp wrappers

TCP wrappers can be considered a simple firewall for an Ubuntu system. It is a host-based access control system and can also be used to protect an individual service. TCP wrappers reads its rules from two files, /etc/hosts.allow and /etc/hosts.deny.


Here is some basic information about tcp wrappers and how to configure the hosts.allow and hosts.deny files:





  • Access control patterns can match the client (host name/address, user name),

  • and the server (process name, host name/address).

  • Access is granted when a (daemon, client) pair matches an entry in the /etc/hosts.allow file. Within a file the search stops at the first match.

  • Otherwise, access is denied when the (daemon, client) pair matches an entry in the /etc/hosts.deny file.

  • Otherwise, access is granted. A missing file is treated as an empty one, so with no rules at all every wrapped service is reachable; a default-deny setup therefore needs an ALL : ALL entry in /etc/hosts.deny and explicit permits in /etc/hosts.allow.




Here is the format:


daemon_list : client_list [ : shell command]




  • daemon_list is a list of one or more daemon process names (argv[0] values) or wildcards.

  • client_list is a list of one or more host names, host addresses, patterns or wildcards that will be matched against the client host name or address.

  • the shell command is optional and is executed when the rule matches (see below).

  • List elements should be separated by blanks and/or commas.

  • Debian-derived builds of tcpd, Ubuntu's included, enable the extended syntax of hosts_options(5): there the command is written as spawn command, and the third field can also carry other options. Check man hosts_options on your system before relying on the plain form.



Wildcards


Here is the list of wildcards supported by tcp wrappers:

  • ALL: the universal wildcard, always matches.

  • LOCAL: matches any host whose name does not contain a dot character.

  • UNKNOWN: matches any user whose name is unknown, and matches any host whose name or address is unknown.

  • KNOWN: matches any user whose name is known, and matches any host whose name and address are known.

  • PARANOID: matches any host whose name does not match its address.

KNOWN and UNKNOWN depend on name and IDENT lookups succeeding, so a temporary name server problem turns a trusted host into UNKNOWN; use them with care.


Shell commands


A shell command should be run in the background (end it with &); otherwise the wrapper waits for it to finish before the connection is handed to the real service.




Shell commands should not rely on the PATH setting of inetd. Instead, they should use absolute path names, or they should begin with an explicit PATH=whatever statement.


SERVER ENDPOINT PATTERNS


In order to distinguish clients by the network address that they connect to, use patterns of the form:



process_name@host_pattern : client_list ...



Patterns like these are useful when the machine has several network addresses with different host names, for example to offer a service only on an internal-facing address.
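To make the rules, wildcards, shell commands and server endpoint patterns above concrete, here is an added example written for this post (not code from the tcp_wrappers project) that re-implements the decision procedure in Python: it parses hosts.allow and hosts.deny text in the format shown, applies the wildcards, EXCEPT lists, address/mask and domain patterns and server endpoint patterns, expands the shell command, and reports the verdict in the order the rules give. The rule files, host names and addresses in it are constructed for illustration; NIS netgroups and user@host patterns are left out.

```python
"""Toy re-implementation of the hosts_access(5) decision made by tcpd.
Added example for this post, not code from the tcp_wrappers project. It parses
hosts.allow/hosts.deny text and evaluates a (daemon, client) pair in the order the
post gives (hosts.allow first, then hosts.deny, otherwise grant)."""
import ipaddress
from collections import namedtuple

# An endpoint: addr is always known; name is None when the reverse lookup failed
# (UNKNOWN); name_mismatch marks a name that does not resolve back to addr (PARANOID).
Host = namedtuple("Host", "addr name name_mismatch", defaults=(None, False))

# Constructed sample rule files standing in for /etc/hosts.allow and /etc/hosts.deny.
HOSTS_ALLOW = """\
# sshd: the office LAN except one untrusted box, plus one admin host by name
sshd : 192.168.1.0/255.255.255.0 EXCEPT 192.168.1.13
sshd : admin.example.com
# any wrapped service from a single-label (LOCAL) host name
ALL : LOCAL
# ftp only for clients that connected to this server's internal address
in.ftpd@10.0.0.2 : .example.com
"""
HOSTS_DENY = """\
# default deny, logged with an absolute command path, in the background
ALL : ALL : /usr/bin/logger -t tcpd "denied %d from %h (%a)" &
"""

def parse_rules(text):
    """Return (daemon_list, client_list, shell_command or None) per rule. Blank
    and '#' lines are skipped; a trailing backslash continues a rule."""
    rules, pending = [], ""
    for raw in text.splitlines():
        if not pending and (not raw.strip() or raw.lstrip().startswith("#")):
            continue
        if raw.endswith("\\"):
            pending += raw[:-1]
            continue
        line, pending = pending + raw, ""
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        cmd = fields[2] if len(fields) == 3 else None
        if cmd and cmd.startswith("spawn "):   # hosts_options(5) spelling on Debian/Ubuntu
            cmd = cmd[len("spawn "):]
        rules.append((fields[0], fields[1], cmd))
    return rules

def host_matches(pattern, host):
    """One client (or server endpoint) pattern against a Host."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return host.name is not None and "." not in host.name
    if pattern == "KNOWN":
        return host.name is not None
    if pattern == "UNKNOWN":
        return host.name is None
    if pattern == "PARANOID":
        return host.name_mismatch
    if pattern.startswith("@"):
        raise ValueError("NIS netgroups are not supported in this example")
    if pattern.startswith("."):     # domain suffix, e.g. .example.com
        return host.name is not None and host.name.lower().endswith(pattern.lower())
    if pattern.endswith("."):       # address prefix, e.g. 192.168.
        return host.addr.startswith(pattern)
    if "/" in pattern:              # net/mask, dotted mask or prefix length
        return ipaddress.ip_address(host.addr) in ipaddress.ip_network(pattern, strict=False)
    return pattern.lower() == (host.name or "").lower() or pattern == host.addr

def list_matches(items, match_one):
    """'a b EXCEPT c EXCEPT d' reads as (a or b) EXCEPT (c EXCEPT d), as in tcpd."""
    tokens = items.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (list_matches(" ".join(tokens[:i]), match_one)
                and not list_matches(" ".join(tokens[i + 1:]), match_one))
    return any(match_one(t) for t in tokens)

def daemon_matches(pattern, daemon, server):
    """'proc', 'ALL', or the server endpoint form 'proc@host_pattern'."""
    proc, _, endpoint = pattern.partition("@")
    return (proc == "ALL" or proc == daemon) and (not endpoint or host_matches(endpoint, server))

def expand_command(cmd, daemon, client):
    """Expand %a (client address), %h (client name or address), %d (daemon)."""
    return cmd.replace("%a", client.addr).replace("%h", client.name or client.addr).replace("%d", daemon)

def hosts_access(daemon, client, server, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return ('allow'|'deny', expanded shell command or None); first match wins."""
    for verdict, text in (("allow", allow), ("deny", deny)):
        for daemons, clients, cmd in parse_rules(text):
            if (list_matches(daemons, lambda p: daemon_matches(p, daemon, server))
                    and list_matches(clients, lambda p: host_matches(p, client))):
                return verdict, expand_command(cmd, daemon, client) if cmd else None
    return "allow", None   # matched neither file: tcpd grants access

if __name__ == "__main__":
    srv = Host("10.0.0.2", "gw.example.com")
    print(hosts_access("sshd", Host("192.168.1.20", "pc20.example.com"), srv))
    print(hosts_access("sshd", Host("192.168.1.13", "pc13.example.com"), srv))
    print(hosts_access("in.ftpd", Host("198.51.100.4", "ftp.example.com"), srv))
```

On a real Ubuntu host you can query the live files the same way with tcpdmatch (for example tcpdmatch sshd 192.168.1.13) and syntax-check them with tcpdchk; both tools come with the tcpd package.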



CLIENT USERNAME LOOKUP


Client username information, when available, is logged together with the client host name, and can be used to match patterns like:



daemon_list : ... user_pattern@host_pattern ...



The daemon wrappers can be configured at compile time to perform rule-driven username lookups (the default) or to always interrogate the client host. With rule-driven lookups, the rule above causes a username lookup only when both the daemon_list and the host_pattern match.



Selective username lookups avoid the delay of querying hosts that run no IDENT service, such as PCs. For example, a rule like:



daemon_list : @pcnetgroup ALL@ALL



would match members of the pc netgroup without doing username lookups, but would perform username lookups for all other systems.



DETECTING ADDRESS SPOOFING ATTACKS


The IDENT service (RFC 931 and its successors) can be used to detect some host address spoofing attacks.



Before accepting a client request, the wrappers can use the IDENT service to find out whether the client actually sent the request at all. When the client host provides an IDENT service, a negative IDENT lookup result (the client matches UNKNOWN@host) is strong evidence of a host spoofing attack. The converse does not hold: a positive result (the client matches KNOWN@host) is less trustworthy, because an intruder who controls the apparent client can answer the IDENT query with whatever name suits them, and a host that runs no IDENT service at all gives no evidence either way.
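The lookup and the user_pattern semantics described above, as an added example for this post (not tcpd's own code): it builds the RFC 1413 query tcpd sends, parses the USERID or ERROR reply against the port pair of the connection under check, maps the outcome onto the KNOWN/UNKNOWN user patterns, and flags the negative-result case the paragraph describes. The reply lines are constructed, with the port numbers taken from the RFC's own example; ident_lookup() performs the live exchange against port 113 of a client address you supply.

```python
"""IDENT (RFC 1413, successor of RFC 931) lookup as tcpd performs it.
Added example for this post, not tcpd's own code. parse_reply() and user_matches()
are exercised against constructed replies so the module runs offline;
ident_lookup() does the real exchange with the client's identd on port 113."""
import socket

IDENT_PORT = 113

def build_request(client_port, server_port):
    """Query sent to the client's identd: <port on the queried host> , <our port>.
    Seen from tcpd the queried host is the connecting client, so its port goes first."""
    return "%d , %d\r\n" % (client_port, server_port)

def parse_reply(line, client_port, server_port):
    """Return ('user', name) for a USERID reply, ('unknown', None) for an ERROR
    reply, ('invalid', None) for a malformed reply or one whose echoed port pair
    does not belong to this connection.

    Reply grammar:  <port-pair> : USERID : <opsys> : <user-id>
                    <port-pair> : ERROR  : <error-type>
    """
    fields = [f.strip() for f in line.strip().split(":", 3)]
    if len(fields) < 3:
        return "invalid", None
    if fields[0].replace(" ", "").split(",") != [str(client_port), str(server_port)]:
        return "invalid", None          # reply to some other query: ignore it
    if fields[1] == "USERID" and len(fields) == 4 and fields[3]:
        return "user", fields[3]        # user-id may itself contain colons
    if fields[1] == "ERROR":            # NO-USER, HIDDEN-USER, INVALID-PORT, ...
        return "unknown", None
    return "invalid", None

def ident_lookup(client_addr, client_port, server_port, timeout=10.0):
    """Query the client host; ('unavailable', None) when it runs no identd or
    does not answer in time. tcpd additionally binds the query socket to the
    server's own address so the query leaves on the interface the connection
    arrived on; that detail is omitted here."""
    try:
        with socket.create_connection((client_addr, IDENT_PORT), timeout=timeout) as s:
            s.sendall(build_request(client_port, server_port).encode("ascii"))
            with s.makefile("rb") as f:
                line = f.readline(1024).decode("ascii", "replace")
    except OSError:
        return "unavailable", None
    return parse_reply(line, client_port, server_port)

def user_matches(pattern, status, user):
    """The user_pattern half of a 'user_pattern@host_pattern' rule element:
    ALL, KNOWN, UNKNOWN or a literal user name."""
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return status == "user"
    if pattern == "UNKNOWN":
        return status != "user"
    return status == "user" and pattern == user

def spoofing_evidence(status):
    """Strong evidence of a spoofed source: the client host answers IDENT but
    denies owning the connection. No identd at all proves nothing either way,
    and a positive answer from an attacker-controlled host can simply be a lie."""
    return status == "unknown"

if __name__ == "__main__":
    # Constructed replies to the query "6193 , 23" (port numbers from RFC 1413).
    for reply in ("6193, 23 : USERID : UNIX : stjohns",
                  "6193, 23 : ERROR : NO-USER",
                  "6195, 23 : USERID : UNIX : mallory",
                  "garbage"):
        status, user = parse_reply(reply, 6193, 23)
        print("%-40s -> %-8s %-8s spoofed=%s" % (reply, status, user, spoofing_evidence(status)))
```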