Using TCP Wrappers to protect Linux and Solaris services


I have been using TCP wrappers for years, and it's a very simple way to allow and deny network access to applications. TCP wrapper functionality is provided by the system's libwrap.so shared library, which various network daemons are linked against. To see if a given application supports TCP wrappers, check its shared-library dependencies with the ldd utility:

$ ldd $(which sshd) | grep wrap

libwrap.so.0 => /lib64/libwrap.so.0 (0x00002ac16fe0f000)

TCP wrappers is configured through the /etc/hosts.allow and /etc/hosts.deny files. The hosts.allow file allows you to control which services will be accepted, and the hosts.deny file allows you to control which services will be denied. Both files use a format similar to the following:

DAEMON_LIST : CLIENT_LIST [ : SHELL_COMMAND ]

The DAEMON_LIST contains the name of the executable you are protecting, such as sshd, sendmail or any other daemon. The CLIENT_LIST contains the hosts, networks or domain names you wish to allow or deny, and its entries can take various forms:

ALL -- matches everything
.prefetch.net -- matches everything in the prefetch.net domain
192.168.0.0/255.255.0.0 -- matches everything in the 192.168.0.0/16 IP address space
192.168.1.1 -- matches a single IP address

SHELL_COMMAND allows you to run a command when the rule matches. This could be used to run a notification script, block an IP with iptables or provide more extensive logging. To put this into action, we can set up our hosts.allow and hosts.deny files to limit access to our SSH daemon. The following pair of files allows SSH connections from the IP 192.168.1.100 and denies access to everyone else:

$ cat /etc/hosts.allow

sshd : 192.168.1.100

$ cat /etc/hosts.deny

ALL : ALL

When libwrap processes these files, it first looks for a match in /etc/hosts.allow by evaluating its rules sequentially; the first matching rule grants access. If no rule matches, it then consults hosts.deny in the same way, and a match there refuses the connection. If neither file contains a matching rule, access is granted, which is why the catch-all "ALL : ALL" entry in hosts.deny matters. If a connection is denied, you should see a message similar to the following in the messages file:

Apr 16 13:16:18 localhost sshd[3628]: refused connect from ::ffff:192.168.1.8 (::ffff:192.168.1.8)
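To make the evaluation order concrete, here is a small model of libwrap's decision logic written for this article (it is not part of the TCP wrappers code base). It parses the DAEMON_LIST : CLIENT_LIST [ : SHELL_COMMAND ] format, implements only the four CLIENT_LIST forms listed above (no EXCEPT operator or other wildcards, and no DNS lookups), and uses constructed copies of the two files shown earlier.

```python
import ipaddress

# Constructed copies of the two files shown in the article.
HOSTS_ALLOW = "sshd : 192.168.1.100\n"
HOSTS_DENY = "ALL : ALL\n"


def parse_rules(text):
    """Parse 'DAEMON_LIST : CLIENT_LIST [ : SHELL_COMMAND ]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons, clients = fields[0].split(), fields[1].split()
        command = ":".join(fields[2:]) or None  # the command itself may contain ':'
        rules.append((daemons, clients, command))
    return rules


def client_matches(pattern, client_ip, client_host):
    """The four CLIENT_LIST forms listed in the article."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):  # .prefetch.net: match on the hostname suffix
        return client_host is not None and client_host.endswith(pattern)
    if "/" in pattern:  # 192.168.0.0/255.255.0.0: network/mask match
        network = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in network
    return client_ip == pattern  # 192.168.1.1: single address


def rule_matches(rule, daemon, client_ip, client_host):
    daemons, clients, _command = rule
    if "ALL" not in daemons and daemon not in daemons:
        return False
    return any(client_matches(p, client_ip, client_host) for p in clients)


def decide(daemon, client_ip, client_host=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Mirror libwrap's order: hosts.allow first, then hosts.deny, else permit."""
    for rule in parse_rules(allow):
        if rule_matches(rule, daemon, client_ip, client_host):
            return "allow"
    for rule in parse_rules(deny):
        if rule_matches(rule, daemon, client_ip, client_host):
            return "deny"
    # Nothing matched in either file: libwrap grants access. That is why the
    # article's hosts.deny holds 'ALL : ALL'; an allow list alone blocks nothing.
    return "allow"
```

decide("sshd", "192.168.1.8") returns "deny", matching the refused-connect log line above, while decide("sshd", "192.168.1.8", deny="") returns "allow", showing what happens when hosts.deny is left empty.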

TCP wrappers is an invaluable tool, and provides a simple and intuitive way to secure your services. It’s no substitute for a properly functioning host firewall, but an additional tool that can be used to protect your critical services.

This article was posted by Matty on 2010-10-30 12:23:00 -0400