TCP Wrappers Example

To log all access to vsftpd and limit all other wrapped services to local networks, add something like this to /etc/hosts.allow:

vsftpd : ALL \
    : spawn /bin/echo $(/bin/date) access granted to %c >> /var/log/vsftpd_access.log
ALL : LOCAL
ALL : 10.
ALL : 192.168.1.

The rules above allow access to vsftpd from anywhere in the world and log each such connection, but they permit access to the remaining wrapped services only from the local machine, from any address that starts with 10., and from any address that starts with 192.168.1.
 
Then, to deny every address that none of those rules matched, add the following to /etc/hosts.deny:

ALL : ALL

If none of the rules in /etc/hosts.allow match, this rule ensures that access is denied; without it, access would be granted by default.
 

To find wrapped services:
[root@host]# strings -f /usr/sbin/* |grep hosts_access
/usr/sbin/in.tftpd: hosts_access
/usr/sbin/sshd: hosts_access
/usr/sbin/stunnel: hosts_access
/usr/sbin/stunnel: See hosts_access(5) manual for details
/usr/sbin/tcpd: hosts_access_verbose
/usr/sbin/xinetd: hosts_access
[root@host]# strings -f /sbin/* |grep hosts_access
/sbin/auditd: hosts_access
/sbin/portmap: hosts_access_verbose
If you are using Quest Authentication Services, formerly known as Vintela Authentication Services, you might also check this location:
[root@host]# strings -f /opt/quest/sbin/* |grep hosts_access
/opt/quest/sbin/sshd: @(#) hosts_access.c 1.21 97/02/12 02:13:22


The following expansions are available within shell commands for use with the spawn or twist option, as in my vsftpd example above. (The spawn option does not work with the ALL wildcard, which is why I specified vsftpd separately.) I've highlighted the most common and useful expansions below:

%a (%A)  The client (server) host address.

%c       Client information: user@host, user@address, a host name, or just an address, depending on how much information is available.

%d       The daemon process name (argv[0] value).

%h (%H)  The client (server) host name, or address if the host name is unavailable.

%n (%N)  The client (server) host name (or "unknown" or "paranoid").

%p       The daemon process id.

%s       Server information: daemon@host, daemon@address, or just a daemon name, depending on how much information is available.

%u       The client user name (or "unknown").

%%       Expands to a single % character.
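The following is an added example, not part of the original post and not libwrap itself: a small Python model of the hosts.allow / hosts.deny decision described above (first match in hosts.allow grants, otherwise first match in hosts.deny denies, otherwise access is granted) together with the %-expansions just listed, so the rules from the post can be checked offline against constructed client details. It only implements the client patterns the post uses (ALL, LOCAL, a trailing-dot address prefix) and treats the client host name and address as given.

```python
import re

# Constructed copies of the two files from the post (embedded, not read from disk).
HOSTS_ALLOW = """\
vsftpd : ALL \\
    : spawn /bin/echo $(/bin/date) access granted to %c >> /var/log/vsftpd_access.log
ALL : LOCAL
ALL : 10.
ALL : 192.168.1.
"""
HOSTS_DENY = "ALL : ALL\n"


def parse_rules(text):
    """Join backslash-continued lines, then split each rule into (daemons, clients, option)."""
    rules = []
    for line in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        option = fields[2] if len(fields) == 3 else None
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules


def match_client(pattern, client):
    """ALL, LOCAL (host name without a dot), an address prefix such as '10.', or an exact name/address."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in client["host"]
    if pattern.endswith("."):
        return client["addr"].startswith(pattern)
    return pattern in (client["host"], client["addr"])


def expand(command, daemon, client, user="unknown"):
    """Apply the %-expansions from the list above (the subset a spawn command needs)."""
    who = client["host"] if user == "unknown" else f"{user}@{client['host']}"
    subs = {"a": client["addr"], "c": who, "d": daemon, "h": client["host"],
            "n": client["host"], "u": user, "%": "%"}
    return re.sub(r"%(.)", lambda m: subs.get(m.group(1), m.group(0)), command)


def hosts_access(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return (granted, expanded spawn command or None) using the allow-then-deny-then-grant order."""
    for granted, text in ((True, allow), (False, deny)):
        for daemons, clients, option in parse_rules(text):
            if any(d in ("ALL", daemon) for d in daemons) and any(match_client(c, client) for c in clients):
                spawn = option is not None and option.startswith("spawn ")
                return granted, (expand(option[len("spawn "):], daemon, client) if spawn else None)
    return True, None  # no rule matched anywhere: tcp wrappers grants by default
```

Passing an empty string as `deny` shows the default-grant behaviour the post warns about: a remote sshd client that matches nothing in hosts.allow is still admitted.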

