TCP Wrappers

Locked doors and a security camera for your computer!


Last updated: June 19, 1998
Development stage: Beta

How to install TCP Wrappers to keep the bad guys out and monitor connection attempts to your computer.

How does tcp_wrappers work?

When a client connects to a port on your computer, inetd looks up the port number in /etc/services, finds the matching service in /etc/inetd.conf and runs that service. With tcp_wrappers, inetd is configured to run tcpd instead of the service it would normally start. Tcpd then checks its rules in /etc/hosts.allow and /etc/hosts.deny and, based on those rules, either accepts the connection and runs the real service or denies the connection.

Installing TCP Wrappers:
It's very possible the TCP Wrapper package is already installed on your computer. Look in the directory "/usr/sbin" for a file named "tcpd"; if it's there you most likely have it installed already and you can proceed to part 4.

The following instructions take you step by step through the installation process of tcp-wrappers from the source code...YES that's right...the source, no sissy-girl rpms or debs ;)

1: Download the tcp wrappers source code.
    ftp://ftp.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.6.tar.gz

2: Untar-gz tcp_wrappers_7.6.tar.gz
    tar zxvf tcp_wrappers_7.6.tar.gz

3: Compile and Install the wrappers program.
    Now we will build and install the program.

    cd tcp_wrappers_7.6
    make REAL_DAEMON_DIR=/usr/sbin linux
    make install     <----you'll need to be logged on as root to run this command!

    At this point the tcp-wrapper program is installed; next we will configure our wrappers.

4: Set up our banners (optional)
   Banners contain the message displayed when tcpd is called for a particular service. Create the banners directory if necessary.
 
    mkdir /usr/local/etc/banners

    For every service you want a message for, you'll have to edit a file in the banners directory.
    /usr/local/etc/banners/in.telnetd   <----for the telnet banner
    /usr/local/etc/banners/in.ftpd         <----for the ftp banner
 
5: Edit your /etc/hosts.allow and /etc/hosts.deny to limit access to your computer's network services.
    One of the nice features of tcp-wrappers is the ability to control access to your computer's network services and log failed or successful attempts. You can also perform certain actions based on the user's hostname.
    When someone tries to connect to a network service on your computer, the tcp-wrapper (tcpd) reads /etc/hosts.allow for a rule that matches the hostname of the connecting client. If /etc/hosts.allow doesn't contain a rule allowing access, tcpd reads /etc/hosts.deny for a rule that denies access to that hostname. If neither file contains a matching accept or deny rule, access is granted by default.

In the following examples we are going to deny all finger requests, deny telnet access to all users from lamers.edu (access can be denied in the hosts.allow file) and email a user called "auth" with details of every connection attempt. The format of the hosts.allow/hosts.deny files is as follows:
service : hostname : banners (if wanted) : options

Our example /etc/hosts.allow looks like the following---->
---------------------------------------------------------
in.fingerd: ALL : banners /usr/local/etc/banners/ : spawn (echo "Access from %u@%h using %d." | sendmail auth) : DENY
in.telnetd: .lamers.edu : spawn (echo "Access from %u@%h using %d." | sendmail auth) : DENY
ALL: ALL : spawn (echo "Access from %u@%h using %d." | sendmail auth)

---------------------------------------------------------
In the first line "in.fingerd" is the service; the hostname is "ALL", which means the rule applies to all hosts; then we tell tcpd to display the banner to the user; then we tell tcpd to start (spawn) another program that emails the message "Access from some-user@some.host.com using in.fingerd" to the user "auth"; and finally the "DENY" option tells tcpd to deny access. For this to work you will need a user on your system called "auth". Many people send the mail to "root", but then you have to be logged in as root to read it, and it clutters root's mailbox and makes it difficult to sort your tcpd mail from other "root" mail.

The second rule follows the same format as the first: it denies telnet access to all users from "lamers.edu" and sends email to auth.

The third rule allows access to all users from everywhere but emails "auth" with details of the connection.

Each rule goes on its own unbroken line.

See "man 5 hosts_access" for more information.
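To make the order of evaluation described above concrete, here is an added example (not code from the tutorial or from the tcp_wrappers package) that models tcpd's decision: the first matching rule in hosts.allow wins, then the first matching rule in hosts.deny, and if nothing matches access is granted. The rule files, hostnames and addresses are constructed samples; the hosts.allow text is the tutorial's, with the closing parenthesis on the telnet rule in place. The parser is a simplification of hosts_access(5) (no line continuation, no "daemon@host" forms, and a ':' inside a spawn command is not handled), and the spawn commands are never executed.

```python
from typing import Callable, List, Tuple

# Constructed sample rule files, modelled on the tutorial's /etc/hosts.allow
# (with the closing parenthesis of the telnet rule in place). The spawn
# commands are carried as text only; nothing here executes them.
HOSTS_ALLOW = """\
# blank lines and comments are skipped, as tcpd does
in.fingerd: ALL : banners /usr/local/etc/banners/ : spawn (echo "Access from %u@%h using %d." | sendmail auth) : DENY
in.telnetd: .lamers.edu : spawn (echo "Access from %u@%h using %d." | sendmail auth) : DENY
ALL: ALL : spawn (echo "Access from %u@%h using %d." | sendmail auth)
"""

# Constructed: a hosts.deny that would refuse ftp from everywhere.
HOSTS_DENY = "in.ftpd: ALL\n"

# The same hosts.allow without its catch-all third rule (constructed).
HOSTS_ALLOW_NO_CATCHALL = "\n".join(HOSTS_ALLOW.splitlines()[:3]) + "\n"

Rule = Tuple[List[str], List[str], List[str]]  # (daemon_list, client_list, options)


def parse_rules(text: str) -> List[Rule]:
    """Split a hosts.allow/hosts.deny file into rules.
    Simplified: no backslash line continuation, and a ':' inside a spawn
    command is not handled."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients, fields[2:]))
    return rules


def match_list(patterns: List[str], match_one: Callable[[str], bool]) -> bool:
    """hosts_access(5) list semantics: 'a b EXCEPT c' matches when some item
    before EXCEPT matches and none of the items after it do."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return match_list(patterns[:i], match_one) and not match_list(patterns[i + 1:], match_one)
    return any(match_one(p) for p in patterns)


def client_matches(pattern: str, host: str, addr: str) -> bool:
    """The common client patterns: ALL, LOCAL, .domain suffix, net. prefix, exact."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in host
    p, h = pattern.lower(), host.lower()
    if p.startswith("."):          # .lamers.edu matches every host below that domain
        return h.endswith(p)
    if p.endswith("."):            # 192.0.2. matches an address prefix
        return addr.startswith(p)
    return p == h or p == addr


def check_access(daemon: str, host: str, addr: str,
                 allow_text: str, deny_text: str) -> Tuple[str, str]:
    """Return ("allow" | "deny", reason), following tcpd's order of evaluation:
    the first matching rule in hosts.allow decides, otherwise the first matching
    rule in hosts.deny, otherwise access is granted."""
    tables = (("hosts.allow", allow_text, "allow"), ("hosts.deny", deny_text, "deny"))
    for name, text, default in tables:
        for n, (daemons, clients, options) in enumerate(parse_rules(text), 1):
            if not match_list(daemons, lambda p: p == "ALL" or p == daemon):
                continue
            if not match_list(clients, lambda p: client_matches(p, host, addr)):
                continue
            # An explicit ALLOW/DENY option overrides which file the rule sits in.
            opts = {o.upper() for o in options}
            verdict = "deny" if "DENY" in opts else "allow" if "ALLOW" in opts else default
            return verdict, f"{name} rule {n}"
    return "allow", "no matching rule (tcpd default)"


if __name__ == "__main__":
    for d, h in (("in.fingerd", "host.example.com"), ("in.telnetd", "pc1.lamers.edu"),
                 ("in.telnetd", "host.example.com"), ("in.ftpd", "host.example.com")):
        print(d, h, check_access(d, h, "192.0.2.10", HOSTS_ALLOW, HOSTS_DENY))
    # With the catch-all rule removed, hosts.deny is finally consulted:
    print("in.ftpd", "host.example.com",
          check_access("in.ftpd", "host.example.com", "192.0.2.10",
                       HOSTS_ALLOW_NO_CATCHALL, HOSTS_DENY))
```

The last two cases show something the tutorial's layout implies but does not spell out: because the third hosts.allow rule is "ALL: ALL", it matches every connection that reached it, so nothing in hosts.deny is ever consulted. Any deny you want must therefore sit above that line, as the finger and telnet rules do.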

6. Edit your /etc/syslog.conf so that syslog records tcpd's messages.

Here are a few lines of a typical  /etc/syslog.conf:

*.err;kern.debug;auth.notice;mail.crit          /dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
mail.info                                       /var/log/maillog

Here are a few lines of  our edited /etc/syslog.conf:

*.err;kern.debug;auth.notice;mail.crit          /dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err;auth.info /var/log/messages
mail.info                                       /var/log/maillog

The difference is the added "auth.info" selector on the /var/log/messages line, so that messages of auth.info and above are logged there.
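Once those messages land in /var/log/messages, the camera half of the title needs someone to look at the film. The following is an added example, not part of the tutorial or of tcp_wrappers, that reads syslog lines and summarizes tcpd's "connect from" and "refused connect from" messages per client host and service, and lists hosts refused more than a chosen number of times. The log lines, hostnames and PIDs are constructed samples in the standard syslog layout; the client field is "host" or "user@host" when tcpd obtained a username via ident.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List

# tcpd logs "connect from <client>" or "refused connect from <client>" through
# syslog; <client> is "host" or "user@host" when an ident lookup succeeded.
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]: (?P<refused>refused )?connect from (?P<client>\S+)$"
)

# Constructed sample of /var/log/messages lines; not real log data.
SAMPLE_LOG = """\
Jun 19 12:00:01 myhost in.telnetd[1201]: connect from user@host.example.org
Jun 19 12:00:09 myhost in.fingerd[1205]: refused connect from scan.example.net
Jun 19 12:01:13 myhost in.telnetd[1210]: refused connect from pc1.lamers.edu
Jun 19 12:01:40 myhost in.telnetd[1212]: refused connect from pc1.lamers.edu
Jun 19 12:02:02 myhost sendmail[1215]: alias database /etc/aliases rebuilt
Jun 19 12:03:15 myhost in.ftpd[1220]: connect from host.example.org
"""


def parse_tcpd_lines(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Keep only tcpd connect/refused messages, split user@host if present."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a tcpd message (e.g. the sendmail line above)
        user, _, host = m.group("client").rpartition("@")
        events.append({
            "daemon": m.group("daemon"),
            "host": host,
            "user": user,           # empty when tcpd logged only the host
            "refused": bool(m.group("refused")),
        })
    return events


def summarize(events: List[Dict[str, object]]) -> Dict[str, Counter]:
    """Count (host, daemon) pairs separately for refused and accepted connects."""
    refused = Counter((e["host"], e["daemon"]) for e in events if e["refused"])
    accepted = Counter((e["host"], e["daemon"]) for e in events if not e["refused"])
    return {"refused": refused, "accepted": accepted}


def repeat_offenders(events: List[Dict[str, object]], threshold: int = 2) -> List[str]:
    """Hosts refused at least `threshold` times, regardless of service."""
    per_host = Counter(e["host"] for e in events if e["refused"])
    return sorted(h for h, n in per_host.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_tcpd_lines(SAMPLE_LOG.splitlines())
    for kind, counts in summarize(evs).items():
        for (host, daemon), n in sorted(counts.items()):
            print(f"{kind:8} {host:20} {daemon:12} {n}")
    print("repeat offenders:", repeat_offenders(evs))
```

Run it against a real file with `parse_tcpd_lines(open("/var/log/messages"))`; the regular expression ignores every line that is not a tcpd connect message, so mixing tcpd output into the general messages file, as the syslog.conf edit above does, costs nothing here.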
 
7. Edit /etc/inetd.conf to point your services to tcpd.

The following example has the original lines commented out (#) and our modified tcpd lines inserted.

#ftp    stream  tcp     nowait  root    /usr/sbin/ftpd       ftpd -l -a
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd       ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/telnetd    telnetd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd       telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/fingerd    fingerd -s
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd       fingerd -s
Linux differs from some Unixes in that the file locations aren't quite "standard", so when you install tcp_wrappers the "tcpd" file may be in the "/usr/libexec" directory, in which case you'll have to change "/usr/sbin/tcpd" to "/usr/libexec/tcpd" in the above example.
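One thing worth checking before restarting inetd: the last field of each tcpd line is the argv[0] that tcpd receives, and tcpd uses its basename both to find the real daemon under REAL_DAEMON_DIR and as the service name that the first column of hosts.allow and hosts.deny is matched against. If inetd.conf says "telnetd" while the rule says "in.telnetd", only the "ALL" rules will ever apply to telnet. The following added checker (not part of the tutorial or of tcp_wrappers) reads an inetd.conf, reports services that still bypass tcpd, and flags wrapped services whose daemon name differs from the names used in the rules. The sample inetd.conf repeats the tutorial's fragment plus one constructed unwrapped pop-3 line, and RULE_DAEMONS is constructed from the tutorial's hosts.allow rules.

```python
import os
from typing import List, Set, Tuple

# Constructed sample: the tutorial's inetd.conf fragment plus one service
# (pop-3) that was never pointed at tcpd.
INETD_CONF = """\
#ftp    stream  tcp     nowait  root    /usr/sbin/ftpd       ftpd -l -a
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd       ftpd -l -a
#telnet stream  tcp     nowait  root    /usr/sbin/telnetd    telnetd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd       telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/fingerd    fingerd -s
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd       fingerd -s
pop-3   stream  tcp     nowait  root    /usr/sbin/ipop3d     ipop3d
"""

# Daemon names appearing in the first column of the tutorial's hosts.allow
# (constructed from those rules).
RULE_DAEMONS = {"in.fingerd", "in.telnetd", "ALL"}


def audit_inetd(conf: str, rule_daemons: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (service, daemon name as tcpd will see it, status) per active line.
    status: 'unwrapped'      inetd starts the daemon directly; tcpd never sees it
            'name-mismatch'  wrapped, but the rules spell the daemon differently
            'unlisted'       wrapped, but only the ALL rules can apply to it
            'listed'         wrapped and named explicitly in a rule
    """
    results = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed inetd.conf line; inetd would reject it as well
        service, server, args = fields[0], fields[5], fields[6:]
        if os.path.basename(server) != "tcpd":
            results.append((service, os.path.basename(server), "unwrapped"))
            continue
        # tcpd takes the basename of its argv[0] (the first word of the args
        # field) as both the program to run and the name the rules match on.
        daemon = os.path.basename(args[0]) if args else ""
        if daemon in rule_daemons:
            status = "listed"
        elif "in." + daemon in rule_daemons or (daemon.startswith("in.") and daemon[3:] in rule_daemons):
            status = "name-mismatch"
        else:
            status = "unlisted"
        results.append((service, daemon, status))
    return results


if __name__ == "__main__":
    for service, daemon, status in audit_inetd(INETD_CONF, RULE_DAEMONS):
        print(f"{service:8} {daemon or '-':12} {status}")
```

Against the tutorial's own lines this reports telnet and finger as "name-mismatch": the rules are written for in.telnetd and in.fingerd, so either the inetd.conf argument or the rule name has to change to the spelling of the daemon binary actually present in REAL_DAEMON_DIR, and the banner file names in /usr/local/etc/banners must use that same spelling.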

8. If everything above is correct you can reboot or restart inetd and syslogd.

    To restart rather than reboot you need the PID of both inetd and syslogd. To get this info:

     ps -xa | grep inetd
    the output --->"19086 ??  IWs     0:00.05 inetd "

    19086 is the PID of inetd. To restart inetd (signal 1 is SIGHUP, which makes it re-read its configuration):
    kill -1 19086
    The process is the same for the syslog daemon and you're done...congratulations!

Comments, questions, suggestions, corrections? Drop me a line at fireman@shaw.wave.ca
 

Copyright © 1998 Rob Sellars (fireman@shaw.wave.ca). All rights reserved. Permission to use, distribute, modify and copy this document is hereby granted provided credit to this document is included in the modified document.