Lesson 10

Date: 4/2/2014
Basics of Linux Security
Linux for Engineering and IT Applications


TCP Wrappers

  • Access to inetd startable services can be controlled through daemon tcpd; it reads the access rules from files /etc/hosts.allow and /etc/hosts.deny. Similarly, the access can be controlled for the other services, such as portmap, if they have been compiled with libwrap libraries.

  • Format of /etc/hosts.allow and /etc/hosts.deny: 
    
service_list:  host_list

    /etc/hosts.allow -- is checked first by tcpd: if the entries match, the host is allowed to access the service, otherwise, /etc/hosts.deny is checked -- if the entries match, the access is denied. If non of the entries match, or both the files are empty, the access is allowed.

  • Keywords: ALL (matches all requests), EXCEPT, LOCAL (hosts matching the local network - no domain), KNOWN (resolvable hosts), PARANOID (hostname doesn't match IP), UNKNOWN (unresolvable hosts).
  • Example:
    /etc/hosts.allow 
    
sshd:       165.230.172.13  128.6. 
in.tftpd:   LOCAL, .my.domain
in.rlogind: 128.6.14.216 
in.rshd:    128.6.14.216 128.6.14.211
portmap:    128.6.14.0/255.255.255.128
ALL:        .foobar.edu EXCEPT terminalserver.foobar.edu

    /etc/hosts.deny 
    
ALL: ALL

    Exercise
    Login to the console of smbhost VM: 
    
virsh console smbhost
    Become root 
    
sudo -s
    Edit file /etc/hosts.deny and add the following entry: 
    
ALL: ALL
    Try SSH to smbhost from your desktop. 
     
ssh 192.168.122.42
    The SSH attempt should fail.
    Edit file /etc/hosts.allow and add the following entry: 
    
sshd: 192.168.122
    Try to SSH to smbhost from the desktop again.

    • Take me to the Course Website