Lesson 13

Date: 6/28/2017
Linux Network Security
Linux System Administration

TCP Wrappers

  • Access to inetd-started services can be controlled through the tcpd daemon; it reads its access rules from the files /etc/hosts.allow and /etc/hosts.deny. Access to other services, such as portmap, can be controlled the same way if they have been linked against the libwrap library.

  • Format of /etc/hosts.allow and /etc/hosts.deny:
    service_list:  host_list 

    /etc/hosts.allow is checked first by tcpd: if an entry matches, the host is allowed to access the service; otherwise /etc/hosts.deny is checked, and if an entry matches there, access is denied. If none of the entries match, or both files are empty, access is allowed.

  • Keywords: ALL (matches all requests), EXCEPT (excludes the hosts or services that follow it), LOCAL (hosts on the local network, i.e. host names without a domain part), KNOWN (resolvable hosts), PARANOID (hostname doesn't match the IP address), UNKNOWN (unresolvable hosts).
  • Example:
    sshd:  128.6. 
    in.tftpd:   LOCAL, .my.domain
    ALL:        .foobar.edu EXCEPT terminalserver.foobar.edu

    ALL: ALL
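    To make the evaluation order concrete, the following is an added Python model of the tcpd decision (illustrative code, not libwrap's own), run against constructed file contents that follow the example rules above; KNOWN, UNKNOWN and PARANOID are left out because they need DNS lookups.

```python
# Added model of tcpd's hosts.allow / hosts.deny decision (not libwrap's code).
# Handles ALL, LOCAL, EXCEPT, address prefixes ("128.6.") and domain suffixes.

def _tokens(spec):
    return spec.replace(",", " ").split()   # lists are comma/space separated

def _match_host(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":               # name without a dot = local network
        return "." not in host
    if pattern.startswith("."):          # domain suffix, e.g. ".foobar.edu"
        return host.endswith(pattern)
    if pattern.endswith("."):            # network prefix, e.g. "128.6."
        return addr.startswith(pattern)
    return pattern in (host, addr)       # exact host name or address

def _match_list(spec, match):
    """'a, b EXCEPT c' matches when a or b matches and c does not."""
    include, _, exclude = spec.strip().partition(" EXCEPT ")
    if not any(match(p) for p in _tokens(include)):
        return False
    return not any(match(p) for p in _tokens(exclude))

def _file_matches(rules, service, host, addr):
    for line in rules.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if ":" not in line:
            continue
        services, _, hosts = line.partition(":")  # service_list: host_list
        if (_match_list(services, lambda p: p in ("ALL", service))
                and _match_list(hosts, lambda p: _match_host(p, host, addr))):
            return True
    return False

def tcpd_decision(allow_rules, deny_rules, service, host, addr):
    """hosts.allow is consulted first, then hosts.deny; no match means allow."""
    if _file_matches(allow_rules, service, host, addr):
        return "allow"
    if _file_matches(deny_rules, service, host, addr):
        return "deny"
    return "allow"

# Constructed file contents following the lesson's example (not from a real host).
HOSTS_ALLOW = """sshd:  128.6.
in.tftpd:   LOCAL, .my.domain
ALL:        .foobar.edu EXCEPT terminalserver.foobar.edu
"""
HOSTS_DENY = "ALL: ALL\n"
```

    For instance, tcpd_decision(HOSTS_ALLOW, HOSTS_DENY, "sshd", "terminalserver.foobar.edu", "10.1.1.1") returns "deny": the EXCEPT clause stops the hosts.allow match and the ALL: ALL line in hosts.deny then applies.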

    Log in to the console of the smbhost VM:
    virsh console smbhost
    Become root:
    sudo -s
    Edit the file /etc/hosts.deny and add the following entry:
    ALL: ALL
    Try to SSH to smbhost from your desktop.
    The SSH attempt should fail.
    Edit the file /etc/hosts.allow and add the following entry:
    sshd: 192.168.122.
    Try to SSH to smbhost from the desktop again; /etc/hosts.allow is checked first, so a match there takes precedence over the deny entry.

