Lesson 10

Date: 4/2/2014
Basics of Linux Security
Linux for Engineering and IT Applications


TCP Wrappers

  • Access to services started by inetd can be controlled through the daemon tcpd, which reads its access rules from the files /etc/hosts.allow and /etc/hosts.deny. Access to other services, such as portmap or sshd, can be controlled the same way if they are linked against the libwrap library (the same code tcpd uses). To see whether a daemon honours the two files, check whether it links libwrap:
    
    ldd $(which sshd) | grep libwrap
    

  • Format of /etc/hosts.allow and /etc/hosts.deny (one rule per line; # starts a comment):
    
    service_list:  host_list 
    
    service_list holds one or more daemon process names (sshd, in.tftpd, portmap, ...); host_list holds one or more host names, addresses or patterns. Items in a list are separated by commas or blanks.

    /etc/hosts.allow is checked first by tcpd: if a rule matches both the daemon and the client, the host is allowed to access the service; otherwise /etc/hosts.deny is checked, and if a rule there matches, access is denied. If no rule in either file matches, or both files are empty or missing, access is allowed. Because of this permissive default, a restrictive setup ends /etc/hosts.deny with ALL: ALL and lists the permitted exceptions in /etc/hosts.allow. Both files are read again for every incoming connection, so changes take effect without restarting the daemon.

  • Keywords: ALL (matches everything), EXCEPT (exception operator: "a EXCEPT b" matches a but not b, and may be nested), LOCAL (host names without a dot, i.e. hosts in the local domain), KNOWN (hosts whose name and address are both resolvable), PARANOID (hosts whose name does not resolve back to their address; by default tcpd drops such connections before consulting the rules at all), UNKNOWN (hosts whose name or address cannot be resolved).
  • Host patterns: a string starting with a dot (.my.domain) matches every host name ending in it; a string ending with a dot (128.6.) matches every address starting with it; net/mask (128.6.14.0/255.255.255.128) matches the addresses in that network; anything else must match the client's host name or address exactly. A partial address without the trailing dot (192.168.122) is therefore an exact match that no real client can satisfy.
  • Example:
    /etc/hosts.allow
    
    sshd:       165.230.172.13  128.6. 
    in.tftpd:   LOCAL, .my.domain
    in.rlogind: 128.6.14.216 
    in.rshd:    128.6.14.216 128.6.14.211
    portmap:    128.6.14.0/255.255.255.128
    ALL:        .foobar.edu EXCEPT terminalserver.foobar.edu
    

    /etc/hosts.deny
    
    ALL: ALL
    

    Exercise
    Log in to the console of the smbhost VM:
    
    virsh console smbhost
    
    Become root:
    
    sudo -s
    
    Check that sshd on smbhost is linked against libwrap; otherwise it ignores both files and the exercise cannot work (OpenSSH removed its built-in libwrap support in release 6.7, so this depends on the distribution's build):
    
    ldd $(which sshd) | grep libwrap
    
    Edit file /etc/hosts.deny and add the following entry:
    
    ALL: ALL
    
    No restart is needed, because the files are read on every incoming connection. Try to SSH to smbhost from your desktop:
     
    ssh 192.168.122.42
    
    The SSH attempt should fail. Edit file /etc/hosts.allow and add the following entry (the trailing dot is required: it makes the pattern an address prefix, whereas 192.168.122 alone would only match a client whose address is literally 192.168.122):
    
    sshd: 192.168.122. 
    
    Try to SSH to smbhost from the desktop again; it should now succeed. If the tcpdmatch tool from the tcp_wrappers package is installed, you can also test the rules without connecting (substitute your desktop's address):
    
    tcpdmatch sshd 192.168.122.1
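The following Python script is an added example, not part of the lesson and not the tcp_wrappers source. It evaluates rules the way tcpd does (hosts.allow first, then hosts.deny, allow when neither matches) and covers the patterns described above: ALL, LOCAL, KNOWN, UNKNOWN, EXCEPT, leading-dot domain suffixes, trailing-dot address prefixes, net/mask and exact names or addresses (PARANOID is not modelled). The embedded rule files are the lesson's example files; the client names and addresses used to query them are constructed, and a client whose name is not given is treated as unresolvable. The exercise_check helper reproduces the exercise's hosts.deny / hosts.allow pair with an assumed desktop address of 192.168.122.1 and shows why the trailing dot in the sshd entry matters.

```python
"""Evaluate TCP Wrappers rules the way tcpd does: /etc/hosts.allow first, then
/etc/hosts.deny, and allow when neither file matches.

Added example for this lesson; it is not the tcp_wrappers source. It covers the
hosts_access(5) patterns shown in the lesson (ALL, LOCAL, KNOWN, UNKNOWN, EXCEPT,
.domain suffixes, 128.6. address prefixes, net/mask, exact names/addresses).
PARANOID is not modelled; a client whose name is None counts as unresolvable.
"""
from ipaddress import ip_address, ip_network

# Constructed rule sets: the lesson's two example files, embedded inline.
HOSTS_ALLOW = """\
sshd:       165.230.172.13  128.6.
in.tftpd:   LOCAL, .my.domain
in.rlogind: 128.6.14.216
in.rshd:    128.6.14.216 128.6.14.211
portmap:    128.6.14.0/255.255.255.128
ALL:        .foobar.edu EXCEPT terminalserver.foobar.edu
"""
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Return [(daemon_tokens, client_tokens)] for each non-empty, non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, clients = line.partition(":")
        # List items may be separated by commas or blanks.
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def match_daemon(token, daemon):
    return token.upper() == "ALL" or token == daemon


def match_client(token, name, addr):
    """Match one host pattern against the client's name (None = unresolvable) and address."""
    key = token.upper()
    if key == "ALL":
        return True
    if key == "LOCAL":                      # a name without a dot: local domain
        return name is not None and "." not in name
    if key == "KNOWN":
        return name is not None
    if key == "UNKNOWN":
        return name is None
    if token.startswith("."):               # domain suffix, e.g. .foobar.edu
        return name is not None and name.lower().endswith(token.lower())
    if token.endswith("."):                 # address prefix, e.g. 128.6.
        return addr.startswith(token)
    if "/" in token:                        # net/mask or net/prefixlen
        return ip_address(addr) in ip_network(token, strict=False)
    # Anything else is an exact host name or address.
    return addr == token or (name is not None and name.lower() == token.lower())


def list_match(tokens, pred):
    """tcpd semantics: 'a EXCEPT b EXCEPT c' matches a, except (b, except c)."""
    for i, tok in enumerate(tokens):
        if tok.upper() == "EXCEPT":
            return list_match(tokens[:i], pred) and not list_match(tokens[i + 1:], pred)
    return any(pred(tok) for tok in tokens)


def table_match(rules, daemon, name, addr):
    """True if any rule matches both the daemon and the client."""
    return any(list_match(d, lambda t: match_daemon(t, daemon))
               and list_match(c, lambda t: match_client(t, name, addr))
               for d, c in rules)


def hosts_access(daemon, addr, name=None, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Return True if tcpd would let client (addr, name) reach `daemon`."""
    if table_match(parse_rules(allow), daemon, name, addr):
        return True                         # hosts.allow wins
    if table_match(parse_rules(deny), daemon, name, addr):
        return False                        # then hosts.deny
    return True                             # no match anywhere: allowed


def exercise_check(allow_pattern, addr="192.168.122.1"):
    """The exercise: ALL: ALL in hosts.deny and one sshd line in hosts.allow.
    The desktop address 192.168.122.1 is an assumed value."""
    return hosts_access("sshd", addr, allow="sshd: " + allow_pattern + "\n", deny="ALL: ALL\n")


if __name__ == "__main__":
    for daemon, addr, name in [("sshd", "128.6.14.216", None),
                               ("portmap", "128.6.14.130", None),
                               ("in.telnetd", "10.0.0.7", "terminalserver.foobar.edu")]:
        print(daemon, addr, name, "->", "granted" if hosts_access(daemon, addr, name) else "refused")
    for pattern in ("192.168.122", "192.168.122."):
        print("hosts.allow 'sshd: %s' ->" % pattern, "granted" if exercise_check(pattern) else "refused")
```

Run it with python3 to print the verdicts; on a real host, compare them with what tcpdmatch reports for the same daemon and client. The default-allow branch at the end of hosts_access is why an empty hosts.deny leaves every service reachable.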

